24.3. Possibilities and Limitations for Informed Consent: Redesigning Cookie Handling in a Web Browser
In this section, we demonstrate that the proposed model of informed consent can be used to:
Specifically, we examine the role the web browser plays in obtaining informed consent for cookies.
24.3.1. What Are Cookies and How Are They Used?
A cookie is a text file stored on the user's machine that can be used to maintain information about the user, such as an identifier or a log of the user's navigation on the web site. One accepted way companies use cookies is to customize their web site to the user (e.g., Amazon uses cookies to remember what users like to buy and what users put in their shopping baskets). However, cookies can also be abused by surreptitiously collecting information about the user.
When a user wants to retrieve a particular web page from the Internet, the user opens a web browser and enters the web page's address. The browser sends the request for the web page to the appropriate web server. The web server then retrieves the requested web page and sends it back to the user's browser, where it is displayed. This process involves a couple of additional steps if the web server wants to set a cookie. When sending the requested web page back to the browser, the server sends the browser a request to store the cookie. Depending on how it has been programmed, and on any cookie-related preferences that have been set, the browser may or may not store the cookie as requested. If the browser stores the cookie on the user's computer, the browser will volunteer the cookie each time the user revisits that web page and possibly any other web pages in that domain, depending on the scope of the cookie.
24.3.2. Web Browser as Gatekeeper to Informed Consent
In the previous description, the browser acts as a gatekeeper by determining which web server requests to fulfill. In addition, with respect to informed consent, the web browser plays at least two other critical gatekeeping roles:
Admittedly, a proactive web site could supplement the functionality provided by the web browser by explicitly addressing disclosure and agreement (e.g., privacy policies). However, relying on all web sites to do this individually would result in ad hoc methods and require users to become familiar with each web site's policies and practices.
24.3.3. Web Browser Development and Progress for Informed Consent: 1995-1999
With a conceptualization for informed consent online in hand, Millett, Friedman, and Felten[20] conducted a retrospective analysis of how cookie handling in Netscape Navigator and Internet Explorer evolved with respect to informed consent over a five-year period, beginning in 1995. Specifically, they used the criteria of disclosure, comprehension, voluntariness, competence, and agreement to evaluate how well each browser, at each stage of its development, supported the users' experience of informed consent for the use of cookies. (At this early stage in their work, the criterion of minimal distraction had not yet been identified.)
Through this analysis, they found that cookie technology had improved over time regarding informed consent. For example, there had been increased visibility of cookies, options for accepting or declining cookies, and access to information about cookie content. However, as of 1999, some startling problems remained:
24.3.4. Redesigning the Browser
After completing the retrospective analysis, Friedman, Howe, and Felten[21] considered how to redesign the browser to better support informed consent. First, they identified four overarching design goals:
By iterating through three design prototypes, each followed by small-scale usability studies (see the earlier sidebar, "Value Sensitive Design"), Friedman et al. redesigned the Cookie Manager tool of the Mozilla browser (the open source version of Netscape Navigator).[22]
In consideration of the design goals and design strategies, Friedman et al.[23] implemented a peripheral awareness mechanism by implementing a small application they named the "Cookie Watcher" docked in Mozilla's existing sidebar. In their final design (see Figure 24-1), users were notified in real time not only about the occurrence of cookie events, but also about the domain and type of cookie being set. Visual cues such as background color and font style were used to represent domain and duration information, respectively, as follows: third-party cookies were displayed in red; cookies from the same domain were displayed in green; italicized fonts were used for session cookies; and bold fonts were used for cookies with durations of more than a year.
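The request/response steps described in Section 24.3.1 and the domain and duration labels the Cookie Watcher rendered as colors and fonts, as an added Python example that is not code from the chapter or from the Mozilla prototype. The hostnames, cookie values and fixed clock are constructed; the Browser class, its policy names ("accept-all", "block-third-party", "block-all") and the event log are assumptions made for this model, not Mozilla's own mechanism.

```python
"""Model of the browser as cookie gatekeeper: store or refuse Set-Cookie
requests, label each cookie the way the Cookie Watcher did, and volunteer
in-scope cookies on revisits. All hosts and values below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

NOW = datetime(2005, 1, 1, tzinfo=timezone.utc)  # fixed clock for reproducible runs


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                  # scope: volunteered to this host and its subdomains
    path: str                    # scope: only to URLs under this path
    expires: Optional[datetime]  # None = session cookie (discarded when the browser closes)


def parse_set_cookie(header: str, request_host: str, now: datetime = NOW) -> Cookie:
    """Parse one Set-Cookie response header into a Cookie scoped by its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path, expires = request_host.lower(), "/", None  # defaults: host-only, whole site
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            domain = val.lstrip(".").lower()
        elif key == "path":
            path = val or "/"
        elif key == "max-age":  # Max-Age takes precedence over Expires
            expires = now + timedelta(seconds=int(val))
        elif key == "expires" and expires is None:
            expires = datetime.strptime(val, "%a, %d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)
    return Cookie(name.strip(), value.strip(), domain, path, expires)


def domain_matches(host: str, cookie_domain: str) -> bool:
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def classify(cookie: Cookie, page_host: str, now: datetime = NOW) -> Tuple[str, str]:
    """Return the (domain, duration) labels the Cookie Watcher showed as color and font style."""
    party = "same-domain" if domain_matches(page_host, cookie.domain) else "third-party"
    if cookie.expires is None:
        duration = "session"
    elif cookie.expires - now > timedelta(days=365):
        duration = "over-a-year"
    else:
        duration = "persistent"
    return party, duration


# Visual cues from the final Cookie Watcher design: red/green for domain, italic/bold for duration
STYLE = {"same-domain": "green", "third-party": "red",
         "session": "italic", "over-a-year": "bold", "persistent": "normal"}


class Browser:
    """Gatekeeper: decides which Set-Cookie requests to honor and which cookies to volunteer."""

    def __init__(self, policy: str = "accept-all"):
        self.policy = policy           # "accept-all", "block-third-party" or "block-all" (assumed names)
        self.jar: List[Cookie] = []
        self.events: List[str] = []    # what a peripheral-awareness sidebar would display

    def receive(self, page_host: str, request_host: str, set_cookie: str, now: datetime = NOW) -> bool:
        """Handle a Set-Cookie request arriving while page_host is displayed; return whether it was stored."""
        cookie = parse_set_cookie(set_cookie, request_host, now)
        party, duration = classify(cookie, page_host, now)
        stored = not (self.policy == "block-all"
                      or (self.policy == "block-third-party" and party == "third-party"))
        self.events.append(f"{'SET' if stored else 'BLOCKED'} {cookie.name} from {cookie.domain} "
                           f"[{STYLE[party]}, {STYLE[duration]}]")
        if stored:  # a cookie with the same name/domain/path replaces the old one
            self.jar = [c for c in self.jar
                        if not (c.name == cookie.name and c.domain == cookie.domain and c.path == cookie.path)]
            self.jar.append(cookie)
        return stored

    def cookie_header(self, host: str, path: str = "/", now: datetime = NOW) -> str:
        """Volunteer every in-scope, unexpired cookie; the site is never asked whether it wants them."""
        sent = [c for c in self.jar
                if domain_matches(host, c.domain) and path.startswith(c.path)
                and (c.expires is None or c.expires > now)]
        for c in sent:
            self.events.append(f"SENT {c.name} to {host}")  # known to the browser, not to the site's intent
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def demo(policy: str = "block-third-party"):
    """Constructed exchange: a shop page sets two cookies, an embedded ad host tries a third."""
    b = Browser(policy)
    page = "www.example-shop.test"
    b.receive(page, page, "sid=abc123; Path=/")
    b.receive(page, page, "prefs=lang%3Den; Domain=.example-shop.test; Max-Age=63072000")
    b.receive(page, "ads.tracker.test", "uid=42; Expires=Wed, 01 Jan 2025 00:00:00 GMT")
    header = b.cookie_header(page, "/cart")  # revisit another page in the same domain
    return b, header


if __name__ == "__main__":
    browser, cookie_line = demo()
    print("\n".join(browser.events))
    print("Cookie:", cookie_line)
```

The SENT events illustrate the limitation discussed in Section 24.3.5: because the browser volunteers cookies on its own whenever the domain and path match, the only "use" signal it can report is that a cookie left the browser, not whether or how the site actually used it.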
Two just-in-time interventions were implemented:
Participants of the usability studies commented favorably on the just-in-time management tools. Their comments suggested that the Cookie Watcher helped to enhance understanding about cookies as well as eased cookie management. Evidence showed that direct access to information on individual cookies supported the design goals.
Figure 24-1. Taking advantage of Mozilla's sidebar structure, a new peripheral awareness sidebar (the Cookie Watcher) was developed to dynamically notify users whenever a cookie is set (as shown above); in addition, two just-in-time mechanisms were implemented and supported in the Cookie Watcher: (1) by clicking on a cookie, the user can bring up a cookie manager tool (as shown above); (2) by clicking on the Learn About Cookies button, the user can bring up a dialog box with information about the potential harms and benefits of cookies, and about what the colors and font styles in the Cookie Watcher represent (not shown).
24.3.5. Technical Limitations to Redesigning for Informed Consent
Although the Mozilla prototypes made good progress toward achieving the design goals, there remained changes that Friedman et al. were unable to make as a result of the underlying technology. For example, many users would like to know not only when a web site wants to set a cookie, but also when a web site wants to use a cookie. However, because the web browser automatically volunteers cookies whenever the user revisits the domain, it is currently not possible to provide users with that information. In order to fully disclose when and why a particular cookie is being set and then used, and its potential harms and benefits, changes would need to be made to the network protocol that, in turn, would necessitate changes to the web browser and the remote web site, as follows:
While each entity has a critical role to play, the network protocol constrains possibilities for the other two.
24.3.6. Reflections
This section has highlighted how the model of informed consent can be used to evaluate and design information systems. We note that some of the design ideas presented here, such as the use of peripheral awareness mechanisms, can now be seen in the current version of both Mozilla (version 1.73) and Internet Explorer (version 6). For example, both browsers now use a peripheral awareness mechanism in the form of a small "eye" icon displayed in the bottom right-hand corner of the browser window to indicate when a web site attempts to set a cookie that is restricted or blocked by the users' privacy preferences. Thus, the design methods presented in this section have pragmatic value. We have also explicated the interaction between the underlying technical infrastructure (in this case, the HTTP protocol) and what solutions can be designed and implemented to support users' informed consent. Along these lines, the Platform for Privacy Preferences (P3P) (discussed in Chapter 22 in this volume) represents one recent effort that works around the protocol limitations to provide a mechanism that evaluates web site privacy practices against user-specified privacy preferences. Finally, we point to the interaction between technical implementation and business practice: even if there were no technical limitations on redesigning the web browser for informed consent, in order for the web browser to provide complete disclosure to the user, web sites would need to provide an accurate and clear description of what information their cookies collect and how the collected information will be used. In this and other ways, business practice must work in concert with technical implementations.