Jack Schinasi discusses his recent working paper, Practicing Privacy Online: Examining Data Protection Regulations Through Google’s Global Expansion published in the Columbia Journal of Transnational Law. Schinasi takes an in-depth look at how online privacy laws differ across the world’s biggest Internet markets — specifically the United States, the European Union and China. Schinasi discusses how we exchange data for services and whether users are aware they’re making this exchange. And, if not, should intermediaries like Google be mandated to make its data tracking more apparent? Or should we better educate Internet users about data sharing and privacy? Schinasi also covers whether privacy laws currently in place in the US and EU are effective, what types of privacy concerns necessitate regulation in these markets, and whether we’ll see China take online privacy more seriously in the future.

Download

Related Links

• Practicing Privacy Online: Examining Data Protection Regulations Through Google’s Global Expansion, SSRN
• Journal of Transnational Law, Columbia University

Robert Scoble, Startup Liaison Officer at Rackspace discusses his recent book, Age of Context: Mobile, Sensors, Data and the Future of Privacy, co-authored by Shel Israel. Scoble believes that over the next five years we’ll see a tremendous rise in wearable computers, building on interest we’ve already seen in devices like Google Glass. Much like the desktop, laptop, and smartphone before it, Scoble predicts wearable computers represent the next wave in groundbreaking innovation. Scoble answers questions such as: How will wearable computers help us live our lives? Will they become as common as the cellphone is today? Will we have to sacrifice privacy for these devices to better understand our preferences? How will sensors in everyday products help companies improve the customer experience?

Download

Related Links

• Age of Context: Mobile, Sensors, Data and the Future of Privacy , Amazon
• Naked Conversations: How Blogs are Changing the Way Businesses Talk with Customers, Amazon
• The Rackspace Blog & Newsroom, Scoble

Alice Marwick, assistant professor of communication and media studies at Fordham University, discusses her newly-released book, Status Update: Celebrity, Publicity, and Branding in the Social Media Age. Marwick reflects on her interviews with Silicon Valley entrepreneurs, technology journalists, and venture capitalists to show how social media affects social dynamics and digital culture. Marwick answers questions such as: Does “status conscious” take on a new meaning in the age of social media? Is the public using social media the way the platforms’ creators intended? How do you quantify the value of online social interactions? Are social media users becoming more self-censoring or more transparent about what they share? What’s the difference between self-branding and becoming a micro-celebrity? She also shares her advice for how to make Twitter, Tumblr, Instagram and other platforms more beneficial for you.

Download

Related Links

• Status Update: Celebrity, Publicity, and Branding in the Social Media Age, Marwick
• Engineered Performances Alice E. Marwick’s ‘Status Update’, The New York Times
• Biography, Marwick

Declan McCullagh, chief political correspondent for CNET and former Washington bureau chief for Wired News, discusses recent leaks of NSA surveillance programs. What do we know so far, and what more might be unveiled in the coming weeks? McCullagh covers legal challenges to the programs, the Patriot Act, the fourth amendment, email encryption, the media and public response, and broader implications for privacy and reform.

Download

Related Links

• Snowden: NSA snoops on U.S. phone calls without warrants, McCullagh
• Snowden: Feds can’t plug leaks by ‘murdering me’, McCullagh
• Feds: Power grid vulnerable to cyber threats, McCullagh

Today I’ll be testifying at a Senate Commerce Committee hearing on online privacy and commercial data collection issues. In my remarks, I make three primary points:

1. First, no matter how well-intentioned, restrictions on data collection could negatively impact the competitiveness of America’s digital economy, as well as consumer choice.
2. Second, it is unwise to place too much faith in any single, silver-bullet solution to privacy, including “Do Not Track,” because such schemes are easily evaded or defeated and often fail to live up to their billing.
3. Finally, with those two points in mind, we should look to alternative and less costly approaches to protecting privacy that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.

The testimony also contains 4 appendices elaborating on some of these themes.

Down below, I’ve embedded my testimony, a list of 10 recent essays I’ve penned on these topics, and a video in which I explain “How I Think about Privacy” (which was taped last summer at an event up at the University of Maine’s Center for Law and Innovation). Finally, the best summary of my work on these issues can be found in this recent Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing.” (This is the first of two complimentary law review articles I will be releasing this year dealing with privacy policy. The second, which will be published early this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.”)

