Junkbusters

How Web Servers' Cookies Threaten Your Privacy



You can be tracked from your mouse clicks


The pages you read tell marketers what junk to push on you

Imagine that your remote control informed stations the second you switched to them, and that they could sell this information to their advertisers to help them decide what junk mail to send you.

Would you want to be pushing buttons on a remote that could tell an insurance company to phone you while you're watching a program about financial planning? Well, your mouse and browser are now giving them exactly that power, except that instead of just the channel number, they are getting the exact URLs of the Web pages you look at.

We want you to know how they can identify you individually and how you can protect your identity from being discovered and sold. Don't let them use your browser as a tool of surveillance. Stop them now.

What your browser tells them

Your browser is probably revealing more than you might want: which computer you are coming from, what software and hardware you are using, details of the link you clicked on, and possibly even your email address. For specifics on your browser click on our demonstration page.

If your ISP is running an identd daemon, or if you leave certain IRC clients running while you surf, servers can ask for your identity at the time your browser requests a page. Try our test to see whether this is happening to you. Some firewalls (rightly) block these requests, so if the browser goes silent just interrupt the transfer request with the stop button. If you're running an IRC client you may find the disclosure stops when you turn it off; see instructions below.

How they can find out who you are

All they may need is your email address because various databases let them look up your name and address from it.

  1. People often type their email or postal address into forms, when registering at a site or requesting information.
  2. Some browsers that include a mail handler disclose the user's email address in certain situations, such as when requesting a file by FTP, which you can do simply by clicking on a link that happens to begin ftp: rather than http. You can tell your browser not to do this.

Cookies tell them it's you every time you click

Many organizations use ``cookies'' to track your every move on their site. A cookie is a unique identifier that a web server places on your computer: a serial number for you personally that can be used to retrieve your records from their databases. It's usually a string of random-looking letters long enough to be unique. They are kept in a file called cookies or cookies.txt or MagicCookie in your browser directory/folder. They are also known as ``persistent cookies'' because they may last for years, even if you change ISP or upgrade your browser.

If you look at your cookies file you may see the names of web sites that you have never heard of. They were probably put there by companies that resell advertising space from a large number of popular sites. Those ad placement companies maintain huge databases recording details of who looks at which pages. The larger ones have cookies in place on millions of people's browsers. If you use one of the popular search engines, the queries you type are probably being logged and analyzed too. We wonder whether some companies are selling your identity as part of the package.
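One way to carry out the inspection described above is to summarise the cookies file per domain: how many cookies each site holds, how long the longest-lived one will persist, and whether the site is one you knowingly visited. This is an added example, not code from Junkbusters; it assumes the seven-field, tab-separated Netscape cookies.txt layout, and the sample file contents, function names and the `visited` parameter are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the Netscape cookies.txt layout: seven tab-separated
# fields (domain, subdomain flag, path, secure flag, expiry as Unix time,
# name, value). Every host and value here is made up.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    "\n"
    ".ads.example\tTRUE\t/\tFALSE\t1893456000\tid\t8f3a9c21d7e04b55\n"
    ".ads.example\tTRUE\t/\tFALSE\t1893456000\tseg\tgarden\n"
    "shop.example\tFALSE\t/\tFALSE\t946684800\tcart\t17\n"
    "news.example\tFALSE\t/\tFALSE\t0\tsession\tabc\n"
    "truncated line without tabs\n"
)
SECONDS_PER_YEAR = 365 * 24 * 3600


def parse_cookies_txt(text):
    """Yield one dict per well-formed cookie line; skip comments and junk."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # damaged or foreign line: ignore rather than guess
        domain, _sub, path, secure, expiry, name, value = fields
        yield {"domain": domain.lstrip("."), "path": path,
               "secure": secure == "TRUE", "expiry": int(expiry),
               "name": name, "value": value}


def audit(text, now, visited):
    """Summarise cookies per domain as of Unix time `now`.

    `visited` is the set of sites the user knowingly went to; any other
    domain is flagged as unfamiliar (for example an ad placement company).
    """
    by_domain = defaultdict(list)
    for cookie in parse_cookies_txt(text):
        by_domain[cookie["domain"]].append(cookie)
    report = {}
    for domain, cookies in by_domain.items():
        longest = max(c["expiry"] for c in cookies) - now
        report[domain] = {
            "count": len(cookies),
            "years_left": round(max(longest, 0) / SECONDS_PER_YEAR, 1),
            "unfamiliar": domain not in visited,
        }
    return report
```

Calling `audit(open(path).read(), int(time.time()), {...})` on a real cookies file gives the same report; entries marked unfamiliar with many years left are the persistent identifiers this section is about.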

Any web site that knows your identity and has a cookie for you could set up procedures to exchange their data with the companies that buy advertising space from them, synchronizing the cookies they both have on your computer. This possibility means that once your identity becomes known to a single company listed in your cookies file, any of the others might know who you are every time you visit their sites.

The result is that a web site about gardening that you never told your name could sell not only your name to mail-order companies, but also the fact that you spent a lot of time one Saturday night last June reading about how to fertilize roses. More disturbing scenarios along the same lines could be imagined.

There are of course many beneficial and legitimate uses for cookies, as Netscape explains. They also allow ``mass customization'' of the content on web sites. But it's not generally possible to tell from looking at a cookie alone how it will be used. Because of the possibilities of misuse we recommend stopping cookies except for sites where you really need them.

How to disable cookies

A cookie management package is the best first line of defense. You can also tell your browser that you don't want cookies, or to alert you to attempts to place a cookie. (Or if you use your cookie management software to accept cookies selectively, tell your browser to warn you before accepting cookies.) If you're using a major browser numbered below 4.0 it probably only gives you the option to refuse each cookie at the time it is pushed at you: you have to keep saying no every time.

  1. On Netscape 3.0, try the Options menu: go to Network Preferences, then Protocols. Under Show an alert before check Accepting a cookie. (Don't forget to Save your option settings.)
  2. On Microsoft Internet Explorer 3.0, try View, then Options, then Advanced, check the box Warn before accepting cookies.
  3. On Netscape Communicator 4.0b2, go to Edit, then Preferences, then Advanced, click on Never accept cookies (or Warn me before accepting a cookie).
  4. For MS-IE 4.0: View, Internet Options, Advanced, scroll down to Security, Cookies, Disable all cookie use; alternatively: Right click IE shortcut, select Properties, select Advanced, scroll down to Cookies, select options.
  5. We're told that to stop cookies on Juno Web choose Options, E-mail options, HTML E-mail preferences, Change security settings, Advanced, scroll to "security" and find "cookies", set desired option. Please tell us if this isn't right. For WebTV's browser we're not even sure whether it accepts cookies, stores them on the server or allows them to be disabled. If you have better data, please tell us.
  6. Cookies are also supported in Opera and the latest version of Lynx.

Your browser may be different: it may not support cookies, or it may not allow you to stop them. Even if it does, you may have to click on cancel each time a web site wants to push a cookie on you. (Some set several per page.)

One method that works with some browsers (such as Netscape) is making the cookies file read-only (right click, choose properties) or creating a directory of that name. (On Macs, remove the MagicCookie file and create an empty folder of the same name.) However, any browser could cache cookies even when it can't write them to a file. If you remove the file your browser will probably just quietly make a new one. Some people use a batch file to delete the file on start-up.

We have had reports of the following undocumented methods for stopping cookies permanently under Windows, but haven't tried them ourselves.

  1. For MS-IE, delete the following entry in the Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Special Paths\Cookies] Next reboot and delete the WINDOWS\COOKIES directory.
  2. For Netscape delete the following entry in the Registry: [HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Cookies] "Cookie File"="C:\\DECODER\\Netscape\\Cookies.txt" then delete the COOKIES.TXT file.
A Microsoft support article states that even if you try to delete cookie files, they may remain.

How and why you should disable ActiveX, VBS, Java and Javascript

We also recommend disabling Microsoft ActiveX, Visual Basic Script (VBS, also humorously known to security experts as Virus Building System), Java and JavaScript, due to the large number of serious security loopholes they have opened, and because they provide servers with another way to get Referer and other information. (Disabling Java also stops many pop-up ads and interstitials.) On Netscape 2.0, look under Options, then Security. On Netscape 3.0, look under Options, Network, then Languages. On Netscape Communicator 4.02, select Edit, Preferences, Advanced then deselect Enable Java and JavaScript.

Microsoft publishes instructions on how to disable active scripting. [FAQ] [NICP Assessment]

Our instructions for disabling ActiveX were taken from a single version of Windows; please tell us appropriate instructions if your version differs. From the Windows Start menu, select the Settings | Control Panel command; in the Control Panel window, double-click the Internet Options icon; in the Internet Properties window, click the Security tab; in the Security panel, click the Internet icon; click the Custom Level... button; scroll down to the entry for Run ActiveX controls and plug-ins and click Disable; then click OK and OK again.

What other privacy-invading features should I disable?

Be sure the following options are not checked: Send email address as anonymous FTP password and Enable Autoinstall. They are in Netscape 4.X in the panel above. If you know the procedures for other browsers, please tell us. To check whether your email address is being given away, visit any FTP site such as ftp://ftp.funet.fi/ that displays the login name given by your browser. It should be UNKNOWN if your browser is configured correctly.

On Netscape 4.06 and above, we recommend disabling the What's Related feature.

MS IE-4.0 allows servers to determine the URLs you view at their site even if accessed from cache or through a proxy. To disable this, try: View, Internet Options, Advanced, clear the check-box beside Enable page hit counting. Or get another browser.

We're told by a user of the IRC client mIRC that the following lines will disable identd when it's not needed by the client.
   on 1:start: .identd on
   on 1:disconnect: .identd on
   on 1:connect: .identd off
The lines are placed under remotes in the mIRC editor. If you have any experiences or advice on this, please tell us.

Other things you can do to protect your privacy on the Web

The Internet isn't an easy place to keep your privacy, but a few Web sites help.

  1. Use a software package such as our free proxy server to remove unwanted cookies and other sensitive headers (as well as banner ads).
  2. There are various services such as the Anonymizer that conceal your IP address. Other add-on products also reduce the amount of personal information that your surfing discloses.
  3. Tell organizations not to sell or share the information they collect about you. JUNKBUSTERS DECLARE makes this easy by drafting the letters for you.
  4. To warn visitors to your home page about the risks explained here, you are welcome to add a sentence like ``You can be tracked from your mouse clicks'' with a link to our demonstration URL (http://www.junkbusters.com/cgi-bin/privacy). [See examples]
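Item 1 of the list above recommends a proxy that removes unwanted cookies and other sensitive headers. The filtering step can be sketched as follows; this is an added example, not the code of the Junkbusters proxy, and the function name, the cookie allowlist parameter, the replacement User-Agent value and the sample request are assumptions made for illustration.

```python
# Request headers that carry what this page warns about: the link you
# clicked on (Referer), your e-mail address (From), and the Cookie identifier.
STRIP_ALWAYS = {"referer", "from"}
GENERIC_USER_AGENT = "Mozilla/4.0"  # assumption: a bland constant value

# Constructed sample request; every host and value is made up.
SAMPLE_REQUEST = (
    "GET /roses.html HTTP/1.0\r\n"
    "Host: garden.example\r\n"
    "User-Agent: Mozilla/3.0 (Win95; I)\r\n"
    "Referer: http://search.example/?q=fertilize+roses\r\n"
    "From: user@isp.example\r\n"
    "Cookie: id=8f3a9c21\r\n"
    "Accept: */*\r\n"
    "\r\n"
)


def scrub_request(raw, cookie_allow):
    """Return (scrubbed request text, list of removed header names).

    raw          -- an HTTP/1.x request with CRLF line endings
    cookie_allow -- hosts that may still receive the Cookie header
    """
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, headers = lines[0], lines[1:]

    # Find the target host first; an unparsable Host value simply fails the
    # allowlist check, so the cookie is withheld by default.
    host = ""
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]

    kept, removed = [], []
    for header in headers:
        key = header.partition(":")[0].strip().lower()
        if key in STRIP_ALWAYS or (key == "cookie" and host not in cookie_allow):
            removed.append(key)
        elif key == "user-agent":
            # Replace rather than drop the software/hardware details.
            kept.append("User-Agent: " + GENERIC_USER_AGENT)
        else:
            kept.append(header)
    return "\r\n".join([request_line] + kept) + sep + body, removed
```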

Our services follow the principle that information about people should be made visible to those people and be approved by them. And we don't push cookies.


Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/cookies.html