FCC Meets To Investigate Cookie Abuse

PreacherTom writes to tell us BusinessWeek is reporting that the FCC and the Center for Digital Democracy plan to meet in order to discuss abuses with regard to cookies. From the article: "Online advertisers have a sweet tooth for cookies. Not the kind you bake, but the digital kind — those tiny files that embed themselves on a PC and keep tabs on what Web sites are visited on which machines. But cookies could have a bad aftertaste for consumers. Privacy advocates say the files are being force fed in large quantities to computer users, and they're demanding that the government put some advertisers on a diet."

Alright, I'll Cut Back!

FCC Meets to Investigate Cookie Abuse

Jeez, lay off me, ok? My doctor's been bustin' my balls about it, the last thing I need is the government on my back.

I'm sorry, I'm sorry! But when you leave a box of those girl scout confections next to me, what do you think I'm going to do? They're gone after a few lines of coding and I don't even remember eating them!

*breaks down sobbing

I'm a sick man! I need help! Someone just check me into the Betty Crocker clinic already!

Suggested tag: thinkofthecookies

FCC Meets to Investigate Cookie Abuse

[GillBates0]

Thousands of children arrested for crumbling cookies and drowning them in milk.

When contacted for comment on this...

[spiritraveller]

Cookie Monster replied, "Me not guilty. Cookie goooooooooooood!"

Re:When contacted for comment on this...

[scottschiller]

Another cookie article, and yet more cooking/baking analogies. Someone should write a cookie monster Greasemonkey script which brings up that particular character ("And now, me eat cookie! Owmwowmowmwowmowmwmowm...."), before setting document.cookie to null.

Many sites stuff advertising and tracking-related data in there alongside your login/auth information in cookies, so it seems you can't win if you need to browse with credentials etc. Blocking 3rd-party cookies is probably the safest bet against ads and so on at this point though, without disrupting cookies required just to browse/authenticate.

Are you kidding?

[spencerogden]

Is this really an area we need more laws about? The dangers of cookies have been overblown for a long time. Not to mention that fact that all browsers give the user more than adequate control over their cookies.

If this is the best thing the FCC can find to waste their time on, then they have become worthless.

Re:Are you kidding?

[neoform]

Headline should have read:

"FCC Meets to Over-Assert Itself Once Again"

Re:Are you kidding?

[Shawn+is+an+Asshole]

Agreed. The cookie "threat" is overblown by the media. If you're really concerned about it, every modern browser has built in protections.

In Firefox's preferences (2.0) click on the "Privacy" tab and change "Keep until" to "I close Firefox". Then whenever you close the browser, all the cookies are gone. For sites you want to be able to persist (bank, slashdot, etc), put them in the exceptions. I've been doing it this way for years. You can also set it to block cookies for certain sites (I block google, for example).

The summary is an understatement.

[jZnat]

Try browsing with cookies on an "ask me every time" sort of basis. Even the most unlikely websites will demand a cookie. What ever happened to sane usage of cookies where they'd only be set if you did something on the site that initiated a cookie transfer (e.g. logging in, starting a shopping cart, storing your preferences)?

Re:The summary is an understatement.

[RingDev]

I've seen some that are limits on advertising. They track when the last time you had an add on the page so that you only see adds every few minutes, instead of constantly.

Cookies are a tool. They can be used for cool things, or crappy things.

-Rick

Re:The summary is an understatement.

[TodMinuit]

What ever happened to sane usage of cookies where they'd only be set if you did something on the site that initiated a cookie transfer (e.g. logging in, starting a shopping cart, storing your preferences)?

Oh man, remember those good old days? Before every site was covered in AdSense. When MySpace was the glimmer in some nerds eye. Before every moron lip-synced horrible songs on YouTube. When email was used for communication. When people actually used correct English. When Pluto was still a planet.

I remember!!! Flobble-de-flee!

Oh criminy

[A+nonymous+Coward]

Just disable cookies in the browser by default. Or make them session cookies, that's a good enough second best.