Testimony of Adam D. Thierer before the Senate Committee on Commerce, Science & Transportation hearing…

Some of My Recent Essays on Privacy & Data Collection

1. A Better, Simpler Narrative for U.S. Privacy Policy – March 19, 2013
2. On the Pursuit of Happiness… and Privacy – March 31, 2013 (condensed from Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing”)
3. Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy? – Feb. 20, 2011
4. Two Paradoxes of Privacy Regulation – Aug. 25, 2010
5. Privacy as an Information Control Regime: The Challenges Ahead – Nov. 13, 2010
6. When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed – Apr. 29, 2011
7. Lessons from the Gmail Privacy Scare of 2004 – March 25, 2011
8. Who Really Believes in “Permissionless Innovation”? – March 4, 2013 (condensed from Minnesota Journal of Law, Science & Technology law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle”)
9. The Problem of Proportionality in Debates about Online Privacy and Child Safety – Nov. 28, 2009
10. Obama Admin’s “Let’s-Be-Europe” Approach to Privacy Will Undermine U.S. Competitiveness– Jan. 5, 2011

I’ve always viewed web traffic numbers with great suspicion, if for no other reason than they are all over the board. But the amazing Carl Bialik, the Wall Street Journal’s “numbers guy,” does us another great service today in his latest column, “The Trouble With Web-Traffic Numbers,” by walking us through exactly how big of a mess these numbers really are. Carl is the closest thing we have to a statistical ombudsman for the Internet as he repeatedly illustrates in his column how numbers can deceive and distort.

In terms of bogus web traffic numbers, there’s plenty of distortion going on. He quotes Erin Pettigrew, marketing director for Gawker Media, as saying that “For an industry that relies so heavily on accurate data and numerical accountability, relying on an estimate is embarrassing, antiquated.” Too true.  Of course, with so many people frequently deleting their cookies and now accessing websites from different machines, it’s not surprising that the numbers are such a jumble.

One of the reasons it’s so important to try to improve web traffic metrics is because it is essential to the advertising business, which powers the web and all the great content and services we consume online. More accurate web traffic metrics can help better direct and target ads across the web. But it won’t be easy.

Anyway, read Carl’s piece for all the details. And thank you Carl for always reminding us that there are “lies, damned lies, and statistics.”

As I noted here a few days ago, the Federal Communications Commission held a workshop on Tuesday about “Speech, Democratic Engagement, and the Open Internet.”  It was a shockingly one-sided affair with the deck being stacked almost entirely in favor of advocates of Net neutrality regulation. Worse yet, those advocates shamelessly made up spooky stories about a future of “private censorship” that could only be remedied by using the First Amendment as a club to beat private players into submission. The token opposition at this Chicken Little circus was Robert Corn-Revere, a Partner at the law firm of Davis Wright Tremaine LLP in Washington, D.C.   Bob set the record straight–both in terms of baseless accusations that were flying that day as well as the revisionist histories of the First Amendment that were being put forward. I’m happy to report that Bob allowed PFF to reprint his remarks as a new white paper entitled, “The First Amendment, the Internet & Net Neutrality: Be Careful What You Wish For.”

In his essay, Corn-Revere discusses the relationship between the First Amendment and regulatory policy, particularly the treatment of new communications technologies, and he warns that government regulation of broadband networks could “provide the vehicle for advancing new First Amendment theories for media regulation” and online speech and expression more generally.  “It should not be forgotten,” he argues, “that the federal government’s initial impulse was to censor the Internet and to subject it to a far lower level of First Amendment protection. It pursued this agenda for more than a decade but was blocked by a series of First Amendment rulings.”  The Communications Decency Act and the Child Online Protection Act are just two notable examples. Luckily, the courts determined that “the open Internet would be at great risk if the government is allowed to exercise such power,” he notes, and they struck down such laws.

But we must be vigilant in defending our free speech rights, Corn-Revere warns. He notes that, “the constitutional ramifications of the network neutrality debate extend far beyond the question of whether the FCC should or should not adopt a given set of rules. On a doctrinal level the question is whether technological convergence should also lead to regulatory convergence, where the least common denominator of First Amendment protection becomes the governing rule.”

“The First Amendment, the Internet & Net Neutrality: Be Careful What You Wish For” is available on the PFF website and can also be viewed down below in a Scribd document reader. I want to also recommend that everyone take a look at the brief remarks that FCC Commissioner Robert McDowell delivered at the opening of that FCC event that Corn-Revere spoke at. “Efforts to advance ‘First Amendment values’ through additional government regulation risks turning over two hundred years of First Amendment jurisprudence on its head,” McDowell rightly argued. And that’s also consistent with the outstanding address delivered last week by Kyle McSlarrow, President & CEO of the National Cable & Telecommunications Association, on the same issue, in which he correctly noted that, “the First Amendment is framed as a shield for citizens, not a sword for government.” “By its plain terms and history, the First Amendment is a limitation on government power, not an empowerment of government,” McSlarrow said.

Thank God a few people in this town are still taking a stand for the real First Amendment.

