Internet privacy advocates object to cookies for a wide variety of reasons. First among them, succinctly put by Viktor Mayer-Schonberger, is that the cookie is stored in the user's computer without her consent or knowledge (). Before the upgrades of popular browsers like Netscape and Microsoft Internet Explorer, cookies were placed anonymously and without alerting the user. Next, information from the cookie was transmitted to the website, again without the user's knowledge (ibid). With browser upgrades users may be alerted when they are being offered a cookie, but the formatting of the information may tell the user little about what is actually being stored. For example, on August 10, 1997 The AdLink Exchange offered the following cookie information to the author of this paper:

The server wishes to set a cookie that will be sent back to any server in the domain .linkexchange.com. The name and value of the cookie are: SAFE_COOKIE=33eec. This cookie will persist until Tue, Nov. 09 15:59:59: 1999.

A second cookie was offered immediately afterward, with a value of XLINK=X194454, without an expiration date. There is little way to decipher what information was to be stored in these cookies, although presumably it would have recorded the site where the cookie was offered, what advertisement was currently on display, and whether or not the ad had been accessed.
In addition to the cryptic nature of cookie alerts to the user, it is not always clear where the cookie is coming from. Banner advertisers place cookies on any number of websites, and the user may not always be alerted that the cookie is coming from an advertiser rather than the website itself. In the example above the AdLink Exchange server was clearly identified, but on more crowded sites where multiple cookies are offered, the identity of the cookie may become blurred.
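The following sketch is an added example, not part of the original paper: it turns a cookie offer like the ones quoted above into the three facts the browser alert leaves unclear, namely which hosts will receive the cookie, how long it lasts, and whether it comes from a party other than the site being visited. The header strings are constructed from the name, value, domain and expiry quoted above; the hostnames `ad.linkexchange.com` and `www.example.com` and all function names are assumptions made for illustration.

```javascript
// Added example; header strings and hostnames below are constructed for illustration.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// True when host is the cookie domain itself or any subdomain of it.
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// servingHost: host that sent the header; pageHost: site shown in the address bar.
function describeCookie(header, servingHost, pageHost, now) {
  const c = parseSetCookie(header);
  const scope = typeof c.attrs.domain === "string" ? c.attrs.domain : servingHost;
  const expires = typeof c.attrs.expires === "string" ? new Date(c.attrs.expires) : null;
  return {
    name: c.name,
    value: c.value,
    sentBackTo: c.attrs.domain ? "any host under " + scope.replace(/^\./, "") : "only " + servingHost,
    lifetime: expires ? "persistent" : "session",
    wholeDaysUntilExpiry: expires ? Math.floor((expires - now) / 86400000) : null,
    // Simplification: a real browser compares registrable domains, not suffixes.
    thirdParty: !domainMatches(pageHost, scope),
  };
}

const now = new Date(Date.UTC(1997, 7, 10)); // date of the prompt quoted in the essay
const headers = [
  "SAFE_COOKIE=33eec; expires=Tue, 09 Nov 1999 15:59:59 GMT; path=/; domain=.linkexchange.com",
  "XLINK=X194454; path=/; domain=.linkexchange.com",
];
for (const h of headers) {
  console.log(describeCookie(h, "ad.linkexchange.com", "www.example.com", now));
}
```

The opaque values themselves (`33eec`, `X194454`) stay opaque: only the issuing server can map them to whatever it has recorded, which is why the scope and lifetime are the parts a user can actually evaluate.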
Software Issues

The safety of personal information stored on the user's hard drive has also been of concern in the cookie debate. Concerns have been raised about the possibility of cookies being written that would allow access to other information that the user has stored. Cookie programming has many times been found to contain gaping security holes. At one point in its development it allowed access to your e-mail address as you had it specified in your Netscape/MSIE preferences file (Robulack). One of the most recent upgrades of the popular Internet browser, Netscape Communicator, was plagued with a bug that would allow a website access to the information that was passed between that site and the cookie file, including credit card numbers and passwords that had been entered into files. While this bug has been fixed and did not allow access to the user's hard drive, it was still a serious breach of cookie security (Radosevich). Further concerns have been raised about the possibility of websites gaining access to cookies placed by other sites, but it is being debated whether or not this is practicable (Shutko). Another issue regarding cookies is that they may contain malignant viruses which would be transferred onto the user's hard drive. While it is possible that a malicious program might be transmitted and allowed to execute by a bug in Microsoft's Internet Explorer 3.0, it is not a strong concern. Cookies are routinely stored only as text files, and so are not executable (Cookies and Viruses). A more serious worry could be the possibility that a cookie might be developed that could snoop through a user's hard drive, looking for something that resembles a Social Security number or a bank balance (Moukheiber, 343).
Internet Privacy

The most pressing issue concerning cookies, more than possible hardware invasions and general unease with the placing of files on user hard drives by third parties, is the concern of user privacy and the potential for abuse. Advertisers and webmasters are currently using cookies to develop detailed profiles of users and their browsing habits. Each click on a particular type of advertisement or page in a website is added to the profile kept by its maintainer. For the time being this information is primarily used for website design and the placement of banner advertisements, but the possibility also exists for these profiles to be sold and resold to other commercial interests (Roubulack). This could lead to deeper incursions into personal privacy, because if any one of the cookie-maintainers links a user identity to their cookie ID, then that information could also be resold. "…once your identity becomes known to a single company listed in your cookies file, any of the others might know who you are every time you visit their sites" (How web servers cookies threaten your privacy).
A closely related possibility is that user information could be resold to non-advertising entities, and possibly used in ways that advertisers had not intended. An extreme, but not impossible, scenario was put forth by David Christle:

…if you visited a number of sites that advertise alcohol…and you end up on a list that your insurance company purchases. The list compiled from a variety of Internet sites shows your name as someone who frequents sites that promote alcohol, or at least as someone who is a prime prospect for alcohol sales. They raise your premiums on a profile that has been built about you based upon the sites you visit on the Internet.

Someone assumes this is an accurate profile…and acts upon this erroneous assumption…This scenario may never happen but the door has been opened…Just ask anyone who has been victimized by an inaccurate credit report.

It is an extreme example, but does point up a disturbing prospect for abuse.
Another way cookies could pose an active threat to users is through law enforcement. There have been past instances where the distribution of online pornography has been tracked and arrests made on the basis of Internet activity. In the summer of 1995, as part of Operation Longarm, the FBI cracked down on what was called a Child Pornography Ring by posing as pedophiles on America Online. The FBI arrested 12 people on child porn charges (White). At this time cookies were not yet a part of the Internet world, but there is a possibility that if user profiles compiled via cookies had been available to law enforcement, they might have been admissible as evidence. Computer files, like other documents, may be seized as evidence with proper warrants, and since the cookie file exists on the user's hard drive, it would be retrievable as are other files. Cyberspace law (see the Electronic Communications Privacy Act) is still being written, and it is a possibility that following a wrong link could land a user in legal trouble.