Cyber Law and the Use of Cookies - Essay Example

CYBERLAW & THE USE OF COOKIES Introduction The increasing use of the Internet in today’s world gives rise to severe privacy issues. Privacy is one ofthe most complex legal issues facing e-commerce industry today. Whenever a user uses Internet to communicate any kind of information, the user gives away some form of personal information to the website the user is browsing knowingly or unknowingly. Every e-mail message contains information about the sender and the recipient. Virtually every electronic transaction will involve the transfer of personal data such as User id, passwords, credit card numbers, telephone numbers, physical addresses and e-mail addresses (Buys, N.D.). Many of the e-commerce sites directly ask users for personal information such as name, date of birth, e-mail address, credit card details etc, through forms which the users need to fill up online. However, in addition to such information, many sites also record data about their users browsing habits. This data can be matched with personal and demographic information to create a profile of user preferences. This information collected by theses sites might be used to target advertising or offer customized services. Or, sites might engage in web lining, where different users are offered different prices based on their profiles (Lin, N.D). Unauthorized access to personal information on the Internet remains relatively easy in the absence of encryption technology. Encryption is the process of obscuring data to make it unreadable without special knowledge or technology. Encryption is the method used to protect communications for centuries. But only organizations and individuals with an extraordinary need for privacy had made use of the technology for example: Government establishment, Banks etc. Now a days encryption technology is used in protecting widely-used systems, such as Internet e-commerce, mobile telephone networks and bank ATM. Encryption can be used to ensure secrecy, but other techniques are still needed to make communications secure, particularly to verify the integrity and authenticity of a message (Wikipedia, 2006). Whether or not the exposure of privacy on the Internet is overstated, it is undisputed that there are security risks associated with its use. It is safer to assume, for the present, that the Internet is not yet a secure medium over which to communicate financial and personal information without having due consideration of the risks and legal issues involved. Apart from traditional privacy concerns like surveillance and unauthorized access to information, the Internet also creates new concerns relating to the use of cookies and spamming (Buys, N.D.). The use of Cookies A cookie is a text-only string created by the web site that gets entered into the memory of the browser, when the particular site is visited. If the lifetime value of a variable that a website sets is longer than the time you spend at that site, then this string is saved as a file into physical memory that is hard disk of the computer for future reference. Lou Montulli, currently the protocols manager in Netscapes client product division, wrote the cookies design for Navigator 1.0, this was the first browser to use the cookie technology. Montulli says A cookie is a well-known computer science term that is used when describing a solid piece of data held by a mediator. The term fits the usage accurately; its just not a well-known term outside of computer science circles. There are different reasons why the cookies are used; these range from the ability to personalize information or to help with on-line sales or services, or simply for the purposes of collecting demographic information. Cookies also provide programmers with a quick and convenient means of keeping site content fresh and relevant to the users interests. The newest servers use cookies to help with back-end interaction as well, which can improve the utility of a site by being able to securely store any personal data that the user has shared with a site. Cookies are a very important method to work interactively with a user, remembering all data since the application started, and differentiating between users and their individual data sets. Whenever a visitor visits a website, it is seen by the server as the first visit by the user. That is the server does not remember last time you visited the site. Cookies is the method of storing information of the website, so that whenever the site is visited the site remembers the information about the last time the site was visited by the computer. After a cookie is transmitted through an HTTP header, it is stored in the memory of the browser. This way the information is readily available without re-transmission. However, it is possible for the lifetime of a cookie to greatly exceed the amount of time the browser will be open. In such cases, the browser must have a way of saving the cookie when not browsing, or when the computer is shut off. The only way the browser can do this is to move the cookies from memory into the hard drive. The browser is constantly performing maintenance on its cookies. As and when the cookie expired the file is removed from the hard disk automatically (Whalen, 2002). Cookies can be very magnificent as, correctly used, they can personalize the surfing skill making it that much more gainful and enjoyable (Cookies, N.D.). Trojan horse Trojan horse programs are experienced veterans of the nasty code world. They work like the wooden horse Greek soldiers used to enter the gates of Troy. Trojan horses clandestinely enter computers and perform actions with out the knowledge of the victim. These programs are sometimes part of worms and packaged as an email attachment, and also can contaminate computers through downloads or network holes. Once installed in a computer, Trojan horse programs can use its Internet connection to send data -such as passwords, financial information, and more - to a remote computer (Perry, N.D.). Trojan horse is a program which seems to be good and harmless, but in fact it hides something dreadful. There are different ways to spread a Trojan horse, one way is to hide it inside software and distribute. Another way to spread Trojan horses is to send files to users over chat systems such as Yahoo Messenger, Goggle Mail, ICQ, AIM