Robert Corn-Revere Remarks at FCC Workshop on Speech and Democracy http://d1.scribdassets.com/ScribdViewer.swf?document_id=24208240&access_key=key-2h2o9rho7g9qr414utqi&page=1&version=1&viewMode=list

On July 27th, The Progress & Freedom Foundation hosted a Capitol Hill panel discussion entitled “Online Child Safety, Privacy, and Free Speech: An Overview of Challenges in Congress & the States.” The event featured remarks from:

• Parry Aftab, Executive Director, WiredSafety.org
• Todd Haiken, Senior Manager of Policy, Common Sense Media
• Jim Halpert, Partner, DLA Piper
• Berin Szoka, Senior Fellow, The Progress & Freedom Foundation

We’ve just released the transcript of the event, which I have also pasted down below the fold in a Scribd document reader. Also, the audio for this event can be heard by clicking below:

Download mp3

Here is the full event description:

Online child safety, privacy, and free speech remain hotly debated issues at both the federal and state level. Bills introduced in Congress to address cyberbullying concerns propose either educational initiatives or a criminalization approach. Access to objectionable content also remains a concern and a new, government-mandated task force is looking into those issues. Meanwhile, state officials, including many state attorneys general, continue to explore age verification mandates for social networking sites and some have considered building on the federal Children’s Online Privacy Protection Act (COPPA) to expand “parental notification” mandates. The Federal Trade Commission (FTC) has recently announced an expedited review of COPPA to see if it is keeping up with new developments. The FTC is also exploring child safety in virtual worlds. New concerns about “sexting,” or the sending of sexual explicit images over mobile devices, has also raised new concerns led some lawmakers to ponder penalties.

How serious are these concerns? Is legislation or regulation needed to address them? What free speech issues are at stake? Should Congress take the lead or leave it to the States to experiment with different models? These and other issues were discussed by a panel of leading experts in the field of online safety and privacy policy.

Transcript PFF Online Child Safety Privacy Hill Event (7-27-2009) http://d.scribd.com/ScribdViewer.swf?document_id=18756666&access_key=key-1blb7az1ag406howibuk&page=1&version=1&viewMode=

You really have to hand it to the folks over at the (Un)Free Press with their endlessly shameful attempts to use doublespeak to remake the entire media, communications, and Internet landscape in their preferred Big Government image.  Their latest bit of charlatanism is the so-called “Stop the Internet Rip-Off of 2009” campaign.  It’s another one of their computerized “stuff-the-FCC-and Congressional-complaint-box-with-electronic-form-letters” efforts that involves getting their merry band of radical reformistas to encourage lawmakers to sign on to Rep. Eric Massa’s (D-NY) newly-introduced “Broadband Internet Fairness Act.”

Ah yes, “Internet fairness.”  Who can possibly be against it?  Well, before you rush to click send on that UnFree Press form letter, let’s be clear what this effort is really all about.  Free Press claims that the Massa bill is needed because “phone and cable giants [are] weighing schemes to hike prices, shut down the free-flowing Web and keep user innovation in check.”  How are those companies doing that?  Tiered pricing!   Rep. Massa says that, “Time Warner has announced an ill-conceived plan to charge residential and business broadband fees based on the amount of data they download.”  Oh my God, no… you mean some people might be charged for the costs they impose?  What’s next?  Are we going to force people to pay for their own energy use by metering gasoline, electricity, or water?  Think of the horror!  (This is sarcasm, folks.  All those things are metered currently. And yet, somehow, the Earth hasn’t spun off its axis.)

Like all the other propaganda produced at the Free Press techno-spin factory, their latest crusade is based on a combination of outright lies and blatant economic ignorance.  Metering broadband access is not an effort “to restrict Internet use,” as Free Press claims. Rather, like every other metered system under the sun, it’s an effort to price a scarce resource in such a way so as to maximize use.  Broadband operators don’t sit around all day scheming to find ways to decrease network usage.  They wouldn’t make any money that way!!  They need to find business models that encourage increased uptake while also investing in and growing their networks to meet new demand and competitive challenges.

Moreover, there are other pro-consumer reasons for companies to consider metering options.  Unless it is your goal to allow some particularly aggressive users to be subsidized by all other users, it is sometimes sensible to price usage based on demand.  If you don’t, you potentially create a perverse incentive for a small handful of over-grazers to to be feeding at the trough at everyone else’s expense. As economist Russell Roberts aptly noted in the title of a famous 1995 Wall Street Journal editorial, “If You’re Paying, I’ll Have Top Sirloin.”  Thus, you would never want to make the “all-you-can-eat” pricing model the only option for the provision of a scarce resource. Even if you choose not to deploy it, it is useful to have the metered pricing model available in case you need to charge the over-grazers at some point.

