Misfortune Cookies
Adjusting Internet Explorer to Block Tracking Web Cookies
Page last modified: Aug 13, 2005 at 10:12 | Gibson Research Corporation
"Cookie" is a software programming term referring to a unique token that isn't in itself particularly meaningful, but which can be used to uniquely identify some other entity to which it has been assigned. In the case of a web browser, once a browser has received and accepted a site's "cookie" token, that browser can be uniquely identified in the future by the cookie token it carries. Unless it is configured not to, a web browser will always accept any cookie offered to it by a cookie-enabled web site. It happens invisibly and without the user's involvement, knowledge, or permission. And from that point on that unique cookie is typically used to uniquely identify that individual browser, user, and computer from all others on the Internet. Therefore, ALL cookies ARE ultimately about identifying and TRACKING web browser contact. That's what cookies are for. Anyone who is adamant about NEVER being identified from one web page to the next can, and perhaps should, COMPLETELY disable all web browser cookies. This is not difficult to do with Internet Explorer:
A "session cookie" is a non-persistent cookie which a web browser agrees to accept and carry, but only for the current web surfing session. Unlike regular cookies, which are persistent and can be retained and carried in a browser for years, session cookies are kept in memory and are not written to the system's permanent storage. They are discarded when the browser or computer system is shut down.
What are first-party cookies?
So-called "first-party" cookies are those offered to your web browser by the same web site you are visiting. While these cookies (whether they are session-cookies or persistent-cookies) do allow your movement around the site to be followed by the site, they are not generally regarded as a privacy concern because they cannot be seen or accessed by other sites. First-party cookies are what allow you to be recognized by active web sites where you have accounts, like news sites or eBay or Amazon. The first-party cookie your browser carries uniquely identifies your web browser and keeps you from having to log back onto a web site every time you return. However, even that might not be what you want, depending upon who and how many people use your computer. But remaining "known" to web sites you return to can be a handy option to have, and first-party cookies make that possible. As we will demonstrate below, you can enable "session-cookies" to allow the temporary use of a web site, while disabling "persistent-cookies" to prevent a site from remembering your browser when it later returns. But . . .
that are the real problem.
Modern web pages are composed of many separate pieces. Users with slower or congested Internet connections are accustomed to seeing pieces of web pages arriving at different times. Often the page's text will appear first, followed by the appearance of various visual enhancements such as icons, buttons, images and photos. These secondary components of web pages appear later, because the initial pieces of the page instruct your web browser to fetch them separately. The heart of any web page is text, but that text contains separate instructions with the name and location of the page's non-textual components which must then be fetched to finish assembling the complete page.
Part of the amazing power of the web is that a page can instruct your web browser to fetch any other pieces of the web page from any other servers located anywhere on the Internet. This is a powerful capability. But it comes at some cost of privacy and security because you, the trusting web user, are unable to exercise any control over which other "third-party" Internet servers your own web browser will be connecting to and requesting data from. In other words, not only can the site you are visiting ask your web browser to accept and carry a cookie so that it can keep track of you as you move about the site, but ANY of the other Internet servers that supply component parts of that web page are also able to give your web browser their own cookie which refers to their own server.
Here's how that is done: The third-party cookies your browser is carrying from global advertisers uniquely identify you to that advertiser no matter where you roam. Every time your web browser asks the advertiser for an advertisement, it also tells the advertiser which site and web page "referred" it to the advertisement. (This is how advertisers pay the sites which host their ads.) So the advertiser also knows where you are, and what page you are looking at on the Internet. In this fashion, thanks entirely to third-party cookie tracking, profiles of your Internet surfing history and habits are built up over time in central databases over which you have no control.
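The mechanism described above, as a small simulation added here (not code from the original page): a hypothetical third-party server, `ads.example`, hands out a cookie and logs the referring page, and the same three constructed page visits are replayed with third-party cookies accepted and then blocked.

```python
import itertools
from collections import defaultdict

class AdServer:
    """Hypothetical third-party server supplying one component per page."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = defaultdict(list)   # cookie -> list of referring pages

    def handle(self, cookie, referer):
        """Log the request; return a Set-Cookie value for unknown browsers."""
        offered = None
        if cookie is None:                  # browser presented no cookie
            cookie = offered = f"uid={next(self._ids)}"
        self.profiles[cookie].append(referer)
        return offered

class Browser:
    def __init__(self, block_third_party):
        self.block_third_party = block_third_party
        self.jar = {}                       # server host -> stored cookie

    def visit(self, page_url, ad_host, ad_server):
        # The page's text instructs the browser to fetch a piece from ad_host.
        sent = self.jar.get(ad_host)
        offered = ad_server.handle(sent, referer=page_url)
        if offered and not self.block_third_party:
            self.jar[ad_host] = offered     # cookie is accepted and carried

# Constructed browsing session: three unrelated sites embed the same server.
PAGES = [
    "http://news.example/politics",
    "http://health.example/symptoms",
    "http://shop.example/cart",
]

def run(block_third_party):
    """Replay PAGES and return what the third-party server has recorded."""
    server, browser = AdServer(), Browser(block_third_party)
    for page in PAGES:
        browser.visit(page, "ads.example", server)
    return dict(server.profiles)

if __name__ == "__main__":
    print("accepting:", run(False))   # one cookie linked to all three pages
    print("blocking: ", run(True))    # three unlinked single-page records
```

With blocking enabled the server still sees each referring page, but it has no cookie with which to tie the three requests to one browser.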
Why aren't any of IE's privacy settings useful?
Users of Microsoft's leading Internet Explorer web browser wanted useful privacy control over cookie handling to prevent third-party tracking. Since such features were being offered by competing web browsers, Microsoft was feeling the pressure to make them available in IE. But those third-party advertisers have a "business model" which is, after all, all about tracking us. So they put a great deal of pressure on Microsoft to keep tracking active and muddy the waters enough so that most users would be so confused by the meaning of the settings that they would leave them alone and wouldn't change them. All of the standard settings other than "Block All Cookies" (which we saw above) are trivial for third-party sites to bypass, and as we've already seen, blocking all cookies is overkill which isn't useful or practical. Here is the highest privacy setting at the first notch below "Block All Cookies":
As you can see from the description, this "High" setting blocks cookies that do not have something called a "compact privacy policy" or that use "personally identifiable information". A "Compact Privacy Policy" is nothing more than a string of acronyms any server can include when it supplies a piece of a web page. Here's a typical example:
So all any web server needs to do, to completely bypass Microsoft's HIGHEST strength cookie privacy setting, is to add a P3P tag to their reply and IE will allow their use of cookies, period. It's like the site saying "Oh, don't you worry, we would never do anything you wouldn't want." Yeah, right. And it all happens without your knowledge. Microsoft doesn't explain what they mean by "personally identifiable information" in cookies, but since cookies operate as "opaque tokens" and don't need to contain any personal information anyway (just a unique "tag" for you), this assurance means nothing. And as Internet Explorer's "privacy" slider is moved further down from its "High" setting, things only get worse. But even at the "High" setting, any third-party server can easily plant and track long-living persistent cookies onto the user's computer.
To access and change these "Advanced" settings, open any web browser window, then choose "Tools" and "Internet Options..." from the main menu. Next select the "Privacy" tab to see the dialog box we have been showing above. Pressing the "Advanced..." button displays a simple dialog with exactly the settings every user wants. Now that you understand these terms, the settings you want to choose should be obvious to you:
Enable the "Override automatic cookie handling" option to enable the rest of the dialog's controls.
For First-party Cookies: Select "Accept" First-party Cookies if you want web sites to be able to remember you when you return. If you prefer to remain unknown and unidentified at the start of a return visit, you can choose to "Block" persistent first-party cookies while still allowing session-cookies.
For Third-party Cookies: You will always want to select "Block" Third-party Cookies to flatly deny any attempts by third-party Internet servers to use cookies to track your movements around the Internet. There's just no good reason to ever allow sites and servers you don't intentionally visit to plant cookies onto your computer.
For Always allow session cookies: This should always be disabled (not checked). Accepting first-party cookies includes accepting first-party session cookies, so web sites that require your browser to carry a temporary session cookie will operate without trouble. But since "Always allowing session cookies" includes third-party session cookies (which is NOT what we want), leaving this option disabled is the only way to completely block both persistent and non-persistent third-party cookies. The only time you might want to always allow session cookies would be if you were not always accepting all first-party cookies.
Once you have Internet Explorer's "Advanced" cookie settings configured as you want, click the "OK" button to accept them and IE's Privacy settings will show that you are using "Custom - Advanced or imported settings".
After clicking "OK" to accept and close this Internet Options dialog, you can surf the Internet without unseen third-party web servers having the opportunity to track your movements. With these settings, Internet Explorer will ignore and discard any cookies they attempt to supply.
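The settings above expressed as a decision function, added here as an illustration and not taken from the original page or from Internet Explorer itself. The `site()` comparison and `high_setting_model()` are simplifications based on this page's description, and all hosts and header values are constructed.

```python
from dataclasses import dataclass

def site(host):
    # Assumption: the last two DNS labels identify the site. Real browsers
    # consult the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

def classify(set_cookie, page_host, server_host):
    """Return (party, lifetime) for one Set-Cookie header value."""
    attrs = {p.split("=", 1)[0].strip().lower()
             for p in set_cookie.split(";")[1:]}
    party = "first" if site(page_host) == site(server_host) else "third"
    # A cookie with no Expires/Max-Age lives only for the browsing session.
    lifetime = "persistent" if attrs & {"expires", "max-age"} else "session"
    return party, lifetime

@dataclass
class AdvancedSettings:
    first_party: str = "accept"          # "accept" or "block"
    third_party: str = "block"           # the page's recommendation
    always_allow_session: bool = False   # the page says to leave this off

def decide(settings, set_cookie, page_host, server_host):
    party, lifetime = classify(set_cookie, page_host, server_host)
    # The session override applies to BOTH parties, which is why it must
    # stay off if third-party session cookies are to be blocked as well.
    if lifetime == "session" and settings.always_allow_session:
        return "accept"
    return settings.first_party if party == "first" else settings.third_party

def high_setting_model(response_headers):
    # Model of the "High" slider position as this page describes it: the
    # presence of a compact policy header is enough for acceptance.
    has_p3p = any(name.lower() == "p3p" for name in response_headers)
    return "accept" if has_p3p else "block"

# Constructed sample Set-Cookie values.
PERSISTENT = "uid=42; Expires=Wed, 13 Aug 2035 10:12:00 GMT; Path=/"
SESSION = "sid=abc; Path=/"

if __name__ == "__main__":
    page, third = "www.shop.example", "ads.tracker.example"
    print(high_setting_model({"P3P": 'CP="<placeholder>"'}))        # High
    print(decide(AdvancedSettings(), PERSISTENT, page, third))      # Advanced
    print(decide(AdvancedSettings(always_allow_session=True), SESSION, page, third))
```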
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.