Insidious Netscape Feature: Cookies / MagicCookies

Robert Hazeltine rhazltin@bacall.nepean.uws.edu.au
Wed, 28 Feb 1996 10:19:49 +1100 (EST)


Roger

On Wed, 28 Feb 1996, Roger Clarke wrote:

> Roger.Clarke@anu.edu.au (Roger Clarke) wrote to Netscape:

I do not usually quote a complete posting in reply as I understand that 
it is in most cases considered to be in poor form.

However, I beg your indulgence while I explain.  I am a subscriber to a 
discussion list www-html@w3.org which discusses development of HTML 
specifications.

Last Friday, a proposal under the heading, AUTOMATIC ENTRY AND FORM was 
put to the list after some preliminary discussion.  I understand that 
the proposal was co-authored by Dr P Hallam-Baker and Dan Connelly.

On the face of it, it is a simple proposal to extend HTML by adding 
certain elements that allow browser users to upload personal information 
at the behest of the author of the site.  There was nothing in the 
proposal, in my view, to protect personal particulars from robots, 
accidental submission, malicious applications and/or authors, 
unwittingly submitting your personal particulars already stored in a file, etc.

This has a greater potential for abuse of privacy as yet on an unimagined 
scale, especially when compared to the case you cited and which I have 
repeated below.  However, rather than my prejudging your own assessment of 
the proposal and subsequent discussion, check it out yourself (I 
still have a copy).

In fact, I also invite anyone with an interest in the welfare of net 
users to check it out as the originators are being obdurate on this one.
If you read between the lines, this is an appeal for help :-)

Rob...

> > I've been reading about a 'cookies' feature in Netscape Navigator 2.0, but
> > I can find nothing in the on-line Netscape Handbook, and no such file on my
> > hard disk.
> >
> > Is this a furphy / red herring / leg-pull / stir / unsubstantiated rumour?  We
> > relate to such things in Australia, and loved the Apple/Sony rumour of a
> > couple of weeks ago.
> >
> > But if it's not a furphy, why is it an undocumented feature?  Especially since
> > it has the capacity to create fear and loathing among the user community, and
> > cost Netscape the enormous advantage it's gained you over your competition??
> >
> > This is a serious request for info, by the way, not a flame!
> 
> 
> Netscape replied:
> For information regarding this matter, please refer to
> "http://home.netscape.com/assist/support/server/tn/cross-platform/20019.html"
> 
> 
> Phil Agre of rre distributed this item:
> 
> Leading Web Browsers May Violate Privacy of Users' Computers, Activities
> 
>                  By Lee Gomes, San Jose Mercury News, Calif.
>                     Knight-Ridder/Tribune Business News
>                                    Feb. 13
> 
> Attention, Web surfers: You'll probably be surprised to hear
> this, but the Web sites you're visiting may be spying on you and using your
> own computer's hard disk drive to keep detailed notes about what they see.
> 
> A little-known feature of Netscape's Navigator, as well as other World
> Wide Web browser programs, including Microsoft Corp.'s, allows Web sites to
> store any information about your visit that they want to by way of a file on
> your own hard drive. The file theoretically can be up to 1.2 megabytes big
> -- the size of a medium-sized computer program.
> 
> The feature is called "cookies," and while Netscape said the features
> have many legitimate uses, the company admitted its use could evolve to pose
> serious questions involving privacy and other issues. In response to queries
> Monday, the company said it is considering changing the way the feature
> works.
> 
> "This is a very legitimate issue that people ought to know about," said
> Len Feldman, a Netscape Communications Corp. product manager. "It's
> certainly something for us to consider."
> 
> Cookies -- the name is entirely whimsical -- allows any Web site that
> so wishes to store any sort of information they want about your visit, such
> as what specific pages you looked at and how long you looked at them. So
> far, very few Web sites are using the feature, although an industrywide forum
> is on the verge of standardizing the cookies technology.
> 
> It does not mean Netscape monitors every step a user takes. Instead, a
> company with a Web site, for example, could monitor a person's use while on
> that individual site.
> 
> Web sites store the information by way of a file called "cookies.txt"
> on Windows machines and "MagicCookie" on the Macintosh. The information
> usually resides in the same directory as the Navigator program. These are
> standard text files that can be read using any word-processing program.
> 
> Once the information is stored, the site will know you have been there
> before; it may also have an indication of what your interests are.
> 
> Because of the way that connections are made on the Internet, cookies
> will not tell a Web site your name or address -- only that you, or someone
> using your computer, had visited the site before, along with whatever other
> information it wishes.
> 
> Of course, it stores this information if you voluntarily "registered"
> at the site, giving it your name and address. From then on, all of your
> comings and goings could be recorded and linked to you, specifically -- even
> if on a subsequent visit you do not sign in using your name. That
> information, in turn, could be sold to others, such as consumer marketing
> organizations.
> 
> Even while cookies don't explicitly betray your identity, the feature
> seems to violate two nearly universal assumptions held by computer users:
> 
> One is that exploring the World Wide Web is an entirely confidential
> and anonymous experience that leaves no record of itself. The other is that
> users' hard disk drives are, in effect, their castles, and shouldn't be
> tampered with -- without an owner's explicit knowledge and approval.
> 
> Cookies are built into browsers and cannot be turned off. While
> deleting the cookies file on your computer will erase any information that's
> been stored there, if in your next session with the browser a site wants to
> store information, it will simply create a new cookies file.
> 
> Feldman said cookies were designed to allow information to last from
> one Web visit to the next, something that is now impossible because of the
> way the Internet is set up.
> 
> That capability would have many legitimate uses on the Web. For example,
> the Internet version of the Microsoft Network relies on cookies to allow
> users to customize the "home page" they first see when they visit the site
> with various stock quotes and the like.
> 
> Feldman said, though, that the use of cookies has grown without the
> company going back to consider some of the privacy and related questions
> that are raised -- especially since most browser users probably don't even
> know the feature exists. One possible solution, he said, would be to allow
> cookies to be turned off, on a permanent or per-session basis, by users via
> the program's "options" menu.
> 
> Feldman said that Netscape's software prevents one Web site from seeing
> the cookies information stored by another Web site -- for example,
> competitors looking to see what a rival had stored. But he said it is
> technically possible, although difficult, for one Web site to pretend it is
> another site and therefore get access to information.
> 
> Occasional grumblings about cookies have been a feature of several
> Internet discussion groups -- one Netscape user complained on-line that he
> felt as though he had been "electronically tagged like an animal." The
> cookies feature was also described in an article in Monday's Financial Times
> of London.
> 
> 
> 
> Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/
> Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
> Tel:  +61  6  288 6916                       Fax:   +61  6  288 1472
> 
> Visiting Fellow, Faculty of          Email:  Roger.Clarke@anu.edu.au
>     Engineering and Information Technology
> Information Sciences Building Room 211       Tel:   +61  6  249 3666
> The Australian National University
> Canberra   ACT   0200   AUSTRALIA            Fax:   +61  6  249 0010
> 
> 
> 

Robert Hazeltine                    r.hazeltine@nepean.uws.edu.au
Library Web Support                 http://www.nepean.uws.edu.au/library/