I don’t usually get too involved with lunatic fringes; they’re not worth the hassle. But this one displays such rampant ignorance about my profession that it can actually make life harder, both for me and for you, but especially for me.
So we’ll take it slow and simple, just to keep things clear. And we’ll leave the politics out, so we can keep to the facts and avoid descending into silliness (or at least any farther into silliness than the post already is).
I’m talking about the “cookie” that is a small text file deposited in your computer when you visit a website so websites, marketing agencies and a host of other commercial (and not-so-commercial) ventures can track what you do on the Internet and know what your interests are while surfing the Net.
Well….not really. The author has the glimmer of the truth, but then swings overhard and misses it.
Yes, a cookie is a text file that your browser stores on your computer, at the request of a web server. But that’s as far as it gets. It doesn’t track you anywhere. It just sits there. Servers can ask to read the cookie, and can modify the cookie, but only within set boundaries. For example, a server in my domain could ask for a cookie set by another server, but the default security in browsers would deny that request.
Let’s look at the actual policy change, as given in a link (to the NYTimes) supplied by the author:
The White House suggests federal Web sites be allowed to use “single-session” cookies during one given citizen visit that won’t do any tracking. These would be akin to those e-commerce sites use to make shopping carts work. They would also like to use tracking cookies to gather data purely for Web-traffic analysis. And finally, they propose to use persistent cookies “with the intent of remembering data, settings, or preferences unique to that visitor.”
OK, “single-session” means the cookie lasts until you close your browser, after which your own browser will invalidate the cookie, and it will not be able to be recalled by any site, whitehouse.gov included. Almost every site on the web (including the author’s own site) uses a cookie like this. This is required because the web itself is designed to be stateless (that means every page request on the web has neither a past nor a future) while our interactions with it are certainly not.
You use single-session tracking cookies, not to track individuals, but to monitor the success of your website. By looking at the path visitors take through your site, you can adjust the site’s architecture and design so that information most sought after is easier to locate. It’s an ease of use thing, not a privacy thing. You can see that, say, 20% of your visitors take the path “a->b->c->b->a->d->e” in your website, so you change your design so that the path “a->d->e” is easier to find in the first place, or so that there is a path from “c” to “e” to make your visitors’ lives easier. And yours, of course. After all, the easier it is for people to find the information they want, the more likely they come back next time.
The persistent cookies remember settings. Those stay from visit to visit. I’ve used them on some sites as another user-friendly aid. If there’s a color scheme or font size you liked on the site, I tell the cookie to remember those settings, and when you come back next week, I look in the cookie and set them the way you like them.
In the specific case of the whitehouse.gov cookies, they store three values and they expire at the end of the “session” (in this case, that means they are invalidated when you close your browser).
Now the next bit of ignorance:
Cookies are intrusive computer files that invade your privacy. They record your real IP address (unless it is hidden). And when the government knows what your IP address is, then they know who you are on the Internet!
Cookies are not intrusive. Cookies do not, by default, record your IP address. They do not invade your privacy in the least. They record only what the server already knows about you, what the server tells them to, what you have already told the server. I’ll repeat that for you in case you missed it: They record only what the server already knows.
Every webserver on the internet knows the IP address of the browser visiting. Cookies aren’t necessary for that. And every webserver on the Internet records in its log the IP address of the browser visiting it, automatically and without a cookie. It happens every second of every minute of every day. It *has* to record this information, else how would it know where to send the page you request?
I’ll go even farther with this. The blog I’m quoting from is powered by WordPress, and WordPress records the IP address of every person commenting on the blog, and displays it to the blog’s owner along with the comment. Therefore the blog’s author is doing precisely the same thing that is so heinous for the White House to be doing. Pot, meet kettle.
Where did cookies get this bad reputation? Because of advertising. Ad servers place cookies in browsers to track which ads have been displayed to a user and which ones have been clicked on. They can do this on a variety of sites only if those sites give them hooks to do it, such as hooks for ad banners.
Cookies by themselves track nothing at all. They have to be written to. For cookies from whitehouse.gov to be used to track people on sites other than whitehouse.gov, it would require those other sites to directly communicate with whitehouse.gov to let them know you are there, or to write that information themselves into the whitehouse.gov cookie, something that would contravene the default security settings in every browser I can think of.
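The boundaries described above (session versus persistent cookies, and one site being unable to read or write another site's cookies) can be checked with Python's standard-library cookie jar, which applies a browser-like default policy. This is an added example, not from the original post; the cookie names and values are constructed, and `FakeResponse` is a hypothetical stand-in for a real HTTP response.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Stand-in for an HTTP response carrying Set-Cookie headers (constructed)."""
    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # appends, does not overwrite

    def info(self):
        return self._headers


def receive(jar, url, set_cookie_headers):
    """Let the jar apply its default policy to a response from `url`."""
    jar.extract_cookies(FakeResponse(set_cookie_headers), urllib.request.Request(url))


def cookies_sent(jar, url):
    """Return {name: value} for the cookies the jar would attach to a request."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie", "")
    return dict(pair.split("=", 1) for pair in header.split("; ") if pair)


def demo():
    jar = http.cookiejar.CookieJar()
    # Constructed cookies: one session cookie, one persistent preference (30 days).
    receive(jar, "https://www.whitehouse.gov/", [
        "visit=abc123; Path=/",
        "font_size=large; Path=/; Max-Age=2592000",
    ])
    # Another site tries to write into the whitehouse.gov scope; the policy rejects it.
    receive(jar, "https://www.example.com/",
            ["visit=overwritten; Domain=whitehouse.gov; Path=/"])

    same_site = cookies_sent(jar, "https://www.whitehouse.gov/briefing")
    other_site = cookies_sent(jar, "https://www.example.com/")
    jar.clear_session_cookies()  # what closing the browser does to session cookies
    after_restart = cookies_sent(jar, "https://www.whitehouse.gov/briefing")
    return same_site, other_site, after_restart


if __name__ == "__main__":
    for label, sent in zip(("same site", "other site", "after restart"), demo()):
        print(f"{label}: {sent}")
```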
If the government wanted a list of every IP address that has visited any page on any government-operated website, they can do that right now, without a cookie. And, since cookies are subject to deletion or modification by users, that would be the more reliable way to do it, as well.
Now as for:
And when the government knows what your IP address is, then they know who you are on the Internet!
This canard is truly amusing. Right now the RIAA is losing lawsuits because they can’t reliably connect people with IP addresses. It can’t be done without more information than just your IP address, period.
The IP address of the computer I’m sitting at right now is 10.0.1.5. But tomorrow it may be something different, because this address is dynamically assigned every time the machine boots (typical of networked computer behavior). Between me and the Internet is a router that translates that address into a different one for use on the Internet. That router’s address changes periodically as well. And if I pick this computer up and go to my local coffee shop and work for a while, the address changes again. And when I’m at a client site it changes again.