Menu
Posted: Jul 01 1995 | Revised: Jan 16 2019
- Cookie 5 7 7 – Protect Your Online Privacy Concerns At Work
- Cookie 5 7 7 – Protect Your Online Privacy Concerns Act
- Cookie 5 7 7 – Protect Your Online Privacy Concerns Act
1. Online Tracking
2. Mobile Apps
3. Privacy Policies
4. Accessing the Internet
5. Passwords
6. Wireless Networks and Wi-Fi
2. Mobile Apps
3. Privacy Policies
4. Accessing the Internet
5. Passwords
6. Wireless Networks and Wi-Fi
- Dec 11, 2017 Freedom from Flash, and Silverlight. Cookie is adept at eliminating Flash and Silverlight cookies, especially large and persistent types of cookie. Impressive results with minimal effort. By consolidating all your cookie controls into an easy interface, Cookie makes maintaining your browsing privacy a cinch.
- How to protect your privacy with third party cookies In order to enjoy some of the conveniences of the modern day internet you’re going to have to put up with some cookies. Many sites use third party cookies as a way to boost their revenue, so it’s likely they’ll block you from seeing content until you accept third party cookies.
Cookie 5.7.8 – Protect your online privacy. Cookie prevents third parties from hijacking your browsing experience. The sites you visit store. Manage your passwords responsibly. Do not use the same password among all websites you join. Make sure that the password you use for encrypted or secure sites are different from less secure sites you visit. Don't use the same password you use for your credit cards or bank accounts for your online accounts and vice versa.
1. Online Tracking
Almost every major website you visit tracks your online activity. Tracking technology can follow you from site to site, track and compile your activity, and compile all of this into a database. Generally, tracking utilizes a numerical identifier, rather than your real name. This information is used to personalize the content that you see online.
The good news is that almost all browsers give you some control over how much information is revealed, kept and stored. Generally, you can change the settings to restrict cookies and enhance your privacy. Most major browsers now offer a 'Private Browsing' tool to increase your privacy. However, researchers have found that 'Private Browsing' may fail to purge all traces of online activity.
Most browsers also provide a Do Not Track (DNT) setting. DNT is a way to keep your online activity from being followed across the Internet by advertisers, analytics companies and social media sites. When you turn on the DNT setting in your browser, your browser sends a special header to websites requesting that don’t want your activity tracked. Unfortunately, honoring the DNT setting is voluntary. Individual websites are not required to respect it. While a few websites will honor DNT, most websites will ignore your preference.
Some of the tools that are used to track you online include cookies, flash cookies, and fingerprinting.
Cookies. When you visit different websites, many of the sites deposit data about your visit, called 'cookies,' on your hard drive. Cookies are pieces of information sent by a web server to a user's browser. Cookies may include information such as login or registration identification, user preferences, online 'shopping cart' information, and so on. The browser saves the information, and sends it back to the web server whenever the browser returns to the website. The web server may use the cookie to customize the display it sends to the user, or it may keep track of the different pages within the site that the user accesses.
For example, if you use the internet to complete the registration card for a product, such as a computer or television, you generally provide your name and address, which then may be stored in a cookie. Legitimate websites use cookies to make special offers to returning users and to track the results of their advertising. These cookies are called first-party cookies. However, there are some cookies, called third-party cookies, which communicate data about you to an advertising clearinghouse which in turn shares that data with other online marketers. These third-party cookies include 'tracking cookies' which use your online history to deliver other ads. Your browser and some software products enable you to detect and delete cookies, including third-party cookies.
Disconnect is a browser extension that stops major third parties from tracking the webpages you go to. Every time you visit a site, Disconnect automatically detects when your browser tries to make a connection to anything other than the site you are visiting. You can also opt-out of the sharing of cookie data with members of the Network Advertising Initiative.
Flash cookies. Many websites utilize a type of cookie called a 'flash cookie' (sometimes also called a 'supercookie') that is more persistent than a regular cookie. Normal procedures for erasing standard cookies, clearing history, erasing the cache, or choosing a delete private data option within the browser will not affect flash cookies. Flash cookies thus may persist despite user efforts to delete all cookies. They cannot be deleted by any commercially available anti-spyware or adware removal program. However, if you use the Firefox browser, there is an add-on called Better Privacy that can assist in deleting flash cookies.
