Fearing What You Don’t Understand
Before I get into the meat of this post, lemme just quote this analogous story that I’ve always found amusing.
Alan McHughen, who works in the field of genetically modified plants, decided that enough was enough. He doesn’t like what he’s seeing and wants people to be able to make informed decisions.
. . .
How bad is the public’s misunderstanding of this field? McHughen cites recent surveys in Great Britain showing that only 40% of respondents correctly said that ordinary tomatoes contain genes. The rest either didn’t know, or thought that the average tomato somehow did without the genetic material that is present in every living thing. Similarly, he relates a story of how an activist in Belgium got into an argument at a summit about genetically modified plants, and stormed out yelling, “You’ll never convince me to eat DNA!”
And this angry fool is what I’ve been thinking of as I’ve seen this ridiculous uproar about the NSA’s website using cookies. To call this a tempest in a teapot would be an exaggeration. In light of the very serious issue of domestic spying by the NSA, getting worked up about this is the equivalent of berating Charles Manson for jaywalking.
As the FAQ at CookieCentral makes clear, for all practical purposes, the NSA can’t spy on you using cookies.
2.4 Are Cookies Dangerous to My Computer?
NO. A cookie is a simple piece of text. It is not a program, or a plug-in. It cannot be used as a virus, and it cannot access your hard drive. Your browser (not a programmer) can save cookie values to your hard disk if it needs to, but that is the limit of the effect on your system.
. . .
2.6 Are Cookies a Threat to My Privacy?
The sad truth is that revealing any kind of personal information opens the door for that information to be spread.
Consider the growing trend of technology conveniences in our lives. We use “frequent buyer” cards at supermarkets and gas stations. We place electronic tags on our cars to pay tolls faster and easier. We let banks pay our bills for us automatically each month without checks.
While each of these technologies (and others like them) have made our lives more convenient, each time we use them exposes us to a loss of privacy. Stores know what foods you eat. Gas stations know how much you spend on gas per fill-up. Turnpike operators know how fast you drive on their highways. Banks know how you spend your money each month.
It’s the same with cookies. In fact, one may argue that cookies in the long-run will be less damaging to privacy efforts than those technologies described above. If you’re going to single-out cookies as your sole vulnerability to personal privacy, you should re-examine how you live your daily life.
More importantly, the NSA website (or any website for that matter) can only view the cookies that come from their domain. In other words, they can’t use cookies to track how often you log in to eBay, check your email, or read a liberal blog.
And if that’s enough to freak you out, then you should just stop going on the WWW altogether. Just from the HTTP logs for this site, I can tell what time a user accessed a page, what site referred them, which pages within my site are being accessed, and the operating system, timezone, browser, and internet service provider. But anything beyond that which you might consider “personal information” (i.e. names, passwords, credit card numbers) can only end up in a cookie if you give them that information in the first place.
So, yes, the NSA (like every other website) can use cookies to track when visitors access their site and record that information for later use, but they don’t know who you are unless either (a) you fill out a form on the site that provides them with personal information or (b) they tap into their massive database of information gathered by illegally tapping internet hubs. Either way, stop wasting your time freaking out about cookies, guys. It’s really not a big deal compared to everything else they’ve been doing.
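Added example, not part of the original post: a minimal cookie jar applying the RFC 6265 domain-match rule, showing that each server receives only cookies scoped to its own host, and that a third party embedded on several sites still gets its own cookie back with a different Referer each time. All hostnames and cookie values are constructed, and the `CookieJar`, `loadPage` and `demo` names are hypothetical.

```javascript
// Added example; every hostname and cookie value is constructed.
// RFC 6265 sec. 5.1.3: a host matches a cookie domain if equal or a subdomain of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }
  // Store a cookie set by a response from `host`. Without a Domain attribute the
  // cookie is host-only; with one, the domain must cover the setting host.
  // (Browsers also reject public suffixes such as "com"; omitted here.)
  set(host, name, value, domain) {
    const hostOnly = domain === undefined;
    const scope = (hostOnly ? host : domain).toLowerCase().replace(/^\./, "");
    if (!domainMatch(host, scope)) return false; // cannot set a cookie for another site
    this.cookies = this.cookies.filter(c => !(c.name === name && c.scope === scope));
    this.cookies.push({ name, value, scope, hostOnly });
    return true;
  }
  // Cookie header the browser attaches to a request for `host`.
  headerFor(host) {
    const h = host.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? h === c.scope : domainMatch(h, c.scope)))
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// One page load: a request to the page's host plus one per embedded third-party
// host. Returns what each server receives (its own cookies and the Referer).
function loadPage(jar, pageHost, embeddedHosts = []) {
  const seen = { [pageHost]: { cookie: jar.headerFor(pageHost), referer: null } };
  for (const h of embeddedHosts) {
    seen[h] = { cookie: jar.headerFor(h), referer: `https://${pageHost}/` };
  }
  return seen;
}

function demo() {
  const jar = new CookieJar();
  jar.set("www.agency.example", "visitor", "a1"); // first-party, agency site
  jar.set("www.bank.example", "session", "b2");   // first-party, bank site
  jar.set("tracker.example", "uid", "t3");        // third-party analytics host
  const crossSet = jar.set("www.agency.example", "peek", "x", "bank.example");
  const agency = loadPage(jar, "www.agency.example", ["tracker.example"]);
  const bank = loadPage(jar, "www.bank.example", ["tracker.example"]);
  return { crossSet, agency, bank };
}
```

Calling `demo()` returns, per page load, the headers each server would see; the agency host never receives the bank's cookie, while the tracker host receives the same `uid` on both loads.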
7 comments


I’m not going to argue that cookies are killing computers or something. Anybody who doesn’t know what they are (delicious, chocolate chip-filled text files) or how to turn them off hasn’t been working with computers for long.
That said, while not as big as the NSA domestic spying issue, the use of illegal cookies should be viewed as another way our government is performing illegal actions with very little oversight.
Americans have been a little too “New Testament” Santa Claus with the government for too long. We give and we give and we give, no matter what they do.
I think it’s time we get a little “Old Testament” Santa on them and check our lists twice. Domestic spying - naughty. Using illegal cookies - less naughty, but still not nice.
We have to be the ones to make the list of transgressions large and small, because we’re dealing with an administration headed by a guy who couldn’t think of ONE THING he’d done wrong in his first four years in office.
Comment by Dr. Pants — December 31, 2005 @ 7:45 am
I haven’t done all the homework on this, but here’s a guess as to what might be going on: NSA uses a third-party company to track hits on their site. The same third-party company is also contracted by your bank, or an online store that you buy stuff from. You have filled out forms on these other sites, giving up personal information, which is stored in these third-party cookies on your computer for your convenience upon return visits. Everything is secure: the bank can’t read NSA cookies, NSA can’t read the bank’s cookies.
Unless they demand access to prevent terrorism, at which point I’m sure they will get what they want, even if the president has to sign an executive order “authorizing” it.
Even if we assume a branch of the government can’t get at the cookies stored on your computer by a company they are paying, there still might be privacy issues with one corporate entity being able to track your actions across multiple sites. In time, with enough innocuous tidbits, they might connect the dots and come up with a picture.
Comment by Larry Jones — December 31, 2005 @ 8:23 am
Understood, but aside from the fact that the use of persistent (as opposed to single-session) cookies was against a federal regulation that probably didn’t need to exist anyways, what exactly constitutes an illegal cookie? What data specifically was the NSA gathering and how is that any worse than what, say, Amazon or Yahoo do?
Nice to see that you’re thinking this one through, but it doesn’t quite work out this way. Without getting into specifics, lemme just say that I work as a Systems Administrator for one of the largest sites online, so trust me on this one.
While it’s possible that the NSA website is using a third-party company to track visitors, the issue here is with the NSA domain dropping cookies. Supposing the site used Hitbox, which is used by many large corporations, the NSA couldn’t directly access any of the information that Hitbox collects and stores in cookies. Cookies don’t work that way.
Additionally, if you were passing personal information to a site, there’s no reason why that data would be shared with the tracking company. Amazon doesn’t give your CC number to their tracking company and Yahoo doesn’t give your passwords to theirs. And even if they did, the NSA wouldn’t be able to collect that data without doing things that only the NSA could do.
Comment by greg — December 31, 2005 @ 9:14 am
I defer to your superior knowledge. To be honest, I wasn’t aware there was a controversy about this.
I really like your writing here, Greg. Happy New Year.
Comment by Larry Jones — December 31, 2005 @ 10:42 am
Not all cookies are created equal. They can be crafted to send info back to the originating server such as urls visited after the initial event, not just local site activity.
Comment by angel headed hipster — December 31, 2005 @ 6:15 pm
Huh? Where’d you get that idea? Cookies aren’t code, they’re tiny little text files that save information gathered by the site through other means. They’re a method of storing data, not collecting it.
Besides, there’s no way for a website to view a cookie from another domain. It’s impossible for the NSA’s cookies to track what other websites you visit. Period. Even if the NSA was using a third-party tracking company, this whole situation would be moot since the NSA’s site wouldn’t be able to view the third-party cookies.
Now the NSA could use their HTTP headers to see which URL referred you to theirs and it could use its webserver logs to track your movements throughout the site, but this would, once again, only affect visits to the NSA website and none of those have anything to do with cookies.
Trust me on this guys. This. Is. Not. A. Big. Deal. Just take a look at the comments at Slashdot if you don’t believe me. People who understand this stuff are laughing at the outrage this has caused. There are much more important things to be concentrating on than whether or not the NSA’s website is using persistent cookies.
For another take on this from a conservative writer who understands the severity of this issue, click here.
Comment by greg — January 1, 2006 @ 11:47 pm
It’s not about how dangerous the cookies are (or aren’t, as you correctly say).
It’s about the fact that the cookies are used in violation of policy. ;-)
Comment by Clive — January 4, 2006 @ 7:48 am