Privacy on the Internet 2010 – "Super Cookies" and the global debate

The concern and debate about the ethical issues of a third party tracking and selling the online habits of PC users is not new in the Internet age. However, the debate about personal privacy on the Internet is heating up dramatically in 2010 and attracting global attention from civic and government organizations around the world. The impetus for a renewed focus on standardized levels of consumer online privacy is largely driven by new technologies in cookie tracking tools that are earning a name in some industry circles as “super cookies.” .

To understand the latest round of the online privacy debate, we must first get a short, non-technical overview of what a super cookie is and how it differs from a standard browser cookie. The standard browser cookie is familiar to most PC users. It is a small non-viral text that is stored on a user’s computer through a web browser mainly for authentication, session tracking, user preferences, shopping carts, etc. but it also allows the capture of preference data and personal information. Web bugs are particularly sneaky cookies that can be deposited on your PC through your browser or via a small 1X1 pixel graphic that can be stored in a document or email someone sends you. Standard browser cookies are, for the most part, easy to identify and delete, if you wish, through your browser’s cookie management tools.

The new generation of super cookies transcends traditional environments and can be used for the same good or questionable purposes. What really differentiates a super cookie from a standard cookie is how they track a user’s online activity, what they are storing, and how difficult it is to identify and manage a super cookie. Today’s supercookies are synonymous with Adobe Flash and Microsoft Silverlight cookies, which are browser independent.

According to a WIRED.com article I recently read about a UC Berkeley report on Internet privacy, the phenomenal explosion of non-browser cookies created through tools like Adobe Flash and Microsoft Silverlight should give us pause. The article quotes from the report that “More than half of the major Internet websites use Flash cookies to track users and store information about them.”

Adobe Flash software is estimated to be installed on approximately 98% of personal computers. Therefore, when you visit a site like YouTube, it is likely that you are using a multimedia tool like Adobe Flash that can place a cookie on your system each time you visit it. The cookie is not actually found in your browser, where you could normally find it and delete it. They are independent of the browser, so even if you change your browser, that cookie will remain on your system, after your next online visit and accumulating a continuous profile of your habits. Most alarmingly, few sites acknowledge the use of Flash in their privacy statements.

The fundamental concern is how much and to what extent anyone’s online habits can be stored for behavioral targeting and contextual online advertising when the user does not know how and what is being tracked. Especially when the user believes that he is taking adequate measures to protect his privacy. Globally, the question on the table is “Who regulates the tracking and selling of personal and online shopping data?”

With the proliferation of supercookies, industry and government regulation is evolving as an agenda item in the internet privacy debate as it pertains to stored online activities. The “Do Not Call” telemarketing database protection from several years ago (and unsolicited FAX many more moons previously) is working to a great extent. It’s not flawless, but it does offer consumers some level of protection against invasion of privacy. The same applies to CANSPAM laws to opt out of receiving unsolicited email from a company. It’s not okay for them to call me at dinner if I explicitly ask them not to. Similarly, if I choose not to receive email requests from a company, I should not expect any further emails from that company within a reasonable time that allows the company to mark me as “no email” in their database. However, now, our online habits are being tracked, bought and sold without our knowledge and are subtly resold to us in the way of our next “suggested” visit to the site or “contextual ad”.

The consumer privacy ramifications of super cookies are already on the radar of the Federal Trade Commission (FTC), many state offices of the US government, and global internet privacy organizations. It will be interesting to follow the outcome of the recent FTC roundtable discussions on this topic held in California in January 2010. Also, let’s see how Barbara Anthony, the Massachusetts Under Secretary for Consumer Affairs can begin with her statement that she wants similar consumers online data protection in their home state before March 1. All we ask for when it comes to our privacy online is something of a gentlemen’s agreement regarding disclosure and recourse. We just want a level playing field, regulated by the industry or the government that protects us in an era of unscrupulous big business practices, identity theft and invisible collection of personal data.

On the technology side, we know that there will be huge increases in the code and practices that generate viruses, malware and spam. We also know that creative marketers of the good guys will stay very close to the bad guys who create these vile things. But super cookies don’t come from baddies in an unidentified location. They come from large companies with strong ties to industry and pocket access to government lobbyists.

The online user is at a disadvantage because super cookie management technology appears to be in its infancy. Even if there is government or industry self-regulation in the coming months and years, the user needs a comprehensive tool to automatically manage and manually adjust all types of allowed and disallowed cookies according to their personal data protection requirements. With all the renewed global discussion about online privacy, especially since the recent proliferation of super cookies, 2010 will likely be a watershed year for positive changes in online consumer protection.