What began as an effort to give Web browser users more control over their privacy has put Microsoft in the cross-fire of Web advertisers and privacy advocates.
With Internet Explorer 5.5, Microsoft is testing a cookie management feature that blocks certain kinds of cookies -- data records created by a browser that preserve information about Web sessions.
The seemingly innocuous add-on has raised the ire of Web advertising services and e-commerce vendors that claim the feature unfairly excludes them from the benefits of cookies: driving traffic and ad dollars to a site and supplying key demographic data to e-businesses.
Microsoft's technology blocks cookies that come from outside companies or advertisers that supply content to a site. These third-party cookies enable services to track, but not identify, a user throughout the Web. The feature concerns some parties that fear the software giant is once again using its heavy hand.
Opposing views
"Whether this act is pernicious or not, Microsoft has set themselves to be the arbiters of what technological options will be available to Web servers in terms of screening the information," said Jason Mahler, general counsel of the US Computer and Communications Industry Association.
Others, however, view the cookie management application as a step in the right direction to improve Internet privacy.
"Privacy advocates have been asking for this since 1996," said Jason Catlett, president of Junkbusters, a company that develops software to combat cookies and other marketing tactics. "The issue here is that third-party cookies are tracking Web surfers' movements across the Web without them knowing it."
Nevertheless, cookies are absolutely crucial to many e-commerce business models. Sites rely on the services of companies such as DoubleClick and Engage Technologies, which use cookies to measure site traffic in order to target advertisers. Third-party cookies allow smaller sites to band together and have ads sold and delivered by ad networks to compete with larger Web sites.
How it works
With the cookie management feature in IE 5.5, every third-party cookie sent to the browser generates a dialog box that asks the user whether to accept or block the cookie. Users can check a box that eliminates further warnings.
"I tried it. Forget it. You just have to turn it off," said Rich LeFurgy, head of the Internet Advertising Bureau. LeFurgy said users receive too many cookies to have a dialog box pop up every time a server wants to send one.
Users receive no warning when a first-party cookie -- one that returns only to the site to which the user is connected -- is set on their hard drives. In effect, IE 5.5 treats third-party cookies as less secure technology than first-party cookies. Further, LeFurgy and others said, the barrage of "security alert" dialog boxes will scare users, inviting them to shut off third-party cookies.
"This is a beta test to test market acceptance of the concept of differentiated cookie settings," said Richard Purcell, director of corporate privacy at Microsoft. "We find that when there's a third party involved [privacy] information is generally hard to get. So we began planning ways that our technology might be useful to consumers."
Fear of third-party cookies is an understandable position given the notorious case of DoubleClick, which was investigated in May for plans to connect aggregate cookie data with a database that included names, addresses and other personal information. DoubleClick eventually backed off its plans; officials there had no comment on Microsoft's cookie management technology.
Such incidents, however, are an example of the pressure that e-businesses and advertisers are under to capture critical customer data.
"The average consumer doesn't understand what they're giving up when they block cookies," said Stefan Tornquist, marketing director at Bluestreak.com, an online advertising and marketing company that offers technology that tracks traffic without cookies or in conjunction with cookies. "Today's invasion of privacy is tomorrow's convenience."
Bonnie Lowell, chief technology officer of the Personalisation Consortium and co-chair of the group's privacy committee, also extolled the virtues of cookies -- as long as they're used prudently.
"I really would be concerned if people thought [Microsoft's cookie management] was the answer to the online privacy problem," Lowell said. "People have an expectation that all cookies are bad, but most are good cookies."
Nevertheless, the issue of cookies will likely end up under the government's microscope, joining an ever-increasing pile of high-technology issues. Late last week, the US Federal Trade Commission endorsed a plan by members of the Network Advertising Initiative, including DoubleClick, Engage, AdForce LLC and others, to regulate themselves under a set of privacy principles that give consumers more control over what those vendors do with data collected through third-party cookies.
Labs Eye View: The cookie fuss
Microsoft is making waves by addressing the issue of third-party cookies in Internet Explorer, but the controversy has been around for quite some time. In fact, Netscape's Navigator browser has included an option to block third-party cookies for several years.
Third-party cookies arise when a Web site displays content references to another company's server, such as an image reference to a URL at DoubleClick.net or another advertising site. Continuing with the DoubleClick example, when a browser connects to that outside server to retrieve an image, DoubleClick has the opportunity to set its own cookie containing a unique identifier. If that browser later connects to another site that carries DoubleClick content, DoubleClick can retrieve its own cookie and determine that the same browser visited both sites.
It's relatively simple for Web site designers to build their applications to work perfectly well with browsers that don't accept cookies; doing so would avoid a technology that many consumers either don't trust or don't understand. Applications can pass state identifiers in URLs or in hidden form fields and thus avoid cookies altogether. We advocate that Web sites switch to URL state encoding and fully disclose what user information is collected at their sites.
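The mechanism described in this sidebar, as an added example that is not part of the original article: a toy browser cookie jar that classifies each cookie as first-party or third-party, and an ad server that counts how many pages it can tie to one identifier with third-party blocking off and on. The hostnames, the `Browser` class and the ad server are constructed for illustration, and the "last two labels" site comparison is a simplifying assumption.

```javascript
// Added illustration. Hostnames are constructed (.example), not from the article.
// Assumption: a "site" is the last two hostname labels; real browsers use the
// Public Suffix List for this comparison.
const site = (host) => host.toLowerCase().split(".").slice(-2).join(".");

class Browser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie jar: site -> cookie value
  }
  // Request one resource while the user is on pageHost. `server` stands in for
  // the remote host: it receives the cookie sent and returns one to set (or null).
  fetch(pageHost, resourceHost, server) {
    const key = site(resourceHost);
    const thirdParty = key !== site(pageHost);
    const setCookie = server(pageHost, this.jar.get(key) ?? null);
    if (setCookie === null) return;
    if (thirdParty && this.blockThirdParty) return; // rejected: never stored or sent
    this.jar.set(key, setCookie);
  }
}

// Hypothetical ad server: assigns an identifier on first contact and logs the
// embedding page, which it learns from the Referer header of the image request.
function makeAdServer() {
  const log = [];
  let next = 1;
  const handle = (pageHost, cookie) => {
    const id = cookie ?? `uid-${next++}`;
    log.push([id, pageHost]);
    return cookie === null ? id : null;
  };
  return { handle, log };
}

// Largest number of pages the ad server can tie to one identifier.
function maxPagesLinked(blockThirdParty) {
  const browser = new Browser(blockThirdParty);
  const ads = makeAdServer();
  for (const page of ["news.example", "shop.example"]) {
    browser.fetch(page, "ads.adnet.example", ads.handle);
  }
  const pages = new Map();
  for (const [id, page] of ads.log) pages.set(id, (pages.get(id) ?? 0) + 1);
  return Math.max(...pages.values());
}

console.log(maxPagesLinked(false), maxPagesLinked(true));
```

With blocking on, the ad server still receives both image requests but sees a fresh identifier each time, so it cannot join the two visits; first-party cookies are stored as before.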











