Government OKs Net cookies

After years of warning its citizens about the dangers of cigarettes, cholesterol, and sexually transmitted diseases, the U.S. government is issuing a more upbeat advisory. Cookies, it seems, are OK.

Internet cookies, that is. The bulletin, quietly issued by the Energy Department's Computer Incident Advisory Capability (CIAC) last week, said the hype about cookies has far outweighed the actual hazards of the technology.

"The popular concepts and rumors about what a cookie can do has reached almost mystical proportions," the bulletin reported. An Internet cookie "is not an executable program and cannot do anything to your machine."

One such rumor held that America Online was planning to use a cookie to glean private information about users from their hard drives.

Cookies, the bulletin goes on to explain, consist of a small amount of data that a Web server sends to a browser when a surfer visits a site that employs the technology. Most cookies are active only during a single browsing session and disappear after a user shuts down her browser.

But so-called persistent cookies plant the data on the private computer of the user, serving as a digital identification tag. The site that planted the cookie then can access that tag on subsequent visits to identify the user. An example of this type of cookie is in sites that ask users to register and enter a password, but are able to let in the user on subsequent visits without having the user re-enter the password.

The bulletin lists a number of such useful cookie applications, including keeping track of what a user puts in his "shopping cart" at retail sites such as online bookstore Amazon.com.

Most browsers let users block cookies, and some companies offer software that keeps cookies safely in their virtual jars.

Despite its upbeat assessment of the technology, however, the bulletin acknowledged that cookies are employed for some "less admirable" uses.

"Cookies are being used for tracking people's browsing habits, and that makes a lot of people really uncomfortable," report author and CIAC security specialist Bill Orvis told CNET's NEWS.COM. "People think they were anonymously browsing, and then it turns out that someone's keeping a list of sites they visit."

Orvis pointed out that those lists are not comprehensive and only track visits to sites that contract with the same company. Marketers such as DoubleClick compile such lists to build user profiles based on site visits.

Though such techniques may make some Web surfers uncomfortable, analysts note that companies such as DoubleClick use the information to tailor ads to individual users--ads that users would see regardless of whether their cookie information had been gleaned or not. Abuse of this information, however, is not hard to imagine.

"The potential problem is that companies without a sense of ethics could be doing same thing and selling addresses to offline marketers," said Electronic Frontier Foundation program director Stanton McCandlish. "They could be calling the cops any time you search for things they think you shouldn't be."

On the whole, however, McCandlish agreed with the gist of the CIAC bulletin. "They're right--there's nothing inherently bad about cookies. There are ways to abuse this technology, but it's really difficult to imagine a technology that can't be abused," he said.