Internet users are becoming increasingly savvy and familiar with the environment in which they work, socialise and play, demanding increased functionality, convenience and relevance, whilst also displaying fickle browsing behaviours and insisting increased privacy.

Are we willing to give up our “privacy” in order to have easier-to-use websites?  Before debating these ethical, political and increasingly legal quandaries, the key denominator should be discussed, i.e.; ‘privacy’, which in the context of this paper has been defined as the use of cookies to monitor the behavior of online users around the site(s) that they browse.

Cookies are defined as being; “commonly used to ‘maintain the state’ of the session as a user browses around the site. The shopping cart is an example. You can place an item in the cart, switch to another page or even another site, and when you come back, the site knows who you are, and you can continue with the order, [see amazon.com or ebay.ca]. Without cookies, the site would not be able to identify you automatically because the Internet is ‘stateless’”, (thefreedictionary.com). [iv]  A more technical description is “An HTTP cookie consists of a piece of information stored on a user’s computer to add statefulness to web-browsing”, (Wikipedia, March 30^th 2008). [v]

 Whilst both questions will be analyzed in isolation it’s important to distinguish the difference.  The first question discusses the use of cookies to aid ease-of-use, convenience and relevance on a particular site/host site [singular].  The second question investigates the use of cookies to assess user behavior and interaction across numerous sites by parties other than the host site.  Thus it’s poignant to establish the disparity between these cookies or to use their recognized definition; 1^st party cookies and 3^rd party cookies.  Further explanation follows:

 -  First-Party Cookies
The default settings in your Web browser typically allow “first-party” cookies, but not “third-party” cookies. First-party cookies are created by the web site you are visiting and are necessary to keep track of your preferences and the current session, (thefreedictionary.com). [vi]

 -  Third-Party Tracking Cookies
Third-party cookies are created by a web site other than the one you are currently visiting; for example, by a third-party advertiser on that site. The purpose of such cookies is usually to track your surfing habits, which is why third-party cookies are considered an invasion of privacy and riskier than first-party cookies, (thefreedictionary.com). [vii]

Online ads that are generated from the data captured by 3^rd party cookies, are similar in nature to junk-mail, spam or telesales calls.  The latter three are all designed and targeted at ‘profiled’ consumers based upon data that, in the majority of cases, the user has knowingly provided to an organization.  Moreover the user also has the option to ‘opt-out’ of providing the data.  Often online users don’t consciously supply this data and only recently have they been given the ability to ‘opt-out’ or ‘block’ 3^rd party cookies!

In the same way that product managers, new product designers and buyers create, promote, manage and at times, rationalize their product portfolios.  Online marketing managers build, extend, dissect and re-build their websites to better suit their target audience, whose utopian website exceeds their expectations, provides maximum functionality, easy-of-use and speed.

Changes to websites are made based upon data received from a plethora of sources, including the information from 1^st party cookies.    Other tools such as page tags and log files enable marketers to understand the journey that visitors take around their websites, inparticularly where sites experience drop-off, [via a process known as Funneling].  Thus enabling marketers to trial alternative scenarios, [A/B testing], and ultimately provide a better user experience for their visitors.  1^st party cookies provide reference settings, convenience and relevance by enabling sites to store key information, such as shopping basket items and anticipate associated items of interest, i.e.; products, special offers, bespoke pricing, based upon previous buying patterns and user-profiling.  Without the use of 1^st party cookies none of these user features/benefits would be possible.

However the use of cookies should be put into context.  Whilst providing users with a better site-experience, their placement onto users’ PC’s, the interpretation of the data collected and the storage duration of said data are all managed by website marketers with little, or often, no interaction or approval from the user themselves.  This has numerous ramifications including privacy issues and the debate over a browsers ‘right’ to anonymity.  Pausing for a second on the latter, how anonymous do browsers need to be?  People with only a casual concern for internet privacy need not achieve total anonymity, thus there’s the suggestion that a reasonable degree of anonymity could and should be given to browsers, yet does total anonymity open-up the internet to less-scrupulous visitors?

Whether it’s a surfers ‘right’ to total anonymity is a larger discussion.  Whilst users shouldn’t ‘opt-out’ of receiving 1^st party cookies due to functionality, relevance and convenience implications, surfers can manually delete their cookies – if required.  This leads to further debate “should surfers be asked if they want to accept cookies on a site-by-site basis?” – this is certainly the case when consumers complete offline applications for credit cards, store cards or magazine subscriptions.

