December 29, 2005

How the Cookie Crumbles

By Evan Schuman, Ziff Davis Internet

Opinion: The National Security Agency, licking its wounds from reports of more warrantless data searches, publicly apologizes for using Web cookies. What's wrong with this picture?

The National Security Agency, whose NSA initials are typically preceded by "super secret" or a similar cool-sounding phrase, is known as the home for code-breakers extraordinaire.

After 9/11, the NSA was given even more freedom to do whatever it takes to track terrorists and identify their plots. The New York Times recently reported on its efforts to conduct more domestic surveillance without warrants or any court authorization.

So it was a bit curious when the NSA this week was accused of violating federal government procedure and harboring cookies on its public Web site. More curious yet, the NSA leaped into action to remove the offending cookies, and the Associated Press covered this.

These cookies were not spyware (although if any site had a right to have spyware, it would be the NSA) or anything malicious.

They didn't even pose a privacy threat, as the NSA site requires no passwords and seeks no registration. There is no newsletter to flag updated content because there isn't much content to update and that which is there isn't updated very often.

Privacy aficionado Daniel Brandt found the cookies on his machine after visiting the NSA site and contacted the agency, which apparently had the cookies because of a default ColdFusion setting.

Brandt said the violation is not sexy in and of itself, but it is a violation of Clinton-era government policy and it should be followed strictly.

"It's kind of a boring site," Brandt said. "But even if it's a non-issue, as it appears to be in this case, you have to call them on it."

What's more interesting, though, is that the NSA complied and complied so quickly. Yes, the super-secret agency was freaked out by the bogeyman of Web sites: the misunderstood cookie.

An innocuous piece of code (in this case at least) accidentally placed on the site merited national wire service attention along with stories in The Fort Wayne Journal-Gazette, Fort Worth Star-Telegram, The Kansas City Star, The Miami Herald, The Philadelphia Inquirer, The Atlanta Journal-Constitution and The San Jose Mercury News, among many others.

What does this have to do with retail IT? Cookies are chronically misunderstood and are perceived as vaguely dangerous.

Cookies are typically safe and not even especially intrusive. For the vast majority of sites, they are indeed conveniences allowing users to not have to re-register or repeatedly key in their password.

Yes, they do have marketing value in knowing what pages customers look at, but few use that information, other than in aggregate.

But, as this column has said many times, reality can't hold the proverbial candle to perception.

Privacy policies are rarely taken seriously, but they should be. If for no other reason, take the privacy policies seriously and detail all cookie usage so that you can later say that all site visitors knew about the usage.

After all, consumers routinely read privacy policy statements, don't they? he asked cynically.

Another important take-away from this NSA situation is consumer education. Most consumers who fully understand cookies and registration forms and whatnot don't have an issue with them.

Those consumers generally want the information being offered and appreciate the convenience. They must appreciate the implicit trade-off: give us a little information instead of having to give us money.

Privacy policy respect and consumer education are two decent ways to take the scare out of the cookie bogeyman. If it can scare an NSA spook, imagine what it will do to an uninformed consumer casually reading the local newspaper.