etc., Trojan horses do not usually spread themselves; they should be spread by some mechanism. It is a virus that spreads by deceiving a user into executing the file or attachments. Whenever a user opens an e-mail infected by Trojan horse it gets activated and spreads when the user sends mail to other users. Unintentionally the virus is spread to lots of other users. The system with Trojan horse usually gives the attacker some control over the user’s machine. It may allow the attacker to remotely access the system or to run commands with all the users’ rights. The Trojan horse can make use of the infected machine part of a Distributed Denial of Service (DDoS) network, where the infected machine is used to attack other user’s machine (TechFAQ, N.D). The Right of Privacy The right of privacy includes the right to be free from interruptions and intrusion by the state and others in one’s personal life and liberty from unlawful revelations of information about one’s personal life. This describes the importance of the person’s choice between keeping information personal and making it public. A few Internet users may prefer the use of cookies to identify them on the Internet. On the other hand some may choose to encrypt messages to send over the Internet, use filters to regulate the content that their computers can access or disable and delete cookies on their browsers. It is not possible to regulate the technology that threatens privacy. The government and the courts should rather be concerned in giving Internet users the control over their own information and to provide measures to enable every user to make an informed decision on the question of how private and confidential personal information should be in the digital age. Privacy in the United States of America The right of privacy is not mentioned clearly in the American Constitution but has been held to be certain implicitly in several of its provisions. To make a decision whether a specific privacy right have to be recognized the Supreme Court generally asks itself whether such a right is implied in the concept of orderly freedom in such a way that neither freedom nor justice would exist if it was sacrificed and whether it is deeply rooted in the nation’s history and tradition. This natural limitation of the scope of the privacy right has resulted in a narrower understanding of it than in other jurisdictions. Apart from the natural limits, privacy may also understandably be infringed if a persuasive state interest so necessitates. A law infringing the privacy right must be necessary and not merely rationally related to the achievement of a permissible state policy. Legal security of information privacy in the United States is a difficult issue. The Fourth Amendment provides: “The right of the people to be secure in their persons, houses, paper, and effects, against unreasonable searches and seizure, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the person or thing to be seized.” US courts have also examined whether the control of personal information by individuals to whom it relates is a fundamental right protected by the Fourteenth Amendment: “In an information-dense technological era, when living inevitably entails leaving not just informational footprints but parts of one’s self in myriad directories, files, records and computers, to hold that the Fourteenth Amendment does not reserve to individuals some power to say when and how and by whom that information and those confidences are to be used would be to denigrate the central role that informational autonomy must play in any developed concept of the self” (Buys, N.D.). Electronic Communications Privacy Act (ECPA) The ECPA imposes civil and criminal penalties for the intentional intervention, disclosure, or use of electronic communications that affect interstate or foreign commerce. Electronic communications are defined as any transfer of information by means of wire or electromagnetic system. The major blockage to using the ECPA to limit online profiling is that it exempts parties from liability if they obtain the prior consent from "users" or "parties to communication". Based on the "user" exception, a federal district court ruled in ‘DoubleClick’ that the ECPA does not bar the use of cookies by third-party advertisers. The court found that Websites where ads were placed constitute "users" under the ECPA. As long as the Website agrees to the use of cookies, the requirement of "prior consent by users" is satisfied and DoubleClick cannot be held accountable (DoubleClick, 2001). On the other hand, critics of the decision have argued that only the consumer can give consent to cookie placement because the consumers hard drive is the relevant site of stored information. In a recent decision regarding a class action suit filed against Intuit, which owns quicken.com, a California district court refused to dismiss a claim based on the ECPA (Intuit, 2001). The ECPA has two major parts relevant to online profiling: Section 2701 prohibits unauthorized access to stored communications, and Section 2511 prohibits the interception of electronic communications for tortuous or criminal purposes. The court denied Intuits motion to dismiss the Section 2701 claim. Although the court did not address ‘DoubleClicks’ consent reasoning directly, it emphasized that the users hard drives were their own and thus that users alone could consent to cookie use. The court held that if the plaintiffs allegations are true, Intuit did violate the stored communications provision of the ECPA by placing cookies on users hard drives. However, the court did dismiss the claims under Section 2511 because it saw no evidence that Intuits purpose was criminal or tortuous. The plaintiffs argument that cookies violated users’ privacy and therefore constituted a common-law privacy tort was unsuccessful in swaying the courts finding with regard to Section 2511. Finally, the question of whether the ECPA prohibits cookie placement remains unresolved--particularly with regard to Section 2701 (Lin, N.D). Privacy in the European Union On 24 October 1995 the European Union finally adopted its long awaited Directive on Data Protection which has been effective since 24 October 1998. Member countries of the EU were required to enact the Directive’s provisions before the effective date and to this extent the