Defending the cookie monster

There are lots worse things in the world than Web sites leaving cookies on your computer.

Published May 7, 2001 6:55PM (EDT)

Most evenings, as my wife and I, having finally gotten the kids to bed, sit down to dinner, the phone rings. Without fail, whoever picks up the phone hears a hesitation, then someone fumbling with our name and launching into a script about the wonderful advantages that might accrue to us should we open a credit card account/switch long-distance providers/take advantage of this vacation getaway offer.

Telemarketing is so universally loathed that you can't even mention the subject without eliciting waves of moans and laments. Yet there's not that much we can do about it. You can laboriously tell each of your banks, telecom companies and other service providers not to resell your name and number -- but who has the time to figure out how, and who knows whether they'll actually comply? You can say to the hapless callers, "Not interested -- and take me off your list!" but you'll never be sure they've done so -- or you might get a friendly reply, as I once did, like, "I can't, because you're fat!" (I don't think that's true, but hey, even if it were, how would he know?) You can turn off your phone, but then you sort of defeat the purpose of having one in the first place.

Next to the scourge of telemarketing, the kind of aggressive marketing that thrives on the Net looks fairly tame. Now, to be sure, spam is a gargantuan nuisance. Because Salon has been online for close to six years now, and because we've always had a policy of publishing our e-mail addresses all over the site so readers could reach us, our e-mail addresses are now on every "Bulk E-Mail Works!!!!" list of addresses in existence, and every morning we wake up to dozens of unwanted messages in our in boxes. Fortunately, though, they take seconds to delete, and can be removed on our own schedule. There are other steps we can take to sidestep spam if we really need to, like changing our e-mail addresses.

Talk to large numbers of Net users about aggressive marketing, though, and you will probably hear less about spam, which already seems to be accepted as an unavoidable hazard like the weather, than about the dreaded scourge of cookies. Cookies: evil spawn of Web marketers designed to track you down, follow you about and nail you!

If you listen to the general run of complaints against cookies -- little text files that Web sites deposit on your computer for a variety of purposes -- you might think that they are some accursed technological disease that, having once infected your hard drive, leaves you open and vulnerable to the predations of legions of unscrupulous marketers, spreaders of viruses and malicious hackers everywhere.

I've been thinking about cookies lately because here at Salon, our new Premium program relies on them in order to work properly, and we've corresponded with a small but vocal group of readers who feel strongly that All Cookies Must Be Destroyed. And though I am normally a diehard on issues of Web privacy, I have to report that cookies have been unfairly maligned.

A little history is in order: Web browser cookies came into being in the early days of Netscape, when programmer Lou Montulli integrated them in the browser to get around the Web's problem of "statelessness." Each time your Web browser calls on a page from a site, it sends out a request, gets a response and then closes the connection -- so that, from page to page, a Web site has trouble remembering any information about you.

This is fine if you want to stay anonymous, but problematic if a Web site wants to deliver any kind of individualized service to you -- and that kind of service was what the Web promised customers. So Netscape's cookies (later adopted by most other browsers) became part of the Web's basic infrastructure: The browser would allow sites to deposit the cookie on your computer as a kind of key so the sites could recognize you from page to page and from visit to visit. Without this capability, most of the Web's services wouldn't work at all, or would require you to log in with annoying frequency.

That cookies are data on your computer that is created and manipulated by remote Web sites is what makes them mysterious and threatening to many users. It seems like the hand of some impersonal company is reaching onto your own hard drive and doing stuff behind your back, and that gives people the willies.

But it's this very fact of cookie life that actually makes them such a relatively benign phenomenon. Because cookies are simple text files and not active code, they can't contain viruses or wreak malicious damage to your system. And whatever a cookie is doing, you are its master: You can always delete it, destroy it, blast it out of existence and return your relationship with any Web site to square one. You don't have to beg the company to "take me off your list"; you own the list. (Once you give a Web site your e-mail address or other personal information, of course, that's in its database, on its computers, and you may face the same problems you face with telemarketers if the site is unscrupulous. But that could happen just as easily in a world without cookies.)

Compare this situation with the future that Microsoft and other companies are trying to build. If the notion of delivering most software services across the Web -- à la Microsoft's "Hailstorm" initiative -- bears fruit, we will increasingly find ourselves depositing our personal data with third parties. Of course there'll be tons of assurances of privacy and personal control, and in most cases those promises will be good. But the company that wants to be more aggressive about using your data in ways you might not like is in a much better position if that data is sitting on its computers than if it's sitting on yours in a cookie file. (You can learn everything you ever wanted to know about cookies and more from Cookie Central's Frequently Asked Questions page.)

Now, there's no denying that cookies have been used for some dubious, if not outright unethical, purposes. Cookies are supposed to be used primarily as part of a relationship between one individual user and one Web site -- but in some cases, the increasingly complex nature of Web pages, which can be assembled from more than one server, has led to some genuinely troubling new wrinkles.

The most notorious case involved the ad agency DoubleClick, which serves ads on many different Web sites. DoubleClick's ads deposited cookies and then the company cross-referenced individual users' travels -- noticing, for instance, that you might have visited Salon, Yahoo and Webvan. In itself that was shady but not definitively invasive, and if DoubleClick had been content to simply use that information to fine-tune what ads it showed you, most users would probably not have cared.

But DoubleClick went too far: A year ago, after it acquired another company that compiled databases of real-world names and addresses, it announced plans to cross-reference its cookie-based information about Web users' habits with its lists of individual names and addresses. That sparked a firestorm of outrage and forced DoubleClick to back down from its plans, at least for now -- although at the time the company said its plans were "on hold" until the laws and regulations on privacy became clearer.

Even if DoubleClick proceeds with its scheme in the future, though, you can always just block or delete the company's cookies. If you're concerned about cookies, you can resort to a variety of tools to filter them so that you only accept them from sites you trust. (Internet Explorer allows you to do this in a fairly convoluted way; the fine Opera browser will give you more control.) This is far preferable to setting your browser to warn you each time a cookie is set -- on today's Web that can turn your experience into a nightmare of repetitious dialogue boxes.

The history of marketing has left most people understandably suspicious of any kind of tracking of their habits, and there's good sense in trying to avoid making the same mistakes on the Internet that we've made in every previous medium. By all means, let's be cautious about what we allow companies to do with personal data.

But let's not allow that concern to drive us batty with paranoia, either. There's no reason to throw out the good cookies with the bad.

By Scott Rosenberg

Salon co-founder Scott Rosenberg is director of He is the author of "Say Everything" and Dreaming in Code and blogs at
