Cookies and Their Impact on Internet Security Cookies are tiny bits of information that is stored by a web site when a user enters its site. The next time the user enters that site; the user's browser sends the information back to the site (Andrews, 1996). A cookie is typically designed to remember and tell a web site some useful information about the user.

For example, an online music store may uses cookies to keep track of what products each individual customer purchases. When the customer returns to the site, the company's browser allows it to read the cookie. The site could then make a list of similar products that the customer may be interested in, based on the cookie's information (p. 20).

Cookies are invisible to users, unless the users set preferences that alert them when cookies are being used. In most cases, cookies are harmless (Cole, 2002). Cookies cannot be used to gather personal information about users, unless the users provide the information.

However, some companies use cookies develop a profile of Internet users' interests based on the sites visited and the things they do at the sites (Descy, 1999). As a result, advertisers can tailor online advertising based on the interests and buying habits of Internet users, or use the information in a variety of other ways. This can present a significant threat to Internet security, if Internet users do not exercise caution.

Introduction

Many Web surfers have a fear of cookies that is based on ideas from the media that cookies are a dangerous risk to Internet security (Lowe, 2002). However, the majority of cookies are actually harmless.

Cookies are small text files that many websites place on a user's machine to identify it (Cole, 2002). Different websites use cookies for different reasons. Many use cookies to store registration details, so that users do not have to enter all their details every time they visit a site.

Others use them as an additional security check, or to verify a user's identity. In addition, some use websites use cookies to record which areas of a website a user has visited. Advertisers can also use cookies to monitor which advertisements have been seen by users and how successful their campaigns are.

Cookies are actually beneficial to Internet users and websites when properly used to personalize the Web experience. However, some websites' use of cookies has a negative impact on Internet security, such as DoubleClick Network's use of cookies to record the Internet habits of users (Davidson, et al., Sterne, Philips). This type of use poses a threat to the privacy of the users, as the company uses information obtained through cookies for marketing purposes.

The Basics of Cookies and Their Impact on Security

According to Joshua Woodruff, E-Business architect at Avaya Communications, Inc. "Internet cookies, or small files that get downloaded to client browsers when surfing sites, can potentially expose a significant security risk."

The cookie file can contain information such as user IDs and passwords, credit card numbers, social security numbers, or any other piece of information the organization handing out the cookie feels it needs to store on a client system. This file exposes information that is then vulnerable to hackers who may be able to get onto a client system via the Internet and copy these files.

Why are cookies used then? This kind of information helps organizations track new and repeat visitors, provide automatic sign in, and pre-populate web pages with information entered the last time the client visited the site, among many other things. According to Woodruff, it "is completely up to the whims of the organization handing out the cookie as to what may be contained in the file and what it's used for."

Therefore, it is not necessarily the cookie itself that poses a security risk, but rather the level of expertise and professionalism used on the other end - the web development teams within these organizations that build the code for these cookie files and functions (Sterne, 1997).

When asked how to tell what level of skill and scrutiny a particular web developer has when visiting a particular web site, Wooduff's answer was, "You can't! Any time you visit any web site, you are exposing yourself to the code that's been written by a particular team of developers whom you can only hope use strict security guidelines in their development practices. Of course most professional, major web sites, such as Dell.com and Amazon.com, would not code cookies in such a way to expose any potential risk - right? But how do you know for sure?"

Protection...

A client browser can be configured to accept any and all cookies, allow cookies only from sites it "trusts" (which a user could configure), or not allow any cookies (Gunderson, et al., 1996).
This presents the familiar scenario of security vs. usability - if a browser is configured for high security and set to not accept cookies at all, a lot of web sites will not be able to deliver full functionality to the client, where as if the browser was configured for low security, the client may be able to experience full featured web sites but at the same time exposes itself to vulnerabilities (NetScape).

With Internet security such a huge issue today, users have to protect themselves against sites that use cookies. An Internet user must find a situation where he feels comfortable. He also must use caution when entering any kind of personal information into a web page.

Most reputable Web pages will have links to their security guidelines and even explain their usage of cookies. This information is provided to enhance awareness of the usage of information and should be used for Internet security.

Weighing the Benefits of Cookies with Their Threat to Internet Security

Cookies are mechanisms developed by the Netscape Corporation to make up for the stateless nature of the HTTP protocol (Netscape). Without cookies, every time a browser requests the URL of a page from a Web site, the request is treated as a completely new interaction.

The request, which is often just the most recent in a series of requests as the user browses through the site, may be lost. While this makes the Web more efficient, this stateless behavior makes it difficult to create things, such as shopping carts, that must remember the user's actions over a long period of time (Philips, 1995).

One of the major issues surrounding Internet security in today's society is keeping information secure and private. The Internet is a public network, so information can easily be shared with or stolen by others.

Cookies have a significant impact on Internet security when companies cross the line between using cookies as a simple data management tool and infringing on the online privacy of Internet users (Narayan, Gunderson). The users are often the victims here, because cookies are tracking all of their movements on the Internet, and the users do not know that it is happening.

Fundamentally, cookies are harmless pieces of text. They cannot be used as a virus and cannot access the hard drive. However, cookies, when transmitted through a website, can have an impact on Internet security.

Cookies cannot be used to steal data or information over the Internet. They are simply used to store information that was provided by the user at some point. For example, if a user entered his name when filling out a form, a server can turn this information into a cookie and send it to the user's browser. The next time the user visits the site, the site may welcome him by name. This is a harmless use of cookies.

However, cookies can negatively affect user security when they are used for other purposes (Andrews). When a browser accesses and surfs Web sites, it leaves a trail of information across the Internet, including the name and IP address of the computer, the brand of browser used, the operating system that is run, the URLs of the Web pages accessed, and the URLs of the pages last viewed (p. 17).

Dangers of Cookies to Internet Security

Cookies basically enable companies or individuals to follow this trail to learn about the Web browsing habits of the user.

For example, the DoubleClick Network develops profiles of individuals using the World Wide Web and sends them advertising banners customized to their interests (Descy, 1999). DoubleClick's clients are Web sites that want advertise their services.

Each of Doubleclick's clients becomes a host for the advertising of other members of the network. The clients also create advertisements for their products and services, and submit them to DoubleClick's server.

Each Web site uses it site to link with DoubleClick. If a user views on these pages, his browser automatically links to DoubleClick's server to retrieve one of its member's advertisements and return it to the browser. When the user reloads the page, a different advertisement appears (p. 50).

The user typically does not even notice the difference between DoubleClick's graphics and any other Web banner, but there is one important difference. When a user initially connects to the DoubleClick server to select a banner, the…