Are cookies hazardous to your privacy? Cookies allow businesses to collect information about Internet users, but some question whether they are valuable records or unethical tracking mechanisms. (NetWise).
* Defines cookies and their uses
* Poses questions about cookies and privacy
"Good morning, we have four new books that may interest you ..."
A moment ago you arrived at a Web site, and suddenly that Web site not only knows your name but your interests as well. You're impressed; they may make a sale. But how did they find out that you were visiting their Web site, and how did they learn what you were interested in?
Hidden inside virtually every Internet browser are tiny files that may allow others to invade a user's privacy. These files enable companies to track users' Internet surfing, record their online purchases, and greet them by name when they visit a Web site. They are "cookies."
A cookie is a piece of information passed between an Internet server and a user's Web browser. This information is used by the server to track the specific Web browser (and thus, the user) that is making a specific request of the server. Generally, this bit of information is a string of text. The text includes an identifier for the server leaving the cookie with the user and a unique identifier for the user (in some cases by name) or his or her computer.
When the server answers the request and sends the cookie, it also often obtains some information about the user and his or her computer. For example, if the user has logged into the site, his or her login information (and whatever information he or she has associated with that login) can be (but typically is not) associated with the cookie identifier. At bare minimum, the Web server will be able to determine the user's Internet Protocol (IP) address, the type of Web browser being used, and the computer's operating system.
There are many uses for cookies. A cookie may be used to track the "login" status of a user for both the current session and future sessions. This conveniently eliminates the need for the user to continually enter his or her name and password or other identifiers.
It is possible to avoid cookies while surfing the Internet. Unfortunately, avoiding cookies may prevent a user from accessing information or obtaining services. Most Internet browsers have a feature that allows the user to "turn off" cookies. In Netscape Navigator, the user should go to "Preferences," and then open the "Advanced" settings. In the "Advanced" window, the user has a number of choices. The user can elect to "Accept all cookies," "Accept only cookies that get sent back to the originating server," completely "Disable cookies," or "Warn me before accepting a cookie." In the last case, the user will get a message asking if he or she wants to accept a cookie whenever one is encountered. This can get annoying as cookies are found on virtually every site.
In Microsoft Internet Explorer, select "Internet Options," then open the "Security" tab. Selecting a "High" security level automatically turns cookies off. If a custom level of security is selected, choices depending upon the nature of the cookies are offered. If the cookies are "persistent" (the cookies are stored on the PC for a period of time), the user may select a choice of "Enable," "Disable," or "Prompt." Likewise, cookies that are session-specific (used only while the browser is open) have the same choices.
The major browser programmers have thus recognized that users should have control over cookies and their storage. In addition, there are a variety of software packages available that can assist in preventing and purging unwanted cookies.
Making Decisions About Privacy
In general, it is probably helpful to understand what information is being tracked about Internet use. Internet users should be aware of cookies and how particular Web sites use the information gathered. Users should further be aware when unrelated third parties gather information about them. This point is of particular concern.
Most Web sites today feature gaudy banner advertising, "pop-up," or "pop-under" advertising. These ads are placed by a variety of companies, and tracking demographics and "click throughs" is critical to their business model. Organizations paying for advertising on the Internet are paying for unique "clicks" on their ad.
Tracking the uniqueness of the viewers became the first job of cookies. What advertisers found, however, is that cookies also are a good way to gather demographic information--and target advertising to the user. Because advertising on the Internet is ubiquitous these days, it is not difficult for an advertising company to track the travels of a particular cookie. From that tracking, a profile can be built. From that profile, targeted advertising can be delivered to the user. If a user is seen to frequent Web sites about dogs, that user can be targeted with ads for dog food. If a cookie is seen frequenting travel-related sites, the user may be presented with advertising from airlines or online travel agencies. In most cases, however, the specific user behind the cookie is unknown and anonymous. It requires no giant step, however, to match the cookie to an individual once that individual shares his or her information with the advertiser or the advertising agency.
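The distinctions drawn above (session versus persistent cookies, the originating server versus an unrelated third party) can be read directly from the Set-Cookie headers a single page load produces. The following is an added example, not part of the original article, that classifies constructed sample headers; the host names, cookie values, and the two-label site_of shortcut are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: (host that sent the response, raw Set-Cookie value)
# captured while loading one page on www.bookshop.example.
PAGE_HOST = "www.bookshop.example"
CAPTURED = [
    ("www.bookshop.example", "session=ab12cd; Path=/; HttpOnly"),
    ("www.bookshop.example", "visitor=Pat; Max-Age=31536000; Path=/"),
    ("ads.adnetwork.example",
     "uid=7f3e9c; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
]

def site_of(host):
    """Crude site key: the last two DNS labels (an assumption for this
    example; real browsers consult the Public Suffix List)."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])

def classify(page_host, sender_host, set_cookie):
    """Return one audit record per cookie in a Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    records = []
    for name, morsel in jar.items():
        # A Domain attribute widens the scope; without it the cookie
        # goes back only to the host that set it.
        scope = (morsel["domain"] or sender_host).lstrip(".")
        # Expires or Max-Age means the cookie outlives the browser session.
        persistent = bool(morsel["expires"] or morsel["max-age"])
        records.append({
            "name": name,
            "scope": scope,
            "party": "first" if site_of(scope) == site_of(page_host) else "third",
            "lifetime": "persistent" if persistent else "session",
        })
    return records

def audit(page_host, captured):
    """Classify every cookie set during one page load."""
    out = []
    for sender, header in captured:
        out.extend(classify(page_host, sender, header))
    return out

if __name__ == "__main__":
    for rec in audit(PAGE_HOST, CAPTURED):
        print(rec)
```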
Records Management Issues
There has been some interesting discussion about whether cookies are records. Much of the controversy has resided in the public sector, most notably in Cookeville, Tennessee, the seat of Putnam County. The Putnam Pit (www.putnampit.com), an online newspaper, has been seeking to obtain the cookie files of the local government for a number of years, claiming that the cookie files are public records subject to the state's open records law. The debate has been fairly acrimonious and somewhat political in nature, but this issue raises an interesting point. A browser retains a lot of information about the sites that its user has visited. The browser will retain cookies, a history list, a bookmark or favorites file, and a cache of the pages and images that were on the pages visited. These features serve a variety of purposes for the user, but they may also serve as a type of record of the organization.
If an organization has restrictions about the nature of Internet sites that an employee can visit, both the employee's browser records and the records of the company's Internet firewall and/or Internet proxy server could be called into evidence in an employee termination proceeding. Likewise, the various files could be used in other civil and criminal proceedings. Authenticating the actual user of the computer is another matter, although session-specific cookies generated by a unique login would tend to point to a single user.
The decision of whether or not to treat cookies and other browser files as records is ultimately that of the particular organization and its legal counsel. Because cookie files and other browser-related files can be easily deleted, and because there may be instances where the identity of the computer user cannot be ascertained, it is important that an organization has a clear understanding of how these files should be retained and what evidentiary value they will provide.
It is often difficult, however, to set and implement a retention policy for browser-related files. The retention of the browser cache is usually set by the user or determined by available space on the computer's hard drive. In addition, the user can delete cached files without using the browser's command set to do so. Similarly, the user can delete history files at will and often has the ability to delete selected cookies. At the same time, much of this information is dynamic. Cached pages and graphics are superseded by new pages, and the old pages are deleted. History is updated with each subsequent visit to the Web site. The retention of cookies is often determined by the site administrator, who sets the "expiration" date for the cookie, after which the file is deleted.
Are Cookies Truly Hazardous?
There is some risk. However, if cookies cannot be used at all on the Internet, some other mechanism will need to be devised to enable a Web site to keep track of logins and purchases. This may be a necessary evolutionary step, but it likely will not come unless forced, given the prevalence of cookies on the Internet today. The status of cookies and related browser-based information as records is still under review. It will likely take court cases to set some sort of precedent in this arena, as well as to determine the evidentiary value of cookies and similar information.
* Cookies are a mechanism to track a specific browser session with a specific Web server.
* Cookies lack clear status as public records and pose questions about whether they are evidentiary information.
"Use of Internet `Cookies' Targeted" Reuters.com, 13 November 2001.
Galil, Yair. "The Cookie Monster Strikes Back!" Internet Law Journal, 3 June 2001.
Kaplan, Carl S. "Fighting to Make a City's Cookie Files Public." The New York Times, 18 December 1997.
Kristol, David M. HTTP Cookies: Standards, Privacy, and Politics. Murray Hill, NJ: Lucent Technologies, 2001.
Mayer-Schonberger, Viktor. The Internet and Privacy Legislation: Cookies for a Treat?. 1 W. Va. J. L. Tech. 1.1 (1997). Available at www.wvu.edu/~wvjolt/Arch/Mayer/ Mayer.htm (accessed 11 April 2002).
Meadows-Klue, Danny. "Crumbling Cookies Could Cook the Net." The Guardian, 26 November 2001.
Metz, Cade. "What They Know." PC Magazine, 13 November 2001.
St. Laurent, Simon. Cookies. New York: McGraw-Hill, 1998.
Warner, Bernhard. "Trade Group Rallies to Save Internet's `Cookie'." Reuters.com, 31 October 2001.
Whalen, David. "The Unofficial Cookie FAQ." Version 2.54. Available at www.cookiecentral.com/faq (accessed 11 April 2002).
Patrick J. Cunningham, CRM, is Industry Leader, Information Management, at Hewitt Associates LLC in Lincolnshire, Illinois. He is responsible for Hewitt's global records and information management program. He may be reached at Pjcunnin@hewitt.com.
|Author:||Cunningham, Patrick J.|
|Publication:||Information Management Journal|
|Date:||May 1, 2002|