What's the government supposed to do next, make it illegal for anyone to download a virus?

Honestly, some people won't be satisfied until the government publishes a 500 page manual on how to wipe your ass and makes it illegal to do it in any other way.

Re:Oh criminy

[ajs]

No, you're hyperbolizing. Some people (myself included) won't be happy until the government sets limits on how personal information can be used by corporations. I don't like the fact, for example, that my mother's phone company shares personal information with her Internet provider who then buys information derived from cookies to develop a package that allows telemarketers to target her based on what Web sites she uses. This is not what the Internet is there for, and I personally want a stop put to it. Limiting abuse of cookies (especially cross-site hand-offs that are used specifically to track broad activity across disconnected sites) would be a good first step, and one that should have happened years ago when certain companies which NDAs prevent me from naming (not related to my current company, thankfully) started the practice.

Re:Oh criminy

[kenj0418]

Honestly, some people won't be satisfied until the government publishes a 500 page manual on how to wipe your ass and makes it illegal to do it in any other way.

I wouldn't mind if the government gave me a 500 page manual for wiping my ass. As long as the pages were soft - that is.

Re:Oh criminy

[ajs]

None of these are "personal information." At no point was your mother's hair color revealed.

It was if she was shopping for hair dye. It was if she was a frequent poster to the "blondes have more fun after 50" message boards.

But that's not interesting. What's interesting is that she usually follows links that talk about hair, or that she spends over $50 only on sites that have distinctly senior-citizen pitch. This requires examination of her behavior in a larger context.

That information, when tied to a telephone number by your phone company, through records from your ISP are invaluable, even if limited to a zip-code's worth of demographics. I'm not actually comfortable with that kind of infromation being handed around freely by companies with which I do business. What's worse is the fact that it's usually not those companies that you KNOW you're interacting with that hand out this information (though it's only slightly less distasteful when it is). It's usually companies that offer them their advertising services or user-tracking, and they have very sophisticated ways of tracking usage, some of which don't even require cookies, and many of which abuse techniques that integrate with the company's own cookie scheme.

My browser has several security settings:
Accept Cookies () Always, () Never, () Only from sites you navigate to

The default was the last one, which makes a fair amount of sense to me.

If you navigate to a site, YOU are sending THEM the cookie information. This is your problem/fault. You have the options to either () Not visit the site, () Disable Cookies, () Clear your cookies between visits.

First, there are ways to subvert your setup, and I guarantee that it's already being done without your knowledge. Handing off cookies between two sites that you visit, without issuing a cookie from a foreign site was a technology perfected in 1999 (maybe before, but that's when I first saw it in a technical document).

Second, even without handing off cookies, there are many abuses of your personal privacy that companies you deal with can engage in. All that is being said here is that there's a line you don't cross in terms of selling information about people's behavior. We're not even talking about going as far as the EU does (and boy, do they go to lengths to protect privacy!)

The solution is not a legal one, it is a technical one. It is available. It is easy. The law should not get involved, and if it does, it will simply drive web hosting to china.

Hosting doesn't matter. A US company that abuses the privacy of US citizens in a way that contradicts US law must answer for that abuse. The fact that they placed the servers in China has no brearing on that.

Re:Oh criminy

[hairpinblue]

> What's worse is the fact that it's usually not those companies that you KNOW you're interacting with that hand out this information (though it's only slightly less distasteful when it is)

Several years ago I conducted an experiment with this. My official address, as per the post office, was "200M Pinewood Drive". When filling out applications for bank accounts, insurance, ordering things online, etc., I would often mix and match with things like "200 Pinewood Unit M" or "200M Pinewood" or "200 Pinewood Drive Apt M", etc. and then watch what address would be on incoming junk mail. The result was that, after ordering things like software or magazine subscriptions (online), I saw no significant increase in spam snail mail with the correlating address. However, after signing up for bank accounts and auto insurance (both of which have very strict privacy policies on their applications), I would see a corresponding rise in spam snail mail with the correlating address.

