Cookie Monster

Go ahead, admit it – you remember the song… “C is for Cookie, that’s good enough for me.” One of my favorite Sesame Street characters as our children were growing up.

In another use of cookies, a friend exclaimed recently that she had been browsing the Amazon site for some items and later got an email from Amazon suggesting some similar products. Roughly quoting her, “That’s creepy. I felt like I was being stalked.” How did Amazon do this? Through the use of one or more browser cookies, and customer information from logging in. A browser cookie is a little snippet of code that is stored with or near your web browser, usually with a name, a value to go with that name, and an expiration date. Let’s see how this might happen and then turn the tables and ask whether or when cookies might be appropriate on a web site that you produce.

I just removed all of the Amazon cookies in my Firefox browser, and then visited the site. Then I went to Preferences in my browser, clicked on the Privacy tab, clicked on Show Cookies, and found that my arrival at the Amazon site had generated 5 separate cookies. Each cookie had a cryptic name (session-token, apn-user-id, etc.) with an assigned value – most likely something random, but remembered and stored at Amazon. But Amazon doesn’t know who I am. I had erased earlier Amazon cookies, and the home page for Amazon invites me to sign in. Once I sign in, Amazon can associate one of those cookie values with my account, which also includes an email address. Now, I start browsing the Amazon web site, and on each page my unique cookie ID gets recorded. So if I search for books on astronomy, Amazon knows that the customer with this cookie ID is looking for astronomy books, and they can link this preference to my customer information and later send me an email with more astronomy suggestions. Creepy? Maybe. Helpful? Maybe.

Cookies in web sites started out innocuously enough. Storing a tiny bit of information, a unique ID for the visit, allows a web site to improve the user experience. Returning to the Amazon example – if I sign in at some point, then my checkout procedure will go more smoothly. The only way Amazon can know that I am still signed in is by storing a cookie. On each subsequent page I visit, Amazon checks to see if there is an Amazon cookie on my browser, connects that to my signed-in status, and lets me see “Hello Douglas” at the top of each screen.

Not to alarm you, dear reader, but by coming to the ASHMUG web site and reading this blog, you’ve had several cookies set for the ashmug.com domain. These are benign, because we’re a good organization, run by ethical people, without any financial incentives to invade your privacy. Sadly, this is not always the case with other sites.

This early use of cookies has grown into its own form of cookie monster, and frankly I probably don’t know half of the uses and abuses of cookies today. One example of an early idea gone rogue is a persistent cookie that might be used by more than one web site. Let’s say that one site sets a cookie as part of displaying an advertisement. The company that serves up the ad stores a cookie, and remembers that you saw that ad. You then visit another site which is serviced by the same ad company. They spot the cookie set earlier, and combine that information with the newest site you’ve been to, or the kind of product you were seeking. Now, one company is building a shopping preference profile on you. They may not know who you are yet, but if you sign in on one of your stops and that web site has a joint marketing agreement with the ad company, some information may be shared.
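
The cross-site tracking described above, as an added example that is not part of the original post: a small JavaScript simulation of an ad server and a browser's cookie jar, showing one profile forming across two sites and what changes when third-party cookies are blocked. The domains, the `uid` cookie name and the function names are all made up for illustration.

```javascript
// Added illustration: simulates the ad-company tracking flow described above.
// All names (ads.example, the two sites, the "uid" cookie) are constructed.
const profiles = new Map(); // ad company's store: cookie ID -> pages where its ad was shown

// Constructed 16-hex-digit ID; a real server would draw this from a CSPRNG.
const newId = () =>
  Array.from({ length: 16 }, () => Math.floor(Math.random() * 16).toString(16)).join("");

// Ad server: reads the Cookie header, issues an ID if absent, logs the embedding page.
function serveAd(req) {
  const m = /(?:^|;\s*)uid=([0-9a-f]+)/.exec(req.headers.cookie || "");
  const uid = m ? m[1] : newId();
  if (!profiles.has(uid)) profiles.set(uid, []);
  profiles.get(uid).push(req.headers.referer);
  const expires = new Date(Date.now() + 365 * 864e5).toUTCString(); // one year out
  // SameSite=None; Secure is what lets a browser send the cookie from other sites' pages.
  const setCookie = m ? null : `uid=${uid}; Expires=${expires}; Path=/; SameSite=None; Secure`;
  return { uid, setCookie };
}

// Minimal browser: one cookie jar for ads.example, optionally blocking third-party cookies.
function makeBrowser({ blockThirdParty }) {
  let jar = null; // stored "uid=..." pair for ads.example
  return {
    visit(pageUrl) {
      // The page embeds an ad from ads.example, so the browser makes a cross-site request.
      const headers = { referer: pageUrl };
      if (jar && !blockThirdParty) headers.cookie = jar;
      const res = serveAd({ headers });
      if (res.setCookie && !blockThirdParty) jar = res.setCookie.split(";")[0];
      return res.uid;
    },
  };
}

// Returns how many distinct IDs the ad company saw, and the longest per-ID history.
function simulate(blockThirdParty) {
  profiles.clear();
  const browser = makeBrowser({ blockThirdParty });
  const ids = new Set([
    browser.visit("https://news.example/astronomy"),
    browser.visit("https://shop.example/telescopes"),
  ]);
  const longestProfile = Math.max(...[...profiles.values()].map((p) => p.length));
  return { distinctIds: ids.size, longestProfile };
}

console.log("cookies allowed:", simulate(false));
console.log("third-party blocked:", simulate(true));
```

With cookies allowed, both visits land under one ID; with third-party cookies blocked, each visit looks like a new stranger to the ad company.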

If you are developing a regular web site – some kind of pamphlet site that provides information for others to read – you probably don’t need to set cookies. If you are connecting to or using an e-commerce function, cookies are practically required and either your e-commerce partner or your web developer will build this in. WordPress, the well-known blogging engine (which runs this ASHMUG web site and blog), assigns some cookies on its own – again, perfectly benign. It’s possible to add WordPress plug-ins to set cookies on your own, if that can enhance your users’ experience. Programming languages for web sites, like JavaScript, PHP, or Lasso, have streamlined ways to add and read cookies.

My description is not intended to make you swear off websites and logins. While it is possible to adjust your browser (both on Safari and Firefox, go to Preferences, then Privacy) and block cookies, you will find your browsing experience becomes miserable. Just like with many other aspects of the Internet and life in general, we just need to be thoughtful about when we share information with others – particularly contact and financial information. Legitimate users will have carefully designed privacy policies that we can either accept or reject. And in both Safari and Firefox you can go to the same Preferences area, and specifically delete cookies from a particular site. If you don’t want someone else to know that you were looking for volume discounts on Hostess Twinkies, you can wipe that slate relatively clean. There isn’t a wolf behind every tree, but going into the woods without a flashlight is not a good idea.