Advisen Contributor Content: Cookie Crumbs: Mitigating the Risk of Behavioral Data Tracking
Publication Date: 02/21/2011
Source: Advisen

Cookie Crumbs: Mitigating the Risk of Behavioral Data Tracking
By Judi A. Lamble

Advertisers subsidize the internet. Don’t believe us? Just take a
look at your ten favorite sites. To target their messages, advertisers
rely on electronic tools like cookies to track internet users’
behavior and develop user profiles. The computer code that
comprises cookies carts data from a user’s computer to the
source of the cookie—which may be a retail website, a third
party advertiser, or a marketing metrics firm.

But there are good cookies and bad cookies. Good cookies allow us to
fill an electronic shopping cart, store website login information,
and view recommended book titles. “Bad” cookies spy on us and
convey our viewing habits to people whose business it is to mine
that data. Who’s following the cookie crumbs? Consumers,
regulators, legislators, IT professionals, data security experts,
and class action lawyers, among others. Browser cookies were
declared permissible in 2001.[1] But with the advent of flash cookies
came a host of class action lawsuits against marketing metric, online
content accessing, social networking, and media companies.[2] Another
class action suit was filed shortly thereafter against a marketer
using html5 storage capabilities to collect data.[3] After the Wall
Street Journal’s 2010 multi-part “What They Know” exposé on
behavioral data tracking on the internet,[4] and the December 2010
consumer privacy report by the Federal Trade Commission (FTC),[5]
we can expect even more inflamed consumers and inspired lawyers.

Cookies Explained

Good cookies are run-of-the-mill http or browser cookies. “Session
cookies,” a kind of browser cookie, carry our data to a website
during a single visit and are a functional necessity for users and
site hosts. Other browser cookies carry data during multiple
visits, but still only to one site. Dangers lurk, of course, when
website hosts pass the user information they obtain through the
cookies to others, when cookies are sent in unencrypted clear
text[6] from the user’s computer to the website, when session
fixation[7] occurs, or when cookies are sidejacked[8] as they travel
between a user’s computer and a website. But at least browser
cookies are usually disclosed in online privacy policies. They also
reside in a computer’s browser software where they can be easily
detected and deleted with appropriate anti-spyware software.

“Bad” cookies, on the other hand, record varying degrees of
information about our internet usage across multiple sites. So far,
flash cookies,[9] evercookies,[10] and zombie cookies[11] fall into
this category. They are kissing cousins to html5 storage
technology[12] and second cousins to web bugs, beacons, and tags.[13]
They are friends with scraping[14] and the GPS monitoring sent to
advertising servers by over half the applications available to
smartphones.[15] They may be employed by websites or by third party
advertisers on those sites. Indeed, website hosts may not even know
their advertisers are placing these cookies on the computers of those
who visit the host’s site. “Bad” cookies are rarely
disclosed in website privacy policies. They reside in different,
sometimes multiple files on a computer’s hard drive that are not
policed by privacy-protecting software. They are also pernicious
little creatures, designed to spawn duplicates of removed cookies
(good and bad) so that the effort to delete cookies is a vicious,
fruitless cycle.

“Bad” cookies are not, however, in the same category as sinister
malware like viruses and worms (which are not cookies at all). Flash
cookies and their kin are widely used to supply more accurate data
about specific customers and to allow the accumulation of
demographic and behavioral data about groups of customers to
support those advertisers upon which so many internet sites
depend. These cookies may be purchased from marketing metric
companies via licensed widgets;[16] they may be specially created
mashups;[17] they may be created in-house from open source code like
the evercookie.

Cookie Risks

The risks inherent in using, permitting, or even unknowingly hosting
cookies depend on what data is gathered, whether that collection
is confined to a single internet session on a single website or
crosses sessions and sites, and what happens to the data.
Significantly, though, the FTC deems website hosts accountable not
only for their own data collection, but also for third party data
tracking; in its view, a website host’s ignorance is tantamount
to “willful blindness.”[18] (While the FTC has not promulgated
binding rules on behavioral data tracking, its position may be cited
by privacy advocates and their counsel.)

What data is gathered? Data security experts will tell you there is
no standard governing the data collected by cookies. Session cookies
may record personally identifiable information (PII).[19] For
example, an online healthcare provider may require a birth
date. Online retailers will need an address for shipping.
Financial institutions may request social security numbers. Flash
cookies, on the other hand, may collect a computer’s IP
(Internet Protocol) Address and information about what sites the
computer user has visited. The information gathered may be
generic or application specific. Data aggregators compile both
PII and non-PII from multiple sources to assemble sophisticated
consumer profiles. While marketers opine that the collection of
non-PII is harmless, the FTC believes—in part because of the
proliferation of data aggregating—that the difference between
PII and non-PII is no longer meaningful.[20] Consequently, if a
website collects data, PII or non-PII, it may stand in the
crosshairs of the next privacy suit.

Is data gathered during a single session or across sites? First
party data collected by one site during a single internet session
is less controversial than data collected across multiple sites
and over multiple sessions. Consumers expect the former—it
facilitates their use of a site, as, for example, when an online
music store recommends .mp3 tracks based on the immediately
preceding search. Consumers may also tolerate, as has the FTC in
the past, third party use of “contextual” data about the
content of a particular site or search query to deliver a related
advertisement.[21] To privacy advocates, however, data collection
beyond that necessary for the immediate delivery of a search result
or related content connotes surreptitious surveillance. It also
tends to rely on nearly-impossible-to-delete and therefore more
suspect types of cookies.

What happens to the data? The data collected by cookies is hopefully
encrypted—but that’s not always the case. In addition, session
cookies, if not properly secured for the session (for example through
restriction to the host’s specific internet domain), can relinquish
their data to third party data collection tools. An internet user’s
data will be stored—but for how long? First-party data that
expires in thirty days is more secure than data warehoused for a
year. A limit on the retention of data collected by other parties
also has obvious privacy benefits.[22] Then there’s the $64,000
question: who has access to the data? Data collected on cookies is
routinely sold to data aggregators who sell it to brokers who sell it
to others.[23] Unless a website host is refusing to sell or share its
first-party data and is able to prohibit third party data tracking
from its site, it is likely that its users’ data is ending up in
an aggregator’s database.

Mitigating Cookie (and other behavioral data tracking) Risks

Behavioral data tracking is controversial. Until courts determine
that it is an acceptable activity, or set the boundaries on what
tracking is permissible, companies need to mitigate the risks of
privacy litigation inherent in all forms of data tracking, including
first-party tracking and that done by third-party advertisers.
Numerous online resources exist to provide further guidance to
business.[24] For its part, while the FTC wrestles with its response
to consumer privacy concerns, it has already offered four guiding
principles for acceptable behavioral data tracking: (1)
transparency and consumer control; (2) reasonable security and
limited retention for consumer data; (3) affirmative express
consent for material changes to existing privacy promises; and
(4) affirmative express consent to (or prohibition against)
using sensitive data for behavioral advertising.[25] These
principles and good management practices suggest:

- For both individual session data and data collected about multiple
  site visits and sessions, tell your website visitors in a
  conspicuous, consumer-friendly manner what data you are gathering
  – and let them opt out of that process.
- Secure your cookies; for example:
  - encrypt session cookies and ensure they cannot be re-created;
  - restrict session cookies to your domain, for example by deploying
    cookie flags like “domain”, “httponly,” or “secure” within
    the http header; and
  - do not enable JavaScript, used by many third parties to identify
    specific computers, on your site.
- Test all third party web applications for security vulnerabilities.
  The Open Web Application Security Project (“OWASP”) provides
  standards for securing applications.
- Retain collected data only as long as necessary to accomplish your
  business purpose.
- Update your online privacy policies to disclose the existence of
  both first-party and third-party data collection, as well as the
  possibility of unknown third-party data tracking. Consider
  deploying Platform for Privacy Preferences (“P3P”), a protocol
  enabling websites to express privacy practices in an automatically
  retrieved and easily interpreted standard format.[26]
- Don’t commingle data you collected under one of your more
  restrictive privacy policies with data collected under a less
  restrictive policy unless you have the user’s permission.
- Get express user consent to track and share sensitive information –
  and define “sensitive” broadly. Note that getting that
  consent may require you to limit the extent of your data sharing.
- If you license flash cookies, or any device that contains them (like
  widgets), or other electronic tracking tools, seek to transfer
  the risk of privacy liability to the licensor via an indemnity
  provision.
- In contracts with those who purchase advertising space on your site,
  seek to transfer the risk of privacy liability to the purchaser
  via an indemnity provision.
- Pay heed to international data privacy regulations, which currently
  are more stringent than those in the U.S.[27]
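
The cookie flags and retention limit recommended in the list above can be checked mechanically against the Set-Cookie headers a site sends. The following Python audit is an added example, not part of the original article; the host shop.example.com, the sample headers, and the 30-day threshold (borrowed from the article's thirty-day illustration) are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_RETENTION = timedelta(days=30)  # assumed policy, from the article's thirty-day example

def parse_set_cookie(header):
    """Split a Set-Cookie header value into (cookie name, attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime(attrs, now):
    """Cookie lifetime as a timedelta; None means a session cookie."""
    try:
        if "max-age" in attrs:  # Max-Age takes precedence over Expires
            return timedelta(seconds=int(attrs["max-age"]))
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) - now
    except (TypeError, ValueError, OverflowError):
        pass  # unparseable value: treated here as a session cookie
    return None

def audit(header, host, now):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: sent over unencrypted http")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by scripts on the page")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != host.lower():
        findings.append(f"Domain={domain} is wider than {host}")
    life = lifetime(attrs, now)
    if life is not None and life > MAX_RETENTION:
        findings.append(f"kept {life.days} days, over the {MAX_RETENTION.days}-day limit")
    return name, findings

# Constructed sample headers for the hypothetical host shop.example.com
NOW = datetime(2011, 2, 21, tzinfo=timezone.utc)
SAMPLES = [
    "SID=abc123; Path=/; Secure; HttpOnly",
    "SID=abc123; Domain=.example.com; Path=/",
    "prefs=en; Secure; HttpOnly; Expires=Tue, 21 Feb 2012 00:00:00 GMT",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(audit(h, "shop.example.com", NOW))
```

A cookie with no Domain attribute is sent only to the host that set it, which is why the check reports any Domain value that differs from the issuing host.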

To learn more about how OneBeacon Technology Insurance can help you
manage online and other technology risks, please contact Lloyd
Takata, Vice President of OneBeacon Technology Insurance at
ltakata@onebeacon.com or (706) 474-9003.

Lamble is vice president of technology and international claims at
OneBeacon Technology Insurance, a member of the OneBeacon Insurance
Group.

This article is provided for general informational purposes only and
does not constitute and is not intended to take the place of legal or
risk management advice. Readers should consult their own counsel or
other representatives for any such advice. Any and all external
websites or sources referred to herein are for informational purposes
only and are not affiliated with or endorsed by OneBeacon Insurance
Group. OneBeacon Insurance Group hereby disclaims any and all
liability arising out of the information contained herein.

Advisen Contributed Content

This article appears in Advisen’s Front Page News because our editors
determined that it had a measurable appeal to our FPN audience of
100,000 commercial insurance underwriters, brokers, risk managers and
other insurance professionals. We track readership and open-rates
associated with every FPN article in order to continually fine-tune
our FPN production and editorial decision-making.

[1] In re DoubleClick Inc. Privacy Litigation, 154 F.Supp.2d (S.D.NY,
2001).
[2] Aguirre, et al. v. Quantcast Corp., No. CV10-5716 (C.D.CA);
Intzekostas, et al. v. Fox Entertainment Group, No. CV10-6586
(C.D.CA); Rona, et al. v. Clearspring Technologies, Inc., No.
CV10-7786 (C.D.CA); Valdez, et al. v. Quantcast Corp., No. CV10-05484
(C.D.CA); White, et al. v. Clearspring Technologies, Inc., No.
CV10-5948 (C.D.CA).
[3] Aughenbaugh and Weber v. Ringleader Digital, Inc., et al., No.
8:2010cv01407 (C.D.CA).
[4] “What They Know,” Wall Street Journal, July 30, 2010 – Oct. 25,
2010.
[5] Preliminary FTC Staff Report, “Protecting Consumer Privacy in an
Era of Rapid Change,” December 2010 at 66.
[6] See whatis.techtarget.com/definition/0,,sid9_gci1206264,00.html.
[7] Session fixation is a method of obtaining a valid session
identifier, which allows someone to impersonate a user to gain access
to her session on a site. See
blogs.sans.org/appsecstreetfighter/2009/06/14/session-attacks-and-aspnet-part-1/.
[8] Sidejacking over wireless connections has become easier with an
open source plugin for the Mozilla Firefox browser known as Firesheep,
made public at the end of October 2010. See codebutler.com/firesheep.
[9] Flash cookies, aka “local shared objects” (LSOs), are
collections of computer code that function like cookies but are
found on the ubiquitous Adobe Flash Players, stored on the hard
disk. Unlike traditional cookies, flash cookies can contain 250%
more information than http cookies, they do not have default
expiration dates, and they are not stored on a browser, so they are
not amenable to conventional anti-spyware tools. Soltani, et al.,
“Flash Cookies and Privacy,” Social Science Research Network,
Aug. 10, 2009.
[10] Samy Kamkar’s evercookie is a javascript application programming
interface that stores cookie data in (currently) 13 different places
on a user’s computer. If one of the 13 cookie mechanisms is
removed, the evercookie recreates it using the other 12.
samy.pl/evercookie, Sept. 20, 2010.
[11] “Zombie cookies” appears to be a colloquial category
encompassing cookies that don’t go away even when they are
deleted, such as flash cookies and evercookies. See, e.g.,
arstechnica.com/web/news/2010/09/evercookie-escalates-the-zombie-cookie-war-by-raising-awareness.ars.
[12] Html5 is the fifth version of Hypertext Markup Language, used to
create web pages. “New Web Code Draws Concern Over Privacy Risks,”
New York Times, Oct. 10, 2010.
[13] Web bugs, beacons, and tags are objects (typically a one-pixel
GIF image) embedded in a web page or e-mail that pass information from
a user’s computer to a third party website.
zdnet.com/search?q=web+bug.
[14] Scraping is extracting data intended for the screen or a printer
rather than from original files or databases.
pcmag.com/encyclopedia_term/0,2542,t=scraping&i=57344,00.asp.
[16] A widget is a small application that can be installed and used
within a web page such as the PayPal icon or clocks,
stock market tickers, daily weather bulletins. See
everybodysagenius.com/2008/03/14/easy-widget-definition-and-examples/.
A widget may contain (and install on users’ computers) cookies to
enable the collection of user data.
[17] Mashups are usually client applications that combine data or
functionality from multiple sources to produce enhanced results,
such as aggregated data. See, e.g.,
ibm.com/developerworks/xml/library/x-mashups.html. For example, a
mashup might create a map of best pizza parlors by aggregating map
data with pizza restaurant reviews.
[18] FTC Staff Report: Self-Regulatory Principles for Online
Behavioral Advertising, Feb. 2009; comments of Peder Magee, Esq.,
Division of Privacy and Identity Protection, FTC, at Minnesota State
Bar Association’s Computer & Technology Law Institute,
Minneapolis, MN, Oct. 28, 2010; Preliminary FTC Staff Report, supra
note 5, at 42.
[19] PII includes information linked to a specific individual, such as
name, birthdate, social security number, postal address, email
address, and driver’s license number. FTC Staff Report, supra
note 18, at 20 n.47.
[20] Preliminary FTC Staff Report, supra note 5, at 35-38.
[22] Id. at 38, commending companies that have reduced the length of
time their data is retained.
[23] See, for example,
consumerist.com/2010/06/giant-list-of-data-brokers-to-opt-out-of.html.
[24] See, e.g., networkadvertising.org and ftc.gov/inforsecurity.
[25] FTC Staff Report, supra note 18, at 46-47. The FTC’s December
2010 Preliminary Staff Report on consumer privacy, supra
note 5, provides an overview of privacy vulnerabilities generally
and a proposed framework for handling consumer data, emphasizing (1)
“privacy by design,” (2) “simplified choice” and (3)
“greater transparency.” While the preliminary report suggests
more rigorous regulation (governmental and self-imposed) of data
collection may be required, at this stage it is focused on inviting
public comment.
[26] w3.org/P3P/. P3P will provide site practices in machine- and
human-readable formats and, where appropriate, will automate
decision-making based on those practices.
[27] See Article 5(3) of EU Directive 2002/58 (the E-Privacy
Directive), to be implemented in the national laws of EU member states
by June 2011, and the EU Directive 95/46/EC.