The myth of the dangerous cookie
Published May 21st, 2014 at 11:08 AM EDT, modified May 21st, 2014 at 11:08 AM EDT
Cookies have achieved a near-mythological status as harmful these days. Most people don’t have a clear picture of what they are, but nonetheless, many believe that cookies should be deleted regularly, or even blocked entirely. Often, this is based on advice from forums or even computer techs. The rumors of the hazardous cookie have gotten so prevalent that it’s worth asking the question: are cookies really as dangerous as everyone says?
First, for those who may not know exactly what a cookie is, they’re really quite simple. A cookie is simply a bit of data that a website has asked your browser to hold onto for a while. When you go back to that site later, that site can retrieve its data. The data stored can consist of anything, really, but it cannot hold anything that the site doesn’t already “know.”
Cookies typically expire after a certain amount of time, meaning that they will be removed after that point. The expiration date is set by the site, and can vary widely. Some sites may even set cookies that never expire, although this is fairly uncommon. Cookies are also retrievable only by the site that set them. Your web browser will not give data from a cookie belonging to one site to any other site.
One thing that cookies are often blamed for is containing and transmitting viruses. There’s absolutely no truth to this myth at all. Cookies are data, pure and simple, and even if that data happened to hold some malicious executable code, your browser would not run that code. Cookies cannot take any actions on their own, and if you happen to visit a malicious site, the threats that site may pose are not in any way related to cookies. On this point, you can set your mind completely at rest.
Cookies are also sometimes blamed for causing all manner of stability and performance problems. If someone is having a problem with their browser crashing or loading sites slowly, you can bet that someone will advise deleting cookies. (I’ve even seen such advice given for general system problems that aren’t specific to the web browser.) This advice is garbage, though, typically given by someone who is just repeating something they heard someone else say, not because it actually works. Cookies do not cause such problems in the browser, much less with the system in general!
Another “evil” attributed to cookies is violating privacy. So-called “tracking cookies” are designed to track users’ movements between sites. Such things really do exist, but stories of their capabilities have attained mythical status. In reality, tracking cookies are often used by advertisers to track the sites visited by a particular user. However, there are some serious limitations on such tracking cookies. First, because a cookie can only be retrieved by the site that set it, these cookies can only be used on sites that load and display dynamic content provided by the cookie’s creator. In other words, if an advertiser called WeLikeSpam sets a tracking cookie, that cookie is only functional on sites that include advertising from WeLikeSpam (called affiliate sites).
In addition, cookies can only contain data the site already knows. When it comes to an advertiser, like WeLikeSpam, this really includes very little. Unless you enter some personal information into a form within a WeLikeSpam advertisement, that information is limited to things like the IP address of your computer, which affiliate site you were visiting, the date you visited and what browser you’re using. So, nothing that’s actually personal. This is all information your browser provides to every single site you visit.
What concerns people about tracking cookies is that they allow an advertiser to link a pattern of behavior (i.e., what affiliate sites were visited when) with a particular web browser. Privacy advocates don’t like this, and they say that this information could, in theory, be used to link the behavior with your real identity. In reality, this would be much more difficult to do than those privacy advocates let on, assuming it’s possible at all, and the advertisers really don’t seem to care about that anyway. What the advertisers want to know is that a particular browser has spent a lot of time at specific sites. This allows automated software to create a profile that can identify the kinds of ads the user is more likely to click on, tailoring the advertising to the user. They really couldn’t care less about who you are.
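The scoping rules described above can be seen in a small simulation, added here as an illustration and not taken from the original article. The `Browser` and `AdServer` classes, the host `ads.welikespam.example` and the affiliate host names are all constructed for the example.

```javascript
// Constructed simulation of the article's "WeLikeSpam" scenario: a cookie jar
// scoped by host, and an ad server that links visits through its own cookie.
class Browser {
  constructor() { this.jar = new Map(); }            // host -> cookie value
  // Load a page; `embeds` lists the third-party hosts whose content the page pulls in.
  visit(pageHost, embeds, servers) {
    for (const host of [pageHost, ...embeds]) {
      const server = servers[host];
      if (!server) continue;                         // host not modelled in this simulation
      // Only the cookie that `host` set is sent back to `host`, never another site's.
      const request = { cookie: this.jar.get(host), referer: pageHost };
      const setCookie = server.handle(request);
      if (setCookie) this.jar.set(host, setCookie);
    }
  }
  clearCookies() { this.jar.clear(); }
}

class AdServer {
  constructor() { this.profiles = new Map(); this.next = 1; } // id -> affiliate sites seen
  handle({ cookie, referer }) {
    // Real trackers use random ids; a counter keeps the simulation deterministic.
    const id = cookie || `browser-${this.next++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(referer);             // the server learns only the embedding site
    return cookie ? null : id;                       // set the cookie on first contact only
  }
}

function simulate() {
  const ads = new AdServer();
  const servers = { "ads.welikespam.example": ads };
  const browser = new Browser();
  browser.visit("news.example", ["ads.welikespam.example"], servers);
  browser.visit("recipes.example", ["ads.welikespam.example"], servers);
  browser.visit("bank.example", [], servers);        // no WeLikeSpam embed: never reported
  browser.clearCookies();                            // the next visit looks like a new browser
  browser.visit("news.example", ["ads.welikespam.example"], servers);
  return Object.fromEntries(ads.profiles);
}

console.log(simulate());
```

The profile for the first id holds only the two affiliate sites, the non-affiliate site never appears, and the visit after clearing cookies is filed under a second, unlinked id.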
In theory, a malicious site that manages to get code injected into a number of other sites could try to do more malicious tracking. However, due to the limitations imposed on cookies by web browsers, this is difficult and the information available is sparse. If the user can be tricked into providing information, there’s really no need to involve cookies or track the user across sites. There are far easier ways to scam people, so the effort required means this is an extremely unlikely avenue of attack.
Now, it is true that you could block or delete only certain cookies, perhaps with the assistance of some third-party software. However, let’s be honest here: the risks are so small that it’s really not worth the effort. You are free to take that effort if you like, but I personally never bother. Does this mean that I condone tracking by advertisers? Not really, but neither do I see this as a serious privacy issue. You should be more concerned about the grocery store customer card you probably have in your wallet, since such systems are tracking much more personal data and associating it directly with your actual identity.
If you choose to block cookies, you can use a tool like Ghostery to help you do so. I do not consider that necessary, but everyone has their own tolerances for such things.