The most threatening kinds of spyware, which I call "true" spyware, are real software, computer programs, that actively execute on your PC and do malicious things such as record keystrokes to capture passwords as you type them, harvest email addresses, or scan your hard disk to find Social Security numbers, bank account numbers, or the passwords you use at websites. Then they use your internet connection to send the collected information to a remote computer somewhere. If you have a high-speed internet connection, they could transfer the entire contents of your hard drive to somebody else without your knowing.
Tracking cookies, by contrast, are small data files stored in one designated folder on your computer. They are not software (computer programs). They don't "run". They don't have access to your hard drive and cannot scan it for information. They are text files that can only sit there doing nothing. They are created by websites when you visit them (more correctly, they are created by the web pages you get from those sites), and they can only store whatever information that website knows about you.
That makes them sound pretty harmless in comparison to true spyware, and in a sense they are.
However, they can sometimes contain sensitive data such as about your internet browsing, and there is something special about tracking cookies that makes them different from the ordinary cookies that many websites use:
Tracking cookies are often placed on your computer not by the website you are visiting, but by one of the advertisements on the page. Your browser fetches the ad from the advertiser's website, not from the "main" site you're looking at, and the cookie it writes (known as a "third-party" cookie) is a separate cookie from the one (if any) that the main site creates (known as a "first-party" cookie).
When your browser fetches the ad, the advertiser receives information about which web page the ad is being fetched for, and they can write that data into their cookie. If they have their ads on many sites, they can collect a list of the pages you viewed on all those sites. This is how tracking cookies "track" you.
The reason they do it is to build a profile of your interests so that when you visit a new page where one of their ads is displayed, they can send you an ad tailored to what they perceive your interests to be, based on the websites and pages you've visited.
Even that might not sound so bad (and again, compared to real spyware, maybe it isn't). So far, the advertiser only knows you by your cookie. They can determine your approximate geographical location by your IP address, but they don't know your name or email address or much else about you except the list of web pages you've visited.
However, they might be able to determine by other means who you are. As an example, they could invite you to enter a contest or sweepstakes where the entry form requires your name and email address (does "Win a free iPod!" or "Congratulations, you are our 1,000,000th visitor!" sound familiar?), or they could present you with a questionnaire that (based on the interests stored in your cookie) they think you will want to fill out. Whatever information you give them can be combined with your cookie data to build a more complete profile that isn't anonymous anymore.
Antivirus and antispyware companies probably classify tracking cookies as privacy-invading spyware because of scenarios like this. Even though the cookies are not software themselves, they CAN be used in schemes that collect more data than the average web surfer realizes is possible.
