FCC Meets To Investigate Cookie Abuse

PreacherTom writes to tell us BusinessWeek is reporting that the FCC and the Center for Digital Democracy plan to meet in order to discuss abuses with regard to cookies. From the article: "Online advertisers have a sweet tooth for cookies. Not the kind you bake, but the digital kind — those tiny files that embed themselves on a PC and keep tabs on what Web sites are visited on which machines. But cookies could have a bad aftertaste for consumers. Privacy advocates say the files are being force fed in large quantities to computer users, and they're demanding that the government put some advertisers on a diet."

Oh criminy

[A+nonymous+Coward]

Just disable cookies in the browser by default. Or make them session cookies, that's a good enough second best.

What's the government supposed to do next, make it illegal for anyone to download a virus?

Honestly, some people won't be satisfied until the government publishes a 500 page manual on how to wipe your ass and makes it illegal to do it in any other way.

Re:Oh criminy

[ajs]

None of these are "personal information." At no point was your mother's hair color revealed.

It was if she was shopping for hair dye. It was if she was a frequent poster to the "blondes have more fun after 50" message boards.

But that's not interesting. What's interesting is that she usually follows links that talk about hair, or that she spends over $50 only on sites that have distinctly senior-citizen pitch. This requires examination of her behavior in a larger context.

That information, when tied to a telephone number by your phone company, through records from your ISP are invaluable, even if limited to a zip-code's worth of demographics. I'm not actually comfortable with that kind of infromation being handed around freely by companies with which I do business. What's worse is the fact that it's usually not those companies that you KNOW you're interacting with that hand out this information (though it's only slightly less distasteful when it is). It's usually companies that offer them their advertising services or user-tracking, and they have very sophisticated ways of tracking usage, some of which don't even require cookies, and many of which abuse techniques that integrate with the company's own cookie scheme.

My browser has several security settings:
Accept Cookies () Always, () Never, () Only from sites you navigate to

The default was the last one, which makes a fair amount of sense to me.

If you navigate to a site, YOU are sending THEM the cookie information. This is your problem/fault. You have the options to either () Not visit the site, () Disable Cookies, () Clear your cookies between visits.

First, there are ways to subvert your setup, and I guarantee that it's already being done without your knowledge. Handing off cookies between two sites that you visit, without issuing a cookie from a foreign site was a technology perfected in 1999 (maybe before, but that's when I first saw it in a technical document).

Second, even without handing off cookies, there are many abuses of your personal privacy that companies you deal with can engage in. All that is being said here is that there's a line you don't cross in terms of selling information about people's behavior. We're not even talking about going as far as the EU does (and boy, do they go to lengths to protect privacy!)

The solution is not a legal one, it is a technical one. It is available. It is easy. The law should not get involved, and if it does, it will simply drive web hosting to china.

Hosting doesn't matter. A US company that abuses the privacy of US citizens in a way that contradicts US law must answer for that abuse. The fact that they placed the servers in China has no brearing on that.

2 questions

[Lord+Dreamshaper]

I set my browser to "Ask me everytime" On rare occasions, I need to allow cookies that I'd previously blocked. Problem is that my block list is hundreds deep and the names aren't always obvious. How do I find the one cookie permission I need to reset, short of erasing all permissions and starting over again? Along those lines, when I do allow cookies to keep me logged into a website, for example, how do I tell which cookies from that website are needed to keep me logged in and which ones are unnecessary (trial-and-error often creates the previous problem)?

cookie problem

[ajs318]

It's up to users to fight back. I have configured Firefox to ask me about cookies every time one is offered. If I see the dreaded __utma or RMID, I will block all cookies from that site. Others I will accept for the session only. I don't mind the odd PHPSESSID (even had one of them from a site pretending to be .asp once -- wonder if that was done for legacy compatibility reasons [keep the old filename even after upgrading to a better server platform] or by some smart IT bods getting paid to develop a site for a Microsoft server, then hosting it on a proper one and pocketing the money?)

If you're smart, you won't be tracked by cookies. But I've seen scary stackloads of cookies on machines running Microsoft crap. Come to think of it, even Firefox accepts all cookies by default.

Making browsers default to a safer cookie setting (disabled, or session-only) would be a step in the right direction, and so would simply outlawing data-mining (not that I expect anyone would take any notice of such a ban); but ultimately, it's still no substitute for users having some smarts.

Under the Radar

If you use the Flash Plugin make sure you set the
local storage settings to 0 KB.

(Right click a flash banner and select "Settings..")

You can set cookies in Flash and it doesn't get deactivated
when you turn off cookies in your browser.

Advertisers haven't really started fully utilizing Flash's
ability to store data in a local sandbox, but don't worry they will.
And it goes completely underneath the browser cookie control radar!
There is so much flash content these days (banners, video) it is
bound to be exploited sooner than later.

AAFC (Anonymous Aware Flash Coder)