Nuisance Cookies and SpyWare


Ed_Ingold

bfast.com serves the CameraWorld icon. Tribal Fusion serves the banner ads. These sites put cookies on your browsers. The bfast cookie is used so that if you purchase something from CameraWorld, photo.net will get credit. The purpose of the Tribal Fusion cookie is so that you don't see more impressions in a period of time of a particular ad campaign across all servers associated with TF than the advertiser has specified. The advertisers don't want to pay for you to keep seeing the same ad. TF does not use the cookie to create a user profile or target ads based on a user profile; they sell ad space based solely on the web site and fixed web site categories.

You are getting the alerts probably because your browser is configured to warn you when you receive the cookies. You need to reconfigure your browser so that either you allow the cookies or block them.

Link to comment
Share on other sites

I just wanted to clarify about "spyware". I don't like "spyware" any more than the next guy, but many people in the industry that has developed to sell people anti-spyware products have used the term in a very misleading way, which plays on people's lack of knowledge and fears.

The term spyware originally referred to code in certain software, like Kazaa, that would secretly send information back to the manufacturer. For this spyware to work, you have to be enticed to download and install software on your computer. Once it is installed, such software basically can do anything on your system that it wants.

Somewhere along the line, the term got broadened to include certain types of web cookies. A cookie is not code that runs on your system. It is no more than data which is stored by your web browser on behalf of a web server and sent back to the server with each request. There is no information in the cookies that was not put there by the server. A cookie is not an active entity that is looking at what you are doing and spontaneously sending messages back to the server. It is just data.

Cookies are used, for example, to record the fact that you are logged in on a site, so that you don't have to keep logging in. Cookies are extremely common, and the web wouldn't really work without them.

Some ad networks, like DoubleClick, started using cookies to keep track of which DoubleClick-affiliated web sites a person had visited. For example, if site A sends me a DoubleClick ad, DoubleClick accompanies the ad with a cookie that says "This is user 1234", and stores in its database that user 1234 has been on site A. Then when I later visit site B, which tells my browser to fetch another DoubleClick ad, my browser sends the "This is user 1234" cookie along with its request to the DoubleClick server. DC can now store the fact that user 1234 has been on site B. Eventually, DC would know all the DC-affiliated web sites that user 1234 had been on. If they could get you to fill out a survey along the way, that would be in the database also. These user profiles were then used to target ads at people. Many people found this objectionable: they didn't want DoubleClick tracking their movements between DC-affiliated web sites. To make matters worse, journalists describing these tracking cookies were often confused and gave people the idea that DC could track you on every web site that you visited, not just the DC-affiliated ones. People sometimes got the idea that these tracking cookies could steal credit card information from your PC, and so forth.

Since cookies have always been misunderstood and controversial, and DoubleClick's use of cookies made them more so, the anti-spyware tools folks decided to provide some extra "value" by adding the ability to filter these types of cookies to their packages. All ad network cookies are put on their lists, as "spyware", regardless of how they use their cookies.

I think there is a huge difference between true "spyware" and cookies. The worst possible use of cookies still is far short of what "spyware" can do, and the anti-spyware tool vendors don't even bother to check whether the cookies they are labelling as "spyware" are actually being used for anything objectionable. It is enough to get on the list if it is an ad network which might be "tracking" people.

Because these tracking cookies have been labelled "spyware", people are now getting confused, and think that when the anti-spyware tool puts up a cookie warning, it is protecting them from a virus or something.

Link to comment
Share on other sites

Brian:

Thank you. Your first response told me exactly what I wanted to know - who/what was placing these cookies.

Not all cookies are as benign as you suggest. Some collect web browsing or other personal data and report back to a server. BFAST would be OK if I purchased something through a link in PHOTO.NET. Since it stays resident, I'm not confident that BFAST ignores other orders. TRIBALFUSION, on the other hand, periodically requests restricted information.

Anyway, thanks again.

Ed

Link to comment
Share on other sites

Edward, I don't know how a cookie can collect information about you. In a standard browser, a cookie and its contents can be generated in only two ways: (1) It can come from the server with a Set-Cookie: header on a response to a browser request, such as for an HTML page or image; (2) It can be created by a JavaScript script that the browser runs in various situations.

The first case is quite benign: the cookie can only contain information that the server already had about you. The server is only asking the browser to hold onto this information and to send it back on subsequent requests. This makes it a lot easier for context to be propagated from one request on the web server to the next, such as the fact that you are logged in as user #42, that you are associated with shopping cart #43, etc. Even though this facility can be used for "tracking" as in the DoubleClick case, it would be very hard for the Web to operate without these cookies. Life can be made a little harder for people who want to do the DoubleClick thing by turning off "third-party" cookies, but if a group of web sites (such as those affiliated with ad networks) want to share information about your web visits, they don't need cookies to do that. Cookies just make it easier. You have to read the privacy policies of the sites, and decide whether the policy is acceptable and whether you can trust the site to adhere to it.

The second case, where the cookie is created by JavaScript code, is potentially less benign. The JavaScript code can theoretically put anything that it can discover about the client environment into a cookie, such as how big a window it is running in, information about your browser defaults, etc. There have been browser bugs where JavaScript code from a server running in one browser window could learn a lot more about what people were doing with the browser in other windows than they should have been able to -- like what URLs the windows were looking at, and even what was on form fields in other windows. There are various ways for JavaScript code to communicate with the server from which it originated, and one of these was by setting a cookie that the browser would send the next time the user made a request of the server. These bugs have been closed as they are discovered, and for the most part, JavaScript code is now pretty secure. This doesn't guarantee that you have a browser version where all the bugs are fixed, or that people won't discover and exploit new JavaScript bugs.

In any event, these cases were JavaScript security holes rather than cookie security holes. When there is a JavaScript bug, cookies are only one way to exploit it and get the information back to the server. If you are concerned about the security of JavaScript, you should turn off JavaScript, not cookies.

Link to comment
Share on other sites
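The cookie exchange described in the posts above (an ad server recognising one browser across its affiliated sites, and the effect of turning off third-party cookies), as an added offline simulation that is not part of the original thread. The host names, the `uid` cookie name and both classes are constructed for illustration.

```javascript
// Constructed simulation, no network. All names here are hypothetical.
const AD_HOST = "ads.example";
const AFFILIATED = new Set(["site-a.example", "site-b.example"]); // pages carrying the ad tag

class AdServer {
  constructor() { this.nextId = 1234; this.profiles = new Map(); }
  // The server sees only what the browser sends: a Cookie header and a Referer.
  serveAd(cookieHeader, referer) {
    const m = /(?:^|;\s*)uid=(\d+)/.exec(cookieHeader || "");
    const uid = m ? m[1] : String(this.nextId++);   // unknown browser: mint a new id
    if (!this.profiles.has(uid)) this.profiles.set(uid, []);
    this.profiles.get(uid).push(referer);
    return { setCookie: m ? null : `uid=${uid}` };   // data chosen by the server, nothing else
  }
}

class Browser {
  constructor(blockThirdParty) { this.blockThirdParty = blockThirdParty; this.jar = new Map(); }
  visit(site, adServer) {
    if (!AFFILIATED.has(site)) return;               // no ad tag: ad server is never contacted
    const thirdParty = AD_HOST !== site;
    const allowed = !(thirdParty && this.blockThirdParty);
    const cookie = allowed ? this.jar.get(AD_HOST) : undefined;
    const res = adServer.serveAd(cookie, site);
    if (allowed && res.setCookie) this.jar.set(AD_HOST, res.setCookie);
  }
}

// Visit two affiliated sites and one unaffiliated site, then return what
// the ad server was able to record, keyed by the id it assigned.
function browse(blockThirdParty) {
  const ads = new AdServer();
  const browser = new Browser(blockThirdParty);
  for (const site of ["site-a.example", "bank.example", "site-b.example"]) {
    browser.visit(site, ads);
  }
  return Object.fromEntries(ads.profiles);
}

console.log("third-party cookies allowed:", browse(false));
console.log("third-party cookies blocked:", browse(true));
```

With cookies allowed, the two affiliated visits are linked under one id and the unaffiliated site never appears; with third-party cookies blocked, each visit looks like a new browser. The simulation models cookie linkage only, not the other ways sites can share visit data that the post mentions.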

As Brian mentioned, cookies simply can't take any personal information that you haven't actually given to them. Cookies sent from the server side can use information stored on the server, but in that case, you've already given away your personal information to the site sending the cookie, so there's no harm being done, and no personal information is being removed from your system. Cookies sent from within the HTML document (e.g., via JavaScript) can't access your system either (except in the case of rare JavaScript security holes). They can gather the number of pages you've been to since you last cleared your history, but not what specific sites you visited. The only other information that cookies can gather is harmless, readily available data, like the URL of the current site or the browser you're using.

In short, your personal information is safe from cookies. Web pages can't steal your personal info, unless you give it to them specifically.

Link to comment
Share on other sites