As I’ve pointed out before, part of the reason broadband operators have been cautious about metering of the pipe so far is that they knew it would likely encounter a great deal of resistance–from both consumers and potentially even policymakers.  (Time Warner found this out the hard way when they began a recent experiment with metering.)  I made this point in this older essay on networking pricing:

First, broadband operators are probably concerned that such a move would bring about unwanted regulatory attention. Second, and more importantly, cable and telco firms are keenly aware of the fact that the web-surfing public has come to view “all you can eat” buffet-style, flat-rate pricing as a virtual inalienable right. Internet guru Andrew Odlyzko has correctly argued that “People react extremely negatively to price discrimination. They also dislike the bother of fine-grained pricing, and are willing to pay extra for simple prices, especially flat-rate ones.” And George Gilder, another famous Net guru, noted in his book Telecosm that, “Everyone wants to charge different customers differentially for different services. Everyone wants guarantees. Everyone wants to escape simple and flat pricing. Forget it.” Gilder basically argues that simple and flat pricing is almost always preferable from a consumer perspective and, therefore, network providers should avoid more complicated pricing schemes.

I understand where Odlyzko and Gilder are coming from, but I do not think that means we need to give up on metered pricing altogether. What I think would be the most efficient and pragmatic solution is what economists call a “Ramsey two-part tariff.” A two-part tariff (or price) would involve a flat fee for service up to a certain level and then a per-unit (or metered) fee over a certain level of use. I don’t know where the demarcation should be in terms of where the flat rate ends and the metering begins; that’s for market experimentation to sort out. But the clear advantage of this solution is that it preserves flat-rate, all-you-can-eat pricing for casual to moderate bandwidth users and only resorts to less popular metering pricing strategies when the usage is “excessive,” however that is defined.

Regardless, what we need right now is more experimentation with various business / pricing models. We should not be foreclosing such innovation with misguided bills like the “Broadband Internet Fairness Act,” which is tantamount to a price control regime for the Internet.  It’s not surprising that UnFree Press would favor such a destructive notion, but let’s hope Congress doesn’t follow their misguided lead.

Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”

As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.

Yet advocates of expanding COPPA—or “COPPA 2.0″—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.

We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:

• Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
• Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
• Hamper routine and socially beneficial communication between adolescents and adults;
• Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);

• Would likely be the subject of massive fraud or evasion since it is not always possible to definitively verify the parent-child relationship, or because the system could be “gamed” in other ways by determined adolescents;
• Do nothing to prevent offshore sites and services from operating outside these rules;
• Present major practical challenges for law enforcement officials in the face of such evasion by both domestic users and offshore sites;
• Could destroy opportunities for new or smaller website operators to break into the market and offer competing services and innovations, thus contributing to consolidation of online content and services by erecting barriers to entry; and
• Violate the Commerce Clause of the U.S. Constitution, since Internet activity clearly represents interstate commerce that states have no authority to regulate.

Here’s a terrific piece by Harry McCracken over at Technologizer asking “Whatever Happened to the Top 15 Web Properties of April, 1999?”  McCracken goes through the hottest web properties of April 1999 and asks, “How many of 1999’s Web giants remain gigantic today — assuming they still exist at all?”  Instead of reproducing his entire list here, I’ll just encourage you to go over to Technologizer and check it out for yourself, especially because McCracken also compares the old list to today’s top 15 Web properties.  Anyway, here’s the key takeaway from his piece:

to summarize, four of April 1999’s top Web properties remain in the top fifteen (plus AltaVista, Excite, and GeoCities, which are extant and part of top-10 properties). Four more are in the top 50, or are part of properties that are. Two exist but have fallen out of the top 50. And two (Xoom and Snap) no longer exist. Bottom line: If you were one of the Web’s biggest properties a decade ago, chances are high that you remain in business in some form in 2009… but you probably aren’t still a giant.

In other words, it’s a dynamic marketplace with a lot of churn and creative destruction. Sure, some big dogs from the late 90s remain (Microsoft, AOL, Yahoo, and CNet). But they have all been humbled to some extent.  Moreover, lots and lots of other players were driven from the top ranks or disappeared altogether. (GeoCities, Lycos, Excite, AltaVista, Xoom, Snap).  And there have been new technologies, platforms, and players that have come out of nowhere in a very short time to become the household names of 2009 (Google, Facebook, MySpace, Wikipedia).  But, as McCracken points out, it’s anyone’s guess which of today’s top Web properties will still be booming in 2019.   Anyway, I encourage you to check out McCracken’s very interesting essay, and if you find this sort of restrospective piece interesting, you might also want to check out my essay from earlier this year, “10 Years Ago Today… Thinking About Technological Progress“.

