Our coronavirus coverage is free for the first 24 hours. Find the latest information at Please consider subscribing or donating.

  1. Archive

Reigning in the Web browser "cookie' monster

You may be giving away more personal information while you surf the Net than you realize, thanks to innocuous "cookie" files.

Recent news about viruses, hacker invasions, denial-of-service attacks and Trojan horses illustrate the vulnerability of the Internet to criminal assault. But what about the hidden attacks on our privacy from seemingly innocuous sources, such as the Web sites we visit and the e-commerce transactions we make?

You may not realize it, but "cookies" (those little tags placed on our computers ostensibly to identify us to a Web site when we visit it a second time) can be toxic as well as beneficial.

Sure, you want the convenience of being "remembered" by your favorite sites and may take advantage of personalization features such as MyYahoo or MyExcite. But do you want to be "followed" as you surf the Web, with information being collected and aggregated into profiles that tell advertisers all about you? Cookies can do that, too.

According to a recent survey by Cyber Dialogue, an Internet customer relationship management company, more than 46 percent of Web browsers are set to accept all cookies indiscriminately, without any warning to the user. Only 3 percent are set to reject all. Yet 49 percent also feel that sharing personal data with other Web sites via cookies is an invasion of privacy.

Why are so many people concerned about Internet privacy but seemingly not doing anything about it? Basically because managing cookies is too technical a task for most people. Opening up Internet Explorer 5.0's preferences panel, I counted more than 250 cookies in my "jar." And this is for a browser I have been using for only a month. Most of the cookies had cryptic or generic names that indicated nothing about their purpose or use.

The reality is that the average surfer can't figure out which cookies are "good" (used only to provide added services to the user) and which are "bad" (used to collect personal information that will be sold or exchanged with others).

The one piece of information that was easy to decipher was the "server" column, which tells you the source of the cookie. While most were from sites that I remembered visiting, a disturbingly large number were related to advertising, from banner networks such as Engage, Link4Ads, AdMaximize, DoubleClick, LinkExchange and

If you doubt the information-gathering power of these networks, just visit their sites and see what they promise to deliver to advertisers. After all, advertisers want proof that their ads are being seen by their target audience, which means you.

Happily, solutions are beginning to emerge that help you fight back against the data collectors without giving up the beneficial aspects of site personalization. There are two basic approaches to the problem. The more limited one focuses on cookies, letting you choose which ones to accept or deny. These usually distinguish between cookies from ad networks versus site-specific cookies, so you can routinely block the former without affecting the latter.

For the truly paranoid, or those whose work demands utmost secrecy, there is a class of anonymous proxy servers that basically intercept Net traffic to and from your computer, making sure that none can be traced back to you (unless you allow it).

This broad cloak covers e-mail, chat and Internet newsgroups, as well as surfing. Most consumer-friendly proxy servers involve fees, but, in a strange twist, a new class of ad-supported opt-in servers is emerging.

While an ad-supported proxy server devoted to preserving privacy might seem like a contradiction in terms, it can offer many benefits to user and advertiser. The user is assured that personal data will be aggregated with other users' before being sent to advertisers, while ad networks can provide targeted advertising of interest to the user.

So what are the options? In the cookie-control category, there are six major commercial packages, half of them free: AdSubtract Pro, IDcide Privacy Companion, McAfee Internet Guard Dog, Norton Internet Security, PC Magazine's CookieCop and Siemens' WebWasher.

There also are shareware products, but most of these are out of date. In this fast-changing and complex area, you probably are better off with a commercial solution.

PC Magazine's CookieCop is a free program that does exactly what it says: It notifies you of all cookies and lets you accept or reject them by site. It works with most browsers, and a new Plus version adds the ability to block certain Web sites and graphics. While it works fine, it can be tedious to respond to every cookie.

Siemens' WebWasher is another free program with a different focus. It cleans up your browser and system files after each browsing session, clearing out the cache, cookies, history, forms data and more, leaving no trace of your surfing. You can designate certain cookies as keepers, if you want to remember a few trusted sites. It works with most browsers and is the only cookie-cleaner on our list to support Mac and Linux as well as Windows.

Symantec's Norton Internet Security and McAfee's Internet Guard Dog take a bigger bite out of the cookie and Web security problem. NIS' cookie-control options include blanket ad blocking, which gets rid of ads and their cookies, and the ability to designate certain personal info that may not be transmitted to unsecured sites. NIS includes many additional features, such as virus control, a firewall and child-safe site blocking.

Internet Guard Dog is a similar complete utility that incorporates ad blocking, McAfee's VirusScan software, file encryption and password storage.

McAfee touts the program's ability to filter Internet Messenger and chat room streams for objectionable words or personal data. Settings for both NIS and Guard Dog can be configured for multiple users, a big convenience.

But our favorite cookie-cutters were IDcide Privacy Companion and AdSubtract Pro, both applications devoted specifically to cookie management that do the best job of combining control and ease of use.

AdSubtract Pro intercepts ads and cookies, and you can configure it to block them from all sites or only from some sites. Ad-blocking means faster page downloads, a nice side effect. It also can block things such as pop-up windows, animations and background music, further conserving bandwidth.

IDcide's Privacy Companion is a new entry with some powerful features. It can distinguish between "local" cookies and third-party cookies such as those from ad networks and automatically ban the latter. This is great because many sites you want to personalize and allow cookies from also have hidden ad network cookies.

The other cool feature of IDcide is that it puts little icons in the corner of your browser that show you instantly when you're being tracked. Privacy Companion is free; IDcide hopes to make money from sites that want to cater to its customers.

In the anonymous proxy server category, we have Anonymizer, Junkbusters, Privada and Freedom. Junkbusters is a free download that hopes to make money from advertisers. It allows users to specify what information may be transmitted to whom, in an "opt-in" approach. It can block cookies, graphics and other types of data, from all sites, allowing in only those from trusted sources. It works a lot like the cookie-cutters listed above (which are really proxy servers under the hood).

Anonymizer goes a step further, with total blocking of your URL (so even your ISP can't log you), blocking of "hostile" Web-based programs in Java and JavaScript. Even better, since it's Web-based, it works with any platform or browser, and there's no software to install on your computer. You simply configure the proxy server settings in your Web browser for Anonymizer.

Another entry, Lumeria's, will offer a free cookie and ad-management service next month that relies on opt-in ad sponsorship. Users can specify what information they want to give to advertisers, and information will be aggregated so it is not traceable to a specific person.

All ads but Lumeria's will be blocked. Like Anonymizer, it will be platform-independent. One interesting benefit of the opt-in advertising model is that it allows local advertising, which should be of much more interest to consumers than the typical national banners.

Finally, and are for the truly devoted privacy hounds. They let you develop whole online identities separate from your real-world ones for your Web activities, including e-mail, chat and surfing.

The big advantage of this approach is that you don't have to constantly make decisions about cookies, since you are not identifiable anyway. Your online persona has your characteristics and preferences, however, so you still can receive personalized information. But you won't get any mail or phone calls to your residence.

Privada's Web Incognito and Messaging Incognito are available for $5 a month direct, or through certain ISPs.

Zero-Knowledge Systems' costs $49.95. Both are available only for the PC.

Whatever cookie-busting program you choose, you will be taking the first steps toward safeguarding your privacy on the Web. Several industry and legislative privacy initiatives are in the works, notably the advertiser-sponsored Network Advertising Initiative and the World Wide Web Consortium's Platform for Privacy project. Maybe the need for consumers to constantly monitor cookies will soon evaporate.