We all know cookies as tasty baked treats that we love to eat, but computer cookies are quite different. Although they’re most popularly known as just “cookies”, they may be referred to as browser cookies, Internet cookies, HTTP cookies, web cookies, computer cookies, or digital cookies.
What are cookies?
Cookies are pieces of information that a website can save in your browser. Websites can ask your browser to save cookies whenever the browser asks it for a page, picture, download, or any other piece of information. Until the cookie expires, the browser will keep it, and send it back to the website whenever it requests anything else.
The language web browsers and websites use to talk to each other is “stateless”, meaning that every message is totally independent and isolated from every other message. It’s like having a conversation with somebody who instantly forgets who you are after every sentence.
One of the most common uses for cookies is to provide a link between messages, so that a website can remember who you are, and tell that your messages are coming from the same individual.
To do this, a website sends a web browser a cookie with a unique ID the first time they communicate, and the web browser repeats the unique ID back to the website every time it sends a message.
In the language of the web, cookies allow us to link sentences into conversations.
Without this functionality we would not be able to log in to any websites, keep wish lists, see recommendations, use web-based video or instant messaging, or do most of the other things we rely on websites for.
Importantly, websites can read their own cookies, but can’t read cookies saved by other websites. However, there is a loophole that has led to most of the problems we have come to associate with cookies: third-party cookies.
Tracking with third-party cookies
Many people associate cookies with the cross-site tracking used by advertising companies. Advertisers like Google and Facebook can track users as they travel around the web from site to site, building up profiles of the kinds of sites they like to visit, and showing them targeted advertising.
Tracking somebody across multiple sites like this relies on third-party cookies.
Although a website can only read cookies that it has created, individual web pages can be assembled from components hosted by multiple websites. Sometimes those components are visible, like images, and sometimes they are just bits of code you can’t see.
If a website you visit includes a component pulled from another website (a third-party), that third-party website can send and receive cookies along with the component. If you visit a different website that includes the same third-party component, the third-party can read its cookies on both sites.
This is how Facebook uses its Like buttons, and Google uses its advertising code, to track you across the web. They can tell whenever you visit a site that includes one of their components because they can read their own cookies.
Importantly, the tracking stops if you block or delete those cookies.
Session cookies, persistent cookies, and “super cookies”
Just like edible cookies, digital cookies come in different flavors. Cookies that expire whenever you close your browser are called session cookies. These are used for temporary things, like telling a website that you have logged in successfully. If a website uses session cookies for its logins then you will be logged out when you close your browser, and you will have to log in again when you next visit.
Cookies that aren’t deleted when you close your browser are called persistent cookies. Persistent cookies last until you delete them, or until they expire. These are useful for things like remembering your username, so it can be pre-filled when you visit a website you have logged out of.
For all practical purposes, persistent cookies can last forever. (On 32-bit systems cookies can’t live past 2038, but we assume you’ll be using a different device by then.)
Because third-party tracking can be defeated by users deleting their cookies, some unscrupulous advertisers have turned to other things that can offer cookie-like persistence, such as ETags or browser fingerprints. Technologies that act like cookies, but aren’t affected by blocking or deleting regular cookies, are unofficially referred to as super-cookies.
So, are cookies bad?
No. Cookies are essential to the operation of the web as we know it and used for many useful, helpful things. However, cookies can also be used for things some people don’t like, such as third-party tracking, and adverts that seem to follow you around the web.
Luckily, cookies are easy to control. All browsers let you delete cookies, and there are numerous browser add-ons that can be used to block cookies, or control what cookies you will and won’t allow.
In response to increased sensitivity about cross-site tracking, some browsers, including Firefox, Safari, and Brave, now block third-party cookies by default. Google is working on an alternative, more privacy-conscious tracking technology called FLoC, and plans to block third-party cookies in 2023.
In the European Union (EU), websites have to ask for your consent before they can set cookies, which has lead to web users seeing a profusion of cookie popups. Some people argue that this has led to “cookie fatigue“, and that privacy has not been improved.
What happens if you decline to accept cookies varies from site to site, and can range from the site working perfectly to the site not working at all.
Will a VPN stop tracking cookies?
No. A Virtual Private Network (VPN) guards your privacy by masking your IP address and your location, and by passing your traffic through an encrypted tunnel that protects it from rogue WiFi hotspots, or ISPs that want to sell advertisers information about your browsing habits.
To block or rewrite cookies, a VPN would have to look at your web traffic as it passed through its servers. VPNs can’t read encrypted communication, like HTTPS, so cookie blocking would be impossible for most web traffic.
Even it was possible it would probably cause some websites to malfunction. And if that could be overcome, privacy-loving VPN users would probably rather their VPN provider stayed out of their traffic anyway.