Cybertelecom Federal Internet Law & Policy An Educational Project

Privacy: Cookies

Derived From: - Know the Rules Use the Tools, Privacy in the Digital Age: A Resource for Internet Users, US Senate Judiciary Committee, p. 4-5 (n.d.)

"Many consumers have the mistaken impression that their conduct on the Internet is anonymous. This is often not the case. Many websites utilize various technologies, such as “cookies,” to collect information from consumers as they visit the website. “Cookies” are electronic tags that are placed on the hard drive of an individual user’s computer by Internet sites while the individual is on the Internet. Cookies can store information about the individual user, such as the user’s name, credit card numbers, websites visited, e-mail addresses, personal preferences or spending patterns. Although, this information generally is collected and stored (on the hard drive in a cookie file), and is used benignly to personalize a consumer’s visit to a website, it is often collected without the knowledge or consent of the user. Once a cookie is in place, the user’s Internet browser checks every time the user visits a particular site to see if there are any cookies for that site. If there are, the browser sends the cookie information to the site. The Cookie Central website provides a brief outline of the different ways companies utilize cookie technology:

• Targeted Marketing: Cookies allow sites to build a profile on where individuals go while on the Internet, the advertisements they click on, and their primary interests, and then target specific advertisements to particular consumers based on the profile.
• Website Tracking: Using cookies allows sites to track where consumers go while on the web, enables them to count accurately how many people have visited a site (distinguishing between 25 individuals and one person hitting the reload button), and lets sites see which users may have left the site because there were no interesting links.
• Online Ordering Systems: Known as “shopping baskets,” some cookies store information on individual buying preferences. When a consumer enters a site and spends time selecting items but exits abruptly without ordering, the items selected will be stored in cookies for weeks or even years.
• Site Personalization: Cookies also are used to customize websites, such as news sites, for the user. These cookies allow a user to select articles in subject areas of interest, such as news or sports.

See also Network Neutrality Deep Packet Inspection

"In addition to these widely used and often beneficial applications of cookie technology, other uses are conceivable and have been reported. For example, cookie technology could track and enable the sale of information regarding an individual’s Internet research on sensitive matters, such as a medical condition. The World Wide Web Consortium has explained:

Cookies cannot be used to “steal” information about you or your computer system. They can only be used to store information that you have provided at some point. To give a benign example, if you fill out a form giving your favorite color, a server can turn this information into a cookie and send it to your browser. The next time you contact the site, your browser will return the cookie, allowing the server to alter background color of its pages to suit your preferences.

However cookies can be used for more controversial purposes. Each access your browser makes to a website leaves some information about you behind, creating a gossamer trail across the Internet. Among the tidbits of data left along this trail are the name and IP address of your computer, the brand of browser you’re using, the operating system you’re running, the URL of the Web page you accessed, and the URL of the page you were last viewing. Without cookies, it would be nearly impossible for anyone to follow this trail systematically to learn much about your web browsing habits. They would have to reconstruct your path by correlating hundreds or thousands of individual server logs. With cookies, the situation changes considerably.

Timeline

• 2001: Kristol, David; HTTP Cookies: Standards, privacy, and politics, ACM Transactions on Internet Technology, 1(2), 151–198, 2001,
• 2000:
  • D. Kristol, L. Montulli, HTTP State Management Mechanism, IETF RFC 2965 (Oct. 2000)
  • White House prohibits use of cookies except in certain circumstances
• 1998
  • USPTO grants cookie patent US5774670 Persistent client state in a hypertext transfer protocol based client-server system, Lou Montulli
  • Dept. of Energy, Computer Incident Advisory Committee, issues information bulletin I-034 (1998): Internet Cookies, archived "Vulnerability Assessment: The vulnerability of systems to damage or snooping by using web browser cookies is essentially nonexistent. Cookies can only tell a web server if you have been there before and can pass short bits of information (such as a user number) from the web server back to itself the next time you visit. Most cookies last only until you quit your browser and then are destroyed. A second type of cookie known as a persistent cookie has an expiration date and is stored on your disk until that date. A persistent cookie can be used to track a user's browsing habits by identifying him whenever he returns to a site. Information about where you come from and what web pages you visit already exists in a web server's log files and could also be used to track users browsing habits, cookies just make it easier."
• 1997: D. Kristol, L. Montulli, HTTP State Management Mechanism, IETF RFC 2109 (Feb. 1997) (“This document specifies a way to create a stateful session with HTTP requests and responses. It describes two new headers, Cookie and Set-Cookie, which carry state information between participating origin servers and user agents.”)
• 1996: Financial Times publishes article on cookies. Jackson, T "This Bug in Your PC is a Smart Cookie". Financial Times (02-12-1996).
• 1995
  • Internet Explorer incorporates cookies
  • First FTC Workshop on Internet and Privacy discusses privacy implications of cookies
• 1994:
  • Louis J. “Lou” Montulli, Netscape, invents cookies. Netscape browser incorporates cookies.
  • Persistent client state HTTP cookies: Preliminary specification". Netscape. 1994 Archive.com (“Cookies are a general mechanism which server side connections (such as CGI scripts) can use to both store and retrieve information on the client side of the connection. The addition of a simple, persistent, client-side state significantly extends the capabilities of Web-based client/server applications.”)
• Pre-1994: Lou Montulli, The Reasoning Behind Web Cookies, The irregular musing of Lou Montulli, (May 14, 2013) (“One of the problems faced in the early years of the web was how to create websites that had "memory" for individual users. The uses of "memory" on a website are many: shopping carts for shopping, personalized content, logging in, and many other interactive features require memory. The problem in 1994 was a lack of mechanisms to identify a user individually. HTTP was designed to be fast and efficient and part of its design was to connect to a website, grab a document and then disconnect. This freed up the website to serve other customers, but it also meant that there was no concept of a session. Without a session, each time a user clicked to move to a different page they would become just another random user with no way to associate them with an action they had done just moments ago. This is a bit like talking to someone with Alzheimer disease. Each interaction would result in having to introduce yourself again, and again, and again.”)