Fingerprinting. A device fingerprint (or machine fingerprint) is a summary of the software and hardware settings collected from a computer or other device. Each device has a different clock setting, fonts, software and other characteristics that make it unique. When you go online, your device broadcasts these details, which can can be collected and pieced together to form a unique 'fingerprint' for that particular device. That fingerprint can then be assigned an identifying number, and used for similar purposes as a cookie.
Fingerprinting is rapidly replacing cookies as a means of tracking. Tracking companies are embracing fingerprinting because it is tougher to block than cookies. Cookies are subject to deletion and expiration, and are rendered useless if a user decides to switch to a new browser. Some browsers block third-party cookies by default and certain browser add-ons enable blocking or removal of cookies.
Unlike cookies and flash cookies, fingerprints leave no evidence on a user's computer. Therefore, it is impossible for you to know when you are being tracked by fingerprinting.
![Protect Protect](https://42j5n3qsc7s15qb4q29vnw01-wpengine.netdna-ssl.com/wp-content/uploads/2019/03/icon-damages.png)
You can test your browser to see how unique it is based on the information that it will share with the sites that you visit. Panopticlick will give you a uniqueness score, letting you see how easily identifiable you might be as you surf the web.
Unfortunately, fingerprinting is generally invisible, difficult to prevent, and semi-permanent. There's no easy way to delete fingerprints that have been collected. Computer users determined to prevent fingerprinting can block JavaScript on their computer. However, some parts of a website (for example, video and interactive graphics) may not load, resulting in a blank space on the webpage.
One way to block JavaScript is to use the Firefox browser with the “add-on” program called NoScript. The combination of Firefox and NoScript can stop JavaScript on websites. Disabling JavaScript stops many forms of browser fingerprinting, because it prevents websites from detecting plugins and fonts, which are necessary to effectively fingerprint a device.
Cross-device tracking. Cross-device tracking occurs when companies try to connect a consumer’s activity across their smartphones, tablets, desktop computers, and other connected devices. The goal of cross-device tracking is to enable companies to link a consumer’s behavior across all of their devices. While this information serves many purposes, it is particularly valuable to advertisers.
To engage in cross-device tracking, companies use a mixture of both “deterministic” and “probabilistic” techniques. The former can track you through an identifying characteristic such as a login. The later uses a probabilistic approach to infer which consumer is using a device, even when a consumer has not logged into a service.
For example, a company called BlueCava is able to identify and track users online across multiple devices. They can associate multiple devices to the same person or household, by attaching an IP address to a BlueCava identifier and by recognizing and collecting information about the various computers, smartphones, and tablets that people use to connect the internet. Thus, your behavior on one device can be associated with other devices from both your home and office. This information can be very valuable for marketing purposes.
BlueCava's technology enables them to recognize computers and devices by collecting information about your screen type, IP address, browser version, time zone, fonts installed, browser plug-ins and various other properties of your screen and browser. This information is put into a “snapshot” and is sent to their servers to create a unique ID for every browser and to “match” the snapshot to the snapshots they receive from their marketing partners. When they use snapshots to create a unique ID, they are also able to group related screens into “households” based on common characteristics among the snapshots, such as IP addresses. BlueCava allows you to opt out of tracking.
If you are interested in some of the more technical aspects of online tracking, the Princeton Web Census measures cookie-based and fingerprinting-based tracking at one million websites and evaluates the effect of browser privacy tools.
2. Mobile Apps
If you use a smartphone or other mobile device to access the Internet, chances are that you may be using mobile applications (apps) rather than an Internet browser for many online activities. An app is a program you can download and access directly using your mobile device. There are hundreds of thousands of apps available, including numerous free or low-priced choices. Unfortunately, apps can collect all sorts of data and transmit it to the app-maker and/or third-party advertisers. This data may then be shared or sold.
Some of the data points that an app may access from your smartphone or mobile device include:
- your phone and email contacts
- call logs
- internet data
- calendar data
- data about the device’s location
- the device’s unique IDs
- information about how you use the app itself
Many apps track your location. There are location-based services like Yelp and Foursquare that may need your location in order to function properly. However, there are also apps (such as a simple flashlight) that do not need your location to function and yet still track it.
