Cookies and Privacy

Many methods are used today to collect data on internet users. Browser fingerprinting, cookies, and server logs are the kinds of methods used to collect data on internet users. This blog will concentrate on cookies and more recently “flash cookies” or “super cookies”. Cookies can violate a user’s privacy and has many users concerned. Currently there are not any laws concerning cookies but with the new “super cookies” lawmakers are taking notice. There are methods for concerned internet users to protect their privacy but with the speed of new technology these protections can often be bypassed.

A cookie is a small text file that a web server sends to your computer every time you visit a website. These text files are stored on your hard drive so servers can access them when you make a repeat visit to a website. The original purpose of cookies was so that returning users to a website did not have to keep supplying the same information over numerous visits to the website. Cookies record this information. For example, if you return to a website that uses a password and username the cookie is what keeps you from having to keep supplying the same information. Without going in too much detail, “Cookies are not computer programs and cannot start up an invasive program. Also they can only contain the information that a user willingly allows a cookie access to by filling out forms on the web site.”(Siemer) Cookies allow web developers to make improved web applications, applications that are more user friendly and increase their interactivity.

“Flash cookies” or Local Shared Objects are similar to HTTP cookies. Flash cookies are a more current way of tracking your internet movement and storing much more information than with HTTP cookies. HTTP cookies hold 4kb of data while LOC’s hold 100kb of data. These cookies are sometimes called “super cookies” and “zombie cookies” because “some super cookies have additional capabilities, like regenerating regular cookies to prevent their removal by the user. This type of cookie secretly collects user data beyond the limitations of common industry practice, and thus raises serious privacy concerns.” ( Supercookies)

Cookies can violate a user’s privacy because with flash cookies, regardless of how they set their privacy settings in their browser, these cookies still allow their preferences and internet use to be tracked. Most users do not even know these cookies exist on their computers. Internet companies can collect data using flash cookies on websites visited, buying habits, advertisements clicked on, and many other habits. They can sell this data to online advertising companies and they can target you based on your preferences and internet habits. Supposedly flash cookies can not reveal any personal information on a user such as name, address, and credit card numbers but people still feel uneasy when putting this information on a website to make a purchase. In a recent article in the New York Times, Ms. Person Burns, a concerned citizen that is taking legal action against companies that track computer user’s activity on the internet, quoted, “I thought that in all the instructions that I followed to purge my system of cookies, I thought I had done that, and I discovered I had not,” she said. “My information is now being bartered like a product without my knowledge or understanding.”(Vega) This is a common concern for people whom value their privacy.

There are no current laws in the United States concerning cookies. The Computer Abuse and Fraud Act is the only law that I could locate doing research for this essay that comes close to concerns over cookies. The law states: “The CFAA prohibits accessing and obtaining information from a computer without authorization, and permits any person who suffers damage or loss to institute an action for compensatory damages and injunctive or other equitable relief. Notably, any damage or loss must be greater than or equal to $5,000 per person.”(KHlaw) Currently individuals are relying on lawsuits against internet companies for claims of violating their privacy and monetary loss but most are dismissed by the courts. On August 18, 2011 the Bose v. Interclick lawsuit was dismissed. The courts sighted that the plaintiff could not show a monetary loss. The court also stated: “Bose . . . fails to allege specific damage or loss incurred due to alleged interruption of service, or costs incurred to remedy the alleged interruption of service. Even if a flash cookie may reach up to 100 kilobytes in size and may occupy space on Bose’s hard drive, Bose fails to demonstrate that the flash cookie caused damage, a slowdown, or a shutdown to her computer.”(Technology) The court also stated that: “personal data and demographic information concerning consumers are constantly collected by marketers, mail-order catalogs and retailers. The collection of demographic information does not ‘constitute damage’ to consumers or unjust enrichment to collectors. Advertising on the internet is no different from advertising on television or in newspapers. Even if Bose took steps to prevent the data collection, her injury is still insufficient to meet the statutory threshold.”(Technology)

In the United Kingdom there is a strict law concerning cookies that just went into effect in May of 2011 and internet companies have one year to comply. Basically the new law affects every internet company operating in the UK. The new law states that every internet company must specifically let users know what cookies are and have readily available means to opt out. Many UK companies put this in their privacy policies but that was not good enough. The new law states that: “6. (1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met. (2) The requirements are that the subscriber or user of that terminal equipment – (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) is given the opportunity to refuse the storage of or access to that information.”( Rooney) The new law has UK internet companies panicking because web developers use cookies for many other things than tracking users. Some people in the UK think it is a death sentence for UK internet companies.

Users themselves can use privacy tools on their own computers to protect themselves if they know how to use these tools. Most users are just “users” and are not computer savvy enough to block flash cookies. Most users know how to stop regular cookies in their browser settings but this does nothing to stop flash cookies being placed on your hard drive.  Adobe recommends using their settings manager to manage flash cookies. For most people it is very cumbersome. If you change your settings you really do not know which sites will be affected and which sites you may not even be able to visit. Flash is on 98% of all websites.

There is no easy answer with privacy concerns over cookies. Internet companies are in charge of policing themselves when it comes to cookies. Even if internet companies make it easier for the public to have more control over cookies placed on their computers, they really do not have control over third party advertisers and what they do with the data. Now that people are taking notice of these new “cookies” government officials are starting to get involved. Bloomberg Business week reported on September 27, 2011 that two US lawmakers, Representatives Edward Markey, a Massachusetts Democrat, and Joe Barton, a Texas Republican, wrote in a letter to the Federal Trade Commission “that they should investigate the use of so-called “supercookies” to track consumers online.”(Engleman) “I think supercookies should be outlawed because their existence eats away at consumer choice and privacy,” Barton said in a news release. (Engleman) “Companies should not be behaving like supercookie monsters, gobbling up personal, sensitive information without users’ knowledge,” Markey said. (Engleman) For the time being internet users are going to have to fend for themselves. They need to do a little research and see what they can do on their own computers. I am sure, that in the near future, changes will be made as in the UK. Cookies help web developers make better websites that keep us all from getting frustrated. As with anything else, you have to take the good with the bad.