Cookies are text files that your web browser stores on your computer. When you visit a website, it might want to know a little about you in case you come back again (maybe you've selected some preferences or logged into your account). In essence, cookies save you the trouble of reentering the information later.
There are some privacy concerns about all this, though. Keep reading to learn more about them.
It's hard to navigate the Internet these days without coming across a box asking you to Accept All Cookies before you proceed. Perhaps you’re one of those mythical beasts that actually bothers to read the cookie and privacy policies. In reality, though, most of us will just accept them without a second thought.
You might have heard that Cookies have something to do with improving your experience. They're often used to tailor site content to your own preferences – like storing items in your online shopping cart between sessions, for example.
In this article, we'll take a deep dive into cookies: the good, the bad, and the ugly.
A cookie is a small file your computer stores on behalf of a website. There's a disappointing lack of sugar in them, unfortunately. The name, attributed to programmer Lou Montulli, is based on the name of another computing construct called a magic cookie.
But why do computers store that file? Well, there are a few different reasons. Broadly speaking, cookies help a web server to remember you. You'll do something on the website (it could be anything from switching to dark mode to logging in), and your computer makes a note of this. Then, the next time you visit, it hands the information back to the website.
Suppose that you visit everybody's favorite honey-badger-themed website, ilovehoneybadgers.com. It comes with plenty of customization options (e.g., changing your font to Comic Sans or switching the background color). A cookie that notes these preferences is saved to your computer. You navigate away to another mammal appreciation site and then close your browser, but when you come back, ilovehoneybadgers.com reloads your tailored settings based on the cookie.
This is a persistent cookie. It remains even after you close the browser (unlike a session cookie, which is destroyed upon quitting). It's also a first-party cookie because it was created by the website you visited (in this case, the ilovehoneybadgers.com domain).
You might have guessed that a third-party cookie is one that wasn't created by the host domain. Suppose now that both ilovehoneybadgers.com and another website that you visited serve ads to their users. Those ads come from the same provider, whose code is injected into the webpage of both domains.
When you visit either site, the provider creates a third-party cookie for tracking purposes. Then, as you move around the web to other sites with their code, they'll recognize you and serve up the same ads. Essentially, they track your browsing habits to build out a profile used for targeting.
Unsurprisingly, third-party cookies are also known as tracking cookies.
Not all cookies are created equal. As we've seen from the two examples in the previous section, they're a versatile data type. Let's now look at a real-life example: if you've signed into Ask Academy, your browser will show you a cookie for the site. This is what allows you to post questions and answers without constantly needing to log in again.
On Google Chrome, access your cookies by navigating to Settings > Privacy and security > Cookies and other site data. On Firefox, manage cookies under Preferences > Privacy & Security > Cookies and Site Data (note that you should use the Storage Inspector to view their actual contents).
If you dig into the content of the cookie that Academy gives you when you log in (i.e., by decoding it with this tool), you'll see a few things:
The data you pass to the site when you access it. If you log in successfully, the cookie will be created.
Nothing too sophisticated in there, right? There's minimal personal information (and it isn't shared with other domains). Those numbers you see are timestamps – one tells you when the cookie was issued, and the other tells you when it expires. You also see the issuer, your username, your role (user or moderator), and a string related to authentication.
Cookies typically have this key-value pair system. Note that many sites nowadays will provide a user ID. Once an individual visits, the server checks its database for any information it has on them and tailors the user experience accordingly.
If you fire up the prompt to clear your browsing history, you generally get the option to clear cookies, too. When you do this, you don't cause any major damage to site data. You'll notice, however, that you'll need to reenter any login information when you return to the sites that provided you with the cookies.
From our example above, you can see that there's nothing inherently evil about a cookie. Most of the time, first-party cookies work to streamline your experience. That said, you should be aware of the potential privacy ramifications that come with cookies. Ultimately, they can collect personal data – so much so that tightening data protection regulations like the General Data Protection Regulation (GDPR) require that many websites comply with their guidelines.
Third-party cookies can be particularly problematic for those conscious of their digital footprint. You've undoubtedly felt unsettled by advertisements that follow you around the web, based on what you've been reading or watching. Ever see those social media "share" buttons on a website? Even if you don't interact with them, they can parrot information about your activity back to the provider.
Exposing so much potentially sensitive data, often without realizing it, is never a good thing (see also: Device Fingerprinting: How Exposed Are You?). The party harvesting the data may not be complicit in any malicious profiling, but they could sell your data to others that might use it to those ends.
Disabling all types of cookies will lead to a poor browsing experience. However, there are very few reasons not to disable third-party cookies nowadays. Disabling them will reduce the risks of unintended data exposure. If a website blocks your access unless you enable cookies, you can always temporarily switch them back on.
The most rudimentary method of preventing third-party cookies is by sending a Do Not Track request. But you shouldn't rely on this – you're not implementing some advanced technological barrier, you're just asking the website not to serve you personalized content. In the same way that you might ask a burglar not to take your possessions. Sites can – and often do – ignore this request altogether. Originally, Do Not Track was anticipated to be a mandatory requirement, but it failed to gain traction.
Many browsers now block them for you by default (check your browser settings). Failing that, there are a handful of plugins and browser extensions you can use to prevent unwanted tracking, such as Privacy Badger and Ghostery.
Cookies shouldn't necessarily be viewed as the bogeyman of the Internet. If you've checked out our other articles in the Security category, you'll know that it's very easy to unwittingly leak personal information.
First-party cookies are part and parcel of the online landscape today, and for good reason – they improve the quality of your experience by storing information on your machine. Third-party cookies exist not so much for your benefit, but rather for that of data mining entities. By leveraging tools available in your browser, however, you can trivially block the majority of them.