Smartphones and other mobile devices may ask you for specific permissions when you install an app. Read these and think about what the app is asking for permission to access. Ask yourself, “Is this app requesting access to only the data it needs to function?” If the answer is no, don’t download it. Learn where to go on your particular phone to determine what you will allow the app to access, and if you are at all suspicious do more research on the app before you download.
Mobile apps generally do not provide ad networks with the ability to set a cookie to track users. Instead, ad networks may use your phone's mobile advertising identifier. These identifiers have different names depending on the brand of your phone. For example, on Android devices they are called Google Advertising ID. On iOS, they are called Identifiers for Advertisers. You can find your device's options to set an opt-out flag using these instructions.
3. Privacy Policies
One way to protect your privacy online is to understand how a site or app will use and share your personal information. Websites and apps generally provide this information in their privacy policy.
California's Online Privacy Protection Act (CalOPPA) requires commercial websites or mobile apps that collect personal information on California consumers to conspicuously post a privacy policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information. The privacy policy must also provide information on the operator’s online tracking practices. CalOPPA is the first law in the United States to impose disclosure requirements on website operators that track consumers’ online behavior. As a practical matter, CalOPPA applies nationwide as long as the site operator collects personal information from California consumers.
According to the California Attorney General, a website, app, or other online service may violate this law if:
- it lacks a privacy policy
- its privacy policy is hard to find
- its privacy policy does not contain all the information required by law
- it does not follow its own privacy policy, or
- it does not notify users of significant changes to its privacy policy
The California Attorney General operates an online complaint form that consumers may use to report violations.
4. Accessing the Internet
You are likely to access the internet using one or more of these services:
- An Internet Service Provider (ISP)
- A Mobile (Cellular) Phone Carrier
- A Wi-Fi Hotspot
If you use a computer to access the internet and pay for the service yourself, you signed up with an Internet Service Provider (ISP). Your ISP provides the mechanism for connecting to the internet.
Each computer connected to the internet, including yours, has a unique address, known as an IP address (Internet Protocol address). It takes the form of four sets of numbers separated by dots, for example: 123.45.67.890. It’s that number that actually allows you to send and receive information over the internet.
Depending upon your type of service, your IP address may be 'dynamic', that is, one that changes periodically, or 'static', one that is permanently assigned to you for as long as you maintain your service.
Your IP address by itself doesn’t provide personally identifiable information. However, because your ISP knows your IP address, it is a possible weak link when it comes to protecting your privacy. ISPs have widely varying policies for how long they store IP addresses. Unfortunately, many ISPs do not disclose their data retention policies. This can make it difficult to shop for a “privacy-friendly” ISP. Some ISPs may share their customers’ internet activity with third parties and/or collect your browsing history to deliver targeted advertisements.
When you visit a website, the site can see your IP address. Your IP address can let a site know your geographical region. The level of accuracy depends upon how your ISP assigns IP addresses.
You can block your IP address by utilizing a service such as Tor which effectively blocks this information. Another alternative is to use a Virtual Private Network (VPN). A VPN replaces your IP address with one from the VPN provider. A VPN subscriber can obtain an IP address from any gateway city the VPN service provides. You will have to pick a VPN provider very carefully. Unfortunately, experts can’t agree upon which VPN services are best. Some VPNs have potential security flaws that could put your data at risk. It can be difficult to determine how secure a VPN is, and precisely what it is doing with your data. Most experts advise avoiding free VPNs, which may monetize your data in exchange for the free service.
If you access the internet with a phone or other mobile device, you may access the internet using a data plan tied to your cellular phone service. If you have a data plan, your service provider (such as AT&T, Sprint, Verizon, and T-Mobile) collects data about your usage.
5. Passwords
Whenever you have an opportunity to create and use a password to protect your information, make sure that you use a strong password. Passwords are the first line of defense against the compromise of your digital information. Revealing the data on your phone, your banking information, your email, your medical records, or other personal information could be devastating. Yet many people fail to follow proper practices when selecting the passwords to protect this important information. Many websites that store your personal information (for example web mail, photo or document storage sites, and money management sites) require a password for protection. However, password-protected websites are becoming more vulnerable because often people use the same passwords on numerous sites. Strong passwords can help individuals protect themselves against hackers, identity theft and other privacy invasions.
