How Cookies Work

If you live in the Eurozone, you will have noticed that every time you visit a new site, a banner comes up informing you that this particular site uses Cookies. Digitally-oriented people understand that the cookie is involved in some sort of website tracking. To analogue people a cookie looks like this:

 

[Image: a cookie. Caption: “Mmmmm”]

 

The digital version is not nearly as delicious. But it’s an essential part of the web as we know it. Now it’s your turn. Do you actually know what a cookie is? What it does? How it does what it does? The value it brings? The inconveniences it can cause? How creepy it can be?

Unfortunately, cookies are one of the things that we tend to take for granted. We are happy when cookies are regulated (like by the EU) because of visions of the NSA dancing through our heads. But if we took cookies away, every one of the websites you use every day would lose a lot of their convenience and ease of use. Since so few people actually understand what a cookie is, I’m going to attempt to give a thorough examination of them here.

Read on, brave digital citizen.

What is a cookie?

Here’s an example: you do a search for Oreos on Google. You click on the first result which takes you to the Oreos website. You find out that now Oreos are making “Thin Oreos.” That’s not what you’re looking for (nor is anyone else, why would anyone want less Oreo?). You go back to the Google search results page. Now you see that the link that you clicked is a purple color instead of the standard blue. How did this happen? How did Google know that you already clicked that link?

Here’s another example. You open your browser and go to Facebook for the 1,000th time today. You don’t need to log in again. Why is that? How does Facebook know that it’s you?

Here’s a final example. Your wife is shopping for a swimsuit from an e-commerce site. She selects a few products but doesn’t end up buying anything. You use the computer later and when you go to visit your favorite sports site, you see ads right next to the scores for the same products that she was viewing, on a sports site with a 90% male audience! How the hell did that happen? (And how can I make it happen again?).

The easy answer is to say: “you know, cookies.” But that’s like asking what GPS is and just saying “you know, satellites” or asking what a volcano is and saying, “lava.” It’s actually quite complex.

A cookie is a very, very small file that gets saved on your computer when you visit a website. To actually view a website, your browser has to make a call to the website’s server. Then the server responds by sending the elements of the page to the browser, like the code and the images. The code (HTML, JavaScript, PHP, etc.) tells the browser what to do and how to display the content. Once it’s loaded, you can see and interact with the website.

During the transfer of content, the website sends along a cookie which the browser accepts and stores on your computer (or mobile device). In its most basic state, a cookie has a name and a value. Just like a Word file saved in your Documents folder has a name: the title of the document; and a value: all of the words written in the document.

Then, when you visit the site again later the browser signals the server that the cookie is present, the server checks to see what the value of the cookie is, and it triggers a different functionality. The clearest example is staying logged in to a website. If there weren’t cookies, each time you went to Twitter you would have to log in again. You might have to type more characters for your username and password than the thing you were going to tweet! Talk about a pain in the ass.

But it gets even worse. In most cases, if there were no cookies you would probably have to log in again for each page you check on a single website during a visit. That would instantly render most services unusable.

Cookies are important. But who makes them? A digital Martha Stewart?

Cookies are created either automatically on the server or with a JavaScript function in the browser itself. The value of a cookie will keep updating depending on what you do on a website. Normally speaking, only the site that creates the cookie has access to that cookie in your browser. We’ll get to the exceptions a little bit later.

The Different Types of Cookies

So far I’ve been referring to cookies in their most general sense. But like the delicious treat, there are many different types of cookies. Some are good, like Vanilla Wafers. Some are meh, like Fig Newtons, and some are bad, like any variety of oatmeal raisin cookie. Each type of cookie serves a different function, whether it be for you, for the website, or for an advertiser. Let’s take a look at some of the most common types of cookies.

Session Cookie

The session cookie is a temporary cookie that is stored in the memory of your browser for only the period that you are on a particular website. It’s good for both you and the website since it helps you navigate around, telling you which parts of a site you’ve already seen and keeping your preferences when you switch between pages. It also helps the website by allowing them to record how many unique visitors came to the site and piece together what people did during a single visit, which is the cornerstone of web analytics. A smart site will then analyze the performance of their site and make improvements, which makes a better experience for you. Virtuous cycle, check!

Plus, once you leave the site, your browser automatically deletes the cookie!

Persistent Cookie

Persistent Cookies are more of a mixed bag. Generally speaking, they are the cookies that let you close your browser and reopen it and not have to log back into Gmail, which is super useful. In that case, they are known as authentication cookies. They have a pre-determined lifespan, which instructs your browser to keep them stored for a certain period of time. Whenever you visit a website your browser sends a request to the server along with the cookie which says, like Adele, “Hello, it’s me.”
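The round trip between browser and server, as an added example that is not from the original post: a toy server and a toy browser (all names, users and values are constructed) showing that a session cookie is gone once the browser closes, while a cookie with a lifespan still says “it’s me.”

```javascript
// Added example, not from the original post. Names and values are constructed.
const { randomBytes } = require("crypto");
const sessions = new Map(); // server side: "name=value" of a cookie -> username

// Server: a successful login answers with two Set-Cookie headers.
function login(username) {
  const sid = `sid=${randomBytes(16).toString("hex")}`;
  const remember = `remember=${randomBytes(16).toString("hex")}`;
  sessions.set(sid, username);
  sessions.set(remember, username);
  return [
    `${sid}; Path=/; Secure; HttpOnly`,                        // session cookie
    `${remember}; Max-Age=2592000; Path=/; Secure; HttpOnly`,  // persistent: 30 days
  ];
}

// Server: read the Cookie request header and decide who is asking.
function whoAmI(cookieHeader) {
  for (const pair of cookieHeader.split("; ").filter(Boolean)) {
    if (sessions.has(pair)) return sessions.get(pair);
  }
  return null; // no known cookie: the visitor has to log in again
}

// Browser: remembers the name, value and lifetime of each cookie it was sent.
class Browser {
  constructor() { this.jar = new Map(); }
  store(setCookieHeaders) {
    for (const header of setCookieHeaders) {
      const [pair] = header.split(";");
      const eq = pair.indexOf("=");
      const persistent = /;\s*(max-age|expires)=/i.test(header);
      this.jar.set(pair.slice(0, eq), { value: pair.slice(eq + 1), persistent });
    }
  }
  cookieHeader() { // sent back to the server with every later request
    return [...this.jar].map(([name, c]) => `${name}=${c.value}`).join("; ");
  }
  close() { // closing the browser discards session cookies only
    for (const [name, c] of this.jar) if (!c.persistent) this.jar.delete(name);
  }
}

function demo() {
  const browser = new Browser();
  const before = whoAmI(browser.cookieHeader()); // first visit: no cookie yet
  browser.store(login("alice"));
  const during = whoAmI(browser.cookieHeader()); // same visit, next page
  browser.close();
  const after = whoAmI(browser.cookieHeader());  // browser reopened later
  return { before, during, after, kept: [...browser.jar.keys()] };
}
console.log(demo());
```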

Think about how many different websites you visit and interact with. If you look at your browsing history, you will probably see hundreds if not thousands of different websites. If each website gives you one cookie, that’s a Cookie Monster ration of cookies.

But it’s not as simple as that.

Third-Party Cookies

All of the elements on a website have to be stored somewhere. When a website includes an image, the image itself is not actually “in” the web page. The HTML calls for the image through the “a href” link. Every image on the web has its own link address. This is where the image file lives so that it can be accessible to you when you visit a web page. So you might visit a web page like awesomesite.net which in turn is going to pull elements from multiple other sources. Advertising works exactly the same way.

An ad server hosts the information, the actual creative image or video that you see. Your browser calls to the website to show you the page, and the page calls to the ad server to deliver the ad to you when the page loads. When the ad arrives it can also come with a cookie that gets stored in your browser. In some cases the cookie is quite harmless, it serves to tell the ad server that you have already seen a specific advertisement, to make sure that you are not bombarded with the same ad over and over again each time you visit the same site. That sounds pretty nice.

But the reality is much more complicated than that because an ad server can often see which cookies are present in your browser. They can understand which sites you visited and depending on certain conditions, see your entire browsing history. Remember that a cookie has a name and a value. So going back to the bikini example, the sports website that I’m visiting works with a specific ad partner. The ad partner goes through my cookies and sees that my browser has the cookie from the e-commerce site. If a partnership is in place, it can even check the value inside the cookie and see that it contains certain product codes that correspond to the items that my wife selected. In this particular case, it can show me an ad for those exact products. Retargeting in action.

Transparency

If that phrase above “see your entire browsing history” gave a little creep up the back of your spine, then you fall into the category of people who do terrible things on the internet! You should be embarrassed!

Just kidding, no one wants to be under the gaze of Big Brother, and whether or not you are one of the people who thinks: “I don’t give a shit, let them track me,” it’s still important to understand that there are some bad cookies out there (I’m looking at you Hydrox). The classic example is the Zombie cookie, which takes its name from the way it rises from the dead. A Zombie cookie gets stored in multiple places, so when you delete one of them a program recopies it from a different place. To get rid of a Zombie cookie, you have to shoot it in the head, preferably with a crossbow.

As EU regulations made very clear, sites have to tell you explicitly when they are using cookies. But the rules get blurry about telling you how many and from how many different partners. Transparency rules are getting better, but if most internet users don’t understand what cookies are or how they work, sticking a banner on a website isn’t going to make people feel better when things happen that they don’t understand.

Privacy

Privacy is also a big point. Imagine if you’re unemployed but you get a job offer and need a loan to get a car. You go to visit a few bank websites but in your browsing history you also visited a sports-betting site. By reading your cookies, the bank can know that you gamble, and are thus riskier as a borrower. The interest rate they offer you goes up as a result, if they offer to give you a loan at all. It might seem outlandish but travel websites do something similar. They read your cookies and adjust the price of flights that you see in order to build urgency. If they see that you’ve visited a few times to search for the same flight they might opt to raise the price each time in order to motivate you to buy the ticket now. It’s a much less intrusive version of what the hypothetical bank would do: a company determining how they price an offer depending on your browsing history.

Now let’s imagine (hypothetically, of course) that you visited some sites and you don’t want to share that information with other people. The internet is a vast place where no matter how perverse you think you might be, there are always examples of people much more extreme than you. This is because up until now we have been anonymous across the web. Sure, you could track down the owner of an IP address, but that’s a pain and would require some dedicated work to trace things back to you. Plus IP addresses correspond to a connection, not a device. You can use a VPN (virtual private network) to make it seem like you’re in a different country. Cookies, on the other hand, are basically signalling where you’ve been to any website inclined to take an interest. Do you have an account on AshleyMadison? Participate in a sexual fetish forum? Frequently check a racist or misogynistic blog? A lot more people can know about that than you think. And if someone connects the cookies and the IP address, they could pretty easily figure out who you are.

Retracting a bit from the more extreme examples, in reality very few people or websites care about how many different porn sites you visit. In the scheme of things, little old you is just not important enough to warrant the resources necessary to follow and understand everything you do. Except for one group: advertisers. They do want to know about you. They want to know where you spend your digital time, what you do, and when you do it. They use this information to group together personas so that they can sell you directly to interested brands. It’s sort of like having a door to door salesperson who starts off already inside your house, who can follow you all around and watch you sleep. In the business of selling the more you know about your customer or client, the more you can understand their needs and desires and exploit that knowledge to sell to them. That’s what most people are referring to when they talk about the privacy problem with cookies.

Security

Yet privacy concerns pale in comparison to security issues. Because a cookie is transferred from a server to a browser, and the information is transferred back from browser to server, cookies can be intercepted. When cookies are intercepted, a hacker can then impersonate another internet user and gain access to their personal information, or even transfer money from a bank account. While many sorts of security protocols exist, especially regarding banks, it is surprisingly easy to hijack cookies if you are using a public Wi-Fi network or you are in a regular HTTP environment (HTTPS is a much safer environment). Hackers do this by creating false domains or JavaScript functions that cause cookies to be shared with them instead of the site that created the cookie.
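A site can narrow both risks described above with the standard cookie attributes Secure (never sent over plain HTTP), HttpOnly (hidden from JavaScript) and SameSite (controls sending on cross-site requests). The check below is an added example, not from the original post; the sample headers are constructed and the function names are hypothetical.

```javascript
// Added example, not from the original post. The Set-Cookie values are constructed samples.
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "remember=tok456; Max-Age=2592000; Path=/",
  "basket=sku-1|sku-2; Path=/; Secure; SameSite=None",
];

// Split one Set-Cookie value into its name and a map of lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no usable name=value pair: skipped in this example
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), attrs };
}

// Return the weaknesses a reviewer would raise for one Set-Cookie header.
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  if (!cookie) return null;
  const { attrs } = cookie;
  const sameSite = String(attrs.samesite || "").toLowerCase();
  const findings = [];
  if (!attrs.secure) {
    findings.push("no Secure: also sent over plain HTTP, where it can be intercepted");
  }
  if (!attrs.httponly) {
    findings.push("no HttpOnly: readable by any JavaScript running in the page");
  }
  if (!sameSite) {
    findings.push("no SameSite: cross-site sending is left to the browser default");
  } else if (sameSite === "none") {
    findings.push("SameSite=None: sent with requests made from other sites");
  }
  return { name: cookie.name, findings };
}

for (const header of SAMPLE_HEADERS) console.log(auditSetCookie(header));
```

Run it over the Set-Cookie headers a site actually returns (visible in the browser's developer tools) to see which cookies a login or session depends on and how each is protected.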

Take Control

Level 1: Do Not Track

Now you’re probably wondering what to do if you want to take control of your cookie situation. I don’t want to strike lightning on your front 9 but going online is just like going out of your house. You are out in the open world and as a result you are subject to forces and events that are out of your control. Of course, you could build a solid steel ball and roll around in relative safety, but at the cost of making any activity, like buying and enjoying a bagel, extremely inconvenient.

Ditto for the web. You have to find a balance between the convenience and security that you want. The most basic option is to go into your browser settings and select the “Do Not Track” option. This will cause your browser to tell sites that you’d rather not be tracked. Don’t be fooled though, no website is under any obligation to honor your request. It would be nice to think that some benevolent sites out there would heed the request, but most websites are businesses, and they will always put their economic interests above your personal preferences.

Level 2: Cookie Settings

In pretty much every one of the popular browsers there are options to control the cookies that are placed into your browser from websites. In Chrome, you have to go to Settings, scroll all the way down to Advanced Settings, click the link so it opens and you’ll see the Privacy list. Then click the Content Settings box to open the specifics for Cookies. The first part gives you a choice about which cookies to allow. There is an option to Block All Cookies. You can click this option and then click the Manage Exceptions button. Now you can select the sites that you use the most, like your email and social networks, so that Chrome will continue to store those cookies but it won’t accept cookies from any other site. I would recommend this setting as a good balance between being in control without losing convenience. There are also a host of special extensions and apps that you can add to your browser in order to control, reset, or block cookies from certain domains.

Level 3: Disable Everything

Remember that I told you that cookies can come with any of the elements on a website, such as pictures or JavaScript functions. Well, if you’re the type of person to wear aluminium helmets you can go ahead and disable everything: all JavaScript, all image requests, plug-ins etc. You will be able to browse the internet in nearly full security with absolutely no way to be tracked or to have your computer or identity hijacked through the use of cookies. You also won’t see any ads. But at the same time, you will see nothing but text pages, with no images and almost no functionality.

Side note: It’s actually a pretty fun experiment to disable JavaScript, images, and plug-ins. You should give it a try and see what your favorite sites look like without them!

The best way to be secure is to frequently change your password for all of your sites, on average once a month and clear your cookies at the same time. Ideally you would have a different password for the different sites you use. You would be shocked by the number of people who have “password” as their password. The strongest passwords are acronyms for things that only you can remember like WdIe3BtTw! which stands for “Why did I eat three Big Tasty’s this week?” If you’re following good security advice, you should be just fine, cookies or no.

Aside from all the cookie jokes, why are cookies called cookies?

It’s definitely not because they taste the same. Well, maybe Hydrox, but that shouldn’t even be considered a real cookie. Cookies are called cookies in reference to fortune cookies, one of the least tasty cookies in the world, but they are fun to eat, if only for the butchered English prophecies or fortunes that come inside of them. And therein lies the connection, you’ll remember from a few thousand words above that cookies have a name and a value inside, just like a fortune cookie.

“You can always find happiness at work on a Friday” – Random Fortune Cookie

Questions? Comments? Let me know! Thanks for reading! 
