Spilling Your Cookies on the 'Net:
GEORGIA WAS NOT on the minds of some Internet users this week--but it should have been. From June 10 to 13, the Federal Trade Commission listened to testimony from people concerned with privacy on the Internet.
In an atmosphere of paranoia rivaling that of the House Un-American Activities Committee hearings of the 1950s, many of those testifying raised public concern about invisible enemy agents in our Web browsers, gathering personal information without our knowledge and using it presumably to undermine the American way of life. Advertisers testified for the right to gather this information as if their lives were at stake.
Left unsaid is the small amount of information actually culled by the "cookies," or files stored by a Web publisher on the hard drive of the visitor to the site, generally to display a banner ad more tailored to the taste of the viewer or to arrange pages on the site in order of popularity. "A cookie may contain information on a user's computer, an expiration date, path [taken to the site] and domain name," e-mails Joseph Lamport, publisher of Law Journal EXTRA!, the online affiliate of this paper. "The New Hacker's Dictionary likens it to the mundane ticket you get from the dry cleaners," continues Mr. Lamport. "When you return for your clothes, the dry cleaner matches up the tickets to ensure you get the right stuff back."
While the privacy of medical and pharmaceutical records--which have nothing to do with Internet use--goes wholly unprotected under federal law and those records are shared among insurers and employers with abandon, and while credit card companies amass and sell smorgasbords of personal information that make cookie data appear to be the crumbs they really are, well-intentioned groups such as the Electronic Privacy Information Center (www.epic.org) and the Electronic Frontier Foundation (www.eff.org) focus on the dangers of the Internet with a passion that borders on irresponsibility.
The data gleaned by most sites is meager. To see what you reveal, check out the Center for Democracy and Technology at www.cdt.org. What alarms people is that they are not familiar with the capabilities of the technology and did not know that information was being gathered at all. They sure know now.
Meanwhile, Atlanta's Georgia Institute of Technology has surveyed the concerns of Web users for seven years (www.cc.gatech.edu/gvu/user_surveys). While privacy is mentioned (and will remain a priority after these hearings), the main concern of Internet users this year was censorship. Among European users, censorship and ease of navigation were more important than privacy on the Internet.
"I think the concern is overblown," says Ken Bass, head of the Internet law/strategic business unit at Baltimore's Venable, Baetjer and Howard L.L.P. "Get Web TV if you're concerned." Mr. Bass runs two Web sites at his firm. "We log contacts on the sites to see what articles are being read. I look to see if our readership is changing from general access, to law schools, to high-tech industries... It's the same sort of stuff that TV networks use from Nielsen ratings." His nefarious purpose is to build sites that fit the interests of the visitors.
Mr. Bass acknowledges the legitimate privacy concerns of many Web users, particularly parents worried about their children, but he dismisses the fear-mongering focus on the Internet: "It seems like Chicken Little to me."
People are sometimes aware of the information they reveal on the Web. Many sites, such as the New York Times (www.nytimes.com), require users to complete a free registration form before they access the site for the first time. The questions are mundane: name, e-mail address, job, salary--much less than a credit card application. If you don't want anyone to know these facts, you can lie on a site registration form with no effect.
People knowingly disclose a startling amount of personal information in Usenet groups, electronic discussions that are open to the world; they are searchable by keyword from www.dejanews.com. It is useful to remind people to be more circumspect. But terrifying people about 'Net stalkers and pedophiles is overkill.
Obsessing about Internet privacy violations deters the use of a powerful and convenient tool whose primary purpose is to share information. It also ignores the unregulated markets in medical and credit data, which can affect insurance and employment, and the exposure of identifying information on public records, such as the use of Social Security numbers on court documents.
It's Not the 'Net
A typical anecdote told at the FTC hearings involved a man who could not get a job until he discovered his credit card numbers had been stolen and were used by someone with a criminal record who had assumed the man's identity.
This is deplorable. It also has nothing to do with the Internet. The real problem is that a person's credit history can be so easily, unknowingly--and permanently--blemished.
The Internet Engineering Task Force proposed that all Web browsers be programmed to reject cookies automatically unless the default is changed by the user. As Chicago's McBride, Baker & Coles notes in its excellent June 1997 Info/Tech Law Alert, the task force's suggestion, Proposal RFC 2109, would require massive reprogramming without offering substantially more privacy protection.
This article is reprinted with permission from the June 23, 1997 edition of The National Law Journal. © 1997 NLP IP Company.