Section 24.3. Possibilities and Limitations for Informed Consent: Redesigning Cookie Handling in a Web Browser


In this section, we demonstrate that the proposed model of informed consent can be used to:

  • Assess how effectively a particular system design supports informed consent

  • Guide successive design

  • Identify how the underlying technology may constrain the range of possible solutions to support users' informed consent

Specifically, we examine the role the web browser plays in obtaining informed consent for cookies.

24.3.1. What Are Cookies and How Are They Used?

A cookie is a text file stored on the user's machine that can be used to maintain information about the user, such as an identifier or a log of the user's navigation on the web site. One accepted way companies use cookies is to customize their web site to the user (e.g., Amazon uses cookies to remember what users like to buy and what users put in their shopping baskets). However, cookies can also be abused by surreptitiously collecting information about the user.

When a user wants to retrieve a particular web page from the Internet, the user opens a web browser and enters the web page's address. The browser sends the request for the web page to the appropriate web server. The web server then retrieves the requested web page and sends it back to the user's browser where it is displayed. This process involves a couple of additional steps if the web server wants to set a cookie. When sending the requested web page back to the browser, the server sends the browser a request to store the cookie. Depending on how it has been programmed, and on any cookie-related preferences that have been set, the browser may or may not store the cookie as requested. If the browser stores the cookie on the user's computer, the browser will volunteer the cookie each time the user revisits that web page and possibly any other web pages in that domain, depending on the scope of the cookie.

24.3.2. Web Browser as Gatekeeper to Informed Consent

In the previous description, the browser acts as a gatekeeper by determining which web server requests to fulfill. In addition, with respect to informed consent, the web browser plays at least two other critical gatekeeping roles:

  • The web browser controls whether the user is notified about a server request and, to a large extent, controls the content of that notification. Thus, the components of disclosure and comprehension largely reside in the web browser.

  • The web browser controls whether the user has an opportunity to agree to or decline the web server's request (e.g., prompting for user input each time a server requests to place a cookie as opposed to the browser handling the request without user input). Thus, the component of agreement also resides in the browser.

Admittedly, a proactive web site could supplement the functionality provided by the web browser by explicitly addressing disclosure and agreement (e.g., privacy policies). However, relying on all web sites to do this individually would result in ad hoc methods and require users to become familiar with each web site's policies and practices.

24.3.3. Web Browser Development and Progress for Informed Consent: 1995-1999

With a conceptualization for informed consent online in hand, Millett, Friedman, and Felten[20] conducted a retrospective analysis of how cookie handling in Netscape Navigator and Internet Explorer evolved with respect to informed consent over a five-year period, beginning in 1995. Specifically, they used the criteria of disclosure, comprehension, voluntariness, competence, and agreement to evaluate how well each browser in each stage of its development supported the users' experience of informed consent for the use of cookies. (At this early stage in their work, the criterion of minimal distraction had not yet been identified.)

[20] Lynette I. Millett, Batya Friedman, and Edward Felten, "Cookies and Web Browser Design: Toward Realizing Informed Consent Online," CHI (Seattle, WA, March 2001).

Through this analysis, they found that cookie technology had improved over time regarding informed consent. For example, there had been increased visibility of cookies, options for accepting or declining cookies, and access to information about cookie content. However, as of 1999, some startling problems remained:

  • While browsers disclosed to users some information about cookies, the right kind of information, that is, information about the potential harms and benefits from setting a particular cookie, was still not disclosed.

  • In Internet Explorer, if a user wanted to decline all third-party cookies, the burden fell on the user to do so one cookie at a time.

  • Users' out-of-the-box cookie experience (i.e., the default setting) was no different in 1999 from what it had been in 1995: to accept all cookies. That is, the novice user installed a browser that accepted all cookies and disclosed nothing about that activity to the user.

  • Neither Internet Explorer nor Netscape Navigator alerted a user when a cookie was sent back to a site, as opposed to when a cookie was stored.

24.3.4. Redesigning the Browser

After completing the retrospective analysis, Friedman, Howe, and Felten[21] considered how to redesign the browser to better support informed consent. First, they identified four overarching design goals:

[21] Friedman, Howe, and Felten.

  • Enhance users' understanding of specific cookie events

  • Enhance users' global understanding of the common uses of cookie technology, including what a cookie is and its potential benefits and risks

  • Enhance users' ability to manage cookies

  • Achieve these goals while minimizing distraction for the user

By iterating through three design prototypes, each followed by small-scale usability studies (see the earlier sidebar, "Value Sensitive Design"), Friedman et al. redesigned the Cookie Manager tool of the Mozilla browser (the open source version of Netscape Navigator).[22]

[22] Mozilla version 0.8 was used in the prototype designs.

In consideration of the design goals and design strategies, Friedman et al.[23] implemented a peripheral awareness mechanism by implementing a small application they named the "Cookie Watcher" docked in Mozilla's existing sidebar. In their final design (see Figure 24-1), users were notified in real time not only about the occurrence of cookie events, but also about the domain and type of cookie being set. Visual cues such as background color and font style were used to represent domain and duration information, respectively, as follows: third-party cookies were displayed in red; cookies from the same domain were displayed in green; italicized fonts were used for session cookies; and bold fonts were used for cookies with durations of more than a year.

[23] Friedman, Howe, and Felten.
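To make the Cookie Watcher's cues concrete, here is an added Python sketch (not the prototype's own code, and not part of the original chapter) that applies the colour and font rules above to parsed Set-Cookie headers, and that also shows the automatic volunteering of stored cookies on a revisit described in Section 24.3.1. Host names and header values are constructed for illustration; only the Max-Age attribute is used for duration.

```python
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 365 * 24 * 3600  # duration threshold for the "bold" cue

@dataclass
class Cookie:
    name: str
    value: str
    domain: str             # host (or parent domain) the cookie is scoped to
    max_age: Optional[int]  # seconds until expiry; None means a session cookie

def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header value; Domain defaults to the responding host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, max_age = request_host.lower(), None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()
        elif key.strip().lower() == "max-age":  # Expires is not handled here
            max_age = int(val)
    return Cookie(name.strip(), value.strip(), domain, max_age)

def domain_matches(host: str, cookie_domain: str) -> bool:
    """Cookie scope: the exact host or any subdomain of the cookie's domain."""
    return host == cookie_domain or host.endswith("." + cookie_domain)

def watcher_style(cookie: Cookie, page_host: str) -> dict:
    """Cookie Watcher cues: colour shows origin, font style shows duration."""
    return {
        "color": "green" if domain_matches(page_host, cookie.domain) else "red",
        "italic": cookie.max_age is None,                                  # session
        "bold": cookie.max_age is not None and cookie.max_age > ONE_YEAR,  # > 1 year
    }

def cookies_to_volunteer(jar: list, host: str) -> list:
    """Names of stored cookies the browser sends on a revisit, without any prompt."""
    return [c.name for c in jar if domain_matches(host, c.domain)]

# Constructed sample: a first-party cookie and an embedded third-party tracker cookie.
PAGE_HOST = "shop.example"
JAR = [
    parse_set_cookie("sid=abc123; Path=/", PAGE_HOST),
    parse_set_cookie("uid=42; Domain=ads.tracker.test; Max-Age=63072000", "ads.tracker.test"),
]
```

The last function is the point of Section 24.3.5: once a cookie is in the jar, the browser returns it on every matching request, so there is no event the Cookie Watcher could surface to tell the user a site is now using the cookie.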

Two just-in-time interventions were implemented:

  • Users can click on any installed cookie (once displayed in the sidebar) to bring up a cookie manager tool. With that tool, the user can learn more information about the specific cookie, delete the cookie, and ban that site from resetting cookies.

  • At the bottom of the sidebar, users can click on a "Learn About Cookies" button to prompt a Cookie-Information Dialog Box with information about the potential benefits and harms of cookies, and label information on what the colors and font sizes represent.

Participants of the usability studies commented favorably on the just-in-time management tools. Their comments suggested that the Cookie Watcher helped to enhance understanding about cookies as well as eased cookie management. Evidence showed that direct access to information on individual cookies supported the design goals.

24.3.5. Technical Limitations to Redesigning for Informed Consent

Although the Mozilla prototypes made good progress toward achieving the design goals, there remained changes that Friedman et al. were unable to make as a result of the underlying technology. For example, many users would like to know not only when a web site wants to set a cookie, but also when a web site wants to use a cookie. However, because the web browser automatically volunteers cookies whenever the user revisits the domain, it is currently not possible to provide users with that information.

Figure 24-1. Taking advantage of Mozilla's sidebar structure, a new peripheral awareness sidebar (the Cookie Watcher) was developed to dynamically notify users whenever a cookie is set (as shown above); in addition, two just-in-time mechanisms were implemented and supported in the Cookie Watcher: (1) by clicking on a cookie, the user can bring up a cookie manager tool (as shown above); (2) by clicking on the Learn About Cookies button, the user can bring up a dialog box with information about the potential harms and benefits of cookies, and about what the colors and font styles in the Cookie Watcher represent (not shown)

In order to fully disclose when and why a particular cookie is being set and then used, and its potential harms and benefits, changes would need to be made to the network protocol that, in turn, would necessitate changes to the web browser and the remote web site, as follows:

  • The underlying network protocol (in this case, HTTP) would need to support the description of the harms and benefits of the cookie as well as provide a means for the web site to request to use (not just set) a cookie.

  • The browser then would need to be programmed to display these harms and benefits in a clear and accessible way both when the cookie is being set and when the cookie is requested.

  • Finally, the web site would need to provide accurate information by filling in the appropriate HTTP fields.

While each entity has a critical role to play, the network protocol constrains possibilities for the other two.

24.3.6. Reflections

This section has highlighted how the model of informed consent can be used to evaluate and design information systems. We note that some of the design ideas presented here, such as the use of peripheral awareness mechanisms, can now be seen in the current version of both Mozilla (version 1.73) and Internet Explorer (version 6). For example, both browsers now use a peripheral awareness mechanism in the form of a small "eye" icon displayed in the bottom right-hand corner of the browser window to indicate when a web site attempts to set a cookie that is restricted or blocked by the user's privacy preferences. Thus, the design methods presented in this section have pragmatic value.

We have also explicated the interaction between the underlying technical infrastructure (in this case, the HTTP protocol) and what solutions can be designed and implemented to support users' informed consent. Along these lines, the Platform for Privacy Preferences (P3P) (discussed in Chapter 22 in this volume) represents one recent effort that works around the protocol limitations to provide a mechanism that evaluates web site privacy practices against user-specified privacy preferences.

Finally, we point to the interaction between technical implementation and business practice: even if there were no technical limitations on redesigning the web browser for informed consent, in order for the web browser to provide complete disclosure to the user, web sites would need to provide an accurate and clear description of what information their cookies collect and how the collected information will be used. In this and other ways, business practice must work in concert with technical implementations.



Security and Usability. Designing Secure Systems that People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295