Take It From a Web Guy — Cookies Don’t Make the NSA Scary, Wiretapping Does

Listen, people: Stop panicking about X once it takes place online, as if it’s new or different or scarier. X can be anything, because it has the magic power to make people freak out like it’s 1978 and they’ve lost their Sean Cassidy tickets if you can say that X takes place online.

Case in point: The NSA is in more trouble currently for putting cookies that don’t expire when you leave their site on your computer than they are for violating not only the constitution but US law by eavesdropping on American citizens. Let me put this in perspective.

First off, cookies are just little text files that contain information put there by the site you visit. They could as easily be stored on the site you visit–and in fact, we Web types do just that on a regular basis. The single and only difference is that cookies are stored on your computer, not theirs. They have no special powers, contain no information not available to the site you’re visiting anyway, and just sit there on your computer. And since it’s your computer, you can delete them any time you like. You can’t do that on their computer. In fact, deleting a file on the NSA’s computer is a federal offense that will land you in jail for a very long time. So 99% of the concerns about cookies are either ill-founded, untrue, or irrelevant.

The 1% that is true is that it is a more reliable way to tell who you are when you come back to their site later–though as someone who has clients continually demanding more and more information about the habits of you, the gentle website reader, I can tell you it is so far from foolproof as to make it virtually useless–and it’s completely useless if it’s the only measure you use to track repeat visits. What can someone do with that information? Not bloody much. They might be able to tell that you–or someone else who uses the same computer as you–visit their site every Thursday. I’m scared, are you? Oh, wait. I’m not scared.

They can’t tell anything more about who you are, where you live, or anything else you might be worried about the NSA knowing by using cookies. Not. One. Thing. But listening to your conversations on the phone? They have a record of your voice, what number you called, the voice that answered, what you said, and maybe background noises. They know what number you called from, and where that is in the world much more precisely than they know where your computer is when you visit their site. And unlike cookies, you can’t delete the recording of your call–doing so, were you able to do it, would put you away longer than deleting a record on their webserver.

So if you take one thing away from this, don’t worry about cookies, unless they store your password in plain text. If you are really concerned about cookies, start using Firefox. Go to the preferences, click on the Privacy button, and click on the Cookies tab. Uncheck the box labeled “Allow sites to set cookies.” There, you’re completely safe. Of course, a lot of sites won’t work, but that’s your own fault for being a paranoiac about things that just don’t matter while ignoring the erosion of the Constitution that you used to have.

2 thoughts on “Take It From a Web Guy — Cookies Don’t Make the NSA Scary, Wiretapping Does

  1. My understanding from the stories around this is that the problem isn’t about the risk from the cookies per se — it’s about there being a regulation restricting the use of cookies on government sites, which the NSA wasn’t complying with.

    see http://www.nytimes.com/2005/12/29/national/29cookies.html :

    ” In a 2003 memorandum, the Office of Management and Budget at the White House prohibited federal agencies from using persistent cookies – those that are not automatically deleted right away – unless there is a ‘compelling need.’

    A senior official must sign off on any such use, and an agency that uses them must disclose and detail their use in its privacy policy.

    Peter Swire, a Clinton administration official who had drafted an earlier version of the cookie guidelines, said that clear notice was a must, and that ‘vague assertions of national security, such as exist in the N.S.A. policy, are not sufficient.’ …

    The government first issued strict rules on cookies in 2000 after disclosures that the White House drug policy office had used them to track computer users viewing its online antidrug advertising. Even a year later, a Congressional study found 300 cookies still on the Web sites of 23 agencies.”

    Of course, you can argue whether or not the current policies make sense, but that’s a different issue. They should comply with whatever current laws and regulations protecting citizens’ privacy are in place; not doing so leaves a whiff of their not caring enough to pay attention to the regs, which is not a good thing to say about a spy agency, even in relatively trivial matters such as this.


  2. I’m well aware of the regs on cookies–I’ve had to deal with them while developing government sites myself. It’s more the relative panic about the two misbehaviors, both of which are illegal, that gets me irked.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.