The concern and debate about the ethical issues of a third party tracking and selling PC users online habits is not new in the Internet age. Yet the debate on personal Internet privacy is dramatically heating up in 2010 and gaining worldwide attention from civic and governmental organizations around the globe. The impetus for renewed focus on standardized levels of consumer online privacy is largely fueled by new technologies in cookie tracking tools that is garnering a name for itself in some industry circles as “super cookies.”
To understand the latest round in the online privacy debate we must first get a brief, non-technical overview of what is a super cookie and how it differs from a standard browser cookie. The standard browser cookie is familiar to most PC users. It is a non-viral small piece of text that is stored on a user's computer by a web-browser primarily for authentication, session tracking, user preferences, shopping carts, etc. but also allows for personal information and preferences data capture. Web bugs are particularly sneaky cookies that can be deposited on your PC through your browser or via a small 1X1 pixel graphic that can be stored in a document or email that someone sends to you. Standard browser cookies are, for the most part, easy to identify and delete, if desired, through your browser's cookie management tools.
The new breed of super cookie transcends traditional environments and can be used for the same good or questionable purposes. What really differentiates a super cookie from a standard cookie is how they go about tracking a user's online activity, what they are storing, and the difficulty in identifying and managing a super cookie. Today's super cookies are synonymous with Adobe Flash and Microsoft Silverlight cookies, which are browser independent.
According to a WIRED.com article I read recently about a UC Berkeley report on Internet privacy, the phenomenal explosion of non-browser cookies created via tools such as Adobe Flash and Microsoft Silverlight should give us pause for thought. The article cites from the report that “More than half of the Internet's top web sites use Flash cookies to track users and store information about them.”
Adobe Flash software is estimated to be installed on roughly 98% of personal computers. So, when you visit a site like YouTube you're likely using a multi-media tool like Adobe Flash that can deposit a cookie on your system each time you visit. The cookie is not actually in your browser where you could normally find and delete it. They are browser-independent so even if you switched your browser, that cookie would still be on your system, following your next online visit and accumulating an ongoing profile of your habits. What is most alarming is that few sites acknowledge use of Flash in their privacy statements.
The fundamental concern is how much and to what extent of anyone's online habits can be stored for behavioral targeting and contextual online advertising when the user is unaware of how and what is being tracked? Especially when the user believes he is taking adequate steps to protect his privacy. Globally, the question on the table is “Who regulates the tracking and selling of personal and online purchase data?”
With the proliferation of super cookies, industry and government regulation is evolving as an agenda topic in the debate on Internet privacy as it relates to stored online activities. The “Do not call” telemarketing database protection of several years ago (and unsolicited FAX many more moons previously) is actually working to a great extent. It's not flawless but it does offer consumers some level of protection against invasion of privacy. The same applies to the CANSPAM laws for opting out of a company's unsolicited email. It's not OK to call me during dinner time if I explicitly ask not to be. Similarly, if I opt out of a company's email solicitations, I should expect no more emails from that company within a reasonable timeframe that allows the company to flag me as “no email” in their database. Yet now, our online habits are being tracked, bought and sold without our knowledge and subtly re-sold back to us in the way of our next “suggested” site visit or “contextual ad.”
The consumer privacy ramifications of super cookies are already on the radar for the Federal Trade Commission (FTC), many U.S government State offices, and global Internet privacy organizations. It will be interesting to follow the outcome of the recent FTC roundtable debates on this topic held in California in January 2010. Also, let's see how Barbara Anthony, the Undersecretary of Consumer Affairs in Massachusetts may break ground with her declaration that she wants similar consumer online data protection in her home state by March 1st. All we ask for when it comes to our online privacy is somewhat of a gentlemen's agreement relative to disclosure and recourse. We just want a level playing field, regulated by the industry or the government that protects us in an age of unscrupulous big business practices, identity theft and invisible personal data collection.
On the technology side, we know that there will be vast increases in the code and practices that spawn viruses and malware and spam. We also know that creative good-guy vendors will stay pretty close to the heels of the bad guys who create these vile things. But super cookies aren't coming from bad guys in an unidentified location. They're coming from large companies with heavy ties to the industry and deep-pocket access to government lobbyists.
The online user is at a disadvantage because super cookie management technology seems to be largely in its infancy. Even if there is government or industry self-regulation in the coming months and years, the user needs a comprehensive tool to auto manage and manually adjust all types of permissible and non-permissible cookies according to their personal data protection requirements. With all the renewed global discussion about online privacy, especially since the recent proliferation of super cookies, 2010 will likely be a watershed year for positive changes in online consumer protection.