The World Wide Web has attracted both business and non-business sites that want to establish an online presence for reasons ranging from prestige to money-making. A common trait of many Web sites, however, is the need to monitor visitor use in order to know how the site is being used. For sites that wish for more information than can be provided by server log files, one option is to ask for visitor registration. Another option involves the use of cookies that can keep track of a user's visit and store other useful information. Registration and cookies have become prevalent on the Web at the same time that problems with these practices are being increasingly noted as a possible invasion of privacy. A study of 100 popular Web sites by the Electronic Privacy Information Center (EPIC) determined a baseline figure for the appearance of privacy policies as well as for use of visitor registration and cookies. The present study examined the same sites six months later in order to establish any changes in patterns of usage. This examination suggests that the Web has become more sensitive to the privacy concerns of its users while, at the same time, increasingly resorting to the employment of privacy-threatening registration and cookies.
Contents
Seeking Information with Web-Site Registration and Cookies
Discussion of Data-Collection Concerns on the Web
Surveying Web Sites for Privacy Concerns
Conclusion
Study Limitations and Suggestions for Further Study
Notes
Appendix A: Privacy Policies
Appendix B: Collection of Personally Identifiable
Appendix C: Use of Persistent Cookies
Seeking Information with Web-Site Registration and Cookies
To go beyond the information that could be collected from a log file (which gleans no personally identifiable information), many Web sites ask visitors to complete a registration form or fill out a guest book. Such a form can provide a site with the demographic data of visitors it so desperately seeks: age, sex, income, personal preferences, and so on. This registration can sometimes be obligatory for a user to access all or part of a Web site, or at least to complete a transaction on the site. In brief, information gained by a registration-form system can help a site create a theoretically accurate visitor profile.
Another data-collecting option for a site is to pass a cookie to a visitor. Whereas a typical connection between a user and a Web site is stateless (each connection is considered new and no information on the visit is stored), cookies permit the maintenance of state information about the user gained during a session. The cookie can follow the visitor's movements at the site and make a record of the visit. This record includes, of course, any transaction that a visitor may have made or offered at the site, including registration information, credit card numbers, and other sensitive information. If the cookie is intended to be persistent (not immediately deleted once the visitor leaves the site), the Web server can store the collected information - usually unannounced - on the visitor's hard drive. In some cases, the server itself stores the data and gives the visitor a code instead. When the visitor returns later to the same site, the visitor's browser gives the cookie's information (or the code to access the information) back to the server, and the site can recognize the visitor, perhaps presenting a more personalized version of itself or specifically targeted advertisements.
Unfortunately, it is difficult to determine the scope of privacy-threatening registration and the passing of persistent cookies on the Web. In June 1997, the Electronic Privacy Information Center (EPIC) provided a baseline, so to speak, with a survey of sites taken directly from a monthly listing of 100 Web sites reputed to be the most popular by www.hot100.com [ 1 ]. For this survey, EPIC established several types of information it wished to monitor at the sites:
- Does the site collect Personally Identifiable Information (PII) - name, address, and so on?
- Does the site have a privacy policy?
- Does the site explain why information is collected and how it is used as part of its privacy policy?
- Does the site restrict the use of PII?
- Does the user have access to his or her Personally Identifiable Information?
- Does the site require registration for access?
- Does the site enable cookies?
EPIC concluded that only 17 of the 100 sites had a privacy policy and "few were easy to find" (although the appendix of the results shows that 19 sites were reported with a privacy policy, which is still a small number). None of the 100 sites provided adequate privacy protection. Registration was not obligatory at any site for access to at least the home page. A total of 49 sites collect personal information with online registration, but only eight allow some sort of user limitation to what can be done with this information. Only one of these sites permitted users access to their individual files. Although EPIC admitted that not every page could be visited to check for cookies, the survey did determine that 24 of the 100 sites enabled persistent cookies. What is remarkable, however, is that none of the cookie-enabling sites took the initiative to warn the users that it was passing data to store on their hard drive via a cookie.
The apparent need for sites to practice visitor registration, pass out cookies, or both has come under renewed scrutiny as both concerned citizens and consumer watchdog groups have begun to protest the growing lack of privacy on the Web. Data security and privacy have always been touted as essential elements of the Internet, of course, but the privacy of those who wish to browse the Web has never been so far in doubt. The Graphic, Visualization, & Usability (GVU) Center's WWW biannual User Surveys [ 2 ], since their inception in January 1994, have attempted to see how the Web affects social issues. Beginning with the April 1996 survey (the Fifth Survey), the issue of data privacy was included as part of the study. The survey administrators have incorporated a section on electronic privacy because, as they state, they foresaw that "issues of data privacy would become increasingly important as the Internet became a part of many people's daily lives" (this quote is from the Seventh Survey). The survey team has demonstrated in the Eighth Survey (Oct/Nov 1997) that privacy is, indeed, the main user concern (30.49%). This number has changed since the Seventh Survey (May/April 1997) whose results showed that 26.17% of the respondents indicated privacy as the main concern - a number that had held steady from the time of the Sixth Survey (Oct/Nov 1996).
Problems with information gathering through site registration
It is obviously important for Web-site managers to go beyond basic server-log accounting and ask for specific information from visitors in order to improve and personalize site/user interaction, which is apparently seen as an obligatory step toward Web success. But asking visitors to provide personal information by registering is sometimes seen as intrusive. As a result, obligatory registration "has eroded as the web's growth has presented surfers with so many alternatives" [ 3 ]. In addition, the accuracy of information gained in this manner is often questionable. The Eighth GVU User Survey reports that users are prone to falsify information if asked to register at a site. In this survey, it has been determined that some 40% of all users have falsified information when registering. From these results and from those of the preceding survey, the survey team concludes that "people falsify information of online registrations with some regularity" [ 4 ].
Of all U. S. and European respondents, 66.49% report that they do not register because they don't know how the information is going to be used. In addition, 62.78% don't feel that registration is worthwhile considering the content of a site, and 57.57% state that they do not trust the sites collecting this information from them. These main reasons, along with others (lack of time, as well as unwillingness to report one's address, name, or e-mail), are a good indication of why only 6.01% of all respondents always register when requested.
Data-collecting cookies concern Web users
Because of the surreptitious atmosphere surrounding cookies, this technology is much more controversial than registration. Of course, the non-persistent cookies are not an issue: These cookies exist only during the actual time of the visit and are deleted once the visit is terminated. A typical example of such a cookie is the "shopping cart" that records the necessary transactions for a visitor's purchases across as many pages as necessary. At the center of the controversy are the persistent cookies, those passed to a visitor and stored for a pre-determined amount of time on the user's hard drive, which can be for years after the visit. Persistent cookies are used for several reasons. For instance, marketing can be targeted when a cookie collects data such as where you go on a particular site, which advertisements you may click on, what information you request, and so on. Such cookies are often passed by a third party that can tailor advertisements to a user's profile. Then there is the attempt at site personalization according to the preferences that the visitor either knowingly indicates or which the site observes during the visit. With cookies, webmasters can also track a unique visitor's wanderings through a site. The shopping cart can act just like the non-persistent cookies that are deleted once a visitor leaves a site - but these cookies are retained, however, on the visitor's computer so that the visitor will not need to begin anew if, for some reason, the visit was interrupted. Finally, one of the most useful services for a cookie is to save visitors the trouble of having to re-enter registration information already provided once to a site.
Unfortunately, many users are unaware that they have cookies on their hard drive because Web sites do not commonly notify users that a cookie is being created. Even users who are aware of their cookies will not be able to discover what information is actually stored in the cookie, which is - for them - a string of mostly meaningless text. Although a cookie can be rejected or deleted at any time, users who are unfamiliar with this technology would of course not take advantage of this possibility [ 5 ]. All major browsers accept cookies, and by default the user is not warned that a cookie is being passed.
One major problem with this process is that the use of cookies has never been regulated. Although cookie technology is old by Web standards - its potential has existed since the inception of Netscape Navigator 1.1 in March 1995 - this technology initially went almost unnoticed because it was merely intended to be a way to personalize a Web site during the time of a visit and not stored on the user's computer [ 6 ]. The cookie defaults can be overwritten, however, and the original inoffensive nature of cookie technology has led to options that were never really intended. It must be understood, however, that the physical danger of cookies has been greatly exaggerated: Cookies cannot read anything from a user's hard disk and can perform no functions that compromise a user's computer [ 7 ].
Toward cookie standards: RFC 2109
Early in 1997, the state management subworking group of the Internet Engineering Task Force (IETF) began considering a proposal put forth by privacy, consumer, and educational groups to repair some of the problems of cookies. RFC 2109 (February 1997) [ 8 ] and its later revision (July 1997) [ 9 ] suggest that users should have more control over this potentially intrusive situation. The IETF has thus suggested several possible solutions:
- The user should be able to reject all cookies.
- The user should be able to know when a stateful session is taking place.
- The user should be able to manage the cookie based on its origin (domain).
To satisfy these requirements, the IETF recommends a visual indication when a stateful session is in progress or when a user's computer itself is prepared to return a cookie to a server. In addition, the IETF asks that the user be able to decide which cookies should be saved or rejected after a session is completed. Netscape itself proposed in April 1997 (in comments concerning consumer online privacy) to the Federal Trade Commission that cookies had "some perceived and potential risks" [ 10 ] and that some action was justified. It was thus proposed that this notice could be similar to the now common copyright links found on many Web home pages:
At some point in the ongoing discussion of the role of technology and industry in providing solutions and self-regulatory standards for protecting privacy there may be the need to identify means available to Web site operators to somehow state on their Web site what their cookie practices are. This sort of notice to users should not be intrusive and negatively impact the economic value of the finite space of a Web page. However, it should also be conspicuous enough so that users are aware of such notice.
Web sites passing cookies obviously did not routinely inform users of their practices. In addition, early versions of Netscape Navigator and Microsoft Internet Explorer did not help the users be aware of a site passing a cookie. Not until version 3.0 of both browsers did their users enjoy the option of having a dialogue box warn when a cookie was being enabled; no way to control cookies existed, however. To fill this void, several individuals and companies developed products or methods to help Web users take control of their privacy concerns by managing their cookies [ 11 ].
Privacy concerns made public: the Federal Trade Commission hearings
In June 1997, the U. S. Federal Trade Commission's Bureau of Protection conducted a workshop on Consumer Information Privacy to help determine if federal legislation is necessary to protect privacy on the Internet or whether Internet business can be relied upon to satisfy privacy concerns [ 12 ]. Session 2 (June 11-12) was specifically dedicated to examining electronic privacy issues, and questions concerning data collection by registration and cookies inevitably arose. In Panel 1B, James Pitkow discussed the GVU User Surveys and reiterated that "80 percent of the people do not believe in persistent identifiers that can track users across sessions [and] 40 percent of the population doesn't even know that such identifiers exist." In the same panel, concerns over visitor registration were raised. Michael Kleeman, a vice president of The Boston Consulting Group, made observations on data taken from their own online survey. According to this survey, 42 percent of consumers did not provide registration information because of privacy concerns. However, Kleeman was also anxious to report that if Web sites were to meet the privacy concerns of citizens, users would no longer fear registration: "We believe that assurance of non-dissemination of personal information would have significant impact, increasing consumer willingness to participate in electronic commerce by a factor of 2 to 3. Disclosure would increase almost 50 percent alone ... ." Among other topics, the FTC hearings raised awareness of the importance of privacy concerns and seemed to culminate a period where online registration and cookies were perhaps more tolerated because of less awareness.
Perhaps as a result of the growing attention being given to cookies, both Netscape and Microsoft made an important change in the scheduled next-generation browsers. Netscape Communicator 4.0 and Internet Explorer 4.0 now include more than simply an optional security alert dialog box for the user who is concerned about receiving cookies: The new browsers contain the option that allows the user to refuse all cookies without having to click through the warnings. In addition, Netscape Communicator has an option for the user who wants to accept only the cookies that are going to be returned to the domain on which the user is logged. This option is aimed at stopping third-party cookies used by advertisers [ 13 ].
The combination of increased public awareness of cookie usage (seen in the proliferation of methods to surf more anonymously) with possible future government intervention to safeguard user privacy on the Internet suggests that the status quo will not be maintained. The consequences of these events, especially if the IETF approves the proposed cookie standard (RFC 2109) in its present form, would have a devastating effect on the use of cookies, rendering them "almost useless" [ 14 ] or contributing to the loss altogether of this protocol.
Summary of problem
No study exists demonstrating any increase or decrease in the number of sites that ask for visitor registration or enable cookies, and there is likewise no study on the use of privacy policies on the Web. Yet, as far as registration and cookies are concerned, the general consensus is that their use has been on the rise as Web sites have discovered their potential. There is a developing concern about site registration that asks for personal information and about persistent (and surreptitious) cookies; the concern about cookies is especially heated and appears to be placing the continued growth of this technology in peril. In what has become an issue revolving around Internet privacy and the lack of clearly stated privacy policies for Web sites, it is important to gauge if the Web will insist on committing to cookies in spite of their drawbacks or if a gradual return to the less problematic but still controversial visitor registration is foreseeable in the near future. In addition, it is necessary to look for any increase or decrease in the use of Web-site privacy policies - a practice that would help alleviate some of the privacy concerns of users.
Discussion of Data-Collection Concerns on the Web
The issue of visitor registration - unlike that of cookies - does not have a collection of Web sites or pages that treat it as a controversy. Most online discussion about registration is simply informative or explanatory for those who wish to employ this method. Web cookies, however, enjoy quite a variety of papers, postings, and articles; several sites are dedicated entirely to the cookie issue; information on cookies and their standards is readily available on the Internet. Netscape keeps its original specifications posted (see Note 6), and many general directories, such as Yahoo!, allow users to link to this information.
First awareness of cookies and their potential
Roger Clarke, in an appendix of his "Cookies" page [ 15 ], has estimated that only a few users were aware of cookies after their inception during the first quarter of 1995 but that the knowledge began to spread in early 1996 and received "copious media-coverage" at that point - although he does not distinguish between computer-centered media and general media. An early example of an objective alert on cookie possibilities is James Staten's March 1996 article "Netscape tricks raise security concerns" [ 16 ]. Staten discusses two uncovered capabilities of Netscape Navigator 2.0: JavaScript with its security concerns and HTTP cookies. Staten cites Frank Chen (security product manager at Netscape) who states that Netscape was planning a "feature that will either disable Cookie and JavaScript support or alert the user to their presence." In April of the same year, Carol Davidson hints at the growing controversy in "Cookies Anyone?" [ 17 ] when she mentions that "many in the online community feel users' privacy and security are in danger of being breached" and that many are unaware that they even have cookies. This brief article ends with the announcement that Netscape was then working on a method to alert users when a cookie was being passed (which was instituted with Navigator 3.0).
These early concerns or warnings about cookies were mainly inspired by the thought of webmasters misusing cookies in order to glean sensitive data from site users. However, it was eventually observed that some advertising businesses were taking advantage of cookie technology: Users began to notice cookies passed to them by sites other than the ones that they had visited. The realization that third-party cookies were being surreptitiously passed greatly fueled the cookie controversy and added another dimension to online privacy concerns. For example, several comments appeared in The Risks Digest (Forum on Risks to the Public in Computers and Related Systems). Howard Goldstein decries (June 1996) the secretive marketing cookies from companies such as DoubleClick. Several months later, Matin Minow adds (November 1996): "It seems that the very lack of 'real world' controls over online activity which many Internet users favour has created the environment in which marketing companies can thrive" [ 18 ]. Growing concern with cookies has engendered more than these simple postings about the use of third-party cookies, however. Perhaps the most cogent argument against the current manner of using cookie technology can be found in Viktor Mayer-Schönberger's paper "The Internet and Privacy." Mayer-Schönberger studies U. S. and international law and how it applies to the Internet. In his paper, he concludes about cookies: "Existing regulations, targeted at protecting personal information, limit the use and application of cookies. Current cookie usage violates such norms" [ 19 ].
Impartial attempts to educate
Many individuals have taken a neutral stance toward cookies and have posted pages giving background information and numerous links to other informative sites. Glenn Fleishman attempts to dispel the "furor" over cookies with a careful explanation of their origin, their uses, and their potential [ 20 ]. He also links to several sites of resources. Andy Kington's Netscape Cookie Notes [ 21 ], like the Fleishman site, offers information on both the uses of cookies and the security questions that have arisen. As does Fleishman, this site encourages further study by providing advice and links to useful resources. David Forrester, in "Cookies in the Middle: A Burning Issue" [ 22 ], is especially careful in explaining just what a cookie can do; he spends a good amount of space addressing the issue of personalized ads that are used by marketers - which is, of course, the issue about cookies that privacy activists most often debate. Such a use (or abuse) of cookies by marketers damages the chances that cookies will be generally acceptable in their less intrusive forms (i.e., shopping carts). Forrester gives the options that are being developed, however, such as the Electronic Frontier Foundation (EFF) and CommerceNet proposal for guidelines. As a result, he sees future guidelines allowing both sides to be happy: "Marketers will have more information on their sites and their visitors ... and users will benefit from useful applications of HTTP cookies like shopping carts and personalization."
Attempts to defend the use of cookies
Other discussions of cookies attempt to reassure Web users that this technology presents no danger and that its notoriety is undeserved. Robert Brooks [ 23 ] likens cookies to junk mail as he chides the paranoia that he sees in other sites, such as the Center for Democracy and Technology (CDT) page. Brooks' page is primarily constructed of briefly annotated links to sites about cookies and to sites that use cookies. Malcolm Humes [ 24 ] states that "ideal implementation of cookies should be transparent, working to make your navigation or experience more fluid and personal without you even noticing the behind the scenes work." Humes sees the benefits of cookies outweighing any risks of user profiling, which is so common in other media. Christopher Barr [ 25 ] believes that "cookies aren't a threat to security. In fact, they are often used in ways that can enhance your time on the Web."
The Internet Engineering Task Force is also coming under pressure by the Association of Online Professionals (AOP) not to institute proposed cookie standards mentioned in RFC 2109. The AOP's executive director, Dave McClure, warns: "Abandoning a widely used and largely effective technology just because it might possibly be abused is not a rational response to privacy concerns. Given that Web browsers already are easily controlled by the user, and that no abuse of cookies has been recorded to date, adoption of the proposal would be inappropriate" [ 26 ].
Businesses with a vested interest in cookie technology are especially anxious to downplay the furor over cookie abuses. For example, Focalink, a company that uses cookies to individualize advertisements on business sites, devotes a page to the explanation of its cookie policy and to the limitations of this technology. Focalink states that "the use of cookies is a 'fact of life' of the commercialization of the net" and that "the user can empty his/her cookie file at any time" [ 27 ]. Focalink does not address the question of the average Web user and his/her knowledge of cookie technology, however. DoubleClick, an ad agency that also depends on cookies to obtain information on Web users, wishes to contribute to the Internet Engineering Task Force's discussion on the cookie standards draft because "the company had only recently become aware of the extent to which its business would be affected by the specification" [ 28 ].
As vehemently as many organizations have painted the danger of cookies, some see this reaction as unwarranted. Wendy Leibowitz, in "Spilling Your Cookies on the 'Net: A Big, Silly Food Fight on Privacy" [ 29 ] derides groups like the Electronic Privacy Information Center (http://www.epic.org) and the Electronic Frontier Foundation (http://www.eff.org) who "focus on the dangers of the Internet with a passion that borders on irresponsibility." Leibowitz downplays the percentage of Web users who cited privacy as their major concern in the Graphic, Visualization, & Usability Center's Seventh User Survey (see Note 2). Leibowitz generally concludes that attention given to cookie privacy issues would be better spent on legitimate privacy concerns such as personal medical histories. Recently, Paul Bonner contributed "Cookie Recipes for Web-Page Builders" [ 30 ] where, true to the article's title, he encourages the use of cookies in order to build an efficient Web site. Bonner clearly believes that the talk about the "notorious" cookie is misdirected because the cookie is no more than "the electronic version of a clerk who remembers your name and calls it out when you enter a store."
Keeping the public informed of the threat
In contrast to the pages that present cookies as a harmless practice, many exist whose intention seems to be to act as a watchdog for the unsuspecting public. What differentiates these sites from the others is their effort to keep updated rather than to perform one-time informational services that never change after being posted. Such a site is Cookie Central [ 31 ], whose aim is to "provide full information upon Persistent Cookies," as stated on its home page. Cookie Central is also dedicated to remaining current on the developing technology, linking to its own FAQ page. In addition, Cookie Central watched closely the development of the Navigator and Explorer browser software. Other sites that keep the public informed on this topic include, for example, the Center for Democracy and Technology (CDT) Web site [ 32 ], which has a page demonstrating the type of information that can be collected on Web users and highlights cookies as one of the Web's threats to privacy.
Other pages from concerned Web users that are devoted to cookies frequently provide information on how to refuse or disable cookies [ 33 ]. Cookies have even eventually found mention in the popular press - beyond the popular technical press. In an issue of Time magazine (25 August 1997), a sidebar in the article "Invasion of Privacy" told readers how to find, rig, and disable their "cookie" - without really telling them why or providing much detail on the topic until later in the article [ 34 ].
The call for regulation
Appeals for cookie regulation have come from the public and the private sectors and have mirrored each other. In a draft for public comment (April 1997), the Information Policy Committee of the National Information Infrastructure Task Force concluded: "Consumers want to control what personal information is disclosed about them, to whom, and how that information will be used. As a result, electronic commerce will flourish only if we are able to agree on, and implement, fair information practices for the information age" [ 35 ]. And in a set of supplemental comments provided for Session 2, panel 2 of the FTC's consumer privacy hearings, Peter Harter (Global Public Policy Counsel for Netscape Communications Corporation) presented several suggestions for self-regulatory approaches to online privacy. Among these suggestions was a call for more industry leadership, as Harter states that "Websites should consider stating their cookie practices on their home pages" [ 36 ] as many already do with a copyright link. Harter continues: "Such a page could be dynamic - changing as a Website updates its practices in response to consumer inquiries and demand. Such a page could contain statements as to what type of cookies are employed and why."
Finally, Roger Clarke's "Cookies" page [ 37 ] can serve as a good example of an individual's call for action; in appendix 3 of his page, Clarke asserts that web sites can use cookies in a "manner that addresses the interests of consumers" simply by informing the visitor what a cookie is, when it is being passed, and what will be done with the data - on each page where a cookie is encountered. In addition, the visitor should have the right to suppress cookies on individual pages and should be asked to provide consent. This strategy, of course, would be in addition to the warning option available in both Netscape Navigator and Internet Explorer browsers.
Surveying Web Sites for Privacy Concerns
For any study of privacy on the Web, it is important to establish a figure for Web-site privacy policies along with the use of visitor registration and cookies. A study of the same sites over a period of time thus could reveal the extent of these practices and their pattern of growth or decline. In addition, it is necessary to note the manner in which the sites advertise any existing privacy policy, ask for registration (voluntary and obligatory), and deliver cookies (by notification of the user or surreptitiously). The June 1997 EPIC survey of Web sites listed by www.hot100.com (see Note 1) can serve as a point of departure for a new survey of the same sites.
From its survey, EPIC arrived at several recommendations. Web sites need to make readily apparent a privacy policy and explain how any information collected is to be used. In addition, sites must allow users access to any data collected on them. Finally, cookie usage must be made less secretive because the users should not be expected to initiate any plan to discover and monitor the cookies being passed to them. These recommendations echo those made by the Internet Engineering Task Force with RFC 2109 (see Note 9) and by Netscape before the FTC privacy hearings (see Notes 10 and 36).
Not all the sites in the original EPIC survey are engaged in direct commerce with consumers, of course; the goal of the EPIC survey was not to examine the use of registration and cookies as an aid to commerce. Rather, EPIC wished to examine registration and cookies as an aid to data collection on a site's user. Trying to establish whether a particular type of data collection is malevolent or whether it actually does transgress the bounds of personal privacy was also beyond the scope of its study. Nevertheless, simply determining the amount of registration/cookie use is important to know for those who continue to see inherent dangers in such practices and who have, in many cases, already taken steps to protect their privacy while warning others of this perceived threat.
The advantage in reusing the list of 100 Web sites examined by EPIC for this present study is that this list represents a fairly stable set of sites and thus can reduce the effect of any mortality on a study to be conducted after a six-month period (December 1997). A few of these sites may have been of ephemeral interest, but such sites won't be so numerous as to affect the results [38]. Thus, the same sites were examined again between December 5-7, 1997 in order to compare the results with the EPIC survey. For every site visited, the data sought reflects four main sets contained in the EPIC survey:
- The collection of personally identifiable information by various registration methods
- The existence of a privacy policy
- Access restricted by registration
- The passing of persistent cookies
In addition, care was taken to notice the location of a site's privacy policy (if existent), and if this policy contained a cookie explanation (should the site pass cookies) or if such an explanation were found elsewhere. Unlike the EPIC survey, this study did not attempt to judge the adequacy of privacy policies or user access to personal information because much of this data is open to interpretation.
Defining registration and cookies for this study
For this present study, a site was determined to be using registration if it asks for personally identifiable information (name, address, e-mail, and so on) through any online registration form, which can also take the shape of a survey, a mailing list, a request for personal preferences, feedback, and so on - as long as the form asks the user to fill in such information.
A persistent cookie was defined as any .txt file sent by a server to reside on the visitor's hard drive in their browser's designated cookie directory. The passing of a cookie was determined by using the optional setting in Internet Explorer that warns the user each time a Web server wants to pass a cookie. Non-persistent cookies were, of course, ignored for the purposes of this study. Granted, a Web site can assign a new cookie or cookies for each page on its site (with a limit of 20 per domain), while other sites assign only one cookie for the entire site. Because the number of pages on each site is not a factor in this study, only one persistent cookie was necessary to have a site categorized as cookie-enabling. Thus, a site that passed one persistent cookie had the same weight in this study as a site that passed more cookies because it was not a question here of determining how many cookies are being passed by individual sites. This distinction is especially important when we remember that the number of pages and cookies per site naturally fluctuates.
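The same categorization can be automated from the Set-Cookie headers a visit produces. The sketch below is an added example, not the procedure used in this study (which relied on Internet Explorer's cookie warning): it treats a cookie as persistent when it carries a future `expires` date (Netscape specification) or a positive `Max-Age` (RFC 2109), marks a site as cookie-enabling when at least one persistent cookie is seen, and flags persistent cookies set by another host. The host names, headers, reference time, and the two-label domain comparison are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed reference time: the middle day of the December 5-7, 1997 visits.
SURVEY_TIME = datetime(1997, 12, 6, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CookieFinding:
    name: str
    set_by: str        # host whose response carried the Set-Cookie header
    persistent: bool
    third_party: bool


def parse_set_cookie(header, now=SURVEY_TIME):
    """Return (cookie name, persistent?) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = None
    expires_at = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "max-age":                      # RFC 2109 lifetime in seconds
            try:
                max_age = int(val)
            except ValueError:
                pass                              # malformed value: ignore it
        elif key == "expires":                    # Netscape-style absolute date
            try:
                when = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue                          # unparseable date: ignore it
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            expires_at = when
    if max_age is not None:                       # Max-Age wins if both are sent
        return name, max_age > 0                  # Max-Age=0 means "discard now"
    if expires_at is not None:
        return name, expires_at > now             # past date = deletion request
    return name, False                            # no lifetime: session cookie


def site_key(host):
    """Assumed heuristic: compare hosts by their last two DNS labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_site(site_host, responses, now=SURVEY_TIME):
    """responses: list of (responding host, [Set-Cookie header values])."""
    findings = []
    for host, headers in responses:
        for header in headers:
            name, persistent = parse_set_cookie(header, now)
            findings.append(CookieFinding(
                name, host, persistent, site_key(host) != site_key(site_host)))
    return {
        "cookie_enabling": any(f.persistent for f in findings),
        "third_party_hosts": sorted(
            {f.set_by for f in findings if f.persistent and f.third_party}),
        "findings": findings,
    }


# Constructed sample visits (home page only); not data from the survey.
SAMPLE_VISITS = {
    "www.example.com": [
        ("www.example.com", ["SID=abc123; path=/"]),
        ("ads.example.net",
         ["ID=77f0; expires=Wed, 30-Dec-1998 16:00:00 GMT; path=/"]),
    ],
    "www.example.org": [
        ("www.example.org",
         ["SESSION=1; path=/",
          "old=; expires=Wed, 01-Jan-1997 00:00:00 GMT"]),
    ],
}


def survey(visits=SAMPLE_VISITS, now=SURVEY_TIME):
    """Classify every visited site; one persistent cookie is enough."""
    return {site: classify_site(site, resp, now) for site, resp in visits.items()}


if __name__ == "__main__":
    for site, result in survey().items():
        print(site, result["cookie_enabling"], result["third_party_hosts"])
```

As in the study, the number of persistent cookies per site is not counted; a single one places the site in the cookie-enabling category.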
Results of the December survey
In the original study, EPIC found that all 100 Web sites allowed user access to the home page without forcing the disclosure of personally identifiable information, and even the sites that restricted access in some way (more so than simply asking for PII in feedback forms and the like) still permitted users to take advantage of many services without registering. The present study found that this level of anonymous browsing still exists for these sites six months later.
Other results showed much less stability, however. Perhaps because of growing awareness of how a Web site can compromise a user's privacy with its registration and/or cookie policy, this present study found that the number of individual Web-site privacy policies increased from 19 to 28 (see Appendix A). In its June survey, EPIC reported that "few were easy to find," and this study encountered the same difficulty: No consistent format exists for posting privacy policies as seems to be the case for copyright policies (which can sometimes lead to privacy policies). However, some of the nine sites that have added a privacy policy during the past six months did seem to make this policy easier for the user to locate. For example, Windows 95.com (http://www.windows95.com) and IBM (http://www.ibm.com) located a link to their policies at the bottom of the home page where many users would be inclined to look. Some sites such as NBC (http://www.nbc.com) and Riddler's Games (http://www.riddler.com) placed a link to their privacy policies on the same page where they asked for personally identifiable information. Others made it harder but not impossible: the World Wide Web Consortium (http://www.w3.org) situated its policy under "About" and Healthgate (http://www.healthgate.com) placed its explanation under "Terms of service."
In spite of the large increase in the number of privacy pages being posted, however, three sites either took off their posting observed by EPIC in June or made it impossible to find during the time period of this last survey: Icount (http://icount.com), National Geographic (http://www.nationalgeographic.com), and Techweb (http://www.techweb.com).
The privacy policies found during this study did tend to explain the concerns raised for that particular site. If personal information was being collected on these sites, the policies stated with few exceptions that this information would not be sold or distributed without prior permission or some sort of consent. In June, EPIC noted only four sites that offered no restrictions on the use of PII: Geocities (http://www.geocities.com), RocketMail (http://www.rocketmail.com), MindSpring (http://www.mindspring.com), and Internet Count Registration (icount.com). In the present study, one site joined this group of non-restricted use of PII: Riddler's Games (http://www.riddler.com) did announce that it would distribute such information "to other reputable organizations whose products or services we think you might find interesting." However, this site is also among those that added its privacy policy between June and December, which can clearly be accessed from the page that collects the personal information. In addition, the Riddler Web site is one of the few that offers the user the option of removing any personal information collected, although this request must be done in writing, which is itself a minor impediment.
Table 1 summarizes changes in the use of privacy policies by the Web sites in question between the times of the two surveys.
Table 1: Possession of Privacy Policy

| Sites | Date | Number |
| --- | --- | --- |
| Sites with privacy policy | June 1997 | 19 |
| Same sites losing privacy policy | December 1997 | 3 |
| Other sites adding privacy policy | December 1997 | 12 |
| Total sites with privacy policy | December 1997 | 28 |
| Change in sites | June-December 1997 | +9 |

The number of sites collecting personally identifiable information also increased from 52 observed by EPIC in June to 57 in December (see Appendix B). Among the sites joining the group were well-known sites such as Alta Vista (http://www.altavista.digital.com) and The Internet Movie Database (http://www.imdb.com). Imagine (http://www.imagine.com) was the only site from the June survey that appeared to cease collecting personally identifiable information.
Table 2 summarizes changes in the number of sites collecting personally identifiable information.
Table 2: Collection of Personally Identifiable Information (PII)

| Sites | Date | Number |
| --- | --- | --- |
| Sites collecting PII | June 1997 | 52 |
| Same sites no longer collecting PII | December 1997 | 1 |
| Other sites collecting PII | December 1997 | 6 |
| Total sites collecting PII | December 1997 | 57 |
| Change in sites | June-December 1997 | +5 |

Perhaps the most obvious change was the number of sites enabling persistent cookies, which increased from 24 to 30 (see Appendix C). Five former cookie-passing sites no longer set cookies, but many added this technology. Sixteen of the 30 sites surveyed passed the cookie on the home page, before the reader could theoretically read or link to any explanation - if contained in a privacy policy. At least seven of the cookies passed on the home page were third-party cookies (from DoubleClick, Focalink, or Preferences). Only a few sites described in any detail what a cookie was or mentioned their use of cookies under the privacy policy: Disney (http://www.disney.com), IBM (http://www.ibm.com), Pathfinder (http://www.pathfinder.com), United Media (http://www.unitedmedia.com), and Alta Vista (http://www.altavista.digital.com) were exceptional in this respect. Of this group, United Media and Alta Vista even explain the use of third-party cookies on their sites. On the other hand, The Internet Movie Database (http://www.imdb.com) simply warns that the user's browser must accept cookies and gives no further explanation. The Weather Channel (http://www.weather.com) also mentions without any other details that a cookie will be set for the user, but in this case it is clear that no personal information is at stake.
Table 3 summarizes changes in the passing of persistent cookies between the June and December surveys.
Table 3: Passing of Persistent Cookies

| Sites | Date | Number |
| --- | --- | --- |
| Sites passing persistent cookies | June 1997 | 24 |
| Same sites no longer passing persistent cookies | December 1997 | 5 |
| Other sites passing persistent cookies | December 1997 | 11 |
| Total sites passing persistent cookies | December 1997 | 30 |
| Change in sites | June-December 1997 | +6 |

Conclusion
As a result of its June survey, EPIC formulated several recommendations for the protection of privacy. The findings of this present study are perhaps best seen in conjunction with these earlier recommendations. EPIC's observation that Web sites should continue to allow users basic anonymous access (as suitably demonstrated in the June survey) is still valid.
EPIC also recommends that any privacy policy be easy to find, suggesting that access be possible from a clear link (named "privacy") on the home page. As noted, this study encountered a few sites that since June posted a privacy policy and clearly linked to it from the home page or, at least, from the page that asked for personally identifiable information. Nevertheless, the overall location of privacy policies was unclear and inconsistent, ranging from FAQs to Terms of Agreement pages.
The apparent increase in use of persistent cookies is disturbing for several reasons. A growing awareness of cookies has alarmed many users who resent the potential invasion of privacy that unannounced cookies represent; this awareness is certainly reflected in the number of Web postings that attack, defend, or simply explain cookies and related issues. The increased coverage given cookies during the June 1997 FTC consumer privacy workshop is also a good indication of this discussion becoming more mainstream. Additionally, new generations of Web browsers allow users to permanently reject all cookies without having to tolerate a constant security alert message each time a Web site wants to pass a cookie. It has been suggested that, if enough Web users learn about cookies and exercise this option, the cookie cannot survive as a viable method of data collection [see Note 28]. If the present survey is a fair assessment of the situation, it can be surmised that cookies are surviving quite well in spite of user privacy concerns and in spite of the proposals made by the Internet Engineering Task Force in RFC 2109. For this technology, EPIC recommends that cookie use be more "transparent." At this time, no trend toward transparent transactions is observed. Only two sites inform the user about cookies when the user is at a page where personal information can be collected: NBC (http://www.nbc.com) and Riddler's Games (http://www.riddler.com). Of these two sites, however, NBC does pass a persistent cookie from a third party on its home page without giving any warning. Thus for all sites, unless the browser option is set to warn about cookies and unless the user is motivated enough to search for privacy policies in different locations and wade through all sorts of additional text to find partly hidden policies, the passing of cookies is still a surreptitious affair and certainly prone to continued complaints from the privacy-concerned public.
In sum, perhaps because of the heightened attention given now to online privacy issues, more Web sites are demonstrating sensitivity to the needs of users by creating privacy policies. On the other hand, the practice of asking for personally identifiable information and passing persistent cookies has grown. A consistent manner of posting a privacy policy or at least explaining somehow the manner in which a site uses its collected data or cookies is not yet discernible.
Study Limitations and Suggestions for Further Study
It must be conjectured that popular sites making up the 100 hot Web sites owe some of their popularity to the fact that user access is not limited. It would be difficult for a site to become part of such a list if the site did not allow at least some measure of anonymous use. The EPIC survey and this present survey may thus not be able to judge well whether anonymous usage of the Web is still that pervasive.
The importance given to cookie usage by both opponents and proponents of this technology may also be misdirected. Determining whether a unique user can be distinguished by a cookie is necessary if the passing of cookies is to be considered a genuine privacy concern for all users. Of course, in the situations where a visitor is getting on the Web via an online service (e.g., America Online), corporate computer, or educational institution's computer, the tracking performed by the cookies or the data stored by the cookie on the user's hard drive is of little use because the Web site that passed the cookie will not recognize the return of that individual - but only of the online service or the corporate/academic computer whose ownership is not private and whose use is not always restricted to the same individual. Even home use of a computer for Web access is not always limited to a unique user. The idea of being electronically tagged for later identification may not be an issue for many Web users, and cookies may not be after all the ideal method for collecting market information.
In addition, this study covered only 100 Web sites. This population included a variety ranging from search engines to newspapers. Because no distinction was made in the type of site, an important consideration could not be examined: the types of sites using visitor registration or passing cookies the most often. It is probable that sites having direct economic interest in the Web (i.e., conducting commerce) would be the largest group of registration and cookie-enabled sites - simply to collect demographic data, to make user access more transparent, and to monitor the site for visitor appeal. Differentiating between types of sites asking for registration and/or passing cookies could help uncover some interesting movements in the implementation of such tactics.
It is also necessary to admit that the changing nature of the Web (which is probably even more true with the popular Web sites used for this study) works to invalidate many efforts to collect data on practices such as registration and cookie enabling; these practices, of course, can appear and disappear with alarming frequency, depending on the whims of the Web-site managers. Perhaps an examination of a group of Web sites done at more frequent intervals could help determine with better certainty any patterns of usage.
Finally, some more specific estimation of Web users' knowledge of cookie technology would provide a good background to this study. If this knowledge is actually minimal, as suggested by the Eighth GVU WWW User Survey [39], the use of cookie technology would be considered perhaps even more intrusive than it now is by many concerned parties. Attitudes of Web users toward cookie technology would also prove important [40]. This survey work would entail a complete study on its own.
About the Author
Bill Helling is a project editor of both technical and trade books at IDG Books Worldwide, Inc. He holds a B.A. in studio art from Avila College and a Ph.D. in French from the University of Kansas. His varied research interests range from early 19th-century French exploration of the Pacific to film interpretations of both the novella Carmen and its opera version. He is currently concerned with international issues of electronic privacy and industry response to consumer concerns. At the present time, he is a candidate for the M.I.S. degree in the School of Library and Information Science at Indiana University.
E-mail: helling@tctc.com
Notes
1. The study is at http://www.epic.org/reports/surfer-beware.html The results of the survey are available at http://www.epic.org/reports/surfer-appendix.html
2. The collected surveys and documentation are at http://www.gvu.gatech.edu/user_surveys
3. As cited in Miryam Williamson's article "Getting to Know You" in WebMaster (September 1996): pp. 28-35.
4. This disturbing observation stems from results of the Seventh GVU WWW User Survey (http://www.gvu.gatech.edu/user_surveys/survey-1997-04) whose percentage of users falsifying information was just as large as the Eighth Survey (http://www.gvu.gatech.edu/user_surveys/survey-1997-10). The Eighth Survey added that 14.02% of users falsify information more than 25% of the time, a figure that the survey team called "disturbing if you are trying to make the claim that the collected demographics of a site's online registered users are representative of the entire set of users for that site."
5. The Eighth GVU User Survey (http://www.gvu.gatech.edu/user_surveys/survey-1997-10) maintains that 25% of users do not know what cookies are and "suggests that an education effort might be in order."
6. See "Persistent Client State HTTP Cookies, Preliminary Specifications" (1996) at http://home.netscape.com/newsref/std/cookie_spec.html
7. When Netscape Navigator 2.0 first appeared, its JavaScript and cookies capabilities caused concern when it was realized that JavaScript could retrieve a user's e-mail address and other sensitive information from the Netscape cache file. The combination of cookies with JavaScript technology had many users worried. (See, for example, James Staten's article "Netscape tricks raise security concerns" in MacWeek Gateways, 13 March 1996, at http://www8.zdnet.com/macweek/mw_1011/gw_net_tricks.html) Although this security hole was repaired, even Netscape Communicator was not immune to risks. A security hole in an early release of Communicator (4.0) allowed Web-site operators to see information typed in by a visitor and any data passed between cookie files and the Web site, as reported in Lynda Radosevich's article "Bugs rain down once more on Netscape Communicator" in Infoworld (4 August 1997): p. 57.
8. The text of RFC 2109 can be found at http://www.internic.net/rfc/rfc2109.txt Groups supporting this proposal include the Center for Media Education, the Electronic Frontier Foundation, and the Electronic Privacy Information Center.
9. The revision of RFC 2109 is available at http://portal.research.bell-labs.com/~dmk/cookie-2.68.txt This draft obsoletes its preceding iteration and is set to expire on January 30, 1998.
10. http://www.ftc.gov/bcp/privacy2/comments2/netsc067.htm These remarks, made by Peter F. Harter (Global Public Policy Counsel, Netscape Corp.), are contained in "Comments of Netscape concerning consumer on-line privacy P954807," 16 April 1997.
11. ZDNet provides a brief explanation of cookie managers with links to sites (http://www8.zdnet.com/pcmag/features/cookie/_open.htm). Typical cookie-management software includes Cookie Crusher (http://www.thelimitsoft.com/cookie.html), Cookie Master (http://www6.zdnet.com/cgi-bin/texis/swlib/hotfiles/info.html?fcode=000CKP), Cookie Monster (http://www.geocities.com/Paris/1778/monster.html), Cookie Pal (http://www.kburra.com/cpal.html), Crumbler 97 (http://www.scscorp.com/personal/scottmac/crumbler.htm), Luckman Interactive (http://www.luckman.com/anoncookie/index.html), PGPcookie.cutter (http://www.pgp.com/products/PGPcookie-info.cgi), and SoftDD (http://members.aol.com/softdd/cookie/index.htm).
12. See also the FTC site at http://www.ftc.gov/bcp/privacy2/index.html for transcripts available by download in WordPerfect 5.1 and as .pdf files. On June 4-5, 1996, the U. S. Federal Trade Commission's Bureau of Consumer Protection held a public workshop on Consumer Privacy on the Global Information Infrastructure (http://www.ftc.gov/bcp/privacy/privacy.htm). The workshop was part of the Bureau's Consumer Privacy Initiative - an effort to address consumer online privacy issues. Cookies were not then the issue that they were to become, yet they are mentioned briefly from time to time. During the session on June 5th, Peter Harter [see Note 10] stated that "cookies are a very simple technology, a temporary fix for technology that will have to be overhauled for the commercialization of the Internet. I really think we need to look beyond cookies and to the real solutions for privacy issues."
13. This option is not foolproof, however, as some companies have discovered a way to work around this barrier. Cookie Central (http://www.cookiecentral.com/dsc3.htm) reports that some companies are now using the same domain name for advertising as the site that is being visited. Netscape's option to refuse third-party cookies is thus rendered useless.
14. As quoted in Macavinta, Courtney and Wingfield, Nick in "Group opposes cookie changes," 22 April 1997 (http://www.news.com/News/Item/0,4,9962,00.html).
15. See http://www.anu.edu/people/Roger.Clarke/II/Cookies.html Roger Clarke describes several points of concern (such as the surreptitious feature of cookies) and some community reaction. The call is made for Web-site managers to communicate their use of cookies, to give the users choice in suppressing cookies, and to ask for user consent.
16. In MacWeek Gateways at http://www8.zdnet.com/macweek/mw_1011/gw_net_tricks.html
17. In iWORLD (22 April 1996), originally at http://www.iworld.com/plweb-cgi/idoc.pl?1110+unix+_free_user_+netday.iworld.com..80+Netd3/10/
18. See Goldstein at http://catless.ncl.ac.uk/Risks/18.19.html Minow is at http://catless.ncl.ac.uk/Risks/18.63.html The RISKS archives provide several more examples of these initial reactions to marketing and third-party cookies.
19. Mayer-Schönberger's article is available at www.wvjolt.wvu.edu/wvjolt/current/issue1/articles/mayer/mayer.htm This article examines the disparity between Europe and the U. S. in the area of privacy rights. European nations have accumulated many more data protection acts, and in 1995 the European Union adopted a Directive on the Protection of Personal Data. Mayer-Schönberger believes that this mandatory and binding Directive is violated by nearly all the functions of cookies that "make unwitting and automatic access to personal user data possible." In addition, the author maintains that the common practice of third-party cookies set for marketing purposes "would be illegal within the European Union data protection regime." Mayer-Schönberger concludes that cookie-enabling sites as well as browser producers risk legal liability when they exceed existing regulations. Mayer-Schönberger is also the author of "The Cookie Concept" posted on the Cookie Central Web site (http://www.cookiecentral.com/c_concept.htm).
20. See http://www.webdeveloper.com/julyaug96/webtalk.html Fleishman's intention is to show that cookies should not be considered as serious of a threat as many make them out to be. He explains briefly what they are and what they are used for. He supports cookies for their ability to help collect more specific information on user interests and save these users the trouble of having to re-enter details, but he does not discuss privacy issues.
21. See http://www.illuminatus.com/cookie.fcgi Andy Kington provides brief answers to basic cookie questions and attempts to present impartially the security concerns and problems of cookies. Kington is especially anxious to dispel the "hype and hysteria" that have turned so many people against cookies.
22. See http://pick-n-roll.tvisions.com:7000/cookies.html David Forrester explains for the layman what cookies can do and especially details the controversial role of personalized ads.
23. See http://www.geocities.com/SoHo/4535/cookie.html Brooks does not spend time explaining cookies but rather categorizes cookie-passing sites so that one can link to search engines that pass cookies as well as to sites that use cookies as shopping carts.
24. See http://www.emf.net/~mal/cookiesinfo.html Humes admits the possible "negative connotations" of cookies but concludes that the concern is overrated.
25. See http://www.cnet.com/Content/Voices/Barr/042996 In C|NET (29 April 1996), Barr sketches the benefits of cookies and downplays any potential problems. According to him, cookies pose no threat to security or privacy.
26. As quoted in Macavinta and Wingfield's article (previously cited in Note 14) "Group opposes cookie changes" at http://www.news.com/News/Item/0,4,9962,00.html
27. See http://www.focalink.com/home/fc/fc23.html Focalink attempts to demonstrate that "cookies, as they exist today, comprise a useful marketing tool that does not pose a significant threat to individual privacy." This page thus outlines the capabilities and limitations of cookies, their policies and practice, and finally Focalink's use of cookies in its SmartBanner cookies.
28. As quoted in Kristi Coale's article "DoubleClick Tries to Force Hand into Cookie Jar" at http://www.wired.com/news/technology/story/2615.html in Wired News (17 March 1997). DoubleClick uses cookies to track users between sites and set up unique ads based on the data collected. If this ability is disallowed, DoubleClick would have to scramble for other methods in order to provide their services.
29. See http://www.ljextra.com/securitynet/articles/0623cookies.html This article appeared in the National Law Journal (23 June 1997); Leibowitz compares the June 1997 privacy hearings of the FTC to the activities of the House un-American Activities Committee hearings in the United States during the 1950s.
30. See http://www.zdnet.com/wsources/content/1197/s_tb.html Bonner ends with a section entitled "The Great Cookie Caper" where he reminds us that cookies don't harm our privacy, Web-site managers harm our privacy with the way that they use cookies (making the analogy with the old argument "guns don't kill people, people do"). In an even more recent article (18 November 1997) "Adding cookies to your site" (http://www.cnet.com/Content/Builder/Programming/Cookies/index.html), Bonner again attacks opponents of cookies: "So what's the big deal? After all, a client-side cookie is just a calling card, like a 'made especially for John Jacob Hammerschmidt' label sewn into the lining of a customer's jacket. A cookie is no more threatening than a bartender who calls out a customer's name as they walk through the door." Bonner does admit, however, that a "clear policy statement can make it clear that in the hands of honest operators, cookies are anything but ominous."
On the same page of Bonner's article "The Great Cookie Caper" was a ZD-Net survey entitled: Do you think cookies are an invasion of your privacy? The visitor is invited to vote for one of three items: (1) Yes, I don't want anyone knowing anything about me. (2) No, I don't mind someone tracking small bits of information to improve my surfing experience. (3) I like chocolate macadamia nut cookies, and I'm hungry. In spite of the distracting third choice that had received 49 votes (17%) and the very reassuring (perhaps leading) second choice that had 93 votes (34%), 145 visitors (50%) voted "yes."
31. See http://www.cookiecentral.com This site is often given as the first source for any cookie information, especially as it is periodically updated as the situation merits. Although this site is not tolerant of cookie abuses, it also tries to dispel the notion that cookies are inherently evil.
32. See http://www.13x.com/cgi-bin/cdt/snoop.pl
33. See, for example, Kevin McAleavey's article "Learn More about It Here" at http://www.wizvax.net/kevinmca/learn.html
34. Joshua Quittner, 1997. "Invasion of Privacy," Time (25 August), pp. 28-35. This article briefly exposes both sides of the controversy (p. 34).
35. See http://www.iitf.nist.gov/ipc/privacy.htm
36. See http://www.ftc.gov.WWW/bcp/privacy2/comments2/netscape.htm See also Note 10.
37. See http://www.anu.edu/people/Roger.Clarke/II/Cookies.html, previously cited in Note 15.
38. For example, http://www.missuniverse.com was listed as the 100th site and has naturally fallen further down the scale. Others, such as http://www.chess.ibm.com (the site of the Kasparov vs. Deep Blue chess match), then listed as 11th, enjoyed such popularity because of its relationship with current events. The EPIC survey failed to access four sites (http://www.macromedia.com, http://www.gamepen.com, http://www.mtv.com, and http://www.cybercity.hko.net), so the total number of EPIC-surveyed sites was actually 96. Because one site at the time of the December survey (http://www.nasa.com) was no longer available, the data of 95 sites are represented in the present study.
39. As mentioned previously in Note 5, the Eighth GVU User Survey (http://www.gvu.gatech.edu/user_surveys/survey-1997-10) maintains that 25% of users are unaware of cookies. A year earlier, the Sixth Survey (http://www.gvu.gatech.edu/user_surveys/survey-10-1996/) found that only 19.09% of users thought that it was possible to have an identifier for unique users at a site. The survey team thus predicted: "There is already evidence of controversy surrounding the use and lack of control over cookies by technically savvy portions of the user community and the advertising community that desires fine grain measurement of usage. Wonder how it will all pan out!"
40. See the author's annotated links to diverse Web pages that touch upon the topic of cookies, available at http://php.iupui.edu/~whelling/cookies.html These numerous links are yet another indication of the interest - both pro and con - that cookies have aroused among a privacy-conscious public.
Appendix A: Privacy Policies

| Rank | Site | URL | Privacy Policy June 1997 | Privacy Policy December 1997 | Comments |
|---|---|---|---|---|---|
| 1 | Geocities | www.geocities.com | No | No | |
| 2 | Yahoo | www.yahoo.com | Yes | Yes | |
| 3 | Starwave Corporation | www.starwave.com | No | No | |
| 4 | Excite | www.excite.com | No | No | |
| 5 | Pathfinder | www.pathfinder.com | Yes | Yes | Link located on home page; it describes cookies |
| 6 | Alta Vista | www.altavista.digital.com | No | No | Link located on home page; it describes cookies and its 3rd-party cookies |
| 7 | America Online Member Home Pages | home.aol.com | No | No | |
| 8 | C/Net | www.cnet.com | No | No | |
| 9 | New York Times | www.nytimes.com | No | Yes | Link located on home page |
| 10 | Ziff-Davis | www3.zdnet.com | No | No | |
| 11 | Kasparov v. Deep Blue | www.chess.ibm.com | No | No | |
| 12 | USA Today | www.usatoday.com | No | No | |
| 13 | MacroMedia | www.macromedia.com | | | No access by EPIC |
| 14 | Progressive Networks | www.real.com | No | No | |
| 15 | Hotwired and HotBot | www.hotwired.com, www.hotbot.com | Yes | Yes | |
| 16 | Sun Microsystems | www.sun.com | No | No | |
| 17 | Sony | www.sony.com | No | No | |
| 18 | Lycos | www.lycos.com | No | No | |
| 19 | Disney Entertainment | www.disney.com | Yes | Yes | Link located on home page |
| 20 | Happy Puppy | www.happypuppy.com | No | No | |
| 21 | CBS Sportsline | www.sportsline.com | No | No | |
| 22 | MTV Online | www.mtv.com | | | No access by EPIC |
| 23 | Windows 95.com | www.windows95.com | No | Yes | Link located on home page |
| 24 | CompuServe | world.compuserve.com | No | Yes | |
| 25 | Kabalarians Philosophy | www.kabalarians.com | No | No | |
| 26 | Net@ddress | netaddress.usa.net | No | No | Link located under subscriber agreement |
| 27 | Adbot | www.adbot.com | No | No | |
| 28 | Hewlett-Packard | www.hp.com | No | No | |
| 29 | IBM | www.ibm.com | No | Yes | |
| 30 | Imagine | www.imagine.com | No | No | |
| 31 | Intel | www.intel.com | No | No | |
| 32 | Day Traders Online | www.daytraders.com | No | No | |
| 33 | Internet Movie Database | www.imdb.com | No | Yes | Policy hard to find; mentions cookies with no explanation |
| 34 | Apple Computer | www.apple.com | No | No | |
| 35 | Amazon.com | www.amazon.com | Yes | Yes | Policy hard to find |
| 36 | Opening Screen | www.nasa.com | | | defunct |
| 37 | LinkExchange | www.linkexchange.com | No | No | |
| 38 | United Media | www.unitedmedia.com | Yes | Yes | Policy located in "About our site" - policy explains DoubleClick and cookies |
| 39 | Alta Vista Technology | www.altavista.com | No | No | |
| 40 | Intellicast | www.intellicast.com | No | No | |
| 41 | MSNBC | www.msnbc.com | No | No | |
| 42 | Jumbo | www.jumbo.com | No | No | |
| 43 | Walnut Creek CDROM | www.cdrom.com | No | No | |
| 44 | Adobe Systems Incorporated | www.adobe.com | No | No | |
| 45 | Virtual Hospital Home Page | www.vh.org | No | No | |
| 46 | Infoseek Search Engine | infoseek.com | Yes | Yes | |
| 47 | Panasonic | www.panasonic.com | No | No | |
| 48 | McAfeeMall | www.mcafee.com | No | No | |
| 49 | NBC | www.nbc.com | No | Yes | Policy on the registration page |
| 50 | W3C (The World Wide Web Consortium) | www.w3.org | No | Yes | Policy under "About W3C" |
| 51 | WhoWhere? | www.whowhere.com | Yes | Yes | |
| 52 | U. S. Robotics | www.usr.com | No | No | |
| 53 | Prodigy Internet: Main Page | www.prodigy.com | No | No | |
| 54 | Hollywood Online | www.hollywood.com | No | Yes | |
| 55 | RocketMail | www.rocketmail.com | Yes | Yes | Policy under "Terms of service" |
| 56 | Official Star Wars Web Site | www.starwars.com | No | No | |
| 57 | Welcome to AMD | www.amd.com | No | No | |
| 58 | WebCom | www.webcom.com | No | No | |
| 59 | SiliconSurf, Reality, SiliconStudios and VRML | www.surfsgi.com | | | |
| 60 | WebChat Broadcasting System | www.wbs.net | Yes | Yes | |
| 61 | Stat Trax Professional Main Page | www.stattrax.com | No | No | |
| 62 | Welcome to Westwood Studios | www.westwood.com | | | |
| 63 | Gamespot | www.gamespot.com | No | Yes | |
| 64 | Welcome-Zeus Server | adex3.flycast.com | No | No | |
| 65 | DejaNews | www.dejanews.com | Yes | Yes | |
| 66 | Welcome to GlobalCenter | www.primenet.com | No | No | |
| 67 | Symantec Corporation | www.symantec.com | No | No | |
| 68 | Welcome to the Creative Zone | www.creaf.com | No | No | |
| 69 | CricInfo, Cricket Home Page | www.cricket.org | Yes | Yes | |
| 70 | 100hot | www.100hot.com | No | No | |
| 71 | Gamelan | www.gamelan.com | No | No | |
| 72 | MindSpring Enterprises Inc. | www.mindspring.com | Yes | Yes | |
| 73 | Nando Times | www.nando.net | No | No | |
| 74 | Electronic Arts | www.ea.com | Yes | Yes | |
| 75 | Weather Channel | www.weather.com | No | No | |
| 76 | AudioNet | www.audionet.com | No | No | |
| 77 | Global Partners | www.onewebstreet.com | No | No | |
| 78 | Riddler's Games | www.riddler.com | No | Yes | Policy on the registration page |
| 79 | Matrox Group | www.matrox.com | No | No | |
| 80 | Cybercity Hong Kong | www.cybercity.hko.net | | | |
| 81 | The Lost World Site | www.lost-world.com | No | No | |
| 82 | Internet Count Registration | Icount.com | Yes | No | |
| 83 | Washington Post | www.washingtonpost.com | No | No | |
| 84 | HoTMaiL | www.hotmail.com | Yes | Yes | |
| 85 | Webpage Home Page | www.webpage.com | No | No | |
| 86 | LucasArts Entertainment Company | www.lucasarts.com | No | No | |
| 87 | National Geographic Online | www.nationalgeographic.com | Yes | No | |
| 88 | Stomped | www.stomped.com | No | No | |
| 89 | TechWeb | www.techweb.com | Yes | No | |
| 90 | Novell | www.novell.com | No | No | |
| 91 | The STACK World Wide Web server | www.stack.nl | No | No | |
| 92 | National Hockey League Official Web Site | www.nhl.com | No | No | |
| 93 | Borland Online | www.borland.com | No | No | |
| 94 | HealthGate home page | www.healthgate.com | No | Yes | Policy under "Terms of agreement" |
| 95 | TV Guide | www.tvguide.com | No | No | |
| 96 | Macmillan Publishing USA | www.mcp.com | No | Yes | |
| 97 | Motorola | www.mot.com | No | No | |
| 98 | Korealink | www.korealink.com | Yes | Yes | |
| 99 | GamePen | www.gamepen.com | | | no access by EPIC |
| 100 | Miss Universe | www.missuniverse.com | No | No | |
Appendix B: Collection of Personally Identifiable Information (PII)

| Rank | Site | URL | Collect PII? June 1997 | Collect PII? December 1997 | Comments |
|---|---|---|---|---|---|
| 1 | Geocities | www.geocities.com | Yes | Yes | |
| 2 | Yahoo | www.yahoo.com | Yes | Yes | |
| 3 | Starwave Corporation | www.starwave.com | No | No | |
| 4 | Excite | www.excite.com | Yes | Yes | |
| 5 | Pathfinder | www.pathfinder.com | Yes | Yes | |
| 6 | Alta Vista | www.altavista.digital.com | No | Yes | |
| 7 | America Online Member Home Pages | home.aol.com | No | No | |
| 8 | C/Net | www.cnet.com | Yes | Yes | Registration form for members |
| 9 | New York Times | www.nytimes.com | Yes | Yes | |
| 10 | Ziff-Davis | www3.zdnet.com | No | No | Registration form for members |
| 11 | Kasparov v. Deep Blue | www.chess.ibm.com | No | No | |
| 12 | USA Today | www.usatoday.com | Yes | Yes | |
| 13 | MacroMedia | www.macromedia.com | | | No access by EPIC |
| 14 | Progressive Networks | www.real.com | Yes | Yes | |
| 15 | Hotwired and HotBot | www.hotwired.com, www.hotbot.com | Yes | Yes | |
| 16 | Sun Microsystems | www.sun.com | No | No | |
| 17 | Sony | www.sony.com | No | No | |
| 18 | Lycos | www.lycos.com | Yes | Yes | |
| 19 | Disney Entertainment | www.disney.com | Yes | Yes | |
| 20 | Happy Puppy | www.happypuppy.com | Yes | Yes | |
| 21 | CBS Sportsline | www.sportsline.com | Yes | Yes | |
| 22 | MTV Online | www.mtv.com | | | No access by EPIC |
| 23 | Windows 95.com | www.windows95.com | No | No | |
| 24 | CompuServe | world.compuserve.com | No | No | |
| 25 | Kabalarians Philosophy | www.kabalarians.com | No | No | |
| 26 | Net@ddress | netaddress.usa.net | Yes | Yes | |
| 27 | Adbot | www.adbot.com | No | No | |
| 28 | Hewlett-Packard | www.hp.com | No | No | |
| 29 | IBM | www.ibm.com | No | No | |
| 30 | Imagine | www.imagine.com | Yes | No | |
| 31 | Intel | www.intel.com | Yes | Yes | |
| 32 | Day Traders Online | www.daytraders.com | Yes | Yes | |
| 33 | Internet Movie Database | www.imdb.com | No | Yes | |
| 34 | Apple Computer | www.apple.com | Yes | Yes | |
| 35 | Amazon.com | www.amazon.com | Yes | Yes | |
| 36 | Opening Screen | www.nasa.com | | | defunct |
| 37 | LinkExchange | www.linkexchange.com | Yes | Yes | |
| 38 | United Media | www.unitedmedia.com | Yes | Yes | |
| 39 | Alta Vista Technology | www.altavista.com | Yes | Yes | |
| 40 | Intellicast | www.intellicast.com | Yes | Yes | |
| 41 | MSNBC | www.msnbc.com | No | No | |
| 42 | Jumbo | www.jumbo.com | No | No | |
| 43 | Walnut Creek CDROM | www.cdrom.com | Yes | Yes | Register to get catalog or register a product |
| 44 | Adobe Systems Incorporated | www.adobe.com | No | No | |
| 45 | Virtual Hospital Home Page | www.vh.org | No | Yes | Register to make a comment |
| 46 | Infoseek Search Engine | infoseek.com | Yes | Yes | |
| 47 | Panasonic | www.panasonic.com | No | No | |
| 48 | McAfeeMall | www.mcafee.com | Yes | Yes | |
| 49 | NBC | www.nbc.com | No | Yes | |
| 50 | W3C (The World Wide Web Consortium) | www.w3.org | No | No | |
| 51 | WhoWhere? | www.whowhere.com | Yes | Yes | |
| 52 | U. S. Robotics | www.usr.com | No | No | |
| 53 | Prodigy Internet: Main Page | www.prodigy.com | No | No | |
| 54 | Hollywood Online | www.hollywood.com | No | No | Register to get catalog |
| 55 | RocketMail | www.rocketmail.com | Yes | Yes | |
| 56 | Official Star Wars Web Site | www.starwars.com | No | No | |
| 57 | Welcome to AMD | www.amd.com | Yes | Yes | |
| 58 | WebCom | www.webcom.com | Yes | Yes | |
| 59 | SiliconSurf, Reality, SiliconStudios and VRML | www.surfsgi.com | | | |
| 60 | WebChat Broadcasting System | www.wbs.net | Yes | Yes | |
| 61 | Stat Trax Professional Main Page | www.stattrax.com | Yes | Yes | |
| 62 | Welcome to Westwood Studios | www.westwood.com | | | |
| 63 | Gamespot | www.gamespot.com | No | No | Registration for members |
| 64 | Welcome-Zeus Server | adex3.flycast.com | No | No | |
| 65 | DejaNews | www.dejanews.com | Yes | Yes | |
| 66 | Welcome to GlobalCenter | www.primenet.com | No | No | |
| 67 | Symantec Corporation | www.symantec.com | Yes | Yes | |
| 68 | Welcome to the Creative Zone | www.creaf.com | Yes | Yes | |
| 69 | CricInfo, Cricket Home Page | www.cricket.org | Yes | Yes | |
| 70 | 100hot | www.100hot.com | No | No | |
| 71 | Gamelan | www.gamelan.com | No | No | |
| 72 | MindSpring Enterprises Inc. | www.mindspring.com | Yes | Yes | |
| 73 | Nando Times | www.nando.net | No | No | |
| 74 | Electronic Arts | www.ea.com | Yes | Yes | |
| 75 | Weather Channel | www.weather.com | Yes | Yes | |
| 76 | AudioNet | www.audionet.com | Yes | Yes | Keeps a guestbook |
| 77 | Global Partners | www.onewebstreet.com | No | No | |
| 78 | Riddler's Games | www.riddler.com | Yes | Yes | Will sell PII |
| 79 | Matrox Group | www.matrox.com | No | Yes | |
| 80 | Cybercity Hong Kong | www.cybercity.hko.net | | | |
| 81 | The Lost World Site | www.lost-world.com | No | No | |
| 82 | Internet Count Registration | Icount.com | Yes | Yes | |
| 83 | Washington Post | www.washingtonpost.com | No | No | Has a "Keep me posted" form |
| 84 | HoTMaiL | www.hotmail.com | Yes | Yes | |
| 85 | Webpage Home Page | www.webpage.com | Yes | Yes | |
| 86 | LucasArts Entertainment Company | www.lucasarts.com | No | No | |
| 87 | National Geographic Online | www.nationalgeographic.com | Yes | Yes | May have improved its form to make it less intrusive |
| 88 | Stomped | www.stomped.com | No | No | |
| 89 | TechWeb | www.techweb.com | Yes | Yes | |
| 90 | Novell | www.novell.com | No | No | |
| 91 | The STACK World Wide Web server | www.stack.nl | No | No | |
| 92 | National Hockey League Official Web Site | www.nhl.com | No | Yes | Registration for shopping or letters to the editor |
| 93 | Borland Online | www.borland.com | No | No | |
| 94 | HealthGate home page | www.healthgate.com | Yes | Yes | |
| 95 | TV Guide | www.tvguide.com | No | No | |
| 96 | Macmillan Publishing USA | www.mcp.com | Yes | Yes | |
| 97 | Motorola | www.mot.com | No | Yes | Registration for comments |
| 98 | Korealink | www.korealink.com | Yes | Yes | |
| 99 | GamePen | www.gamepen.com | | | no access by EPIC |
| 100 | Miss Universe | www.missuniverse.com | No | No | |
Appendix C: Use of Persistent Cookies

| Rank | Site | URL | Cookies June 1997 | Cookies December 1997 | Comments |
|---|---|---|---|---|---|
| 1 | Geocities | www.geocities.com | No | No | |
| 2 | Yahoo | www.yahoo.com | No | No | |
| 3 | Starwave Corporation | www.starwave.com | No | Yes | On home page |
| 4 | Excite | www.excite.com | No | No | |
| 5 | Pathfinder | www.pathfinder.com | Yes | Yes | On home page |
| 6 | Alta Vista | www.altavista.digital.com | No | No | |
| 7 | America Online Member Home Pages | home.aol.com | No | No | |
| 8 | C/Net | www.cnet.com | No | Yes | |
| 9 | New York Times | www.nytimes.com | Yes | Yes | On home page |
| 10 | Ziff-Davis | www3.zdnet.com | No | No | |
| 11 | Kasparov v. Deep Blue | www.chess.ibm.com | No | No | |
| 12 | USA Today | www.usatoday.com | Yes | No | |
| 13 | MacroMedia | www.macromedia.com | Yes | Yes | No PII or privacy policy data collected by EPIC |
| 14 | Progressive Networks | www.real.com | No | No | |
| 15 | Hotwired and HotBot | www.hotwired.com, www.hotbot.com | Yes | Yes | On home page |
| 16 | Sun Microsystems | www.sun.com | No | No | |
| 17 | Sony | www.sony.com | No | No | |
| 18 | Lycos | www.lycos.com | No | No | |
| 19 | Disney Entertainment | www.disney.com | Yes | Yes | On home page |
| 20 | Happy Puppy | www.happypuppy.com | Yes | Yes | |
| 21 | CBS Sportsline | www.sportsline.com | Yes | No | |
| 22 | MTV Online | www.mtv.com | | | No access by EPIC |
| 23 | Windows 95.com | www.windows95.com | No | No | |
| 24 | CompuServe | world.compuserve.com | Yes | Yes | |
| 25 | Kabalarians Philosophy | www.kabalarians.com | No | No | |
| 26 | Net@ddress | netaddress.usa.net | Yes | No | |
| 27 | Adbot | www.adbot.com | No | No | |
| 28 | Hewlett-Packard | www.hp.com | No | No | |
| 29 | IBM | www.ibm.com | No | No | |
| 30 | Imagine | www.imagine.com | No | No | |
| 31 | Intel | www.intel.com | No | No | |
| 32 | Day Traders Online | www.daytraders.com | No | No | |
| 33 | Internet Movie Database | www.imdb.com | No | Yes | Warns browser must accept cookies after registration complete |
| 34 | Apple Computer | www.apple.com | No | No | |
| 35 | Amazon.com | www.amazon.com | Yes | Yes | |
| 36 | Opening Screen | www.nasa.com | Yes | | defunct |
| 37 | LinkExchange | www.linkexchange.com | Yes | Yes | |
| 38 | United Media | www.unitedmedia.com | No | Yes | On home page. 3rd-party |
| 39 | Alta Vista Technology | www.altavista.com | No | No | |
| 40 | Intellicast | www.intellicast.com | No | No | |
| 41 | MSNBC | www.msnbc.com | Yes | Yes | |
| 42 | Jumbo | www.jumbo.com | No | Yes | On home page. 3rd-party and site-specific cookie |
| 43 | Walnut Creek CDROM | www.cdrom.com | No | No | |
| 44 | Adobe Systems Incorporated | www.adobe.com | No | Yes | On home page |
| 45 | Virtual Hospital Home Page | www.vh.org | No | No | |
| 46 | Infoseek Search Engine | infoseek.com | No | Yes | On home page |
| 47 | Panasonic | www.panasonic.com | No | No | |
| 48 | McAfeeMall | www.mcafee.com | No | No | |
| 49 | NBC | www.nbc.com | Yes | Yes | On home page. 3rd-party |
| 50 | W3C (The World Wide Web Consortium) | www.w3.org | No | No | |
| 51 | WhoWhere? | www.whowhere.com | Yes | Yes | |
| 52 | U. S. Robotics | www.usr.com | No | No | |
| 53 | Prodigy Internet: Main Page | www.prodigy.com | No | No | |
| 54 | Hollywood Online | www.hollywood.com | Yes | No | |
| 55 | RocketMail | www.rocketmail.com | No | No | |
| 56 | Official Star Wars Web Site | www.starwars.com | No | No | |
| 57 | Welcome to AMD | www.amd.com | No | No | |
| 58 | WebCom | www.webcom.com | No | No | |
| 59 | SiliconSurf, Reality, SiliconStudios and VRML | www.surfsgi.com | | | |
| 60 | WebChat Broadcasting System | www.wbs.net | No | No | |
| 61 | Stat Trax Professional Main Page | www.stattrax.com | No | No | |
| 62 | Welcome to Westwood Studios | www.westwood.com | | | |
| 63 | Gamespot | www.gamespot.com | No | No | |
| 64 | Welcome-Zeus Server | adex3.flycast.com | No | Yes | On home page |
| 65 | DejaNews | www.dejanews.com | Yes | Yes | |
| 66 | Welcome to GlobalCenter | www.primenet.com | No | No | |
| 67 | Symantec Corporation | www.symantec.com | No | No | |
| 68 | Welcome to the Creative Zone | www.creaf.com | No | No | |
| 69 | CricInfo, Cricket Home Page | www.cricket.org | No | No | |
| 70 | 100hot | www.100hot.com | No | No | |
| 71 | Gamelan | www.gamelan.com | No | Yes | On home page |
| 72 | MindSpring Enterprises Inc. | www.mindspring.com | No | Yes | On home page. 3rd-party (2) |
| 73 | Nando Times | www.nando.net | No | Yes | On "about" page. 3rd-party |
| 74 | Electronic Arts | www.ea.com | No | No | |
| 75 | Weather Channel | www.weather.com | No | Yes | Explains cookie will be set; no PII collected |
| 76 | AudioNet | www.audionet.com | Yes | Yes | On home page. (3) |
| 77 | Global Partners | www.onewebstreet.com | No | No | |
| 78 | Riddler's Games | www.riddler.com | No | No | |
| 79 | Matrox Group | www.matrox.com | No | No | |
| 80 | Cybercity Hong Kong | www.cybercity.hko.net | | | |
| 81 | The Lost World Site | www.lost-world.com | No | No | |
| 82 | Internet Count Registration | Icount.com | No | No | |
| 83 | Washington Post | www.washingtonpost.com | Yes | Yes | |
| 84 | HoTMaiL | www.hotmail.com | No | No | |
| 85 | Webpage Home Page | www.webpage.com | No | No | |
| 86 | LucasArts Entertainment Company | www.lucasarts.com | No | No | |
| 87 | National Geographic Online | www.nationalgeographic.com | Yes | Yes | 3rd-party |
| 88 | Stomped | www.stomped.com | No | No | |
| 89 | TechWeb | www.techweb.com | Yes | Yes | |
| 90 | Novell | www.novell.com | No | No | |
| 91 | The STACK World Wide Web server | www.stack.nl | No | No | |
| 92 | National Hockey League Official Web Site | www.nhl.com | No | No | |
| 93 | Borland Online | www.borland.com | No | Yes | On home page. 3rd-party. EPIC survey incomplete |
| 94 | HealthGate home page | www.healthgate.com | No | No | |
| 95 | TV Guide | www.tvguide.com | No | No | |
| 96 | Macmillan Publishing USA | www.mcp.com | Yes | No | |
| 97 | Motorola | www.mot.com | No | No | |
| 98 | Korealink | www.korealink.com | Yes | Yes | On home page. 3rd-party |
| 99 | GamePen | www.gamepen.com | | | no access by EPIC |
| 100 | Miss Universe | www.missuniverse.com | No | No | |
Copyright © 1998, First Monday