Alongside privacy comes security.  Identify theft is one of the World’s fastest growing crimes and associates phishing as a tool for identity thieves.  In a 2007 Canadian report, the CAFCC reported identity theft losses of over $72million and over 24,000 victims. [viii]  Moreover the APWG received nearly 328,000 reports of phishing alone during 2007, (APWG, December 2007). [ix]  Whilst many vendors follow ‘best practice’ procedures, there are many less scrupulous operators on the web.  The exploitation of cookies can lead to a number of attacks such as phishing, (above), cross-site scripting, cookie poisoning, cross-site cooking, spyware, web bugs and social engineering.

Taking a step back and looking at the main reason for using cookies.  Cookies are used to make site preferences possible.  Otherwise users would have to remember the products they want to purchase, purchase them individually and complete the check-out process transaction by transaction – you get the drift!  The interpretation of cookie information also allows organizations to profile their customers in order to improve the user experience.  Website marketers utilize an assortment of tools such as cookies, web logs and page tagging allowing visitor profiling, journey statistics and abandonment to be assessed.  However cookie data can be misleading due to IP address abnormalities, the deletion of cookies or any website log-in requirements.  In fact Comscore MediaMetrix suggests that “frequent cookie deletion by 3 out of 10 U.S. internet users leads to overstatements in audience sizes by a factor as high as 2.5”. [x]  Therefore are there alternative ways to extract this information and could these alternatives provide a more secure, more accurate, less obtrusive browsing environment?

Finally there’s the issue of duration. There is a significant difference between Persistent and Session cookies, the latter being ‘alive’ for the duration of the session, whilst the former is stored on your hard drive, potentially indefinitely.  Webopedia.com describes them as:

-  Persistent Cookie: Also called a permanent cookie, or a stored cookie, a cookie that is stored on a user’s hard drive until it expires (persistent cookies are set with expiration dates) or until the user deletes the cookie. Persistent cookies are used to collect identifying information about the user, such as Web surfing behavior or user preferences for a specific Web site, (Webopedia.com, April 2008). [xi]

-  Session Cookie: Also called a transient cookie, a cookie that is erased when the user closes the Web browser. The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from the user’s computer. They typically will store information in the form of a session identification that does not personally identify the user, (Webopedia.com, April 2008). [xii]

Very few users take umbrage with session cookies as they provide convenience during a particular search/transaction/operation.  Yet persistent cookies have a more heinous side.  The fact that they’re stored for longer increases the security risks, encompasses the whole notion of ‘big brother’ tactics and implicates the user to forgo privacy unless they want to manually cleanse their systems time-and-time again.  Plus what about the data that’s collected from cookies, even ‘best practice’ organizations such as Google and Yahoo keep personalized user data for 18 months, before they anonymise it! [xiii]  What if the data’s lost or stolen before it’s anonymised, which certainly happens, ask TJ Maxx, NY Transit and the British government! 

[i] Data taken from domaintools.com/internet-statistics on April 7^th 2008.

[ii] Extract taken from comscore.com, May 4^th 2006.

[iii] Search Behaviour Analysis White Paper, mondosoft.com, extracted April 11^th 2008.

[iv] Definitions taken from thefreedictionary.com, April 11^th 2008.

[v] Extract taken from Wikipedia.org, Internet Privacy, page last modified on March 30^th 2008.

[vi] Definitions taken from thefreedictionary.com, April 11^th 2008.

[vii] Definitions taken from thefreedictionary.com, April 11^th 2008.

[viii] The Canadian Anti-Fraud Call Centre, (CAFCC), Monthly report for December 2007, December 2007.

[ix] Anti-Phishing Working Group (APWG), Phishing Activity Trends Report, December 2007.

[x] Taken from Cookie-based counting overstates size of web site audiences, comscor.com, April 11^th 2008.

[xi] Taken from Webopedia.com, persistent cookie definition, extracted April 11^th 2007.

[xii]  Taken from Webopedia.com, persistent cookie definition, extracted April 11^th 2007.

[xiii] Taken from Search engines warned over data, bbc.co.uk, April 7^th 2008.