Featured Research

Advertisers Using WhenU

WhenU Violates Own Privacy Policy

WhenU Spams Google, Breaks "No Cloaking" Rules

Documentation of Gator Advertisements and Targeting

"Spyware": Research, Testing, Legislation, and Suits

Which Anti-Spyware Programs Delete Which Cookies?

September 13, 2006


I've always been puzzled by the divergent attitudes of anti-spyware programs towards advertising cookies. Some anti-spyware programs take their criticism to the extreme, with terms like "spy cookies" and serious overstatements of the alleged harm from cookies. Others ignore cookies altogether. In between are some interesting alternatives -- like ignoring cookies by default (but with optional detection), giving users an easy way to hide cookie detections, and flagging cookies as "low risk" detections.

I understand why some users are concerned about cookies. It's odd and, at first, surprising that "just" visiting a web site can deposit files on a user's hard disk. Cookies are often hard or impossible to read by hand, and ad networks' cookies offer user no direct benefit.

Unrequested arrival, no benefit to users -- sounds a lot like spyware? So say some, including the distinguished Walt Mossberg. But that's actually not my view. Unlike the spyware I focus on, cookies don't interrupt users with extra ads, don't slow users' PCs, can't crash, and require only trivial bandwidth, memory, and CPU time.

Cookies do have some privacy consequences -- especially when they integrate users' behavior on multiple sites. But such tracking only occurs to the extent that the respective sites allow it -- an important check on the scope of such practices. That's not to say shared cookies can't be objectionable, but to my eye these concerns are small compared with more pressing threats to online privacy (like search engine data retention). Plus, ad networks usually address privacy worries through privacy policies limiting how users' data may be used.

All in all, I don't think cookies raise many serious concern for typical users. Still, I know and respect others who hold contrary views. It seems reasonable people can disagree on this issue, especially on the harder cases posed by certain shared cookies.

Earlier this summer, Vinny Lingham and Clicks2Customers asked me to test the current state of cookie detections by major anti-spyware programs. They had noticed that for those anti-spyware programs that detect cookies, not all cookies are equally affected. Which cookies are most affected? By which anti-spyware programs? I ran tests to see -- forming a suite of cookies, then scanning them with the leading anti-spyware programs.

Vinny is generously letting me share my results with others who are interested. The details:
     Cookies Detected by Anti-Spyware Programs: The Current Status.

See also Vinny's introduction and commentary.