Here are some password “dos” and “don’ts” that can help you to maintain the security of your personal data.
- Do use longer passwords. Passwords become harder to crack with each character that you add, so longer passwords are better than shorter ones. A brute-force attack can easily defeat a short password.
- Do use special characters, such as $, #, and &. Most passwords are case sensitive, so use a mixture of upper case and lower case letters, as well as numbers. An online password checker can help you determine the strength of your password.
- Don’t 'recycle' a password. Password-protected sites are often vulnerable because people often use the same passwords on numerous sites. If your password is breached, your other accounts could be put at risk if you use the same passwords.
- Don’t use personal information (your name, birthday, Social Security number, pet’s name, etc.), common sequences, such as numbers or letters in sequential order or repetitive numbers or letters, dictionary words, or “popular” passwords.
- Don’t feel obligated to change your passwords frequently, unless you believe that your password has been stolen or breached. Conventional wisdom considered changing passwords to be an important security practice. Recent research suggests that people who change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways. Of course, if you believe that your password has been breached or compromised, it is essential to change it immediately.
- Don’t share your passwords with others.
- Do enable two-factor authentication (when available) for your online accounts. Typically, you will enter your password and then a code will be sent to your phone. You will need to enter the code in addition to your password before you can access the account. Twofactorauth.org has an extensive list of sites and information about whether and how they support two-factor authentication. It's best to use an option that isn't SMS-based, such as an authentication app on your smartphone.
- Don’t write down your passwords or save them in a computer file or email. Consider a password manager program if you can’t remember your passwords. Alternatively, keep a list of passwords in a locked and secure location, such as a safe deposit box.
Password recovery methods are frequently the 'weakest link', enabling a hacker to reset your password and lock you out of your account. Be sure that you don’t pick a question which can be answered by others. Many times, answers to these questions (such as a pet’s name or where you went to high school) can be ascertained by others through social networking or other simple research tools. It's also a good idea to have your password resets go to a separate email account designed for resets only.
6. Wireless Networks and Wi-Fi
Cookie 5 7 7 – Protect Your Online Privacy Concerns At Work
Households and businesses establish wireless networks to link multiple computers, printers, and other devices and may provide public access to their networks by establishing Wi-Fi hotspots. A wireless network offers the significant advantage of enabling you to build a computer network without stringing wires. Unfortunately, these systems usually come out of the box with the security features turned off. This makes the network easy to set up, but also easy to break into.
Most home wireless access points, routers, and gateways are shipped with a default network name (known as an SSID) and default administrative credentials (username and password) to make setup as simple as possible. These default settings should be changed as soon as you set up your Wi-Fi network. In addition, some routers are equipped by default with 'Guest' accounts that can be accessed without a password. 'Guest' accounts should be disabled or password protected.
The typical automated installation process disables many security features to simplify the installation. Not only can data be stolen, altered, or destroyed, but programs and even extra computers can be added to the unsecured network without your knowledge. This risk is highest in densely populated neighborhoods and office building complexes.
Home networks should be secured with a minimum of WPA2 (Wi-Fi Protected Access version 2) encryption. You may have to specifically turn on WPA2 to use it. The older WEP encryption has become an easy target for hackers. Also, do not name your home network using a name that reveals your identity. Setting up your home Wi-Fi access point can be a complex process and is well beyond the scope of this fact sheet. To ensure that your system is secure, review your user's manuals and web resources for information on security.
The number of Wi-Fi hotspot locations has grown dramatically and includes schools, libraries, cafes, airports, and hotels. With a Wi-Fi connection you can be connected to the Internet almost anywhere. You can conduct the same online activities over Wi-Fi as you would be able to at home or work, such as checking email and surfing the web. However, you must consider the risks to your privacy and the security of your device when using a Wi-Fi hotspot. Most Wi-Fi hotspots are unsecured and unencrypted. Even the expensive pay Wi-Fi service available in many airplanes may be as insecure as the free Wi-Fi offered at your corner coffee house. Therefore, you must take additional steps to protect your privacy.