A classic piece here by Farhad Manjoo of Slate about how “the Internet of 1996 is almost unrecognizable compared with what we have today.”  It’s a fun look back at just how far the Internet has come over the past 13 years.  I love this passage:

We all know that the Internet has changed radically since the ’90s, but there’s something dizzying about going back to look at how people spent their time 13 years ago. Sifting through old Web pages today is a bit like playing video games from the 1970s; the fun is in considering how awesome people thought they were, despite all that was missing. In 1996, just 20 million American adults had access to the Internet, about as many as subscribe to satellite radio today. The dot-com boom had already begun on Wall Street– Netscape went public in 1995 — but what’s striking about the old Web is how unsure everyone seemed to be about what the new medium was for. Small innovations drove us wild: Look at those animated dancing cats! Hey, you can get the weather right from your computer! In an article ranking the best sites of ’96, Time gushed that Amazon.com let you search for books “by author, subject or title” and “read reviews written by other Amazon readers and even write your own.” Whoopee. The very fact that Time had to publish a list of top sites suggests lots of people were mystified by the Web. What was this place? What should you do here? Time recommended that in addition to buying books from Amazon, “cybernauts” should read Salon, search for recipes on Epicurious, visit the Library of Congress, and play the Kevin Bacon game.

God, do you remember those days?  I sure do.  I penned a piece last month about the amazing technological progress we have witnessed over the past decade.

Meanwhile, we have a whole town full of clowns here in DC looking to regulate the Internet and digital technology for one reason or another.  All these would-be regulators need to step back and appreciate just how well markets have been working and why regulation would be a disaster for technological progress. Viva la (Technology) Revolution!

As a means of introducing myself to TLF readers, this is an article that I wrote for the PFF blog in September that has not been previously mentioned on the TLF. Most of my other PFF blog posts have been cross-posted by Adam Thierer or Berin Szoka, but I’ve taken ownership of those posts so they appear on my TLF author page.

This is the first in a series of articles that will focus directly on technology instead of technology policy. With an average age of 57, most members of Congress were at least 30 when the IBM PC was introduced in 1981. So it is not surprising that lawmakers have difficulty with cutting-edge technology. The goal of this series is to provide a solid technical foundation for the policy debates that new technologies often trigger. No prior knowledge of the technologies involved is assumed, but no insult to the reader’s intelligence is intended.

This article focuses on cookies–not the cookies you eat, but the cookies associated with browsing the World Wide Web. There has been public concern over the privacy implications of cookies since they were first developed. But to understand them , you must know a bit of history.

According to Tim Berners Lee, the creator of the World Wide Web, “[g]etting people to put data on the Web often was a question of getting them to change perspective, from thinking of the user’s access to it not as interaction with, say, an online library system, but as navigation th[r]ough a set of virtual pages in some abstract space. In this concept, users could bookmark any place and return to it, and could make links into any place from another document. This would give a feeling of persistence, of an ongoing existence, to each page.”[1. Tim Berners-Lee, Weaving The Web: The Original Design and Ultimate Destiny of the World Wide Web. p. 37. Harper Business (2000).] The Web has changed quite a bit since the early 1990s.

Today, websites are much more dynamic and interactive, with every page being customized for each user. Such customization could include automatically selecting the appropriate language for the user based on where they’re located, displaying only content that has been added since the last time the user visited the site, remembering a user who wants to stay logged into a site from a particular computer, or keeping track of items in a virtual shopping cart. These features are simply not possible without the ability for a website to distinguish one user from another and to remember a user as they navigate from one page to another. Today, in the Web 2.0 era, instead of Web pages having persistence (as Berners-Lee described), we have dynamic pages and “user-persistence.”

This paper describes the various methods websites can use to enable user-persistence and how this affects user privacy. But the first thing the reader must realize is that the Web was not initially designed to be interactive; indeed, as the quote above shows, the goal was the exact opposite. Yet interactivity is critical to many of the things we all take for granted about web content and services today.

Stateful Sessions

On the original World Wide Web designed by Berners-Lee (Web 1.0), Web servers responded to each client request without relating that request to previous requests. There was no need to remember what other pages the user had requested because the requests were for static pages. But if you’ve used a Web-based email system like Gmail, Hotmail, Yahoo! Mail, etc., you know that once you log in, the service remembers who you are as you click from message to message. When a website can keep track of a user as they move from page to page within a site it is called a “stateful session.” The website doesn’t necessarily need to know anything about the user, it just needs to be able to distinguish that particular user from all other users. For example, if you go to an online store and place a few items in your virtual shopping cart, the site still does not know your name, email address, or billing information. But it does know what you’ve placed in your cart–or more precisely, it knows what someone using your browser has placed placed in a particular cart. If you leave the site before buying anything and then go back an hour later, it’s possible that the site will have completely forgotten about you. In that case, the unique identifier persists during your “session” on the site, but it doesn’t persist between sessions.