UK enacted a new and more wide-ranging Data Protection Act in 1998. The EU Directive seeks to prevent abuse of personal data and lays down comprehensive rules, including a responsibility to collect data only for specified, unambiguous and legal purposes, as well as to only hold data if it is appropriate, accurate and up to date. The Directive requires all data processing to have a proper legal basis and grants subjects a number of important rights, including the right of access to the data, the right to know where the data originated from, the right to have inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to withhold permission to use data in certain circumstances. The Directive specifically sets forth the only cases in which personal data may be stored and collected. These include situations where: The data subject has given consent clearly; Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject entering into a contract; Processing is necessary for conformity with a legal compulsion to which the controller is a subject; Processing is necessary in order to protect the essential interests of the data subject; Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; Processing is necessary for the purpose of the lawful interest perused by the controller or by the third party or parties to whom the data are disclosed, except where such interest is overridden by the interests of fundamental rights and freedoms of that data subject who requires protection under article 1(1). Additionally the Directive creates a Supervisory Authority (SA) for every member state and requires all collectors of personal data to register with the SA of each member state before processing information on data subjects located in that state. After such registration the collector must make extensive disclosures to the SA concerning the use of personal information. The SA furthermore, has the power to monitor compliance with the Directive within a member state’s territory. Thus companies operating in the 15 EU member states and transmitting data outside the EU are not allowed to do so unless the third country protects personal information at standards acceptable to the EU. As the EU and the United States hold very different views on information privacy protection, the Directive urged trade meetings on acceptable standards, congressional activity and calls from the White House for progress (Buys, N.D.). Conclusion The benefits of e-commerce are plenty and its obligations are few. Those obligations are arising out of the reasonable and equitable requirements of “accountability”. A right without limitations cannot be visualised in a civilised and democratic country like India. At the same time, it would not only be unjust but also unreasonable to ask for a “blanket protection” from the rigours of the law, while enjoying the fruits and benefits of the same. The needs of “accountability” are not only sub-minimum but also vital for a sound, systematic, transparent and genuine business functioning. Law courts exist for the society and ought to rise up to the occasion to do the needful in the matter, and as such ought to act in a manner so as to sub serve the basic requirement of the society. The greatest moral excellence of the law is its flexibility and its adaptability; it must change from time to time so that it answers the cry of the people, the need of the hour and the order of the day. The law controls the social interests, decides conflicting claims and demands security of persons and property of the people and is a vital function of the state. It could be achieved through instrumentality of criminal law (Dalal, 2006). Certainly, there is a cross cultural conflict where law must find answer to the new challenges and the courts are required to frame the sentencing system to meet the challenges. The harmful effect of lawlessness would undermine social order. Protection of society and stamping out criminal inclination must be the object of the law, which must be accomplished by imposing proper sentence. Hence, law as a corner stone of the edifice of “order” should meet the challenges confronting the society. In operating the sentencing system, law should adopt the corrective machinery. The sentencing process should be stern where it should be, and tempered with mercy where it warrants to be. The undue sympathy to impose inadequate sentence would do more harm to the justice system. It is, therefore, the duty of every court to award proper sentence having regard to the nature of the offence and the manner in which it was executed. The imposition of sentence without considering its effects on the social order may be in reality a futile exercise. Thus, the web-site owners and NSPs cannot agitate and claim immunity from the rigours of the law when they have not taken the “sub-minimum precautions” as provided by the law. The law courts cannot be influenced in this regard. As a matter of fact, Indian Judiciary by formulating the “Doctrine of Basic Structure” has shown its positive and justice oriented approach toward the society. It is agreed that the “Executive”, “Legislature” and the “Judiciary” will not yield to any pressure tactics in this regard from any section of the society. References Buys, R. (N.D.) Privacy and the Right to Information. [Online]. Sonnenberg Hoffman & Galombik Attorneys, Cape Town, Available from: [Accessed 17 December 2006] Cookies, (N.D.) [Online]. Available from: < http://www.leave-me-alone.com/cookies.htm> [Accessed 17 December 2006]. Dalal, P. (2006) Legal Risks of Electronic Commerce. [Online]. Available from: [Accessed 18 December 2006]. DoubleClick, (2001) In re DoubleClick Inc. Privacy Litigation, 2001 WL 303744 (S.D.N.Y. March 29, 2001). Intuit, (2001) In re Intuit Inc. Privacy Litigation, 2001 WL 370081 (C.D. Cal Apr. 10, 2001). Lin, R. (N.D) Session 4: Consumer Privacy [Online]. Available from: [Accessed 17 December 2006] Perry, C. (N.D.) World Wide Wicked: A Look At The Endless Stream Of Online Dangers. [Online]. Available from: [Accessed 18 December 2006] TechFAQ, (N.D) What is a trojan horse? [Online]. Available from: [Accessed 18 December 2006] Wikipedia, (2006) Encryption. [Online]. Wikimedia Foundation, Inc. Available from: [Accessed 18 December 2006] Whalen, D. (2002) The Unofficial Cookie FAQ. [Online]. Available from: [Accessed 17 December 2006]. Read More