Large institutions, no matter how convincing their privacy policies are, have a thousand different ways of passing on your personal information. All of them, should you ever manage to put together a proper paper trail, are probably legal through some loophole or another in either their privacy policy or the law.

More laws != good laws

[daeg]

Laws don't always correct things. This isn't something you can legislate. The sheer number of exceptions would make this law more complicated than anyone could follow or enforce.

Don't like cookies? Don't visit the sites that use them.

Re:More laws != good laws

[KokorHekkus]

Sweden has had a law mandating full disclosure of how cookies are used since 2003. In practice this means there's a small notification to a static page on how they use cookies. So it's not exactly an undue burden for a website. Having a lot of exceptions would make this complicated? Then don't have any... we don't in Sweden. Nothing has crumbled and died here yet.

Get some new material

[jfengel]

Is there any thing we can do about cookie pun abuse?

Thanks, Business Week. I've never heard any of those before. Perhaps you can stick in a few "roadkill on the information superhighway" gags while you're at it.

International

[toetagger1]

So this, like many other toppics like this, raises the question:
The FCC only has so much juresdiction. Would this apply to webpages that are hosted in the US? How about webpages that are being viewed in the US? Or what if they are hosted and vewed outside the US, but go through some wire in the US (or even worse, some satelite above the US...)
Of course, you could always regulate businesses and the way they do business in the US, but that shouldn't really be the FCCs responsibility. Not to mention that a business on the Net isn't just in the "US", especially if it sells ideas, information, or services, which are non-physical things that don't always cross borders and such.
It'll be interesting how this will play out in the next couple of years.

Re:International

[EvilMoose]

The website says FTC. The slashdot post says FCC.
Harhar, I just nullified your +4 Insightful comment. I wonder, will this give me a +troll?

2 questions

[Lord+Dreamshaper]

I set my browser to "Ask me everytime" On rare occasions, I need to allow cookies that I'd previously blocked. Problem is that my block list is hundreds deep and the names aren't always obvious. How do I find the one cookie permission I need to reset, short of erasing all permissions and starting over again? Along those lines, when I do allow cookies to keep me logged into a website, for example, how do I tell which cookies from that website are needed to keep me logged in and which ones are unnecessary (trial-and-error often creates the previous problem)?

Re:2 questions

[Lord+Dreamshaper]

But if you're going to buy from Amazon (for instance), you're going to have to suck it up and accept their cookies to use the shopping cart.

Exactly. I agree to use their cookies to enable the shopping cart. I'll even accept that the cookies then allow Amazon to make better suggestions for the next book I purchase. That does not mean I agree to allow someone else to profile me because Amazon sold the information, in specific or in aggregate.

Don't patronise the website? Well damn, I'd have to stop using the internet because it's such a prevalent condition, and, as my original questions illustrate, even informed consumers don't have reasonably easy options. *That's* why it should be legislated, consumers don't have another viable option.

cookie problem

[ajs318]

It's up to users to fight back. I have configured Firefox to ask me about cookies every time one is offered. If I see the dreaded __utma or RMID, I will block all cookies from that site. Others I will accept for the session only. I don't mind the odd PHPSESSID (even had one of them from a site pretending to be .asp once -- wonder if that was done for legacy compatibility reasons [keep the old filename even after upgrading to a better server platform] or by some smart IT bods getting paid to develop a site for a Microsoft server, then hosting it on a proper one and pocketing the money?)

If you're smart, you won't be tracked by cookies. But I've seen scary stackloads of cookies on machines running Microsoft crap. Come to think of it, even Firefox accepts all cookies by default.

Making browsers default to a safer cookie setting (disabled, or session-only) would be a step in the right direction, and so would simply outlawing data-mining (not that I expect anyone would take any notice of such a ban); but ultimately, it's still no substitute for users having some smarts.

What you give them...

[singularity]

Cookies should only be able to store data you give a company. A cookie is not going through your computer and associate your cookie with your name, email address, credit card number, sexual proclivity, and so on.

