Recommended cookie handling privacy settings for Internet Explorer 7 and Firefox 2

What is a cookie and where does it come from?

A cookie is a small data file sometimes created by a website when you visit the site. The cookie is stored in a folder on your computer that is specially designated for holding cookies. The cookie is encrypted so only the website that created it can read it again. It can only store whatever information that particular website knows about you. It doesn't "run" like a computer program, and it can't search for other information on your hard drive.

How is a cookie used?

When your browser requests a page from a website, it first looks to see if it has a previously saved cookie from that site. If it has, it sends the cookie back to the site along with the request. This allows a website to store information that relates to you in the cookie on your computer, and doesn't have to store it on their computer.

Storing the data on your computer has the additional advantage that when the website receives the data back from you, it knows it's the same data it put there. In other words, it authenticates you. Or, more accurately, it authenticates your computer as being the same one where the cookie was originally written.

Thus, for example, when you first log into a website, the site writes a unique cookie (which might contain nothing more than a long random number) to your computer that indicates you are "logged in". Your browser keeps sending the cookie back to the site with each subsequent page request, and that is what keeps you logged in as you go from page to page. It's the only thing that maintains continuity during your "session" on the site. Without it, you'd be a complete stranger with each new page request. This is, in fact, what happens when you disable or block "all cookies", and why some sites don't work properly when you do that. Without the cookie, it doesn't know if you are the same user who just requested a different page a few seconds ago.

Why are cookies a privacy concern?

First-party cookies

Most cookies, used for the intended purpose described above, are not a threat to privacy. If (and only if) the website already knows your name, email address, or any other information that personally identifies you, they might choose to store that information in their cookie (they usually don't), but since only they can read the cookie anyway, it doesn't matter. Furthermore, they only have that information if you gave it to them (such as by registering on their site), so you probably wanted them to have it.

Cookies written by the website that you initially navigated to are known as "first-party" cookies.

Third-party cookies

A web page can consist of many different pieces (or "elements"), and often some of those pieces are retrieved (by your browser) from a website other than the main one you are viewing. Your browser fetches and assembles all the pieces, from all the different sources, onto a single page before displaying it to you. Content that comes from a website outside the one you're viewing is called "third-party content".

The retrieval of this third-party content is essentially a "visit" to the other website (except that it was initiated by your browser instead of you), and the retrieved content might write a cookie to your computer just like any other website visit might. This is a separate cookie from the one written by the main website, and in fact the main website can't read it. It only relates to your "interaction" with the third-party site.

This cookie written by third-party content is known as a "third-party" cookie.

It's mostly third-party cookies that raise privacy concerns because under some circumstances they can collect information many people consider none of their business, especially because they didn't willingly navigate to that third-party website in the first place.

When your browser sends a request to a website, it often sends the web address of the page the request is coming from (the "referrer"). One of these "third-party" companies might choose to save that referrer information because it tells them you are interested in the topic of the site you're coming from.

If the company receives many such third-party requests from you (such as if it is an advertising network with ads on many sites) and if it accumulates the information about all the web pages you've viewed that contain their ads, then their cookie can be called a "tracking cookie" because it tracks your browsing history and can build a profile of your online interests.

Not all advertisers use cookies this way, and it is not just advertisers who have the ability to do it. Any website whose content is displayed on multiple other sites, or any business that operates many websites, could gather or share cookie data in potentially privacy-invading ways.

Nonetheless, many tracking cookies identified by antispyware programs are from advertising networks, probably because they have the most widespread internet presence and are therefore in the best position to do the tracking, even if they may not be the worst offenders in how they actually use the information, compared to what could be done by a network with a motivation more truly malicious than merely showing you ads they think will appeal to you based on your web browsing history.

Recommended privacy settings

Browser "privacy" settings are cookie-handling settings. They determine what should cause a particular cookie to be either allowed or blocked.

Because many websites only work properly if cookies are allowed, and because most cookies are not a privacy threat, and because even when they are a privacy threat, it is only rarely a great or urgent one, the most convenient approach is to use a relatively permissive setting for the default and then create an exception list of cookies to always block. The less convenient alternative is to use a restrictive default setting and supplement it with a very loong list of cookies to allow.

Internet Explorer 7

Set Privacy Options at IE7 > Tools > Internet Options > Privacy, and use the slider control.

Our recommended setting is Medium High, arrived at using a Goldilocks approach. After ruling the others out, it's the only one that's just right.

Legend:

• Green  = Recommended.
• Yellow = Usable, but maybe inconvenient.
• Red     = Unusable for reason given.

An alternative cookie handling option

The Advanced button overrides the slider control and allows an entirely different cookie handling method that only distinguishes between first-party (the site you're "on") and third-party cookies (outside sites). For each, you can specify Accept, Block, or Prompt.

Although I haven't experimented with the Advanced Privacy Settings, if you want to try this method, I'd suggest:

• Override automatic cookie handling.
• Accept first-party cookies.
• Block third-party cookies.
• Always allow session cookies. Session cookies are temporary ones that are active only during this session that IE7 is running. Regardless of other cookie handling settings, session cookies are always deleted when IE7 is closed and therefore cannot be reused the next time you visit a site. Thus, allowing them poses less risk than when allowing "persistent" cookies, which persist from one session to the next and are reused.

To compare the slider method against the Advanced method, you could run each for a month, scanning with a spyware scanner after each month, and see which method gave you the greatest protection with the least inconvenience.

Firefox 2

Set Privacy Options at Firefox > Tools > Options > Privacy.

Our recommended settings for Firefox are:

• Accept cookies from sites. This is because, same as in IE7, if you block all cookies, many sites won't work properly.
• Keep until they expire. To allow persistent cookies for the current session but discard them afterwards (as described above for IE7), keep until I close Firefox.
• Click the Exceptions button and create a list of sites to block.

If you have the Web Developer Toolbar installed, it provides an additional option:
Cookies > Disable Cookies > External Site Cookies, (i.e. third-party cookies).

There might be plug-ins for Firefox that provide other options for cookie management.

Notes:

• What is a second-party cookie? If the first party is the website you're visiting, and the third party is any other website, the only candidate for the second party is you, so you'd have to make (or bake) second-party cookies yourself.

Related articles:

• More about tracking cookies, and how to create your block list
• How to configure Internet Explorer 7 Security Zones for high security
  The IE7 security settings are far more important than cookie handling settings.

Assistance is available in the forum.