URLs and HTTP Requests

Web 1.0 sites achieve Web page persistence by having a unique address or Uniform Resource Locator (URL) for each Web page, which is displayed in the address bar at the top of your browser as you browse the web. For example, http://www.pff.org/about/ is a simple URL pointing to a specific Web page. Every user that visits the PFF site at www.pff.org and clicks on the “About” link will be taken to the exact same page.

URLs can also store information about the user. For example, if you search for “test” on Google, the URL of the resulting page may look like the following: http://www.google.com/search?q=test&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a.[2. http://googlesystem.blogspot.com/2006/07/meaning-of-parameters-in-google-query.html] The URL contains a number of different pieces of data, separated by ampersands. There is the search query (“q=test”), the character encoding of the input (“ie=utf-8”), the character encoding of the output (“oe=utf-8”), the type and language of the client (“rls=org.mozilla:en-US:official”), and the Web browser used (“client=firefox-a”). None of this information can be used to uniquely identify the user, but this basic example illustrates how URLs can be used to specify more than simply static Web pages–and how some information can be remembered as a user navigates a website even without using cookies. Knowing how this works, you can create your own advanced searches or change the way the results are formatted (e.g., changing the language).

So how did Google know I speak English and use Firefox? That information is included in the HTTP request that my Web browser sends to the Google Web server when it requests a page. HTTP requests specify (among a few other more technical things) the desired language and a “User-Agent” field that includes the name of the browser and sometimes your operating system. This information allows websites to customize their content for different Web browsers (e.g., to ensure that it displays properly). HTTP requests also include your IP address so the Web server knows where to send its response, and geotagging allows Web servers to associate an IP address with a geographic area (though the area is rarely more accurate than the country or state). HTTP requests can also contain HTTP cookies.

HTTP Cookies

URLs can be used to uniquely identify individual users and allow stateful sessions, but unless a user bookmarks the URL containing their unique identifier, there is no way for the site to associate the same unique identifier with the same user on subsequent visits. Another option is to have users create an account and then log in each time they access the site. The website could then include the user’s unique ID in the URL on subsequent pages, so that the user only needs to log in once per session. Having to bookmark or create an account on every site you want to remember you would quickly become unmanageable. It would be nice if mapping and weather websites, for example, just remembered your location. It would be nice if the blogs you follow remembered what post you last read and displayed only unread posts when you next visit their site. What was needed at this point in the Web’s evolution was a way for websites to automatically store a unique identifier on the user’s computer and send it back to the website automatically[3. A site could also try to uniquely identify users by the IP address of their computer, but this is unreliable as there can be many computers behind a firewall sharing a single IP address.]—which is precisely what a cookie does.

To quote Wikipedia,

“HTTP cookies, or more commonly referred to as Web cookies, tracking cookies or just cookies, are parcels of text sent by a server to a Web client (usually a browser) and then sent back unchanged by the client each time it accesses that server. HTTP cookies are used for authenticating, session tracking (state maintenance), and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts.”

A cookie can contain one or more pieces of data, a description and/or URL for an online description of the cookie, how long the Web browser should store the cookie, and the domain, path, and port that the cookie should be limited to. Cookies can be set to expire after a specified interval, or can be “session cookies” that will expire when the Web browser is closed. When a cookie expires, it is deleted by the Web browser. Unexpired cookies are automatically sent back to the originating Web server when the Web browser makes any subsequent requests to the same server (the same domain, path, and port).

Neither Web servers nor Web browsers are required to support cookies, but a server may refuse to work with a Web browser that does not return the cookie(s) it sends. Cookies do not contain any executable code and are extremely small in size. They only contain data sent by the website and the data is not changed by the client computer, so there generally should be no privacy concerns about sending a cookie back to the website that created it (“First-party cookies”).

First-Party and Third-Party Cookies

Cookies are normally only sent to the server setting them or a server in the same domain ( e.g., a cookie set by mail.google.com could be shared with calendar.google.com). These are called first-party cookies because they’re set by the site displayed in the address bar of the Web browser. These cookies are typically used to tailor the website for the user. Third-party cookies, on the other hand, are typically used by advertising networks to track users across multiple Web sites where the networks have placed advertising–which allows the advertising network to target subsequent advertisements to the user’s presumed interests and also to limit the number of times a user is shown a particular ad. This targeting allows the delivery of “smarter” advertising that is less annoying and more informative to the user–and therefore more valuable to the advertiser, who will be willing to pay websites more for their ad space. However, this targeting also raises privacy concerns.

It is trivial for a Web page to contain images or other components stored on servers in other domains (“third-party elements”). In fact, it is often easier to link to an image already hosted online elsewhere than it is to host an image on your own Website.