Now you can say that prevalent advertisers like doubleclick can make inferences based on what sites you go to that they serve ads for. This is one reason that I block anything to/from doubleclick. The fact that this also has the advantage of eliminating several ads as I browse the web? Outstanding. I fail to see how this should suddenly become illegal for doubleclick to do.

So then you can argue "Yeah, but if you sign up with the website, or make a purchase, they can associate a cookie with all the information they gave you!" Yes, and so can any brick-and-morter who wants to track purchases made with the same credit card. Or grocery stores that give you "Discount Cards" that require a name, address, and phone number. Use that discount card once with a credit card and they have even more information on you.

So I fail to see how data acquired through cookies is so bad we need laws "protecting" us. Any privacy nut is going to be willing to either block cookies from certain sites or just make them session-long. Anyone else is running with about the same loss of privacy that comes with using a credit card anyway.

If you do not want online companies to know who you are (and therefore track you), then do not give out information.

Cookies do not "embed themselves."

[Sloppy]

those tiny files that embed themselves on a PC and keep tabs on what Web sites are visited on which machines.

Cookies are passive content; they do not have the capapbility of doing anything. Web Browsers are what make the decision to download and store this purely optional advisory-only information.

If the cookie is not actively deleted or blocked by the Web surfer, it remains active on the computer for what could amount to years.

Again, you are describing a behavior of web browsers (and probably not all web browsers), not cookies.

I have always held that the software that I run, is my agent. If I run a web browser that essentially tells a web server what other pages I have visited, then by running that software, I have opted in. I guess the issue is that most computer users are not really aware of what they are running and what actions their agents are taking on their behalf, so they see the lack of making conscious decisions as "not opting out" rather than "opting in." I understand this and have some sympathy for this viewpoint, but it ultimately is technically incorrect, an illusion. I don't think you can't redefine the terms "opt out" and "opt in" to mean things they don't really mean, without having some undesirable consequences down the road.

The problem we face, is that we make unconscious or uninformed decisions, but that doesn't mean we aren't making those decisions; it merely means we're doing it poorly. I would much rather that users learn more about how their web browsers work and what the privacy risks are, than for new laws to be passed that micromanage what a web server admin is required to do, should their server be configured to send a certain header. It is ridiculous to have laws and regulations that get down to such detailed, technical levels, and I think that sort of thing is how we have managed to turn ourselves into a "lawyer society" where the law is so huge and complex that a layman is simply unable to know what the law is without expensive help from a specialist.

I hate cookies

[MeanderingMind]

I've browsed the internet with my ever changing browser of choice set to ask me about any and all cookies for years now. The number of cookies per site has been very steadily and rapidly increasing since their conception.

I hate it.

Back when they first appeared, they were there to help us maintain our logins through the website, not lose our shipping carts etc. It wasn't bad, it made sense. I was willing to let websites store my username and password so that I didn't have to keep logging back in constantly.

Honestly, I don't even see why we have cookies anymore. There should be far better ways to maintain a persistant login by now. Ways which don't threaten our privacy, or provide a medium for the same bastards that invented pop-ups and pop-unders to destroy common decency.

The first time I visit any website I am bombarded by cookies. This isn't just one cookie, this is as many as seven from a single page. Why in the name of Linux Torvalds do these sites need seven cookies to function? Clicking the next page bombards me again, and will keep bombarding me until I get through all 255 or more ad3.adserve.cookies.net like services. Only then can I finally visit the website in peace, until next month when a new advertiser joins the loop.

So now my cookie accept/block list is the size of New York's phone book. Heaven forbid in that barrage of cookies there was actually an important one. With all the obscure names they're given it's impossible to tell until you can't maintain your login. Now I get to play the age old 'Find the needle in the haystack' game, new millenium version.

This is beyond sanity. I don't know if the FCC has the right or the ability to do something about this, but something should be done. I don't have any idea what. Boycotting pages with cookies means 99.9% of the internet is off limits.

FTC, not FCC

[Bastian227]

I think a better question is: does the FTC have jurisdiction? The article as I see it says "Federal Trade Commission".