Internet Cookies: When Is Permission Consent?

• Publication year: 2021
• Citation: Vol. 85

85 Nebraska L. Rev. 383. Internet Cookies: When is Permission Consent?

383

Max Stul Oppenheimer(fn*)

Internet Cookies: When is Permission Consent?

TABLE OF CONTENTS

I. Introduction ...................................................... 383
II. Technological Background ......................................... 386
III. The Nature of Consent
........................................... 390
IV. Absence of Consent: The Risks
.................................... 391
A. Trespass to Chattel
........................................... 391
B. Criminal Liability for Unauthorized Access
.................... 396
C. Government Cookies: Searches and Takings?
..................... 403
D. Accessory/Secondary Liability
................................. 406

V. Whose Law? Whose Courts?
.......................................... 411

VI. Solutions
....................................................... 413

I. INTRODUCTION

Consent is the Philosophers' Stone(fn1) of the law: it can transmute an unconstitutional search into a lawful one, a criminal act into a legal one, or a tort into a contract. As technology has evolved, so has this fundamental legal concept. New forms of communication call for new ways to obtain and manifest consent. Examples include shrink-wrap licenses,(fn2) click-to-accept licenses,(fn3) faxed signatures,(fn4) e-mails,(fn5) and esignatures.(fn6) Each of these forms, however, requires some affirmative

384

action by the person sought to be bound. An emerging issue is whether permissions granted by a computer program can constitute consent on behalf of the computer's owner, particularly where the permissions are set by default in the distributed form of the program rather than by a conscious decision by the owner to set them.

On November 8, 2005, the Boston Globe reported that Computer Associates International had concluded that Sony BMG was distributing music compact discs which contained not only the music that purchasers wanted, but also code which would run on the purchaser's computer, collect information about the purchaser, and report that information back to Sony.(fn7) On November 18, 2005 (following Microsoft's decision to classify the Sony program as spyware and provide tools to remove it),(fn8) Sony recalled the CDs and offered to replace those that had already been sold.(fn9)

On December 29, 2005, the New York Times reported that the National Security Agency had used cookies in transactions on its website(fn10) in violation of agency guidelines which had been in place since at least as early as 1999.(fn11) On January 6, 2006, CNET reported that

385

"[s]ixty-six politicians in the U.S. Senate and House of Representatives are setting permanent Web cookies even though at least 23 of them have promised not to use the online tracking technique."(fn12) These are clear examples, and probably isolated instances, of violations of computer users' rights. There are, however, widespread uses of similar technology that pose significantly more far-reaching issues.

Cookies are files stored on a user's computer (the client) on instruction from a second computer (the server) when the client's web browser software (browser) communicates with the server's website. These files typically contain encrypted information relating to the transaction between the client and server. By default, current browsers "accept cookies," that is, they allow the server to write these files to the client and to store them for a period of time determined by the server. Since the data in the file is under the control of the server, it can be used to record and monitor the transactions between the client and server. If the server has appropriate decrypting capability, it can also monitor transactions between the client and other servers. The use of cookies without consent of the user raises a number of issues:

rst, does the use of cookies constitute a trespass on the client computer?

cond, when the server is controlled by a private party, does its use of cookies constitute unauthorized access to a computer in violation of criminal law?

ird, when the server is controlled by a government agency, does its use of cookies constitute (in addition to the above violation of

386

rights) an unlawful search in violation of the Fourth Amendment or an unlawful seizure of property in violation of the Fifth Amendment?

d fourth, if the use of cookies without permission violates criminal law, individual constitutional rights, or other rights, is there potential secondary liability for the providers of the browser software under the principles announced by the Supreme Court in MGM v. Grokster?(fn13)

Technically, a browser will not accept a cookie from a website unless its permissions have been set to do so. Does this technical answer--cookies are used only when permission has been given in a technical sense--equate to "consent" in the legal sense sufficient to authorize the transaction and insulate the setter of the cookie from the above types of liability?

If the answer is "no," then websites which set cookies are at risk for civil and criminal liability, government websites which set cookies further risk violating constitutional rights, and the distributors of web browsers face potential secondary liability for the use of their products.

II. TECHNOLOGICAL BACKGROUND

A cookie(fn14) is a text file embedded in an HTTP file exchanged between a server and a web browser running on a client, and it is retrievable by the server.(fn15) When a user browses a webpage, the website sends an image of the webpage as an HTML file using HTTP. If the user's computer is set to allow cookies, the webpage may embed a cookie in the HTML file, and the cookie is then stored on the user's computer. When the user next contacts the website, the user's computer sends a request for an HTML file and the cookie is embedded in the request. In this fashion, a website can track information relating to prior transactions with the user's computer. This process is referred to as "setting" a cookie. The server site sets the cookie, which typically contains client information, on the client computer, from

387

which the server can retrieve it during a web browsing session.(fn16) Cookies are useful in streamlining transactions by reducing the need for repeated transfer of redundant information in exchanges between clients and servers over the Internet. Cookies can store data so that a server can be provided with information about the client's settings, past browsing history, authentication, or preferences without the user's needing to reenter the data; cookies can encode information so that only a small coded file needs to be transferred in order to convey larger amounts of information.(fn17) A common use of cookies is to maintain a shopping basket on a commercial website--the user can provide authenticating information and a credit card number once during a session, sequentially select items for purchase, and then execute a single purchase instruction.(fn18) The resulting efficiency is especially im

388

portant when bandwidth is a limiting factor, as for example when retrieving large files over modem connections. The cookie may be stored in the client's random access memory (RAM) (in which case it disappears when the client computer is turned off, the user's browser is closed, or, at the server's option, when the transaction with the browser ends), or it may (again, at the server's option) be stored on the client's hard drive (in which case the duration of the cookie is determined by the server).(fn19) A cookie which is stored in RAM or erased from the client's hard drive at the end of the transaction is referred to as a "temporary" or "session" cookie; a cookie which remains on the hard drive after the session is closed is referred to as a "persistent" cookie.(fn20)

In addition to cookies set and retrieved by the server from which the client has requested a webpage, third-party cookies may be set and retrieved. For example, a server may provide information to an advertising website(fn21) advising of the client's interests (as evidenced by the webpages the client has requested) so as to enable the advertising website to select targeted advertising to be presented to the client.(fn22)

Theoretically, the ability of a server to set a cookie is controlled by the user. All common browsers have settings which allow the user to block (at the user's option) some or all cookies. However, the default setting is to allow cookies; browsers do not conspicuously advise users that cookies are being accepted, and the process for changing the default settings requires sufficient sophistication to navigate through

389

several layers of commands.(fn23) The most ubiquitous browser running under the Windows operating system, Microsoft's Internet Explorer, defaults to allow all cookies and provides user control under the "Tools"/"Internet Options"/"Privacy" menu, where the user can select levels of privacy which restrict the ability of selected servers to set cookies--hardly a straightforward process for many users. The Mozilla-based browsers(fn24) provide greater user control(fn25) but still require navigation,(fn26) and are set to allow all cookies by default.(fn27)

The server's website may be designed to refuse access to a client if the client's browser is set so that cookies are not allowed. Assuming that the owner of the server is under no obligation to provide access,(fn28) using this power does not run afoul of the law. If the user's browser is set to reject cookies and the server's website is set to refuse access where cookies are disabled, the user will need to make a conscious decision whether access to the site is worth the price of allowing cook

390

ies. If a legally competent user makes the decision to accept cookies, there...