Categories
The Industry

Those Annoying Cookies

There has been a lot of uproar recently about how ISPs are now able to monetize our browsing history. It’s certainly scary thinking that a company can record what you do on-line and then sell this information to others who can use it for reasons unknown.

But we are already being tracked today (and have been for some time) to some extent by cookies put onto our computers when we visit websites. Cookies are not automatically bad, but many cookies were designed for the express purpose of spying on us and to track and record our web behavior.

Cookies differ from viruses, worms, trojan horses and other kinds of malware which are active pieces of code that can make almost any imaginable change to a computer. Lately ransomware is the worst of the new viruses which encrypts your hard drive and won’t unlock it until you pay a ransom fee to have the virus removed (and often then your system still won’t unlock).

Cookies instead are strings of text stored on your computer. In the most benign cases a cookie can be a time log that records when you visited a given web site so that the web site owner will recognize you when you return. And many benign cookies are friendly and convenient and are used to store your log-on passwords so that you don’t have to log in every time you visit a web site. But since cookies are text files they can record a lot more information and in the most extreme cases can be used as a place to record your browsing history – the same thing we are worried about the ISPs monetizing.

Cookies are routinely used by retail shopping sites. They not only record who you are but they know what you viewed and what you purchased at a site. These adware cookies allow a web site owner to direct you to a tailored page when you visit their site based upon your past history on the site. They may send a previous shopper to a page showing the things you are interested in, or for a non-shopper may offer discounts to lure you to buy.

Shopping sites and others similar web services like cookies because it’s the only easy tool they have to identify you. If you browse a website without somehow logging in to identify yourself a web site has no idea that you have been to their site before. All that any web site can see from a non-identified user is the identity of the ISP you use to get to that site. But by putting a cookie on your computer, even if a web owner doesn’t know your name, they know your past behavior at their site and the cookie provides a ‘memory’ about you.

Of course, some cookies are more aggressive. Once sitting on your hard drive they can gather data that identifies more about who you are, so that when you return to a web site the owner might know your identity and can tailor items and prices to you.

Years ago it was fairly easy to deal with cookies. They often were named for the web service that created them, such as your bank or the log-in page to your ISP. We learned not to delete these cookies in order to avoid having to log in every time we visited a web site or service. But today there are huge volumes of cookies.

I rarely do anything personal on my work computer. I rarely shop from it, play games, watch video or do anything personal. I mostly use my work computer to do research and to read industry articles. I also run an ad blocker to minimize ads that can see my computer. Even with this limited use I get hundreds of cookies every week. Most people don’t realize that when you visit a web page with ads that many of those ads dump a cookie on your computer – and you don’t need to click on the ad for this to happen. Many web sites have been created just for this purpose, such as web sites that make you click through multiple pages of a ‘slide show’ to see the ten cutest puppies or the ten best town in America. Those sites are ad heavy and pound your computer with cookies and sometimes even malicious malware.

The worst thing about cookies to me is that I don’t know who is placing cookies on my computer or what they want to use them for. Since some cookies can be malicious I worry that they are recording my web browsing history or passwords or other information I want to keep private. The worst of the bad cookies are persistent and bury themselves in places that are hard to find. These kinds of cookies cross the line to look more like viruses, but it’s still considered to be a cookie if it just records things and become a virus when the actively change something on the computer.

I sometimes wonder if we worry about the wrong things in the cyberworld. ISPs certainly have the opportunity to know a lot of things about me, but they also are likely to be at least a little cautious about blatantly abusing their customers. It seems more likely that most big ISPs will use our data for their own market purposes and may not sell our data to competitors or the wide world.

But the people who put cookies on our computers don’t have any such restraints. They get on our computers anonymously and we have no idea what they are doing with any given cookie. It’s now well-known that there have been detailed profiles created about each of us and I have to think that a lot of the data used to populate these profiles comes from cookies. Most people I talk to do not use ad blockers or routinely purge cookies the same way I do – and I don’t even know if what I do really makes a difference. If there are even just a handful of the more malicious cookies hidden on my computer somebody might already be tracking a lot of the things I do.

Categories
What Customers Want

Productizing Safety

The Internet is becoming a scarier place by the day to the average user. It seems like a week doesn’t go by when there isn’t news of some new and huge data breach or other nefarious use of the web. But as much as those big events might create a general industry sense of unease, these announcements also make people worried about their own individual Internet security.

The big ISPs like AT&T crow about recording and monetizing everything that their customers do on the web. And with a likely weakening or elimination of Title II regulation by the FCC this is likely to intensify. Every web site parks cookies on the computers of their visitors, and the bigger sites like Facebook and Google gather every fact fed to them and peddle it to the advertising machine. There are hackers that lock down PCs and hold them hostage until the owner pays a ransom. There are smart TVs that listen to us and IoT devices that track our movements inside our homes. There was news this week that smartphones with a certain Chinese chip have been sending every keystroke back to somebody in China.

All of this has to be making the average Internet user uneasy. And that makes me wonder if there is not a product of some sort that smaller ISPs can offer to customers that can make them feel safer on the web.

Savvy Internet users already take steps to protect themselves. They use ad blockers to reduce cookies. They use browsers like DuckDuckGo that don’t track them. They use encryption and visit sites using HTTPS. They scrub their machine regularly of cookies and extra and unidentified files. In the extreme some use a VPN to keep their ISP from spying on them.

Small ISPs are generally the good guys in the industry and don’t engage in the practices used by AT&T, Comcast and Verizon. I know some small ISPs that try to communicate to their customers about safety. But I think safety is now one of the biggest worries for people and I think small ISPs can do more.

Customers can really use the help. It’s easy to assume that customers ought to understand basic safety procedures, but the vast majority of them load some sort of virus protection on their PC the day they buy it and never think of safety again. They repeatedly do all of the bad things that lead to trouble. They open attachments on emails. They don’t update their software to have the latest security patches. They use social media and other sites without setting basic privacy filters.

I think there is an opportunity for small ISPs to be proactive in helping to make their customers feel safer, and in the process can create more loyal customers. I think there are two possible ways to undertake this. One is an intensive education campaign to inform customers about better web practices. I’m not talking about the occasional safety reminder, but instead a steady and concentrated effort to tell your customers ways to be safer on the web. Brand yourself as being a provider that is looking out for their safety. But don’t pay it lip service – do it in a proactive and concentrated way.

I also think there is a space for a ‘safety’ product line. For example, I have clients who run a local version of the Geek Squad and who repair and maintain people’s computers. It would not be hard to expand on that idea and to put together a ‘safety’ package to sell to customers.

Customers could have a service tech come to their home for a day each year and you could ‘fix’ all of their safety weaknesses. That might mean installing ad blockers and a spyware scrubber. It would mean updating their browsers and other software to the latest version. It could mean helping them to safely remove software they don’t use including the junkware that comes with new computers. It might include making sure they are using HTTPS everywhere. It also might mean selling a VPN for those who want the highest level of security.

I have clients who have been selling this kind of service to businesses for years, but I can’t think of anybody who does this in any meaningful way for residential customers. But since the web is getting less safe by the day there has to be an opportunity for small ISPs to distinguish themselves from larger competitors and to also provide a needed service – for pay of course.