Examples:

• Typical first-party embedded image:
• Typical third-party embedded image:

Whenever a Web browser loads a Web page or component of a Web page, it will include in its request for that component any cookies already stored on the user’s computer that are associated with the domain hosting the content. The Web server, in turn, can send a cookie or update a cookie already existing on the user’s computer.

Although your Web browser will not send a third-party cookie to the first-party Web server (and it won’t send a first-party cookie to the third-party Web server), the first-party Web server can send information to the third-party Web server by embedding it in the URL for the third-party content. The most common form of this communication between the sites you visit and the sites they rely on for content or ads is called a “web bug”–a small (usually 1 pixel by 1 pixel) graphic not meant to be noticed by the user. Its purpose is to cause the user’s Web browser to load the third-party embedded content from the external Web server, which will allow the third party (usually an advertising network) to track the user.

• Example third-party embedded web bug:

While this all may seem scary and invasive,the fact that a website or ad network can uniquely identify your browser does not mean that they have any clue who you are. Even if you provide your name, email address, or other personally-identifiable information to the first-party Web site, most sites’ privacy policies state that they will not share this information with their advertising partners. To use a real-world analogy, third-party advertising is equivalent to a marketer in a mall watching you come out of a music store and then offering you a flyer for a concert: The marketer may know that you’re interested in music (because you were shopping at the music store), but they have no idea who you are. And as my colleagues Adam Thierer and Berin Szoka explained in their post on Adblock Plus, websites (especially smaller independent websites) depend on advertising as a source of revenue and to cover their overhead costs.

Alternatives to Cookies

Cookies are not the only way websites can do stateful sessions. As has already been mentioned, Websites can put unique identifiers in URLs. But custom URLs don’t last between sessions. Websites that need to remember users ( e.g., websites that charge a fee for access) can require users to create an account and log into the site every time they use it.

But most websites do not require users to create an account and log in every time. And more and more users are configuring their Web browsers to delete all cookies when they close the browser. In response, Web site operators have found other methods to uniquely identify users by storing a unique identifier on users’ computers.

The cookie alternatives listed below are not any more or less invasive of privacy than cookies if the user is aware of them and manages them the same way they manage cookies. But most Web browsers don’t give users the same amount of control over cookie alternatives that they do over cookies, and few users know about these alternatives.

Per-session cookie alternatives – These cookie alternatives are not saved to disk and thus are not accessible after you close your Web browser.

• Hidden form fields – Web pages can contain hidden Web forms that submit data back to the Web server when an on-screen button is pressed. This method is quite limited because it requires the user to click a specific button, and there is no method for saving data after you’ve navigated away from the site. Beyond these limitations, the only way to detect hidden form fields is to inspect the HTML code for a page. There is also no easy way to block hidden form fields.
• window.name – JavaScript embedded in a Web page can set or read the this internal value that’s not really used for anything else. The value can be up to 32 megabytes in size and once set a value can be accessed by any Web site. Although the only way to detect this is to inspect the HTML code for a page, you can disable JavaScript.

Persistent cookie alternatives – These cookie alternatives are like cookies in that they are saved on your computer and can be accessed even after you’ve closed your Web browser.

• Flash Cookies – Also known as Local Shared Objects, Flash cookies require Adobe Flash to be installed on your computer. Whereas HTTP cookies are limited to 4 kilobytes, Flash cookies can contain up to 100 kilobytes by default and can contain an unlimited amount of data if the user desires. To view and delete the Flash cookies stored on your computer, go to this page (although accessed via a Web page, the Flash cookies shown are stored on your computer). You can also permanently disable Flash cookies on that page.
• DOM Storage – DOM storage was designed specifically to allow Web 2.0 applications to work offline, saving data locally when they are unable to access the host website and to save data that would otherwise be lost if a page is accidentally reloaded. DOM storage is currently only implemented in Firefox (and Internet Explorer 8 Beta). If cookies are disabled, DOM storage is also disabled. Users can also manually disable DOM storage even when cookies are enabled.
• userData behavior – The userData behavior does for Internet Explorer what DOM storage does for Firefox. Each “document” is limited to 128 kilobytes of storage, with a per-domain limit of 1024 kilobytes. The data is stored in Internet Explorer’s cache and are deleted when you delete cookies using the Delete Browsing History dialog box.

Conclusion

This article should give you a better sense of what cookies are used for and how they work. You should now see that per-session cookies and cookie alternatives are completely harmless. Persistent cookies (and cookie alternatives) can make your Web browsing a bit easier, but deleting them will not (in most cases) cause any problems. If you are concerned about your privacy, you will need to do a bit more than just delete cookies–you also need to delete or disable the above-mentioned cookie alternatives.

I can’t believe we’re actually asking whether Obama—the candidate who promised to bring the Federal government (and perhaps everyone else) into the Web 2.0 era whether they like it or not—will have a “personal computer.”

