November 22, 2024

Archives for 2009

If You're Going to Track Me, Please Use Cookies

Web cookies have a bad name. People often complain — with good reason — about sites using cookies to track them. Today I want to say a few words in favor of tracking cookies.

[Technical background: An HTTP “cookie” is a small string of text. When your web browser gets a file from a site, the site can send along a cookie. Your browser stores the cookie. Later, if the browser gets another file from the same site, the browser will send along the cookie.]

What’s important about cookies, for our purposes, is that they allow a site to tell when it’s seeing the same browser (and therefore, probably, the same user) that it saw before. This has benign uses — it’s needed to implement the shopping cart feature of e-commerce sites (so the site knows which cart is yours) and to remember that you have logged in to a site so you don’t have to log in over and over.

The dark side of cookies involves “hidden” sites that track your activities across the web. Suppose you go to A.com, and A.com’s site includes a banner ad that is provided by the advertising service AdService.com. Later, you go to B.com, and B.com also includes a banner ad provided by AdService.com. When you’re reading A.com and your browser goes to AdService.com to get an ad, AdService.com gives you a cookie. Later, when you’re reading B.com and your browser goes back to AdService.com to get an ad, AdService.com will see the cookie it gave you earlier. This will allow AdService.com to link together your visits to A.com and B.com. Ad services that place ads on lots of sites can link together your activities across all of those sites, by using a “tracking cookie” in this way.

The obvious response is to limit or regulate the use of tracking cookies — the government could limit them, industry could self-regulate, or users could shun sites that associate themselves with tracking cookies.

But this approach could easily backfire. It turns out that there are lots of ways for a site to track users, by recognizing something distinctive about the user’s computer or by placing a unique marker on the computer and recognizing it later. These other tracking mechanisms are hard to detect — new tracking methods are discovered regularly — and unlike cookies they can be hard for users to manage. The tools for viewing, blocking, and removing cookies are far from perfect, but at least they exist. Other tracking measures leave users nearly defenseless.
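The linking described above, and the reason clearing cookies gives the user a control that other tracking methods do not, shown as an added example that is not part of the original post. It is a constructed, offline simulation; the `Browser` and `AdService` classes, the `traits` string and C.com are assumptions made for illustration.

```javascript
// Constructed simulation, no network access. All names are hypothetical.
class Browser {
  constructor(traits) {
    this.traits = traits;   // what the machine exposes on every request (constructed)
    this.jar = new Map();   // cookie jar: host -> cookie value
  }
  // Load a page that embeds a banner from adService. The ad request carries
  // the cookie that host set earlier (if any) and the embedding page.
  visit(page, adService) {
    const req = { cookie: this.jar.get(adService.host), referer: page, traits: this.traits };
    const res = adService.serveAd(req);
    if (res.setCookie) this.jar.set(adService.host, res.setCookie);
  }
  clearCookies() { this.jar.clear(); }   // the user-side control the post refers to
}

class AdService {
  constructor(host, mode) {
    this.host = host;
    this.mode = mode;            // "cookie" or "fingerprint"
    this.nextId = 1;
    this.profiles = new Map();   // visitor id -> pages on which the ad was shown
  }
  serveAd(req) {
    let id, setCookie;
    if (this.mode === "cookie") {
      id = req.cookie;           // returning browser: the cookie identifies it
      if (!id) { id = "uid-" + this.nextId++; setCookie = id; }
    } else {
      id = "fp:" + req.traits;   // recognises the machine; nothing stored client-side
    }
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(req.referer);
    return { setCookie };
  }
}

// Visit A.com and B.com, clear cookies, visit C.com; return the profiles built.
function scenario(mode) {
  const ads = new AdService("AdService.com", mode);
  const browser = new Browser("constructed-trait-string");
  browser.visit("A.com", ads);
  browser.visit("B.com", ads);
  browser.clearCookies();
  browser.visit("C.com", ads);
  return [...ads.profiles.values()];
}

console.log(scenario("cookie"), scenario("fingerprint"));
```

In cookie mode the C.com visit lands in a fresh profile once the jar is cleared; in the other mode the same user action changes nothing.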

My attitude, as a user, is that if a site is going to track me, I want them to do it openly, using cookies. Cookies offer me less transparency and control than I would like, but the alternatives are worse.

If I were writing a self-regulation code for the industry, I would have the code require that cookies be the only means used to track users across sites.

Thoughtcrime Experiments

Cosmic rays can flip bits in memory cells or processor datapaths. Once upon a time, Sudhakar and I asked the question, “can an attacker exploit rare and random bit-flips to bypass a programming language’s type protections and thereby break out of the Java sandbox?”


A recently published science-fiction anthology, Thoughtcrime Experiments, contains a story, “Single-Bit Error,” inspired by our research paper. What if you could use cosmic-ray bit flips in neurons to bypass the “type protections” of human rationality?

In addition to 9 stories and 6 original illustrations, the anthology is interesting for another reason. It’s an experiment in do-it-yourself paying-the-artists high-editorial-standards open-source Creative-Commons print-on-demand publishing. Theorists like Yochai Benkler and others have explained that production costs attributable to communications and coordination have been reduced down into the noise by the Internet, and that this enables “peer production” that was not possible back in the 19th and 20th centuries. Now the Appendix to Thoughtcrime Experiments explains how to edit and produce your own anthology, complete with a sample publication contract.

It’s not all honey and roses, of course. The authors got paid, but the editors didn’t! The Appendix presents data on how many hours they spent “for free”. In addition, if you look closely, you’ll see that the way the authors got paid is that the editors spent their own money.

Still, part of the new theory of open-source peer-production asks questions like, “What motivates people to produce technical or artistic works? What mechanisms do they use to organize this work? What is the quality of the work produced, and how does it contribute to society? What are the legal frameworks that will encourage such work?” This anthology and its appendix provide an interesting datapoint for the theorists.

Assorted targeted spam

You can run, but you can’t hide. Here are a few of the latest things I’ve seen, in no particular order.

  • On a PHPBB-style chat board which I sometimes frequent, there was a thread about do-it-yourself television repair, dormant for over a year. Recently, there was a seemingly robotic post, from a brand new user, that was still on-topic, giving general diagnosis advice and offering to sell parts for TV repair. The spam was actually somewhat germane to the main thread of the discussion. Is it still spam?
  • In my email, I recently got a press release for a local fried chicken franchise celebrating their 40th anniversary. My blogging output generally doesn’t extend to writing restaurant reviews (tempting as that might be), although I do sometimes link to foodie things from Google Reader which will also show up in my public FriendFeed. Spam or not spam?

CITP Announces 2009-10 Visitors

Today, I’m pleased to announce CITP’s visitors for the upcoming academic year.

Deven R. Desai, Visiting Fellow: Deven is an Associate Professor of Law at the Thomas Jefferson School of Law, and a permanent blogger at Concurring Opinions. Professor Desai’s scholarship centers on intellectual property, information theory, and Internet-related law. He plans to work on a major project exploring the ways trademark law can foster, or limit, online innovation.

James Katz, Visiting Fellow. Jim is Professor, Chair of the Department of Communication, and Director of the Center for Mobile Communication Studies at Rutgers, where he holds the University’s highest professorial rank. He has devoted much of his career to exploring the social consequences of new communication technology, especially the mobile phone and Internet. Currently he is looking at how personal communication technologies can be used by teens from urban environments to engage in informal science and health learning. This research is being carried out through an NSF-sponsored project with New Jersey’s Liberty Science Center.

Rebecca MacKinnon, Visiting Fellow (spring term): Rebecca is an Assistant Professor at the University of Hong Kong’s Journalism and Media Studies Centre. She is currently on leave, as an Open Society Fellow, to work on a book tentatively titled “Internet Freedom and Control: Lessons from China for the World.” She will spend the spring 2010 semester at CITP, continuing to work on the book. Rebecca is a cofounder of Global Voices, a founding member of the Global Network Initiative, and a former television journalist, having served as CNN’s bureau chief in Beijing and, later, Tokyo.

Jens Grossklags, Postdoctoral Research Associate: Jens, a new PhD from the UC Berkeley School of Information, studies information economics and technology policy. He focuses on the intersection of privacy, security, and network systems. His approach is highly interdisciplinary, combining economics, computer science, and public policy. Currently, he is investigating the ways institutions and end users make decisions about complex computer security risks under conditions of uncertainty and limited information.

Joseph Lorenzo Hall, Visiting Postdoctoral Research Associate: Joe, whose work is supported by the NSF ACCURATE Center, also earned his PhD from the UC Berkeley School of Information. His dissertation examined public policy mechanisms for making computerized voting systems more transparent. He continues to work along the same lines, drawing lessons from voting machines, gaming machines and other technologies on how to best protect users from error and malicious activity.

In addition to these full time appointments, the Center will also welcome two Visiting Research Collaborators on an occasional basis: Alex Halderman, an Assistant Professor of Computer Science at the University of Michigan (and recently in the news for his research group’s analysis of China’s Green Dam software), and David Lukens, an attorney who has been collaborating on the Center’s transparency work.

Did the Sanford E-Mail Tipster or the Newspaper Break the Law?

Part of me doesn’t want to comment on the Mark Sanford news, because it’s all so tawdry and inconsistent with the respectable, family-friendly tone of Freedom to Tinker. But since everybody from the Gray Lady on down is plastering the web with stories, and because all of this reporting is leaving unanalyzed some Internet law questions, let me offer this:

On Wednesday, after Sanford’s confessional press conference, The State, the largest newspaper in South Carolina, posted email messages appearing to be love letters between the Governor and his mistress. (The paper obscured the name of the mistress, calling her only “Maria.”) The paper explained in a related news story that they had received these messages from an anonymous tipster back in December, but until yesterday’s unexpected corroboration of their likely authenticity, they had just sat on them.

Did the anonymous tipster break the law by obtaining or disclosing the email messages? Did the paper break the law by publishing them? After the jump, I’ll offer my take on these questions.