Caselaw / Enforcement

• FTC Approves Final Consent Order with Online Company Charged with Deceptively Tracking Consumers Online and Through Mobile Devices, FTC April 21, 2017
• FCC Settles Verizon "Supercookie" Probe, Requires Consumer Opt-In For Third Parties. Verizon Wireless to Obtain Affirmative Consent from Consumers Before Sending Unique Identifier Headers to Third Parties. EB [Kastrenakes, Jacob, "FCC fines Verizon $ 1.35 miillion over 'supercookie' tracking," TheVerge, March 7, 2016]
• Pharmatrak, Inc., 329 F.3d 9 (1st Cir. 2003) (held use of cookies was illegal under ECPA because consent was not present on part of pharmaceutical websites where advertiser placed cookies)
• DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y 2001) ("held that using cookies to gather information for behavioral advertisements did not violate U.S. privacy law" ECPA, Wiretap Act, CFAA).

Papers

• USG
  • Know the Rules Use the Tools, Privacy in the Digital Age: A Resource for Internet Users, US Senate Judiciary Committee, p. 11-12 (n.d.
• Gunes Acar, Christian Eubank, Steven Englehardt2, Marc Juarez, Arvind Narayanan, Claudia Diaz, The Web Never Forgets: Persistent Tracking Mechanisms in the Wild ACM ("We present the first large-scale studies of three advanced web tracking mechanisms — canvas fingerprinting, evercookies and use of “cookie syncing” in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it. We then present the first automated study of evercookies and respawning and the discovery of a new evercookie vector, IndexedDB. Turning to cookie syncing, we present novel techniques for detection and analysing ID flows and we quantify the amplification of privacy-intrusive tracking practices due to cookie syncing.")
• Altaweel I, Good N, Hoofnagle C. Web Privacy Census. Technology Science. 2015121502. December 15, 2015. ("In 2011, we started surveying the online mechanisms used to track people online (e.g., HTTP cookies, Flash cookies and HTML5 storage). We called this our Web Privacy Census. We repeated the study in 2012. In this paper, we update the study to 2015.")
• SOLTANI , A., C ANTY , S., M AYO , Q., T HOMAS , L., AND H OOFNAGLE , C. J. Flash cookies and privacy, August 11 2009
• Chris Shaw, Cookies and the Internet: A Bad Batch? Georgia State University College of Law, Law & the Internet, Professor Patrick Wiseman Fall 2001
• Marc S. Roth, Beware of Cookies: Do Marketers That Track a User's Online Activities Threaten Privacy?, 23 Nat'l L.J. (August 20, 2001)
• David M. Kristol. HTTP Cookies: Standards, Privacy, and Politics. ACM Transactions on Internet Technology, 1(2):151{198, November 2001

Articles

• Susan Scutti, The Psychology of Privacy in the Era of the Internet of Things, CNN March 22, 2017
• Privacy Lawsuit Targets Net Giants Over 'Zombie' Cookies, Wired 7/28/2010
• Privacy lawsuit targets 'Net giants over "zombie" cookies, Ars Technica 7/28/2010
• You Deleted Your Cookies? Think Again, Wired 8/11/2009
• John Schwartz, Giving Web a Memory Cost Its Users Privacy, New York Times, Sept. 4, 2001,