The “webiness” of Obama’s predecessors is just embarrassing:   

Clinton famously sent only two e-mails while he was president, one to test whether he could push the “send” button and one to John Glenn, sent while the former Ohio senator was aboard the space shuttle… During his presidency, George W. Bush didn’t have a personal log-in to the White House Internet server, nor did he have a personal whitehouse.gov e-mail address. (He gave up his private e-mail account, G94B@aol.com, just before his first inauguration.) When he did go online, there were some things he couldn’t access. During Bush’s tenure, the White House’s IT department blocked sites like Facebook, YouTube, Twitter, and most of MySpace. The ability to comment on blogs was blocked, as was certain content that was deemed offensive. According to David Almacy, who served as Bush’s director for Internet and e-communications from 2005-07, only two people had access to the iTunes store during that period: Almacy, who had to upload speeches to the site, and the president’s personal aide, so that he could download songs for Bush’s iPod.

Pipes and tubes, pipes and tubes, my friends…  

If Obama decides not to implement whatever legal or technical changes would be required for him to do something so simple as having a computer on his desk, I suppose we’ll know that he’s not really all that interested—at least on a personal level—in all his rhetoric about the power of the Internet to make government more transparent and accountable.  Let’s hope that doesn’t happen.

Back in June, Adam Thierer and I denounced (PDF) Kevin Martin’s plans to create broadband utility to provide censored (and very slow) broadband for free to all Americans.  The WSJ reports that this scheme is now at the top of Martin’s December agenda:

The proposal to allow a no-smut, free wireless Internet service is part of a proposal to auction off a chunk of airwaves. The winning bidder would be required to set aside a quarter of the airwaves for a free Internet service. The winner could establish a paid service that would have a fast wireless Internet connection. The free service could be slower and would be required to filter out pornography and other material not suitable for children. The FCC’s proposal mirrors a plan offered by M2Z Networks Inc., a start-up backed by Kleiner Perkins Caufield & Byers partner John Doerr.

Adam’s August follow-up piece is also well worth reading.  

One could speculate as to how big an impact this service would really have.  Having just spent two weeks “wardriving” around Paris, Abu Dhabi and Dubai (looking for open wi-fi hotspots to try to get Internet access on my otherwise non-functional smart phone), I could certainly imagine scenarios in which some people might well use even a slow wireless service at least as a supplement to another provider–if their devices supported it.  But however useful the service might be to some people, and whether any company would actually want to build such a system in the first place if they have to give away such service, I think it’s a safe bet that if this is actually implemented, it will represent a victory for government censorship over content some people don’t like.

If this idea is still alive and kicking when the Obama administration has security escort Martin out of FCC headquarters in January–to hearty applause from nearly all quarters in Washington, no doubt–it will be interesting to see which impulse prevails on the Left, both within the new Administration and in the policy community.  Will the defenders of free expression triumph over those who see ensuring free broadband as a social justice issue?  Or will those on the Left who usually joining us in opposing censorship simply remain silent as the government extends the architecture of censoring the “public airways” onto the Net (where the underlying rationale of traditional broadcast regulation–that parents are powerless–does not apply)?  

Hope springs eternal.

See my take on the election and the prospects for capitalism in today’s Wall Street Journal:

If Barack Obama ran for president by calling for a heavier hand of government, he also won by running one of the most entrepreneurial campaigns in history. Will he now grasp the lesson his campaign offers as he crafts policies aimed at reigniting the national economy? Amid a recession, two wars, and a global financial crisis, will he come to see that unleashing the entrepreneur is the best way to raise the revenue he needs for his lofty priorities?

The Progress & Freedom Foundation has just launched the new Center for Internet Freedom.  CIF offers an alternative to the proliferation of advocacy groups calling for government intervention online by offering timely analyses and critiques of proposals that diminish the vital role of free markets, free speech and property rights.  We aim to drive the Internet policy debate in new directions by emphasizing a layered approach of technological innovation, user education, user self-help, industry self-regulation, and the enforcement of existing laws consistent with the First Amendment.  Such an approach is a less restrictive—and generally more effective—alternative to increased regulation.  

Here are some of the issues I’ll be working on as CIF’s Director in conjunction with my esteemed colleagues Adam Thierer, Adam Marcus, and adjunct fellows: 

• Defending online advertising as the lifeblood of online content & services, especially in the “Long Tail”;
• Emphasizing market solutions to problems of privacy protection, especially regarding the use of cookies and packet inspection data;
• Protecting online speech and expression both in the U.S. and abroad;
• Defending Section 230 immunity for Internet intermediaries;
• Opposing online taxation and legal barriers to e-commerce and digital payments, especially at the state and local levels; and
• Ensuring that Internet governance remains transparent and accountable without hampering the evolution of the Internet.