Surfing the Web, whether for information, products or just to pass the time, has become a part of daily life. While a user is browsing websites, it is virtually certain that the user will encounter a “cookie.” A cookie is a piece of text that a Web server can store on the user's hard disk. Cookies allow the Web site to store information on a user's machine and later retrieve it. The pieces of information are stored as name-value pairs. A name-value pair is simply a named piece of data. A Web site can retrieve only the information that it has placed on a particular network access device. It cannot retrieve cookies placed by others on that access device.
There is nothing inherently nefarious about the use of cookies. The information in a cookie makes it possible for Web sites to assess their traffic and to customize their sites for repeat visitors. A cookie may be used to track a user's habits and to determine his or her preferences for various purposes. For example, a tracking cookie may be used by a server to capture information about a user's interests. A user profile may then be created and used to target content to the user. The content may be an offer for a particular product or a link to an article about a subject of interest.
A user may find the tracking of his or her browsing habits intrusive or helpful depending on the user's sensitivity to privacy issues, on how the tracking information is used, and whether the tracking is done surreptitiously or with the permission of the user.
Typically, when a user requests a page from a Web server, the server looks at the request headers to determine if a cookie is present. If the cookie is not present, the server creates a cookie identifier and sends it as a cookie back to the Web client application (sometimes referred to as a “browser”) together with the requested page. From this point on, the cookie will be automatically sent by the Web client application to the server every time a new page from the site is requested. The server sends the page as usual, but also stores the URL of the requested page, the date/time of the request, and the cookie in a log file. By looking at the log file and using the cookie identifier, it is then possible to find out which pages the user has visited and in what sequence. The URL and date/time stored with the cookie show which pages the user has visited and at what time.
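The server-side flow described above, as an added example that is not part of the original text: the handler issues an identifier when the request carries no cookie, logs the URL, time and identifier, and the log is then grouped by identifier to recover each visitor's page sequence. The cookie name `visitor_id`, the in-memory `LOG` list and the `simulate_visit` client are assumptions made for the illustration, and the timestamps are constructed.

```python
import uuid
from collections import defaultdict
from http.cookies import SimpleCookie

COOKIE_NAME = "visitor_id"   # hypothetical cookie name
LOG = []                     # in-memory stand-in for the server's log file

def handle_request(url, timestamp, cookie_header=None):
    """Serve one page request; return the Set-Cookie value, or None."""
    jar = SimpleCookie(cookie_header or "")
    set_cookie = None
    if COOKIE_NAME in jar:
        visitor = jar[COOKIE_NAME].value
    else:
        # No cookie in the request headers: create an identifier and send it back.
        visitor = uuid.uuid4().hex
        out = SimpleCookie()
        out[COOKIE_NAME] = visitor
        out[COOKIE_NAME]["path"] = "/"
        set_cookie = out[COOKIE_NAME].OutputString()
    # Store URL, date/time and cookie identifier, as the text describes.
    LOG.append((timestamp, visitor, url))
    return set_cookie

def browsing_histories(log):
    """Group log entries by cookie identifier, ordered by request time."""
    histories = defaultdict(list)
    for timestamp, visitor, url in sorted(log):
        histories[visitor].append((timestamp, url))
    return dict(histories)

def simulate_visit(requests):
    """Constructed client: replays the cookie on every later request."""
    cookie_header = None
    for timestamp, url in requests:
        set_cookie = handle_request(url, timestamp, cookie_header)
        if set_cookie:
            # The browser keeps name=value and returns it automatically.
            cookie_header = set_cookie.split(";", 1)[0]
    return cookie_header.split("=", 1)[1]
```

Clearing the cookie on the client makes the next request look like a new visitor, which is why the log links page views only for as long as the same identifier keeps being returned.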
Some objects of a Web page may not be stored on the server that hosts the requested page. Rather, certain objects may reside on different servers, each object potentially with its own cookie. If the servers are outside the domain of the requested Web page, the cookie is referred to as a domain cookie. When a Web client application requests a Web page, the Web client application receives the HTML code that includes location information indicating where objects are located. The Web client application issues “GET” commands to these locations. When responses to all of the GET commands have been received, the Web client application displays the page.
For example, on-line advertising may be provided through third party servers. A GET command will be issued to retrieve the ads from the third party servers. The hosts of these ads may provide cookies with the ads. The cookies in this example may be used to track a user's behavior at the original host site and across different Web sites that are linked to the third party servers.
As noted previously, cookies may be used to create an anonymous profile of the user. This allows a website to select content to show to a user based on the user's profile. When this content is advertising or other material that is pushed on the user, the user may desire to exercise control over the use of tracking cookies.
Tools are available in Web client applications to allow a user to manage cookies. A user may configure a Web client application to block cookies outside the domain of a requested Web page. However, a number of popular functions depend on domain cookies being enabled. For example, shopping carts and on-line bill paying sites use domain cookies to provide security. Additionally, if a service provider embeds a login page from an identity provider through an iFrame, the cookies used by the identity provider would be considered domain cookies. This is because the URL in the browser does not reflect the URL from which the cookies are being sent back to the client browser.
To address privacy issues, advertisers have individually and collectively provided opt-out mechanisms that allow users to choose not to be tracked for advertising purposes. However, these mechanisms are offered in a piecemeal fashion that requires users to opt out of tracking at multiple sites. The burden is on the user to find the link to the opt-out site, complete the information at each site, and follow various rules for maintaining the opt-out state. The opt-out state may have to be renewed from time to time and may be negated by system management activities that routinely clear cookies.