Cookies as a privacy violation

By micco in Internet
Tue Jan 30, 2001 at 11:23:58 AM EST
A bill has been introduced in the US Senate which would require web sites to get explicit permission before setting cookies on a user's browser. It is posed as a way to protect the user's privacy. In addition to being essentially useless for its stated purpose, it will be a burden to implement and a usability disaster.

US Senator John Edwards has introduced a bill that would require sites to get permission from the user "before tracking their movements online" using cookies. This approach seems fundamentally flawed for two reasons:
  1. Properly implemented, cookies do not pose a privacy violation above and beyond what already exists in server logs, etc.
  2. Sites that need to track "state" for whatever reason use these methods as a matter of course. Whether they use cookies, data appended to the URL, or some other means is irrelevant, but the various options do not appear to be covered properly in the proposed law.

The obvious response to #1 is to contest the "properly implemented" language. However, this is specious since virtually any system or protocol which is not properly implemented poses a risk. The real question begged by #1 is: Is it a privacy violation for a site to keep track of a user within a site? If I want to browse K5 but I don't want K5 to know I'm there, then cookies and other state variables are the least of my problems.

If another site outside the site I'm browsing is also tracking my state, that could definitely be perceived as a privacy violation. The usual example here is DoubleClick. Many sites use DoubleClick to deliver banner ads, and those ads set a cookie from DoubleClick rather than from the site the user is viewing. This allows DoubleClick to track users across many sites. This could easily be seen as a privacy violation and legislation could be posed to protect users from this tracking by outside firms. However, the current bill as posed does not seem to make a distinction between state variables held by the site a user is visiting and multi-site tracking information held by a third-party. Banning (or limiting by way of requiring explicit permission) all state information just to solve the latter problem indicates that the lawmakers have a fundamental lack of knowledge about the real issue.

Many sites track session state for a user for many reasons, not the least of which is to provide the customization that users demand from high-quality sites. While all these sites could add a permission click-through splash screen, forcing them to do so for no good reason is burdensome. In addition to the effort required to implement, usability studies have shown that whenever a user is posed with a question, no matter how clearly worded, a certain percentage will fail to answer. In this case, another percentage will misunderstand and click "no", thinking that there really is a privacy issue at stake. With time, this kind of system will become as transparent to the user as banner ads are now, but initially it will provide a huge hurdle for some users entering a site.

Lastly, while this law might solve the real problem of third-party monitoring with overkill, it's not clear that it is sufficiently well worded to cover more than a few implementations of possible systems. For example, a site is obviously allowed to keep server logs, but can those logs be parsed on the fly to provide state information? Is a site allowed to keep logs only if they don't actually read them (in real time)? The fact that there seem to be large loopholes in the law should not lead to a "go ahead and pass it, we'll just work around it" mentality. If the US government wants to pass a law regulating the use of state information to track website users, they need to address the real issues and pose a solution which will actually be effective.


Do cookies set by the site a user is viewing pose a privacy risk?
Absolutely, they shouldn't even know I exist. 19%
Yes, but only if my spouse/boss/clergy has access. 7%
Yes, but I still want customization and all the shiny baubles anyway. 33%
No, because I don't care. 25%
No, because I use an anonymous proxy. 8%
No, because I don't surf. 5%

Cookies as a privacy violation | 20 comments (18 topical, 2 editorial, 0 hidden)
Those crazy legislators (3.40 / 5) (#2)
by antizeus on Tue Jan 30, 2001 at 10:51:47 AM EST

While I haven't read the proposed legislation and thus shouldn't comment on it specifically, it sounds like yet another example of a legislator writing a law about an area which he does not really understand. It reminds me of when the US Congress passed a law imposing strict controls over one of the most useful plants in the world (hemp) because it had been cast as a dangerous narcotic with a different name (marihuana).

This illustrates one of the biggest flaws with government. Well-meaning but ignorant (or short-sighted) legislators will ban (or support) the most inappropriate things just because it sounds good on the surface. In the US, the federal government is supposed to be limited to certain essential functions by the US Constitution, but that seems to have been thrown out the window in the past century.

What do you expect? (4.00 / 1) (#5)
by Seumas on Tue Jan 30, 2001 at 11:00:46 AM EST

Honestly, it's what we deserve when our senate and house are filled with people who are three, four and even five generations separated from the current generation. Do you honestly expect people who are almost 100 years old like Strom Thurmond (who is completely under the control of his handlers, considering he can't even form a complete sentence without them uttering something in his wrinkled old ears) to pass judgement on things like this?

There needs to be more, younger, blood in legislature so that you're not stuck with a bunch of people who didn't even have electricity and running water and had to wipe themselves with a page out of the old Sears catalogue when they were growing up. This is also why career politicians are such a bad idea. When your only experience is running a big business or being a lawyer and sitting in legislative sessions your whole life, how are you going to grant knowledgeable decisions about technologies and aspects of life that are beyond your scope of comprehension?
I just read K5 for the articles.
RE: What do you expect? (4.00 / 1) (#11)
by j on Tue Jan 30, 2001 at 12:34:08 PM EST

[...]so that you're not stuck with a bunch of people who didn't even have electricity and running water and had to wipe themselves with a page out of the old Sears catalogue when they were growing up.
You had catalogues? We had to use rocks!

Seriously, though: To the best of my knowledge, you do not have to demonstrate any understanding of a topic you wish to pass a law on - and that is a tremendously BAD thing. Not only when it comes to not-quite-outdated-yet technology.
WASPs passing laws on minority rights, singles passing laws on family issues... something seems wrong here.

As to the cookie problem: Say I put a cookie on your machine indicating your favourite fruit. How is anyone ever going to prove whether I am using this cookie to track your movement within my site? Not like I have to store anything specific in there in order to track you.
In the end, people would have to stop using cookies altogether - which would seriously castrate many legitimate pieces of software that use them to keep track of session information.
But then again, the keeping of session information would probably be illegal, anyway.

How Stupid (4.16 / 6) (#3)
by Seumas on Tue Jan 30, 2001 at 10:56:00 AM EST

How is it an invasion of privacy? And if I am able to set a cookie on the user's browser, then haven't I already received their permission to do so? Disabling cookies is a matter of four mouse clicks from start to finish in Navigator and it isn't much harder in any other browser.

This is like saying that I must receive permission from you before calling your telephone number. If you pick the phone up and answer it, then you've obviously already decided you don't mind getting a phone call. Otherwise, you'd have unplugged your phone, left it for the answering machine or simply left it to ring.

This is a perfect example of promiscuous ignorance in legislation.

Besides, won't I have to set a cookie to track their choice if they tell me they don't want cookies?! What's next -- requiring permission to log GET requests from their IP when they access my website?!
I just read K5 for the articles.

It's up to the customer. (4.00 / 1) (#13)
by squigly on Tue Jan 30, 2001 at 01:11:09 PM EST

I quite agree. Although I feel that Doubleclick style tracking cookies could be perceived as an invasion of privacy, generally speaking the things are useful and invisible. And since there are a number of free products available which will block cookies from specific addresses, legislation seems highly inappropriate.

People who sig other people have nothing intelligent to say for themselves - anonimouse
HAH (2.83 / 6) (#4)
by regeya on Tue Jan 30, 2001 at 10:57:39 AM EST

Of all the things that elected officials could have gone after in the advertising world, they had to pick the most benign of all tracking methods. How stupid.

[ yokelpunk | kuro5hin diary ]

mm cookies (2.45 / 11) (#7)
by rebelcool on Tue Jan 30, 2001 at 11:08:35 AM EST

If any cookies with raisins get put on my browser, I'm pretty unhappy because I don't like raisins. I'm all for chocolate chip.

Keep legislation out of our bakeries!

COG. Build your own community. Free, easy, powerful. Demo site

Email Senator John Edwards (4.33 / 3) (#8)
by Seumas on Tue Jan 30, 2001 at 11:09:24 AM EST

If you want to share your comments with Senator John Edwards, email him from this form on his site: http://www.senate.gov/~edwards/mailform.html.

By the way, after running through a few pages of his website, they do not appear to set any cookies. Not that it matters, but I thought we should be sure he was practicing what he was preaching.
I just read K5 for the articles.

consider snail mail (4.50 / 2) (#9)
by Anonymous 242 on Tue Jan 30, 2001 at 11:35:16 AM EST

From Contact Senator John Edwards:
Senator John Edwards
United States Senate
225 Dirksen Office Bldg.
Washington, DC 20510

In my experience politicians (and other executives) are far more likely to pay attention to an old fashioned letter than an email. Perhaps this needs to change, however, it hasn't changed yet. Your ten minutes printing, addressing and sending hard copy is likely to be far more effective than using his email form.

Also bear in mind that unless one lives in North Carolina, it is likely to be far more effective to contact the senators (and representatives) from your state of residence. (As always, non-US citizens will likely be ignored by everyone in the US Senate.)

Find your state senators on this list.

Also... (none / 0) (#10)
by Seumas on Tue Jan 30, 2001 at 12:15:02 PM EST

I agree, but since it is apparently his legislation, he is the very first person to rant to, followed by your own legislators.
I just read K5 for the articles.
Government Idiocy (3.25 / 4) (#12)
by Phyrkrakr on Tue Jan 30, 2001 at 12:53:04 PM EST

This is why geeks should run for office. Now, I know that seems like a major leap, but consider the situation. The world is becoming more and more technologically advanced, with more and more legislation being proposed to control it. Why are we allowing people who don't know the issues, who don't even know what it is that they are legislating, make decisions that affect the entire country? Allowing politicians to make laws about things they know nothing about is both dangerous and stupid. Getting them to find out about these issues is a long process, especially since the geek community doesn't find out about the legislation (it seems) until it is almost too late. So, we need people who know about this stuff in place BEFORE the issue comes up. Hence, geeks should run for office. I know this sounds hypocritical, (why don't you do it?) but this is just my opinion. Since I am only a teenager, however, I'm not really able to follow through with it.

Sorry about the rant.

Smith & Wesson: The Original Point and Click
Same problem, different issue (3.50 / 2) (#14)
by micco on Tue Jan 30, 2001 at 02:44:10 PM EST

I agree that it would be nice to have more geeks in office, but thinking this would solve all the problems is just wrong.

If geeks ran government, then the doctors would be saying "why are we letting people who know nothing about medicine make laws affecting health policy". The truckers would complain that we don't understand transportation issues. Every non-geek group would feel "we" didn't have the expertise to regulate their issues.

What we need is not smarter politicians, but politicians who are willing to admit that they are ignorant on an issue and take the time to get up to speed. We need leaders who are willing to learn. And we need people who can educate them in objective terms without falling off into demagoguery.

If a geek got elected to office, he might vote "right" on this issue, but he'd either be voting ignorance or struggling to get up to speed on a lot of other issues. One geek can make a disproportionate difference if he sends a letter to a few members of Congress to help educate them about how things really work and why a particular bill is or is not workable. If you take the time to give background and realistic analysis to your representative instead of just shouting "oppose that bill!", change could come swiftly.

Is it naive to believe our reps will listen? I hope not. Certainly no more naive than thinking that the average geek could get elected to high office.

cookies vs. server logs (2.00 / 2) (#15)
by Delirium on Tue Jan 30, 2001 at 03:53:32 PM EST

While I agree that such legislation is not the right answer, you're understating the problem a bit. Cookies do provide for more tracking ability, even properly implemented, over server logs. The majority of internet users are on connections with dynamically allocated IP addresses, so server logs can only track each visit. Cookies can track visitors across separate visits over the course of months and years.

Re: cookies vs. server logs (none / 0) (#19)
by micco on Wed Jan 31, 2001 at 08:21:42 AM EST

...server logs can only track each visit. Cookies can track visitors across separate visits...

Of course that's true, and it's even worse than that. Many proxy servers will report different IPs from one request to another and/or report the same IP for many users (e.g. AOL). In these cases, the IP reported in the HTTP header cannot even be used to correlate a specific user from click to click.

So of course there's a difference between server logs and cookies. If there weren't, cookies would never have been invented. The point is that IMO, having the site you're visiting place a cookie in your browser does not pose much of a privacy violation and if you disagree, the tech is already in place for you to set your browser to disallow it. In fact you could set your browser to prompt you before accepting every cookie and you would be enforcing on the client side the same kind of system that Sen. Edwards would like to mandate on the server side.

The privacy advocates want to draw a line between what a site can and cannot do without permission. I fully support that, but I think Sen. Edwards draws that line in a bad place. I would put "on site" cookies on the same side of the line as server logs (i.e. implicitly allowed) and maybe draw the line to restrict "off site" cookies to an opt-in.
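
The difference between per-IP and per-cookie correlation discussed in the two comments above, as an added example that is not part of the original posts. It parses constructed log lines (the trailing cookie field and the `uid` cookie name are assumptions) and reports where IP-only counting merges or splits visitors.

```javascript
// Added example (not from the original comments). Constructed access-log lines;
// the trailing quoted field holding the Cookie header is an assumed log format.
const SAMPLE_LOG = [
  // One dial-up user (uid=a1) with a different dynamic IP on each visit.
  '203.0.113.5 - - [28/Jan/2001:09:00:01 -0500] "GET / HTTP/1.0" 200 5120 "uid=a1"',
  '203.0.113.77 - - [30/Jan/2001:21:14:40 -0500] "GET /story/1 HTTP/1.0" 200 8211 "uid=a1"',
  // Two users (uid=b2, uid=c3) behind one shared proxy address.
  '192.0.2.10 - - [30/Jan/2001:10:02:11 -0500] "GET / HTTP/1.0" 200 5120 "uid=b2"',
  '192.0.2.10 - - [30/Jan/2001:10:02:15 -0500] "GET /story/2 HTTP/1.0" 200 7044 "uid=c3"',
  // One user (uid=d4) whose proxy reports a new IP from click to click.
  '198.51.100.1 - - [30/Jan/2001:11:30:00 -0500] "GET / HTTP/1.0" 200 5120 "uid=d4"',
  '198.51.100.2 - - [30/Jan/2001:11:30:09 -0500] "GET /story/1 HTTP/1.0" 200 8211 "uid=d4"',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)"$/;

// Extract the client IP and the uid cookie from one log line (null if unparsable).
function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const uid = /(?:^|;\s*)uid=([^;]+)/.exec(m[6]);
  return { ip: m[1], time: m[2], request: m[3], uid: uid ? uid[1] : null };
}

// Add value to the set stored under key, creating the set on first use.
function addTo(map, key, value) {
  if (!map.has(key)) map.set(key, new Set());
  map.get(key).add(value);
}

// Compare "one visitor per IP" (logs only) with "one visitor per cookie".
function compareCorrelation(lines) {
  const uidsByIp = new Map();
  const ipsByUid = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec || !rec.uid) continue; // skip unparsable or cookieless requests
    addTo(uidsByIp, rec.ip, rec.uid);
    addTo(ipsByUid, rec.uid, rec.ip);
  }
  const many = (map) => [...map].filter(([, s]) => s.size > 1).map(([k]) => k).sort();
  return {
    visitorsByIp: uidsByIp.size,     // what IP-only analysis would count
    visitorsByCookie: ipsByUid.size, // what the cookie identifies
    mergedIps: many(uidsByIp),       // one IP, several real visitors
    splitUids: many(ipsByUid),       // one visitor, several IPs
  };
}
```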

Edwards is a political up and comer (5.00 / 1) (#16)
by yankeehack on Tue Jan 30, 2001 at 06:08:11 PM EST

I'm seeing a lot of the "how stupid", "what a moron" posts and just needed to point out the political reasons for this bill.

For those of you who don't follow US presidential politics too closely, John Edwards was Al Gore's initial pick (was heavily lobbied for by ALGORE's advisors) for VP during the 2000 race. He was disqualified because he only won office in 1998, was considered inexperienced and is very young (in relation to other Senators). In addition, this guy made millions being a trial lawyer, and once won a huge civil suit concerning pool drains that killed a little girl.

So, the short story being that John Edwards is considered an up and comer in the Democratic Party. He has nothing to lose (no matter how technically inane this is) by sponsoring this bill.

Also irony abounds in that one of the nation's largest tech centers, Research Triangle Park (think Red Hat and IBM among other corporations), is located in North Carolina. In addition to the University of Chapel Hill, Duke, and of course, North Carolina State University.

No one who was bad in bed has ever been good in life (i.e. liberals, I've never had sex with a liberal woman who knew how to use her body.) Keeteel :-P I'm *right*!

Government unbecoming (4.00 / 1) (#17)
by sil on Tue Jan 30, 2001 at 08:57:35 PM EST

How typical is it for the US government to attempt to intervene in world politics. No one from any other country has to comply with any of the US' guidelines so this to me is a bunch of nonsense which sounds like a lame attempt by a pol(e) to gain attention.

I agree that some sites go a bit with their information gathering, but I also know about the option to DISALLOW cookies on my own, now either this guy is a rancid moron who's never used a browser to know that cookies can be blocked, or this guy is a rancid moron trying to jump on the 'infohighway' bandwagon a bit too late.

John Ashcroft ousted?"

I'm amused. (5.00 / 1) (#18)
by static on Tue Jan 30, 2001 at 09:49:17 PM EST

If the original cookie specification had not allowed anything other than text/html to set cookies, we would probably not have the size of the problem that we do have. Certainly DoubleClick would have had to build a different tracking model.

Hmm. Sounds like a good hack for JunkBuster...


My few cents (5.00 / 1) (#20)
by kcarnold on Wed Jan 31, 2001 at 10:17:23 AM EST

First, the average computer user doesn't care about privacy as much as [s]he cares that the site works, looks pretty, and has all the information it needs, when it needs it. Legislation requiring confirmation is only making it harder on the user and harder on the programmer to present the choice in a friendly manner. Most decent browsers already provide mechanisms to accept/reject cookies on a per-site or per-domain basis, or reject cookies not from the site currently being visited, which easily blocks out the *.doubleclick.net and similar. Requiring government intervention to force this is not the way to go. Here's my proposed solution:

First, if you don't know about cookies and privacy, you're using Internet Explorer or Netscape. Both vendors involved will happily implement cookie-confirmation interfaces, and in fact already have (all that is necessary is changing the default behavior). No laws required. In general, I'd be concerned with government regulation of computer programs, especially something as big as a browser. Worded improperly and you may need to confirm every time you click a link. It's best to leave the regulation to the user interface designers who know best how to deal with user issues like privacy associated with cookies.

Also, the proposed requirement to "disclose what information they gather, allow visitors to view and correct the data, and safeguard the information from unauthorized access" could conceivably present many problems. First, there is a false sense of security because most users would ignore or not worry about a field that is "just a unique number assigned to you", though this is the primary identification key for a single user on a site. doubleclick.net also might, for example, describe its GUID field as "providing customized advertisements suited to the user's personal interests", and this looks fairly innocent to the untrained eye, where it is actually allowing doubleclick to track your every move on every site displaying one of its ad banners. My point through all this is that the interface is not the issue; the browser must sensibly decide the meanings and acceptability of all cookies and present custom decision dialogs based on what it finds. My personal preference would be that it just ask me before accepting any cookies, and this is exactly what Konqueror does, also allowing me to reject all cookies from a domain in one click and allowing me to view (though not modify; perhaps I should file a bug report on this) a cookie before I accept it. However, this interface can be quite confusing to the inexperienced user, for whom the many fields and data values in cookies can be intimidating. In this case, the browser distributor should come up with a standard for "acceptable" cookies and prompt, with overly adequate explanation and a dialog without a simple Yes/No that the user will just click without reading and thinking, for the rest. For example, I would consider a session cookie sent to one site to be acceptable, as well as a login cookie received immediately after sending a username and password, where the user has actually typed text into corresponding fields (this to prevent abuse by sending hidden fields marked Username and Password to defeat the logic).
This would take care of many applications of cookies, including personal finance and electronic trading sites that are frequent [ab]users of cookies to track logons (it would still be a responsibility of the site to ensure that the user knows that anyone with access to the computer can log in to the site with the stored authentication). It should also deny, by default, any cookies not sent to somewhere within the same domain name as the page that the user is viewing in the primary window (to prevent window.open() abuses). Just about everything else is a questionable item. The browser should also watch the cookies and URLs for any outgoing data that matches personal data such as address, phone number, email, or credit card numbers, that the user may not want to be sent out without permission (how the site gets this data in the first place should also be a cause for concern); some proxies already do this, but it is important enough to be integrated into the browser in a "dumb-user" interface.

All for now.
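
The default cookie policy proposed in the comment above, written out as a decision function. This is an added example, not part of the original post: the hosts under `.example` are constructed, the `ctx` fields are hypothetical names, and "same domain" is approximated by the last two host labels (a real browser needs the Public Suffix List).

```javascript
// Added example (not from the original comment): the proposed default cookie
// policy as a decision function. Hosts under .example are constructed.

// Assumption: "same domain" is approximated by the last two host labels.
// Real browsers need the Public Suffix List to do this correctly.
function siteOf(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: treat as malformed
  const attrs = Object.create(null);
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf("=");
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? "" : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// ctx.pageHost: host of the page shown in the primary window
// ctx.responseHost: host whose response carried the Set-Cookie header
// ctx.userTypedCredentials: user just submitted a username and password they typed
function decideCookie(header, ctx) {
  const c = parseSetCookie(header);
  if (!c) return { action: "reject", reason: "malformed" };

  const responseHost = ctx.responseHost.toLowerCase();
  let scope = responseHost;
  if (c.attrs.domain) {
    scope = c.attrs.domain.toLowerCase().replace(/^\./, "");
    // A host may only set cookies for itself or a parent domain.
    if (responseHost !== scope && !responseHost.endsWith("." + scope)) {
      return { action: "reject", reason: "domain-mismatch" };
    }
  }
  // Deny by default anything outside the domain of the page being viewed.
  if (siteOf(scope) !== siteOf(ctx.pageHost)) {
    return { action: "reject", reason: "third-party" };
  }
  // No Expires/Max-Age means the cookie ends with the browser session.
  const persistent = "expires" in c.attrs || "max-age" in c.attrs;
  if (!persistent) return { action: "accept", reason: "first-party-session" };
  if (ctx.userTypedCredentials) return { action: "accept", reason: "login" };
  // "Just about everything else is a questionable item": ask the user.
  return { action: "prompt", reason: "persistent-first-party" };
}
```

The persistent identifier set from an ad host while another site is in the primary window is the case the policy rejects outright; only persistent first-party cookies outside a typed login reach the user as a prompt.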