Because the network at a Wi-Fi hotspot is unsecured, Internet connections remain open to intrusion. Hackers can intercept network traffic to steal your information. There are 3 major privacy threats in a Wi-Fi hotspot:
- Man-In-The-Middle Attack refers to the act of intercepting the connection between your computer and the wireless router that is providing the connection. In a successful attack, the hacker can collect all the information transferred and replay them on his computer.
- Eavesdropping refers to the act of using sniffer software to steal data that is being transmitted over the network. A sniffer is an application or device that can read, monitor, and capture network data. This is particularly dangerous when conducting transactions over the internet since sniffers can retrieve logon details as well as important information such as credit card numbers.
- Looking over the shoulder is the simple act of others looking over your shoulder to see your activities.
There are various ways to help protect your privacy when using Wi-Fi. Begin with basic common sense. Look around to see if anyone is surreptitiously trying to look at your computer. Do not leave your computer unattended. Never conduct unsecured transactions over unsecured Wi-Fi. When entering sensitive information (such as your Social Security number, password, or credit card number), ensure that either the webpage encrypts the information or that your Wi-Fi connection is encrypted. Disable your wireless adapter if you are not using the Internet. Otherwise, you leave your computer open to vulnerabilities if it accidentally connects to the first available network.
VPN (Virtual Private Network). This is the first line of defense against vulnerabilities created by Wi-Fi. A VPN provides encryption over an unencrypted Wi-Fi connection. This will help ensure that all web pages visited, log-on details, and contents of email messages remain encrypted. This renders intercepted traffic useless to the hacker. You can obtain software to set up a VPN through your office or home computer, or you can use a commercial provider’s hosted VPN service.
Secure surfing/SSL. When checking your email or conducting any important transaction, adding an “s” after “http” may give you a secured connection to the webpage. Many webmail services provide this feature. This ensures that your login details are encrypted thereby rendering it useless to hackers. Although your email login may be encrypted, some webmail providers may not encrypt your Inbox and messages.
Check for SSL (Secure Sockets Layer) certificates on all websites on which you conduct sensitive transaction. SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely.
Wi-Fi settings. Ensure that your computer is not set to automatically connect to the nearest available Wi-Fi access point. This may not necessarily be a legitimate connection point but instead an access point on a hacker’s computer.
Disable file-sharing. Ensure that file sharing is disabled on your computer to ensure that intruders cannot access your private files through the network.
Firewall. Install a firewall on your computer and keep it enabled at all times when using Wi-Fi. This should prevent intrusion through the ports on the computer.
Security updates. Keep your computer’s software and operating system up-to-date. This will help plug security holes in the software or operating system.
Welcome To All About Cookies.orgCookie 5 7 7 – Protect Your Online Privacy Concerns Act
Privacy Concerns on Cookies
As we've mentioned in several areas of this website, cookies are inherently harmless. Cookies are simple uncompiled text files that help coordinate the remote website servers and your browser to display the full range of features offered by most contemporary websites. These features include hassle-free automatic logins and authentication, shopping cart functionalities, third party ad serving, ad management, preference setting, language setting, among many others. As cookie technology evolves along with website publishing and advertisement technology, privacy issues are sure to arise time and again.
Storing Personal Information and Tracking User Behavior
While cookies by themselves cannot dig or research your information or search your computer, they do store personal information in at least two ways—form information and ad tracking. This personal information is not generated by the cookies themselves but by your own input into websites' order forms, registration pages, payment pages, and other online forms. Often used for ecommerce, this information is often encoded and protected from hacking by the remote server through limited interaction via security features like secure sockets layers (SSL) certified pages and similar network security schemes.
Cookie-based ad tracking has evolved through the years. From simple operations like counting ad impressions, limiting popups, and preserving ad sequence, third party ad serving cookies have evolved to user profiling/website preference tracking. This latter group of activities—ad tracking, that has attracted a lot of controversy among online consumer privacy groups and other concerned parties. Many of the largest websites online use large-scale third-party ad serving networks which cover many sites. One of the largest is Google's Adsense/Adwords ad serving network. Literally, millions of pages run Adsense ads. For every click a valid user makes on a Google-served ad on their site, site owners make money ranging from pennies to dollars.
