Cookie Monsters

The innocuous text files that Web surfers love to hate.

Download the MP3 audio version of this story here, or sign up to get all of Slate’s free daily podcasts.

Slate uses cookies. So do the New York Times, the Washington Post, and almost every media site on the net. Popular blogs like Daily Kos and Powerline have embraced them. Google and Yahoo! dispatch them to better target ads. Retailers like Amazon rely on them to fulfill orders. Even Sesame Street deploys them on its Web site.

Cookies are simply text files sent by a Web site to your computer to track your movements within its pages. They’re something like virtual license plates, assigned to your browser so a site can spot you in a sea of millions of visitors. Cookies remember your login and password, the products you’ve just bought, or your preferred color scheme. Sites that ask you to register use cookies to target advertising—someone who claims an annual salary of $35,000 might see ads for Boca Burgers rather than foie gras.

Though cookies make navigating the Web profoundly easier, those who deploy them have done a lousy job at promoting their utility. The result is that lots of people don’t trust them. Many surfers erase cookies frequently or refuse them entirely, blaming them for everything from spying, to identity theft, to slow Internet connections. A slew of security products lump them in with spyware, viruses, and other nasties and promise to snuff them out at no extra charge.

Cookies are not software. They can’t be programmed, can’t carry viruses, and can’t unleash malware to go wilding through your hard drive. Only the Web site that sent you the cookie can read it. As soon as you leave a site, its cookie sits dormant, waiting for your return.

The exceptions are third-party cookies—also known as “tracking cookies”—placed by an entity (usually a marketing or advertising company) that’s interested in tagging visitors. Often they make sure a user won’t be hit with the same ad twice; others guarantee that someone who says they have an interest in sports gets different ads than someone who likes gadgets. But third-party cookies could also be used to compile a dossier of surfing habits. Say you visit a Web site with cookies served by a marketing company like DoubleClick. The cookie it dispatches will come alive every time you visit another site that does business with DoubleClick. That means it could track you over dozens of sites, logging every article you read, every ad you click on, and every gadget and gizmo you buy without your knowledge or approval.

What makes many people uneasy is the potential for DoubleClick or a similar firm to match a user’s e-mail, home address, and phone number to his surfing history. How do we know the company won’t use this information for purposes other than advertising and marketing? All we have is its word that it won’t “attempt to know the real-world identity of the owner or user of a computer’s browser.” DoubleClick was pummeled six years ago when it announced its intent to create a database of consumer profiles that would include names, addresses, and online purchase histories. After public outcry and a class-action suit (which was settled in 2002), DoubleClick did an about-face and said it had made a huge mistake.

Still, the potential for marketers—which in lieu of governmental oversight regulate themselves—to abuse their position as third-party ad servers is the prime reason why all cookies have been demonized. The bad reputation of cookies has contributed to the formation of an entire industry that’s based on snuffing out potential threats on consumer desktops. The more threats they find, the more valuable their product. It’s funny, then, that many of the same companies that demonize cookies—McAfee, SpyWare Doctor, and STOPzilla—toss them at you when you visit their Web sites.

So, what would happen if the king of the Internet magically banned cookies tomorrow? Much of the Web would cease to exist. Ad-supported sites like Slatewould either go under or start charging you to visit—without a way to gauge how many people have looked at an ad, online advertisers would pull the plug. And instead of aiding privacy, the death of cookies might very well stifle it. Many Web sites would require more frequent registration—you’d have to log in every time you visited the New York Times, since the site wouldn’t remember you. And forget about shopping online.

The Web often feels like a free medium, where you can read anything you want free of charge. What keeps it cheap and convenient, though, is that it’s an advertisers’ medium. At the same time that ad revenue allows companies to serve content free of charge, consumers have unprecedented control over how they consume ad content, both online and offline. Just like you can TiVo shows and skip the commercials, you can block pop-up ads, filter junk e-mail, and corral cookies. Every major browser (Internet Explorer, Safari, and Mozilla Firefox) lets you customize your cookie consumption to accept them from sites you trust, reject them from parties you don’t, or block them entirely.

Marketers don’t fear that the government will ban or restrict cookies some day. After heavy lobbying they managed to secure an amendment to the Securely Protect Yourself Against Cyber Trespass Actthat would exempt cookies from any spyware legislation that passes in the House. Instead, they are afraid that consumers will continue to delete them, which could put a major dent in advertising revenue and undermine the economics of boatloads of sites. If they want to avoid this ignominious end, the marketers who depend on cookies had better figure out a way to market the cookies themselves. A good place to start is to abolish third-party cookies. Only then can they put the focus on the miraculous text files that let you shop and read newspapers with the greatest of ease.