The IT Law Wiki
Line 37: Line 37:
 
== Benefits of cookies ==
 
== Benefits of cookies ==
   
{{Quote|The ability to place cookies is highly valuable to [[ad network]]s. In fact, [[advertiser]]s are willing to pay a premium of between 60 and 200 percent for [[targeted ad]]vertisements based on cookies.<ref>[[Cookies: Leaving a Trail on the Web]], at 13.</ref>}}
+
{{Quote|''The ability to place cookies is highly valuable to [[ad network]]s. In fact, [[advertiser]]s are willing to pay a premium of between 60 and 200 percent for [[targeted ad]]vertisements based on cookies.''<ref>[[Cookies: Leaving a Trail on the Web]], at 13.</ref>}}
   
 
Cookies can provide significant benefits to [[online user]]s. For example, [[website]]s often ask for [[user name]]s and [[password]]s when purchases are made or before certain kinds of [[content]] are provided. Cookies can [[store]] these [[username|names]] and [[password]]s so that consumers do not need to sign in each time they visit the [[website|site]]. In addition, many [[website|sites]] allow consumers to set items aside in an [[electronic shopping cart]] while they decide whether or not to purchase them; cookies allow a [[website]] to remember what is in a consumer’s [[shopping cart]] from prior visits. Cookies also can be used by [[website]]s to offer personalized [[home page]]s or other customized [[content]] with local news and weather, favorite stock quotes, and other material of interest to individual consumers. Individual [[online merchant]]s can use cookies to track consumers' purchases in order to offer recommendations about new products or sales that may be of interest to their established customers. Finally, by enabling businesses to monitor [[traffic]] on their [[website]]s, cookies allow businesses to constantly revise the design and layout of their [[website|sites]] to make them more interesting and efficient.
 
Cookies can provide significant benefits to [[online user]]s. For example, [[website]]s often ask for [[user name]]s and [[password]]s when purchases are made or before certain kinds of [[content]] are provided. Cookies can [[store]] these [[username|names]] and [[password]]s so that consumers do not need to sign in each time they visit the [[website|site]]. In addition, many [[website|sites]] allow consumers to set items aside in an [[electronic shopping cart]] while they decide whether or not to purchase them; cookies allow a [[website]] to remember what is in a consumer’s [[shopping cart]] from prior visits. Cookies also can be used by [[website]]s to offer personalized [[home page]]s or other customized [[content]] with local news and weather, favorite stock quotes, and other material of interest to individual consumers. Individual [[online merchant]]s can use cookies to track consumers' purchases in order to offer recommendations about new products or sales that may be of interest to their established customers. Finally, by enabling businesses to monitor [[traffic]] on their [[website]]s, cookies allow businesses to constantly revise the design and layout of their [[website|sites]] to make them more interesting and efficient.
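Review bot: on the added {{Quote|…}} line, the italics are hard-coded with '' … '' around the quoted sentences. If quotations are meant to render in italics, set that once in the Quote template rather than in each call, so that other quotes are not styled differently from this one. Keeping the <ref> outside the italic markup, as this line does, is correct.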

Revision as of 05:05, 28 November 2014

Definitions

A cookie is

  • [a] small data file that is stored on a user's local computer for record-keeping purposes that contains information about the user that is pertinent to a Web site, such as a user preference.[1]
  • a small text file that a website's server places on a computer's web browser.[2]

Overview

The cookie transmits information back to the website's server about the browsing activities of the computer user on the site. This includes information such as pages and content viewed, the time and duration of visits, search queries entered into search engines, and whether a computer user clicked on an advertisement.

Cookies also can be used to maintain data related to a particular individual, including passwords or items in an online shopping cart. In some contexts, such as where a number of separate websites participate in a network, cookies can be used to track a computer user across different sites.

The cookie was developed to enable a website owner to keep track of a particular user’s activity within the site.[3] Cookie technology allows the website’s server to place information about a user’s visits to the site on the user's computer in a text file that only that website’s server can read.

Typically, a cookie comprises:

  • a name for the cookie (chosen by the website you are visiting);
  • a value (unique number for the cookie) (determined by and stored by the website for future recognition and action);
  • an expiration date;
  • a valid path (details about the Web page(s) that the visitor was on when the cookie was sent);
  • a valid domain (the name of the website that created and can retrieve the cookie); and
  • a secure connection requirement (if the cookie is marked "secure," it will only be transmitted if the visitor is connected to a secure website).

Using cookies, a website assigns each user a unique identifier (not the actual identity of the user), so that the user may be recognized in subsequent visits to that site. On each return visit, the site can call up user-specific information, which could include the user's preferences or interests, as indicated by specific web pages or documents the user accessed in prior visits or items the user clicked on while visiting the site. Cookies can store information that facilitates the interaction between the user and the website.

Cookies may be placed on an individual's computer when an individual visits a website affiliated with the online advertisement supplier; however, the exact moment of cookie placement may be different when the relevant advertising partnership is between a user’s Internet service provider (ISP) and an online advertising provider. A 2010 survey indicated that almost 80% of online service providers interviewed are collecting data from cookies.[4]

An expiration date feature allows cookies to be set to remain on a user's computer either permanently (a persistent cookie) or for a specified length of time, such as for a single Web session (session cookie).
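The components listed above, and the session/persistent distinction, can be read directly from a `Set-Cookie` response header. The following is an added example, not part of the original article; the header values, host names and function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values for illustration (not from the article).
SAMPLE_HEADERS = [
    "lang=es; Expires=Wed, 28 Nov 2035 05:05:00 GMT; Path=/; Domain=news.example",
    "cart=8f3a1c; Path=/shop; Domain=shop.example; Secure",
    "uid=42; Max-Age=31536000; Path=/; Domain=ads.example",
]


def describe_cookie(header_value):
    """Split one Set-Cookie value into the components listed in the article."""
    jar = SimpleCookie()
    jar.load(header_value)
    if not jar:
        return None  # nothing parseable in the header
    name, morsel = next(iter(jar.items()))
    # No Expires and no Max-Age means the cookie ends with the browser session.
    persistent = bool(morsel["expires"] or morsel["max-age"])
    return {
        "name": name,
        "value": morsel.value,
        "expires": morsel["expires"] or morsel["max-age"] or None,
        "path": morsel["path"] or None,
        "domain": morsel["domain"] or None,
        "secure": bool(morsel["secure"]),
        "kind": "persistent" if persistent else "session",
    }


def persistent_without_secure(headers):
    """Names of long-lived cookies that may travel over unencrypted HTTP."""
    parsed = [describe_cookie(h) for h in headers]
    return [c["name"] for c in parsed
            if c and c["kind"] == "persistent" and not c["secure"]]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(describe_cookie(header))
    print("persistent, not Secure:", persistent_without_secure(SAMPLE_HEADERS))
```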

As an example of how a permanent or persistent cookie functions, consider the online version of a newspaper. If a subscriber whose native language is Spanish informs the website that he prefers to download the Spanish edition of the newspaper, the newspaper can store that information in a cookie file on the user’s hard drive. When the subscriber next visits the newspaper’s website, the site retrieves the language preference information from the cookie and automatically sends the Spanish-language edition to the user. Temporary cookies can be created during online shopping expeditions. The cookies can tag the shopper's intended purchases to facilitate the ordering process and then expire after a purchase is made.

Consumers can also delete the cookie files stored on their computers. Deletion will not erase any information stored on the advertiser's server, but it will prevent future Web activity from being associated with past activity through the identification number of the deleted cookie.

Benefits of cookies

The ability to place cookies is highly valuable to ad networks. In fact, advertisers are willing to pay a premium of between 60 and 200 percent for targeted advertisements based on cookies.[5]

Cookies can provide significant benefits to online users. For example, websites often ask for user names and passwords when purchases are made or before certain kinds of content are provided. Cookies can store these names and passwords so that consumers do not need to sign in each time they visit the site. In addition, many sites allow consumers to set items aside in an electronic shopping cart while they decide whether or not to purchase them; cookies allow a website to remember what is in a consumer’s shopping cart from prior visits. Cookies also can be used by websites to offer personalized home pages or other customized content with local news and weather, favorite stock quotes, and other material of interest to individual consumers. Individual online merchants can use cookies to track consumers' purchases in order to offer recommendations about new products or sales that may be of interest to their established customers. Finally, by enabling businesses to monitor traffic on their websites, cookies allow businesses to constantly revise the design and layout of their sites to make them more interesting and efficient.

Network advertisers' use of cookies and other technologies to create targeted marketing programs also benefits both consumers and businesses. Targeted advertising allows customers to receive offers and information about goods and services in which they are actually interested. Targeted advertising can also improve a consumer's Web experience simply by ensuring that she is not repeatedly bombarded by the same ads. Businesses benefit from the ability to target advertising because they avoid wasting advertising dollars marketing themselves to consumers who have no interest in their products. Additionally, targeted advertising helps to subsidize free content on the Internet.

Privacy issues

Once the cookie is in place, it gathers certain information related to that user’s online activity on a continuous basis and relays that information to the online advertising provider. Because the website owner determines what information is placed in a cookie, the cookie may contain personally identifiable information about the user, including bank account or credit card numbers.

The advertising provider assembles that data into an individual profile that is then used to target advertising to that user's interests. This information is often shared with third parties that are unknown to the user. This process is ongoing, but, in general, the user may opt out of continued monitoring at any point, assuming they are aware that it is occurring.

Cookies can in theory be used to infer damaging personal information about particular users, such as the fact that a user has a certain medical condition. Even less immediately controversial inferences, like the age of a user, can enable criminals to target the very young or elderly with fraudulent advertisements.[6]

In most types of behaviorally targeted advertising technology, the advertising firm gathers information about user activities on websites that are affiliated with the advertising firm. The online behavioral advertiser DoubleClick, for instance, operates on this model. Information on individual users is transmitted to DoubleClick by DoubleClick's clients.

In a newly emerging behavioral advertising model, the advertising provider is attempting to partner with the users' ISP. This partnership will presumably grant the advertising provider access to all web activity in which an ISP's subscribers engage. Both of these types of potential partnerships raise a number of questions regarding potential violations of existing privacy protections in federal law.

"Information resellers can use the information in cookies to supplement information from their databases—matching information by individuals' name and e-mail addresses — to augment profiles on individual consumers. Third parties also can synchronize their cookie files with resellers' cookie files to obtain additional information to enhance consumer profiles. Some advertisers use so-called third-party cookies — placed on a visitor's computer by a domain other than the site being visited — to track visits to the various websites on which they advertise. Although not required by law, some web browsers, such as Apple's Safari and Mozilla's Firefox, have privacy settings that allow users to block third-party cookies or turn on do-not-track features. However, honoring the do-not-track setting is voluntary on the part of website operators."[7]

Security issues

Cookies vary in the amount of security they provide for the information they contain. Cookies often store data in plaintext, which could allow an unauthorized party that accesses a cookie to use or alter the data stored in it. Some websites create encrypted cookies, which protect the data from unauthorized access.
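The alteration risk described above can be detected by the server when it attaches a keyed integrity tag to the cookie value. The following is an added example, not part of the original article; it uses an HMAC tag rather than the encryption the article mentions, so the value stays readable but a changed value is rejected. The key, cookie values and function names are constructed.

```python
import hashlib
import hmac

# Constructed demo key; a real server key is random and kept secret.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_cookie(value, key=SERVER_KEY):
    """Return 'value.tag', where tag is an HMAC-SHA256 over the value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the original value if the tag matches, otherwise None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag present: treat as an unsigned plaintext cookie
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return value
    return None


if __name__ == "__main__":
    issued = sign_cookie("tier=basic")
    altered = issued.replace("basic", "premium")  # value changed on the client
    print(verify_cookie(issued))   # accepted
    print(verify_cookie(altered))  # rejected
```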

Most Web browsers can be configured to prompt users to accept or reject each cookie, or to accept or reject session cookies automatically while either prompting users for each persistent cookie or rejecting persistent cookies automatically. Most Web browsers also can be configured to allow cookies to be set only for the website the user visited (known as first-party cookies), not for the websites of advertisers and other parties (known as third-party cookies). Permitting first-party cookies and blocking third-party cookies can be very helpful in reducing the number of tracking cookies placed onto a system.

The browsers' default setting, however, is to permit placement of cookies without any notification. Because many websites require users to accept cookies in order to view their content, or make multiple attempts to place cookies before displaying content, the notification process may unacceptably frustrate consumers' ability to surf the Web efficiently.

Use of cookies on federal websites

Pursuant to a 2000 memorandum from the Office of Management and Budget,[8] there is a presumption that cookies will not be used on federal websites. Under this policy, cookies are not to be used on federal websites, or by contractors when operating websites on behalf of federal government agencies, unless, in addition to clear and conspicuous notice, the following conditions are met:

  • a compelling need to gather the data on the site;
  • appropriate and publicly disclosed privacy safeguards for handling of information derived from cookies; and
  • personal approval by the head of the agency.

In addition, it is federal policy that all federal websites and contractors when operating on behalf of federal agencies shall comply with the standards set forth in the Children's Online Privacy Protection Act of 1998 with respect to the collection of personal information online at websites directed to children.

References

  1. Privacy Technology Focus Group Final Report, App. B, at 52.
  2. Self-Regulatory Principles For Online Behavioral Advertising, at 2 n.3.
  3. In 1995, the Internet Engineering Task Force (IETF) initiated a standardisation process for cookies. In 2000, IETF published RFC 2965, "HTTP State Management Mechanism," which specified a way to create a stateful session with HTTP requests and responses.
  4. ENISA, Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments (2010) (full-text).
  5. Cookies: Leaving a Trail on the Web, at 13.
  6. Online Advertising and Hidden Hazards to Consumer Security and Data Privacy, at 13.
  7. Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace, at 22-23.
  8. OMB Memorandum M-00-13.

Source

  • Privacy Law and Online Advertising: Legal Analysis of Data Gathering By Online Advertisers Such As Double Click and NebuAd.

External resources

  • Pam Dixon, "Consumer Tips: How to Opt-out of Cookies that Track You" (World Privacy Forum 2009) (full-text).
  • David Kristol, "HTTP Cookies: Standards, Privacy, and Politics," 1 ACM Transactions on Internet Technology 151 (2001) (full-text).
  • Seth Schoen, "New Cookie Technologies: Harder to See and Remove, Widely Used to Track You" (Sept. 2009) (full-text).
  • Ashkan Soltani, Shannon Canty, Quentin Mayo, Lauren Thomas & Chris Jay Hoofnagle, "Flash Cookies and Privacy" (Technical report, Univ. of Cal. Berkeley 2009) (full-text).
  • U.S. Department of Energy Computer Incident Advisory Capability (CIAC), "I-034: Internet Cookies" (Mar. 12, 1998) (full-text).
