Every silver lining has a dark cloud: Cookies, Consumers and Consent

by Brad Grier on March 23, 2007

in Blogging,Web

This post is a bit unusual for me for two reasons: it's long, and the content was originally created for another purpose, my assignment in an online Analytics course I'm taking at UBC. So, rather than just repost it, I'm going to tweak it so it makes sense as a blog post.

To sum­mar­ize, we take a look at cook­ies; the pros and the cons, and delve a bit into privacy.

And away we go…

This assign­ment poses two questions:

  • Are you will­ing to give up your “pri­vacy” in order to have easier-to-use websites?
  • Are you will­ing to give up your “pri­vacy” so that the ads you see on web­sites are likely to be more rel­ev­ant to you?

I’ll answer them below, but first I’d like to post briefly on what I’ve dis­covered research­ing this topic.

Maybe I’m a bit more para­noid than some of my class­mates, as their posts in the dis­cus­sion forum seem to be a bit too much on the side of embra­cing cook­ies, but in the cur­rent big brother envir­on­ment, I’m not too sure that the bene­fits provided through the use of cook­ies out­weigh their poten­tial for abuse when you con­sider the big picture.

But before I get into the light and dark side of cook­ies, they require a bit of a definition.

Since a cookie has been defined far better previously in this thread, and on line, I'll briefly summarize:

  • A cookie is a small file that is stored on your computer.
  • A cookie is sent to the com­puter from a website.
  • Two types of web­sites send cookies.
    • A First Party cookie came from the site that the vis­itor was view­ing when the cookie was saved.
    • A Third Party cookie was sent by a web­site other than the one the vis­itor was view­ing when the cookie was saved. These are often called track­ing cook­ies, and served by advert­ising networks.
  • Cook­ies are unique to the com­puter they are stored upon.
  • Cookies may only be read (for the most part) by the website that sent them to the user's computer.
  • Cookies are no longer secure and may be read by third parties employing a 'Cookie Theft' strategy. Wikipedia lists a host of other issues surrounding cookies, security and privacy.
  • Cookies come in two flavours, session (temporary) and persistent.
    • Session cookies expire when the visitor leaves the site that sent the cookie.
    • Persistent cookies remain on the visitor's computer until the user deletes them, or their expiry date has passed.

Ok, that wasn’t so brief…sorry about that. So, back to my thoughts, then on with my answers to the assign­ment questions.

Yes, in my opin­ion, cook­ies can provide bene­fits, both to web­site vis­it­ors and to web­site owners.

For the visitor, cookies help personalize the web experience by allowing the website to present highly relevant information, based on the user's past on line behaviour and activity.

  • Cook­ies make it easier to enter the site by stream­lin­ing the login pro­cess res­ult­ing in faster access to the inform­a­tion or product.
  • They enable the web­site to remem­ber user pref­er­ences (themes and fonts) and other user entered data (billing address, ship­ping address, waist size).
  • And cookies (when paired with other standard login security and database functionality) enable the website to maintain a database of previous activity and preferences (past purchases, payments), and based on that knowledge, display more relevant news and information, such as a new book by the author that the user has previously purchased.

So, a cookie is a tiny little file with lots of poten­tial, for good or for abuse. I’ve only touched on the good, let’s step on over to the dark side.

Cookies have a dark side: it manifests when they are used not to enhance the user's experience but to monitor and track behaviour unbeknownst to the user.

This can and does hap­pen every day. For example, online advert­ising net­works place Third Party cook­ies on com­puters at the request of advert­isers. If many ads (placed by the same ad net­work) have placed cook­ies on the same com­puter, then the ad net­work can build a pro­file of the surf­ing activ­ity that’s occurred on that computer.
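As an added illustration (not part of the original post), the sketch below applies the definitions above to a constructed set of HTTP responses: it labels each cookie first or third party and session or persistent, then lists any third-party setter seen on more than one site, which is the position from which a browsing profile can be built. The domains, cookie values and the two-label `site()` shortcut are assumptions made for the example.

```javascript
// Constructed sample: responses observed while two pages loaded.
// pageUrl = what the visitor was viewing, requestUrl = who sent Set-Cookie.
const observed = [
  { pageUrl: "https://www.news.example/story",
    requestUrl: "https://www.news.example/story",
    setCookie: "theme=dark; Max-Age=31536000; Path=/" },
  { pageUrl: "https://www.news.example/story",
    requestUrl: "https://ads.adnet.example/banner.js",
    setCookie: "uid=7f3a; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/" },
  { pageUrl: "https://shop.example/cart",
    requestUrl: "https://shop.example/cart",
    setCookie: "session=abc123; Path=/" },
  { pageUrl: "https://shop.example/cart",
    requestUrl: "https://ads.adnet.example/pixel.gif",
    setCookie: "uid=7f3a; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/" },
];

// Assumption: the last two host labels identify the site.
// A real audit would consult the Public Suffix List instead.
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

function classify(entry) {
  const [pair, ...attrs] = entry.setCookie.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const attrNames = attrs.map((a) => a.split("=")[0].toLowerCase());
  // No Expires and no Max-Age means the cookie lasts only for the session.
  const persistent = attrNames.includes("expires") || attrNames.includes("max-age");
  const setBy = site(entry.requestUrl);
  const page = site(entry.pageUrl);
  return { name, setBy, page,
           party: setBy === page ? "first" : "third",
           lifetime: persistent ? "persistent" : "session" };
}

// Third-party setters that appeared on more than one visited site.
function crossSiteSetters(entries) {
  const seen = new Map();
  for (const c of entries.map(classify)) {
    if (c.party !== "third") continue;
    if (!seen.has(c.setBy)) seen.set(c.setBy, new Set());
    seen.get(c.setBy).add(c.page);
  }
  const result = {};
  for (const [setter, pages] of seen) {
    if (pages.size > 1) result[setter] = [...pages].sort();
  }
  return result;
}

console.log(observed.map(classify), crossSiteSetters(observed));
```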

Double­Click, an on line advert­ising net­work, was called out for plan­ning to link user data and user iden­ti­fic­a­tion:

In a widely-reported mea culpa, Double­Click Chief Exec­ut­ive Kevin O’Connor said in a state­ment, “We com­mit today, that until there is agree­ment between gov­ern­ment and industry on pri­vacy stand­ards, we will not link per­son­ally iden­ti­fi­able inform­a­tion to anonym­ous user activ­ity across Web sites.”
O’Connor admit­ted that he had “made a mis­take by plan­ning to merge names with anonym­ous user activ­ity across Web sites,” but emphas­ized that the com­pany had never imple­men­ted the plan.

…ECo­m­mer­ce­Times

Or, the CIA or NSA could store cookies on computers that visit their public sites. Then, based on webserver logfiles and the cookie data, they could develop usage profiles of individual computers revealing what keywords were searched, when, and by whom, tracking back to the ISP and the computer IP address.

Actu­ally, accord­ing to US Law, cook­ies aren’t sup­posed to be used on gov­ern­ment web­sites, but they were, by the CIA in 2002 and the NSA in 2005.

Here in Canada, cook­ies have a dif­fer­ent taste, and they go great with a Tim Hor­tons extra large double double.

According to a decision by the Federal Privacy Commissioner regarding a complaint about an airline's use of cookies, before a cookie is served, the recipient must consent to receiving it. I'm assuming that this applies only to websites operating within Canada, controlled by Canadians, or with a primary audience of Canadians. It would be hard to enforce otherwise.

But this level of engage­ment is, in my opin­ion, good…as it allows me to be a bit more com­fort­able with my answer to the two ques­tions posed way back at the begin­ning of this discussion:

  • Are you will­ing to give up your “pri­vacy” in order to have easier-to-use websites?

Yes. Because I have a modicum of con­trol over the level of my pri­vacy inform­a­tion I am choos­ing to dis­close. I give my con­sent to sites I choose, and do not store cook­ies of sites I don’t trust. Any rela­tion­ship I have with an online mer­chant is not reli­ant on cook­ies. They are an enabling tech­no­logy, but cook­ies are not a require­ment. Prac­tic­ally, this means that after I purge my cook­ies, I do have to take an extra moment to log into my Amazon.ca account. But since I do have a small amount of con­trol, I am com­fort­able exer­cising that control.

  • Are you will­ing to give up your “pri­vacy” so that the ads you see on web­sites are likely to be more rel­ev­ant to you?

No. In my case, pri­vacy and view­ing online ads are not related. I see very few on line ads. I have always con­sidered intrus­ive advert­ising (Radio/TV com­mer­cials, pop-up, splash screen and ban­ner ads) to be a det­ri­ment to my on line exper­i­ence. I’ve always util­ized tech­no­logy to cir­cum­vent advert­ising. Through plu­gins, Fire­fox has an excel­lent suite of tools to browse con­tent advert­ise­ment free, for the most part. So I am not giv­ing up any­thing. I con­trol the advert­ising I’m exposed to, and my pri­vacy isn’t related to that advertising.

Back to the big picture I mentioned at the start of this not-so-brief discussion. Cookies are merely a technology, one with benefits and flaws. There are cumbersome alternatives to cookies, but ultimately, cookies are a predominant technology. We are responsible for the security of our own privacy data, and it's going to be an uphill climb.

There is too much data that we leave everywhere in our lives. The data trails we leave behind, collected over time, exist out there in the 'Matrix', and there's nothing we can really do about it because that data is not under our control. Others are building profiles based on our past behaviour, reading our old online resumes, our forum, CompuServe, and blog posts. Or they can.

With tools like Google Groups (the old UseNet archives) and Archive.org, noth­ing in the pub­lic realm is really lost.

Then there’s the private side of data col­lec­tion. Who knows what data exists out there in the private data archives of insur­ance com­pan­ies, banks, and gov­ern­ments. If you’ve ever returned a war­ranty card to a man­u­fac­turer, you’re prob­ably in their database.

The best we can do is reduce the amount of data we leave. We can’t elim­in­ate it, we can’t turn back the clock, but we can reduce the amount we gen­er­ate in the future and the amount we will­ingly dis­close, when it’s really not necessary.

Creative Commons License
blog.bradgrier.com by Brad Grier is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 2.5 Canada License.
Based on a work at blog.bradgrier.com.