Slides: 36
Provided by: ITDDeskto9

1
Big Browser Is Watching You!
  • Personal Privacy Online

2
Cookies
  • Code placed by web site you are visiting
  • Placed by a third party when your browser requests
    a banner ad on the site, even if you don't click
    on it
  • Often contain information on browsing software,
    screen size, and color preferences
  • May also contain a unique identifier that tells
    the website which particular consumer is visiting
  • Every cookie has a directory path on the website
    that tells where it was set

3
Why Cookies?
  • Track user behavior over a period of time
  • With a proper cookie scheme, sites can tell which
    demographic group goes where
  • How many people are interested in a specific
    product or service
  • Maintain a shopping cart
  • Some websites do login authentication through
    HTTP cookies
  • Cookies can be set in any scripting language

4
Cookies Are Easy to Bake
  • By adding a Set-Cookie line to the header
    sent to your computer, the server can deliver
    cookie information to your browser.
  • This information is saved and sent back to the
    server the next time you visit

5
Session Vs. Persistent Cookies
  • Some cookies store information only for the
    duration of the session
  • Others store information (theoretically for 35
    years or longer) on the user's hard drive that
    may be retrieved for future browsing sessions

6
Limitations to Cookies
  • Your browser will only return this cookie
    information to the domain where the cookie
    originated
  • 20 cookies per domain

7
Baking a Cookie
paul_cookie=pmillis; expires=Wed, 31-Dec-2036 00:00:00 GMT
Result

8
Why Are Cookies Controversial?
  • Cookies are used to track people.
  • Checked any sites for pipe bombs, growing
    marijuana (or AIDS or cancer research)?
  • Cookies are largely hidden from the user's view.
  • Sometimes membership passwords are stored
    unencrypted in cookies.
  • Using a shared machine.

9
What Are Web Bugs?
  • Covert or Surveillance cookies
  • Invisible tracking devices embedded in source
    code of web pages in order to allow third parties
    to track consumers' browsing behavior
  • A bug is represented on a web page by a 1-pixel
    by 1-pixel dot
  • Also known as pixel tags, spotlight tags,
    clear GIFs and invisible GIFs

10
Banner Ads Vs. Web Bugs
  • With a banner you have some clue that there's
    someone on a site that might place a cookie
  • Third-party sites read and write cookies when a
    browser is directed to receive an advertisement
    from a third-party server
  • Whether or not you click on the banner ad
  • The graphic file requested by a web bug is
    invisible to the consumer
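
The distinction drawn on this slide can be checked mechanically. The following is an added example, not part of the original presentation: it lists the images a page pulls from other sites and labels each as a visible banner or an invisible web bug. The hostnames, the sample HTML and the two-label "site" comparison are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def site(host):
    # Assumption: the last two labels approximate the owning site.
    # A production tool would consult the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

def pixels(value):
    """Return an integer pixel size from '1' or '1px', or None if absent/unparseable."""
    text = (value or "").strip().lower().replace("px", "")
    return int(text) if text.isdigit() else None

class ThirdPartyImageFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site(urlparse(page_url).hostname)
        self.found = []  # (kind, absolute image URL)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        src = urljoin(self.page_url, attrs.get("src") or "")
        host = urlparse(src).hostname
        if not host or site(host) == self.page_site:
            return  # first-party image: any cookie goes to the site being visited
        w, h = pixels(attrs.get("width")), pixels(attrs.get("height"))
        invisible = w is not None and h is not None and w <= 1 and h <= 1
        self.found.append(("web bug" if invisible else "banner", src))

def find_third_party_images(page_url, html):
    finder = ThirdPartyImageFinder(page_url)
    finder.feed(html)
    return finder.found

# Constructed sample page, not taken from any real site.
SAMPLE_URL = "http://www.shop.example/cosmetics.html"
SAMPLE_HTML = """
<img src="/images/logo.gif" width="120" height="40">
<img src="http://img.shop.example/spacer.gif" width="1" height="1">
<img src="http://ads.tracker.example/banner.gif" width="468" height="60">
<img src="http://ads.tracker.example/b.gif?page=lipstick" width="1" height="1">
"""

if __name__ == "__main__":
    for kind, url in find_third_party_images(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:8} {url}")
```

The first-party 1x1 spacer is not reported: only the invisible image fetched from another site matches the slide's description of a web bug.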

11
Are They Ever Used Legitimately?
  • Maybe they can tell companies how their site is
    being used in terms of which pages are most
    popular
  • However, the site generally uses its own cookies
    to track how consumers browse within the site so
    bugs aren't used for that
  • Since cookies are served invisibly through bugs,
    the purpose is not to facilitate delivery of
    advertising

12
So, What Is the Purpose of Web Bugs?
  • To cause a consumer's computer to interact with a
    third party for the purpose of enabling
    monitoring of the consumer's browsing habits

13
How Does It Work?
  • Placement of a web bug on a cosmetics site, for
    instance, can identify a UID as belonging to a
    woman
  • This same ID is joined with information that this
    woman is visiting sites that sell toys, support
    Jerry Falwell and provide resume posting
    services
  • Our UID is probably a right-leaning mother (or
    grandmother) who is looking for a new job. Think
    she'll get that position at Greenpeace?
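
The mechanism behind this slide, together with the Set-Cookie delivery and the return-to-originating-domain rule from the earlier slides, can be traced in a small simulation. This is an added example, not part of the original presentation: the hostnames, the `uid` cookie name and the class names are assumptions. It also shows the effect of clearing cookies, one of the countermeasures the presentation lists.

```python
import itertools

def parse_cookie(header):
    """Turn a Cookie request header ('a=1; b=2') into a dict."""
    return dict(p.split("=", 1) for p in header.split("; ") if "=" in p)

class Tracker:
    """Third-party server that answers requests for the 1x1 image."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = {}  # uid -> pages on which the bug was loaded

    def serve_bug(self, cookie_header, referer):
        headers = {}
        uid = parse_cookie(cookie_header).get("uid")
        if uid is None:  # first contact: issue a persistent identifier
            uid = f"u{next(self._ids)}"
            headers["Set-Cookie"] = f"uid={uid}; expires=Wed, 31-Dec-2036 00:00:00 GMT"
        self.profiles.setdefault(uid, []).append(referer)
        return headers

class Browser:
    def __init__(self):
        self.jar = {}  # host -> {name: value}; a cookie returns only to the host that set it

    def load_page(self, page_url, bug_host, tracker):
        # Rendering the page makes the browser fetch the embedded image from bug_host.
        cookie = "; ".join(f"{k}={v}" for k, v in self.jar.get(bug_host, {}).items())
        response = tracker.serve_bug(cookie, referer=page_url)
        if "Set-Cookie" in response:
            name, value = response["Set-Cookie"].split(";")[0].split("=", 1)
            self.jar.setdefault(bug_host, {})[name] = value

# Constructed pages mirroring the slide's cosmetics / toys / resume example.
PAGES = ("http://cosmetics.example/lipstick", "http://toys.example/dolls",
         "http://resumes.example/post")

def simulate(clear_cookies=False):
    tracker, browser = Tracker(), Browser()
    for page in PAGES:
        browser.load_page(page, "bugs.tracker.example", tracker)
        if clear_cookies:  # the user wipes the jar after every visit
            browser.jar.clear()
    return tracker.profiles, browser.jar

if __name__ == "__main__":
    print(simulate()[0])                    # one UID linked to all three sites
    print(simulate(clear_cookies=True)[0])  # three unlinked UIDs
```

None of the three first-party sites ever receives the `uid` cookie, yet the third party sees it on every visit, which is why the same-domain restriction does not prevent cross-site profiling.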

14
What's the Issue?
  • Pages we visit contain bugs that send information
    about browsing habits back to the site itself
    AND/OR to a company the site has hired to collect
    information
  • DoubleClick, Ad Knowledge
  • No disclosure is made of these web bugs
  • Considered a deceptive business practice
  • You may never know who is keeping tabs on you and
    your business

15
Okay, So What?
  • If you are surfing for guidance about a medical
    condition, should that be compiled and mined by:
  • Potential employers
  • Potential insurers
  • Nosy neighbors

16
Is Online Profiling More Acceptable Than Racial
Profiling?
  • Because online ad services provide banner ads to
    thousands of pages, companies can compile a
    profile of the pages a user visits across
    websites and over time
  • Linked to data that is personally identifiable
  • Made available to advertisers, insurers,
    employers, and anyone else with $40.00

17
Is It Really Happening?
  • By invisibly placing ID codes on computers that
    visit its clients' WWW sites, Pharmatrak, Inc.
    can record consumers' activity when they alight on
    thousands of pages maintained by 11
    pharmaceutical companies
  • The company can tell when the same computer
    downloads info on HIV, a prescription drug or a
    company's profits
  • They admit to being able to tell whether visitors
    are consumers, physicians, journalists or
    government officials

18
What Is Being Done?
  • Michigan attorney general sued 8 web sites in
    mid-September of 2000 for failure to disclose the
    presence of web bugs

19
What Is the Basis of the Action?
  • Violates Michigan Consumer Protection Act by
    placing little of information that can be used by
    tracking companies to trace future browsing habits

20
What Is the Relief Sought?
  • Asking sites to explain to customers that once
    they visit companies' home pages, the subsequent
    sites they visit and some information they enter
    become available to third-party companies

21
Guide to Privacy Policies
  • http://www.ag.state.mi.us

22
What Can You Do About Cookies?
  • Block them
  • Be warned
  • Clear cookies after every session
  • cookies.txt in Netscape
  • C:\windows\temporary internet files\
  • C:\windows\cookies
  • For details, see
  • http://www.ag.state.mi.us/AGWebSite/inet_info/ii_cookie01.Html

23
Is There a Downside?
  • Some websites insist that you accept cookies for
    their websites to work properly
  • NY Times
  • Asking to be warned every time you get a cookie
    will make your online experience cumbersome
  • Erasing cookies will require you to remember IDs
    and passwords you only used once

24
What Other Nasties Are Out There?
  • Search engines that scour the web for any mention
    (negative) of any of the company's executives,
    products or financial matters
  • This is analogous to having hidden cameras and
    spies tracking people's movements and
    communications on the web. The lack of privacy
    rules on the web is the number one barrier to
    people getting better health-care information,
    because they're afraid of the consequences
  • Janlori Goldman, director of the Health Privacy
    Project at Georgetown University

25
E-mail Security?
  • Non-existent without encryption

26
Web-based Mail
  • Can deliver web pages
  • Netscape Messenger, Outlook Express, Eudora 4.0,
    Hotmail
  • Tags make standard HTML calls to the companies
    providing the web pages
  • Exchanging text-only messages and exchanging HTML
    entail different levels of information exchange

27
What Are Your Rights?
  • Common law right to privacy that protects you
    from offensive intrusions upon seclusion and
    private affairs
  • Privacy right to not have their names, likenesses,
    identities and personal information
    misappropriated for commercial advantage
  • Protected property interest in their valuable
    personal information
  • Right to be free from trespass on their property
    (in this case cookies trespassing on their hard
    drives)

28
What Else?
  • Consumers are protected under doctrine of
    promissory estoppel from breaches of promises
    made to them by businesses on which they
    detrimentally rely

29
State and Federal Law
  • Michigan Fraudulent Access to Computers Act
  • Protects against altering or acquiring property
    or using services (personal info / cookies)
  • Electronic Communication Privacy Act
  • Interception of communications or unauthorized
    access to stored communications
  • Computer Fraud and Abuse Act
  • Protects computers used in interstate commerce
  • Children's Online Privacy Protection Act
  • Obtaining personal info from those 13 and under

30
Fair Information Practice Privacy
  • There are several essential elements that should
    be included in any privacy policy. Basically, a
    good privacy policy should provide notice of what
    information is collected, who collects it, for
    what purpose the information is collected, and
    for what use the information is collected. In
    addition, a good policy should give users a
    choice about whether the information is collected
    and what is done with that information, provide
    users with access to any information that is
    collected, and provide adequate security for any
    information that is collected. The latter two
    categories only apply if information is
    collected. Finally, the policy should discuss the
    effect of changes in the policy and give users
    adequate contact information.

31
Personally Identifiable Information
  • Any information that could reasonably be used to
    identify you personally as personally
    identifiable information. This includes, but is
    not limited to:
  • 1. Your name
  • 2. Your address
  • 3. Your email address
  • 4. Your social security number
  • 5. Your password
  • 6. Bank account information
  • 7. Credit card information
  • 8. Any combination of data that could be used to
    identify you such as your birth date, your zip
    code and your gender.

32
What Types of Privacy Policies Exist?
  • (1) basic privacy policy - no information is
    collected.
  • (2) intermediate privacy policy - no personally
    identifiable information is collected, does not
    use cookies.
  • (3) intermediate privacy policy - no personally
    identifiable information is collected, does use
    cookies.
  • (4) detailed privacy policy - personally
    identifiable information is collected.

33
What Clauses Are Good?
  • Any information that is collected is only used in
    aggregate to determine whether improvements can
    be made in our service. The information is not
    permanently stored and not used for any other
    purpose.
  • On any page that you are asked to submit
    personally identifiable information, you will
    find a link to that company's privacy policy and
    the choice to affirmatively consent.
  • Placement of an opt-out cookie

34
How Does an Honest Policy Sound?
  • Any information that we collect may be sold,
    rented, or leased to third parties that may have
    an interest in contacting you with special offers
    that we believe may be of interest to you. By
    giving us information about yourself, you are
    agreeing to allow us to disseminate that
    information to third parties. Those third parties
    are not restricted in their use of that
    information except to the extent that we restrict
    its use. By allowing us to market your personal
    information in this manner, you allow us to keep
    the costs associated with our website low and
    allow us to pass the savings on to you, the
    consumer. However, in order to pass these savings
    on to you, we need your permission to allow us to
    use the information. If you follow this link to
    our affirmative consent page, you will allow us
    to market information about you.

35
Anti-terrorism Legislation
  • Among other things, the bills would:
  • Allow FBI to seize any and all stored records
    (medical records, educational records, stored
    e-mail) in intelligence cases without a search
    warrant.
  • Allow computer system operators to authorize
    government surveillance without a court order
    (the computer trespasser provision).
  • Authorize roving taps in intelligence cases
    without clear guidelines, allowing government to
    monitor pay phones, library computers, cell
    phones without first determining who is using the
    device.
  • Allow secret searches (searches without notice
    at the time of the search) in all criminal cases.
  • Extend government surveillance under minimal
    standards to broad categories of internet data -
    all "routing, addressing and signaling
    information" (the "pen register" provision).