A Comment on Cookies
A cookie contains information in text and code. This information allows the host server of the Website to know certain things about the user, especially about that user's previous interaction with the Website. For example, a simple cookie might be nothing more than a notification of when the user last visited the Website. That way, when the user visits again, the server knows the person has been there before. This might be useful for something like, say, a new versus returning visitor welcome message or site introduction window.
Note, by the way, that the word "person," here, is a bit fuzzy. For the most part, a server sees a computer, not a human being. Cookies can personalize the interaction to some extent, but a server computer generally can't tell who is on a visiting computer. The visiting computer, itself, is uniquely and clearly identified by its so-called "IP address," where the "IP" stands for "Internet protocol." The human at the computer could identify himself or herself by certain information entered on, say, a form; but even then, there is still a lack of complete certainty at the server level regarding who exactly is sitting at the machine during a given session. Eventually (and quite possibly now with very sophisticated programs), the actual person will be identifiable, but that's not much of an issue for the time being. For all intents and purposes, only the computer can be identified with any degree of certainty by a server. A cookie can help narrow down who exactly is on a computer. If two people use the same computer but have different accounts on it, then the cookie set for one user would not be in the "Cookies" folder of the other person; hence, a server that had already tagged the IP address of the computer could further narrow down the actual user by reading a previously set cookie that only one of them had.
There are many ways to classify cookies. Simple cookies generally store a cache of information based upon the very appearance of the visitor at the site or upon options and preferences the user has specified once there. An example of the latter is when a visitor can select certain display preferences (like color scheme, size of fonts, etc.) for a Website. That information would be stored in the cookie for that Website so that, when the visitor came back, those preferences would be loaded automatically. Some cookies set automatically while others build information based upon what you do.
You might have noticed that some Websites, especially some blogs, have a "Remember me" checkbox: if you check it, a cookie will be set in your computer. This cookie holds the basic form information about your name, your e-mail address, your homepage, etc. The cookie will ensure that this information will be filled in automatically every time that form is displayed after the cookie is initially set.
The automatic form fill-in is a very common application of cookie functionality. It saves people having to fill in the same information every last time they have the same form come up.
This could be a worrisome situation. You might be thinking, "But I put credit card information into those forms. Is that information sitting in a cookie file that anyone could read?" Yes and no: yes, the information might be there; but no, the information isn't readable because it's encrypted, so only the originating Website would have the "key" to decrypt and read the code properly.
The complexity of a given cookie mostly has to do with how much information it stores, the kinds of information it collects, and the manner in which the information is retained for later use. Cookies, in and of themselves, are nothing but text files. They can't do anything but hold information for later retrieval. By themselves, they can't run around on your computer and look for all kinds of other information; but that doesn't mean they can't have that information put into them. Other programs can work with cookies to build an impressive laundry list of interesting and exciting facts about a computer user. In particular, Java and ActiveX scripts can do all kinds of snooping, then either report the results directly to a server or put those results into a cookie or other file for later retrieval or broadcast.
Cookies also, by their very existence on a computer, tell a story. Each cookie has a name, usually something like Joe@hotdog.txt. The "Joe" is the name of the user as the computer sees him. (His name might not be Joe, but at some time in the past, probably during the installation of the operating system, he told his computer to call him "Joe." If Joe never gave himself a name for his computer to use, it would probably call him "default," which is why some people see all their cookies start with that word.) The part after the "@" is the domain name of the Website that set the cookie. In this case, we know from just looking at the cookie's name, not even opening the cookie to see what information it contains, that the computer user named "Joe" went to www.hotdog.com.
Suppose we saw Joe@hotdog.txt and Joe@hotdog.txt in the cookies directory. That would mean the Website www.hotdog.com set not one but two cookies.
Perhaps you see the privacy issue. The cookie directory is a free listing of every cookie-deploying site Joe has visited. Oh my gawd! Look at some of those cookie names: Joe@lolibimbo.txt, Joe@boweltroublenow.txt, Joe@whosyerdaddy.txt, Joe@manhoodextendersolutions.txt, and other unfortunate entries.
Gracious. Our friend Joe does get around, if only in his imagination in cyberspace. The cookie directory is by its very listings a profiling resource. (In Joe's case, the profile is clear: L-O-S-E-R!)
Some cookies will have your name and other information. HaloScan, the commenting system preferred by many bloggers, writes a cookie to the user's hard drive that has the information you enter to put in comments, as well as identification information, counter output, and other stuff.
Some cookies record entry page, some record exit page. It all depends upon the sophistication of the script that writes the cookie.
Can a cookie set by one server be read by the servers of other Websites you visit? The answer is in the affirmative, but remember that cookies are written by scripts, so a reader from a non-originating site would have to understand how information was being laid out in a particular cookie to translate the contents into meaningful data. It's not as easy as just having a server look in the "Cookies" directory to rummage around and get all kinds of great information. Scripts to make cookies can be pretty generic, so it's not that difficult in some circumstances for one server to detect and understand a foreign cookie's content. However, if a cookie has encrypted information, that's a whole different issue since a snooping server would have to be able to crack the encryption to get to the interesting information in a foreign cookie. More importantly, it's not as easy as it might seem to get at a cookie that doesn't have the same domain name as the site being visited. It's not impossible; but it's definitely not just like clicking on a directory on your local computer.
Returning to the matter of the NSA setting cookies, a little bit of knowledge goes a long way. The brouhaha that started this week has to do with the fact that the NSA was setting cookies that didn't get deleted when a visitor closed his or her Web browser. In other words, the NSA cookies were "persistent" instead of "session" cookies, which means they didn't have immediate expiration. So-called "session cookies" are no more or less "safe" than persistent cookies, the ones that stay on the computer and don't get deleted at the end of a Web browsing session. A session cookie won't be able to keep track of, say, how many times you've visited the NSA Website, nor will it be able to keep track of other surfing habits you have.
But the point is this: the type of cookie the NSA was setting is rather irrelevant. Once a cookie reports an IP address to its "mother," that information goes into a database. When the visitor unknowingly enters more information to an old (persistent) cookie or unwittingly causes the creation of a new (session) cookie, that information gets sent to the "mother," which then adds it to the database, which keys to IP addresses. In other words, the snooping goes on whether it's one cookie staying there persistently or a string of cookies, each associated with a single session. This means just about anyone could have a profile being built up in that (purely hypothetical, of course) database at the NSA or wherever else profiling of people is an on-going practice.
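An added example, not part of the original post: a toy browser cookie jar in Python that shows the session versus persistent distinction described above, where a visit counter survives a browser restart only if the cookie carries an expiry. The `visits` cookie name, the `Jar` class and the fixed clock are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header, now):
    """Return (name, value, expiry); expiry None means a session cookie."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    expiry = None
    try:
        if "max-age" in attrs:       # Max-Age takes precedence over Expires
            expiry = now + timedelta(seconds=int(attrs["max-age"]))
        elif "expires" in attrs:
            expiry = parsedate_to_datetime(attrs["expires"])
            if expiry.tzinfo is None:
                expiry = expiry.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        expiry = None                # unparseable attribute: treat as session
    return name, value, expiry

class Jar:
    """Toy browser cookie store for a single site (constructed for this example)."""
    def __init__(self):
        self.cookies = {}            # name -> (value, expiry)

    def store(self, header, now):
        name, value, expiry = parse_set_cookie(header, now)
        if expiry is not None and expiry <= now:
            self.cookies.pop(name, None)   # an expiry in the past deletes it
        else:
            self.cookies[name] = (value, expiry)

    def close_browser(self):
        # Session cookies (no expiry) are dropped; persistent ones survive.
        self.cookies = {n: c for n, c in self.cookies.items() if c[1] is not None}

def visits_seen_by_server(attributes, sessions=3):
    """Server sets visits=N+1 on every visit; return the last count it saw."""
    now = datetime(2005, 12, 30, tzinfo=timezone.utc)    # constructed clock
    jar, count = Jar(), 0
    for _ in range(sessions):
        count = int(jar.cookies.get("visits", ("0", None))[0]) + 1
        jar.store(f"visits={count}{attributes}", now)
        jar.close_browser()
        now += timedelta(days=1)
    return count
```

Calling `visits_seen_by_server("")` models a session cookie and `visits_seen_by_server("; Max-Age=31536000")` a persistent one.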
And on another point, going to a government Website and being shocked that the agency sponsoring the Website engages in snooping is a bit silly. It's sort of like walking into a cage with rabid lions and being quite offended when they eat your hind leg. This is the era of the neo-cons: they run this government, and they're not nice people. They have no use for personal privacy; and they're quite literally out to rule the world and to do so through mendacity, violence, and lies. They don't play by rules ordinarily anticipated by members of a civil society that greatly values and jealously protects personal privacy and individual liberty.
They just don't.
In any interaction with their kind and their government, expect that you will be treated to the full power, ferocity, and ill will of technologically-enhanced Medievalism.
The National Security Agency is a cream-of-the-crop spy operation; it has some of the best spooks that money and calls to patriotism (or coërcion) can buy; and it has a black-box budget. Anti-spyware and cookie deletion utilities bought at Elmer's Discount House o' Software aren't going to stop spies who want to know what you're doing; and manually going into the cookies folder on your computer, finding a cookie with the name "Joe@nsa.txt," and deleting it does not in any way, shape, or form give you bragging rights for outsmarting the National Security Agency.
If spies want you to know they've been in your computer, they'll make it so you can see that they've been there. If those same spies don't want you to know they've been there, they'll make sure you don't.
This is related to the matter of why it is that the U.S. releases people from detention where they've been tortured, knowing full well those people, once they're freed, are going to run around screaming, "I've been tortured! I've been tortured!" If our good national security folks don't want it known that someone was tortured, it won't be known. In the same way, if our good national security folks don't want it known that they've been watching you, then you won't know.
In most instances, when we "discover" something the spies have been doing, it's either because they don't care or more likely because they want to advertise, and all the howling upon discovery of the obvious gives them a megaphone at the same time the howling throws in the value-added red herring for their purposes.
To believe otherwise is to assign to our spooks the same level of stupidity possessed by our President and his cabal of crooked, incompetent cronies. Rest assured that, unlike George W. Bush, the operational-level folks at the NSA, the CIA, the FBI, and all the other agencies of ill intent are not stupid, nor are they incompetent.
They are dangerous, mean, frightening, untrustworthy, vicious, and nasty; but they're not stupid.
These high-end law enforcement and spying community men and women are not in some grand sense worthy of idol-worship. They are people who will hurt you if you get in their gunsights. The nearly god-like status to which some people assign a spy like Valerie Plame is misplaced: she, like all excellent spies, did work that in some instances would make your blood curdle. As necessary as spycraft is to the survival of the state, as art and science it is a scythe that does not discriminate between you and anyone else considered an enemy of the state. Should it ever become the case that what you do constitutes work contrary to national security, you will know that you've been followed, profiled, tagged, tracked, and fully quantified. The only problem is that you will know it once it's too late.
The NSA cookies, persistent or session as they may be, are not the focal point of any domestic spying agenda, nor are they even the tip of the iceberg. They just aren't. To think otherwise is to stare at penguins bobbing in the water and argue about the significance of the danger they pose to the hull of the Good Ship Personal Freedom while that good ship, itself, is sinking because of the massive underwater charges that were detonated beneath it.
Regardless of how deeply flawed that last metaphor was, the point is this: if you criticize this Administration, assume that you are being profiled. Assume that the profiling goes on in your Internet travels and pleasure as well as in your real-world life. As a corollary, assume that, if you really do come to be regarded as a threat to national security, you will pay. And if you believe that the "rule of law" will ultimately win the day and that your free-speech right of protest against the government will be upheld, you might be gruesomely surprised to learn that history (not the kind in movies and fantasy novels, but in real life) has no special fondness for the good guys.
On the other hand, character-building through suffering is woefully underrated these days.
And living forever is terribly overrated.
The Dark Wraith encourages you to have a great Internet experience tonight and always.