Well, I'm stupid, and didn't know what a cookie was. And then I found out, but I was still stupid, because I couldn't see why my spyware sweeper program was trying to clear out cookies. They're pretty much harmless, aren't they? But no, apparently there are Evil Cookies, which must be destroyed. So, while I'm still not convinced that I care much about 'spy cookies', at least I know what they are. And now you will too.
What is a cookie?
We are speaking specifically of an HTTP cookie, AKA a web cookie. These are small data files that a web server sends to your web browser; they are stored on your hard drive, and are used to identify you as a specific user to the website. For example, I have an Everything2 userpass cookie on my hard drive right now, so that I don't have to re-logon to E2 every time I load a new page. If you are logged on, you have one too.
Cookie files are usually text files with a unique user ID; the web server looks at the number, and knows who you are. It's like a password and username that is automatically entered by your browser.
So what is a "Spy Cookie", and what can it do?
Well... Cookies aren't computer programs. A cookie isn't a virus or a worm. They can't read information off of your hard drive, or change or delete information. But under certain restrictive circumstances, someone could try to track your web-surfing through cookies.
A basic example would be E2. You know that E2 keeps a history of what nodes you've viewed -- there's a nodelette you can put on the sidebar that shows the last nine nodes you've visited. If The Powers That Be wanted to, they could track every node you visit, and thus learn your interests and build a profile. They could then target you with relevant ads, or sell this information to a third party.
But it gets even trickier. When you visit a webpage, you are getting one cookie from the web server on which the site is located, but you may also be receiving third-party cookies -- for example, cookies from the banner ads on the page. Banners and ads are everywhere -- we all get third-party cookies, all the time. If a company (or agency, religious movement, Evil Genius, etc.) has a banner on a page that you visit, they receive a cookie. And then if they have a banner on another page that you visit, they receive another cookie. And both cookies can be identified as coming from the same user ID. They know your unique identifier, and they know what pages they came from. Thus they can track you through any page on which they have an ad. A spy cookie is any cookie used in this way. DoubleClick, one of the largest on-line advertising companies, has been accused of doing this.
While there are laws in the US and European Union about how sneaky cookies are allowed to be, it's hard to implement the laws, and really, the public doesn't care that much. There was some fuss a few years ago when first the White House drug policy office, and then later the CIA were found to be leaving cookies on the computers of people who visited their web-sites, but most of the people who were making a fuss didn't really understand what cookies were. Most people can't locate the cookies on their computers, and wouldn't know which to keep and which to delete if they did find them.
While spy cookies are real, my impression is that they mostly appear on your spyware's sweeper report because otherwise, half the time there wouldn't be anything to report. I'll still keep deleting them, tho.