Maximizing advertising effectiveness through cookie-based user profiling
Google's ad-serving platform embodies many of the technological innovation used by other ad serving companies—it uses a user profiling system that tracks and models a particular user's browsing and ad clicking habits. Google has long provided contextual advertising—ads are triggered by the words on a page. Google's ad serving system has added another layer to this technology—user preference modeling/tracking.
Simply put, when a user visits particular websites or reads particular content, Google's ads will try to serve ads to that user that matches their content browsing preferences. The preferences are not consciously or explicitly set by the user but modeled after the user's browsing history, page viewing, and ad clicking history. Accordingly, when a user reads “dog training” pages and moves on to another Google ad-powered page that might not be related to dog training, dog training ads might follow the user to the new page. There is no obvious notice or notification sent to the user that the user's actions online are being tracked for ad-serving purposes.
As observed by some online consumer privacy groups, this ubiquitous tracking and ad-specificity increase the effectiveness of ads. However, they urge that such increased ad effectiveness must be weighed against the impact on user privacy and the fact that there is no obvious consent given for such tracking. Given the rapid evolution of cookie-based ad-serving and behavior-tracking technology, consumer privacy activists are urging a reconsideration of the default standards for cookies. The rise and fall of flash cookies intensified the privacy debate.
Flash cookies: a cause for concern
In addition to user behavior tracking and browsing history-based ad serving, online consumer groups are also concerned at the rising level of cookie anonymity. While browser-based cookies are easy to detect and delete, many consumers are not very familiar with “flash-based” cookies. Also called “Local Shared Objects” (LSO), flash-based cookies are not stored on your computer like browser-based cookies.
As a result, they are harder to find and delete. Banks and online finance sites use flash-based cookies precisely for this reason. Since they are harder to detect and delete and are less known than browser-based cookies, banks/finance sites store flash cookies on their users' computers to authenticate account owners and prevent fraud since fraudsters would merely have a user's login and password but no access to the user's computer. The flash cookie acts as a second level of authentication supplementing the user's login and password. Once again, there's no explicit notice sent to the user that a flash cookie has been planted on the user's computer.
Due to the increasingly vocal concerns raised by consumer groups and privacy groups, flash-based cookies are being phased out on a technical level. Newer versions of Adobe Flash notify users that a cookie is being planted and explicitly asks users if they consent to storing website server information on their computer. Users can either choose to install or cancel the installation process. Regardless, the rise, widespread use, and fallout resulting from flash-based cookies does raise a fundamental question at this stage of cookies' technological evolution—are current privacy protection processes enough?
P3P: Inadequacy in the face of the Internet's Evolution?
Cookie 5 7 7 – Protect Your Online Privacy Concerns Act
P3P stands for 'Platform for Privacy Preferences Project'. It is a project by the Internet standards setting body, the World Wide Web Consortium (W3C), which aims to help consumers manage their privacy while navigating websites which have differing privacy policies (ie., what information is collected, what duration is set, among others). Users set their privacy preference in their P3P-enabled browsers.
Before a user loads a site, the browser's P3P agent checks the privacy policy of the website being loaded. If the site falls within the user's preset privacy settings, the site loads automatically. If the site's privacy policy doesn't match the user's settings, the user is prompted.
Critics of P3P note that it offers weak protection against the highly evolving pace of website content, only a small fraction of websites complies with P3P or even have a privacy policy, and there's no legal compulsion for websites to enforce their privacy policies. In essence, the P3P, its critics charge, is a well intentioned failure—a toothless tiger.
For more information click here
Opt-in cookies versus Opt-out cookies
For much of the history of the Internet and cookie-enabled websites, most websites planted cookies and dealt with user information on a purely opt-out basis. By default, websites are free to load their cookies onto your computer. If you don't like it, you can always search for the cookie files and delete them or set your browser to prompt you when a cookie is being planted. Moreover, there are websites like networkadvertising.org that lists most of the large third-party ad serving services on the Internet and allows users to select the networks they'd like to opt-out from.
Proponents of the optout model tout the smooth navigation experience users have. Icash 7 8 15. You merely go from one website to another. There is no “gate” you have to pass through to read free content or use free tools. This makes the Internet easy to navigate and convenient to use.
