Berkman Center for Internet & Society

    5. Cookies and Clickstreams: Madison Ave. is Watching You
    Introduction

    When you browse the Web, your browser communicates with web sites through the HyperText Transfer Protocol (HTTP) to get the web pages you request.  One of the distinguishing features of HTTP (as opposed to File Transfer Protocol and Telnet) is its instantaneous nature.  There is no real connection between a web server and browser during an HTTP session.  The browser makes a request, the server fills it and moves on to its next request.  When your browser makes another request, it does so as if it had never made the first.  This is a good thing because it reduces server load (the server does not need to keep a connection open with your computer while you browse a page) but it is a bad thing because your browser must make a new connection for every request and the server treats every request as unrelated to any other.  So-called "stateless" protocols are a problem for features like shopping carts or password saving because such features require some memory of what happened in previous requests from the same browser.  Tracking a user by transactional information, cookies and the proposed Open Profiling Standard (OPS) are ways in which web servers are attempting to introduce "state" into HTTP.

    Tracking Transactional Information

    To download this file, your browser sent a request to the Berkman Center server asking for the text of the page along with its accompanying images and scripts.  The page requested, and the IP address to send it to, must have been sent to our server.  Depending on which browser you use, however, other information, such as the name and version of the browser and the page that referred you to this one, might also be supplied.  Our webserver stores all the information your browser provides and, with that information, a good web sleuth could determine much more about you, such as how long you stayed at the site, what links you followed and ignored on our site, where you are, what company you work for (or which Internet Service Provider you use) and what type of computer you are using.

    We collect that information to help us in tailoring our web pages for our users and to allow you to continue checking discussion groups without having to re-enter your username and password.  However, as the Center for Democracy and Technology warns:

      When [transactional information is] correlated with other sources of personal information, including marketing databases, phone books, voter registration lists, etc, a detailed profile of your online activities can be created without your knowledge or consent. (CDT Privacy Demonstration Page, Center for Democracy and Technology, visited March 18, 1998)


    According to Netscape, the first to implement cookie technology:
      Cookies are a general mechanism which server side connections (such as CGI scripts) can use to both store and retrieve information on the client side of the connection. The addition of a simple, persistent, client-side state significantly extends the capabilities of Web-based client/server applications. (PERSISTENT CLIENT STATE HTTP COOKIES, Netscape, visited March 18, 1998)
    In English, c|net explains,
      Cookies are small data files written to your hard drive by some Web sites when you view them in your browser. These data files contain information the site can use to track such things as passwords, lists of pages you've visited, and the date when you last looked at a certain page. (C|NET Glossary: Cookie, C|NET, visited March 18, 1998)
    Most browsers support cookie technology, which allows any web server to write directly to a cookie file on your hard drive and to read back the cookies it has set.  Though cookies were first used for site personalization, shopping baskets, and saving user IDs and passwords, they are now also used for targeted marketing and tracking across sites (see Cookie Central and Cookies Revisited by HotWired's Marc Slayton for more information).  DoubleClick, an advertising company, sets cookies for targeted advertising and tracking across sites through its banner ads on a wide variety of sites.  Chances are better than even that you have a DoubleClick cookie in your cookie file.  The company's $400 million market value is another indication that it is successful.
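
    The following sketch is an added example, not code from the original page or from any company named on it.  It shows how a single cookie set by a banner-ad server ties otherwise unrelated, stateless requests from different sites into one profile, and what the same server sees when the browser refuses the cookie.  The host names, the "uid" cookie name and the functions serve_banner() and browse() are assumptions made for the illustration.

```python
# Added illustration (not from the original page): a third-party ad server
# turning stateless HTTP requests into a cross-site profile via one cookie.
# Host names, the "uid" cookie name and both functions are constructed.
from http.cookies import SimpleCookie
from itertools import count

_ids = count(1)
profiles = {}  # uid -> list of pages on which this browser loaded a banner


def serve_banner(request_headers):
    """Handle one banner request and return the response headers."""
    jar = SimpleCookie(request_headers.get("Cookie", ""))
    response = {}
    if "uid" in jar:
        uid = jar["uid"].value            # returning browser: state restored
    else:
        uid = f"u{next(_ids)}"            # no cookie: looks like a stranger
        out = SimpleCookie()
        out["uid"] = uid
        out["uid"]["path"] = "/"
        response["Set-Cookie"] = out["uid"].OutputString()
    # The Referer header names the page that embedded the banner.
    profiles.setdefault(uid, []).append(request_headers.get("Referer", "-"))
    return response


def browse(pages, accept_cookies):
    """Simulate one browser loading the banner on each page in turn."""
    stored = None                         # the browser's cookie file entry
    for page in pages:
        headers = {"Referer": page}
        if stored:
            headers["Cookie"] = stored
        reply = serve_banner(headers)
        if accept_cookies and "Set-Cookie" in reply:
            # Keep only the name=value pair, as a browser sends it back.
            stored = reply["Set-Cookie"].split(";", 1)[0]
    return stored


PAGES = ["http://news.example/story", "http://shop.example/cart",
         "http://health.example/symptoms"]

if __name__ == "__main__":
    browse(PAGES, accept_cookies=True)    # one profile listing all three pages
    browse(PAGES, accept_cookies=False)   # three unlinked one-page profiles
    for uid, seen in profiles.items():
        print(uid, seen)
```

    With the cookie accepted, the ad server holds one identifier with all three pages attached; with it refused, each request arrives as a new stranger and the visits cannot be joined by cookie alone.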

    See also: The Cookie Central Unofficial Cookie FAQ and Junkbusters.

    Do some online research of your own