Critics of the optout model point to the increasingly intrusive abilities of third-party ad tracking cookies which follow users from one network site to another. These cookies create dynamic profiles of the user which advertisers use to maximize their revenues at the expense of users who were neither notified nor gave their consent. The users are “surfing blind” because they do not know which information is being collected, the purposes of such collection, nor are they given a copy of the collected information.
Moreover, online behavior tracking might lead to group-based discrimination (e.g., people using a particular block of IP addresses, or people that came from particular websites). They also raise the danger of private groups collecting information which is later turned over to government authorities. Since constitutional protections only cover government actions, private data collecting poses particularly serious concerns.
Online consumer privacy groups urge a new default standard for cookies—OPT OUT. Under an opt out scheme, consumers are notified via an alert or window when they load a website. The user must consent to the notice before they can navigate the site and any cookies are planted. At a minimum, the notice is to contain the following: disclosure of information gathering practices, the uses for this information, and policies for processing and disposing of this data.
The user should be given the right to know if the information being gathered contains any personally identifying data, the right to get a copy of the data collected at an affordable price and in a form that the consumer can readily understand, and the right to request a correction of the data, and, most importantly, the right to have all data on the user's behavior/browsing pattern within the website destroyed.
Consumer privacy protection activists argue that given the huge evolution of websites like Facebook which pose extensive security concerns as well as the evolution of “hidden” cookie technology as exemplified by flash cookies, an opt out regime is the only effective way to safeguard user information.
Not so fast, says third-party ad servers, exemplified by no other than Google's ad department. Google argues that an OPT IN regime is unworkable because of the following:
Consumers, when they first arrive at a new website, don't know enough about the website to opt in. They don't know the features of the site and don't know the benefits to weigh against the costs to their privacy. It is, they argue, unrealistic to expect that the user can come up with an informed decision to opt in. It's arguably much better to plant the user tracking cookie when the user arrives at the site, so they can get a fuller understanding of the site's offerings and let them opt out at a later time if they wish. Now, at this point in time, it is argued, they would have enough information as to which features to opt out from.
An optin system forces marketers and websites to ask for more information than they would normally ask for since they have to compensate for the higher cost of each registered member. Since more users are turned away by the optin system, the cost per user increases and this forces website owners and/or third party ad servers to ask for more information which they can monetize later or ask the user to opt in to more areas/features of the site.
Compare this to an opt out system which incentivizes websites to offer consumers a feature by feature list they can opt out from. Sites and services are pushed to do this in a bid to retain the user. This incentive, arguably, isn't present in an opt in system.
If optin becomes the standard, the protections such a system is supposed to provide actually disappear because people will become desensitized to optin terms and conditions. Users will, as a habit, automatically click “I agree” without reading the details. So we end up with the same problem the optin system was supposed to fix--unprotected and exploited consumers. This is what happened to adware when Internet Explorer was updated to prompt users when installing applications.
Finally, optin imposes costs on website owners and marketers, since they filter out users that would normally navigate in and out of their site unobtrusively under an optout system. There might be a decrease in registrations as a percentage of users don't have enough information about the site to “risk” cookie planting/behavior tracking. Add to this cost of lower registration the fact that there's no “universal”registration form among websites.
The end result of these costs would be to incentivize websites and their affiliated ad-serving partners to create “walled gardens”--registration guarded sites that have a higher cost of exchanging information among each other. Walled gardens can severely limit user's abilities to smoothly and easily navigate from one website to another. This leads to a severe limitation of users' opportunities to experience new pages/websites outside of the “walled garden.” A key example of this is Facebook.
Cookies are Dead, Long Live Cookies
There are two kinds of cookies—cookies to help a site function and cookies for ad tracking/monetization. The divide between the two grows wider as the debate between the proper role of cookies and the user tracking/user information storage they make possible gets louder.
One thing is certain, cookies website-enhancing functions will remain in demand regardless of whether the cookie, as a file form, survives today's raging privacy debates. Cookies are at a tenuous yet crucial crossroad between public policy and technology. We have no doubt that in the future this impasse will be safely resolved—high levels of personal privacy while preserving full website functionality and advertiser monetization. It is just a matter of innovation.