Court Says No Harm, No Foul With Flash Cookies
from the what's-the-harm? dept
There were some articles a few months back about the use of “flash cookies,” which could potentially record more information about visitors than regular cookies, and were much more difficult to turn off. As with pretty much every new privacy fear, class action lawsuits quickly followed. However, a judge in one of them has pointed out that there’s no evidence of harm, at least not enough harm to matter to the court under the law. While some people are quick to jump on every privacy scare, it seems like the courts are pointing out that just because people freak out about privacy issues, it doesn’t mean any real harm occured. This is probably a good thing. While privacy is important, all too often we see people freak out about issues they claim are “privacy” issues when they’re really just more “well, I don’t like this” issues.
Filed Under: flash cookies, privacy
Comments on “Court Says No Harm, No Foul With Flash Cookies”
Where
At what point does personal responsibility come in?
Anybody can learn how to block such things from ever reaching their computer in the first place.
Re: Where
You should read more about the issue. There’s really nothing you can do to block those cookies, not without basically removing all plugins and turning off all scripts and so on.
http://www.wired.com/epicenter/2011/07/undeletable-cookie/
http://en.wikipedia.org/wiki/Zombie_cookie
Re: Re: Where
If you’re promiscuous about running any script on the ‘net, then you should expect to get pwn3d.
No, you’re not ?asking for it?. Very few people want their computers compromised. And I agree that in a civilized culture any drunken girl wearing a miniskirt should be able to walk down a random dark alley in the worst part of town?absolutely fearlessly.
If you’re promiscuous about running any script on the ‘net, then you should expect to get pwn3d.
Re: Re: Re: Where
And in an imperfect world you should also expect the legal system to punish your rapist.
I think that the more knowledgeable one becomes on a technology and its dangers, the less qualified they are to opine about what security measures average people should be expected to take. The vast majority of people I know over 35 probably haven’t even heard of JavaScript. And if they have they probably think its Java.
Re: Re: Re:2 Where
Great. Glad you have an opinion.
The current state of the art is not capable of delivering the features that the market wants coupled together with acceptable security. The system is being driven towards an non-optimal outcome. That’s actually kinda predictable when there’s an information gap.
If you are an average person who takes average measures today then you run a high risk of getting pwn3d.
If you’re a little bit smarter than average, you can reduce your risk.
Re: Re: Re:3 Where
I apologize for my tone – it was more snotty than warranted (although more appropriate to the preceding comment that “[a]nybody can learn how to block such things” which implied a lack of expertise was some kind of person failure on the part of victims).
However, I do think people who are promiscuous about running scripts generally don’t know that they are doing so. Its a mistake to expect people to take precautions against dangers they don’t know exist and to give them no recourse if they don’t. That’s basically a darwinian approach – only the strong/savvy have a right to privacy.
Re: Re: Re:4 Where
I’ve spent enough time in some of the worst hell-holes of usenet to grow a thick skin.
You got a better word than ?expect? to use for ?a predictable outcome? ?
Look, you seem to be arguing normatively, and I’m describing what I see happening. If I could drive the system in a better direction, then I would. But right now, the best I can do is a warning to sauve qui peut.
Re: Re: Re:4 Where
I’ve spent enough time in some of the worst hell-holes of usenet to grow a thick skin.
You got a better word than ?expect? to use for ?a predictable outcome? ?
Look, you seem to be arguing normatively, and I’m describing the market failure that I see happening. If I could drive the system in a better direction, then I would. But right now, the best I can do is a warning to sauve qui peut.
Re: Re: Re:5 Where
I’m not sure you can draw a clean line between descriptive and normative statements in this situation. Should is, generally, a normative word as it implies a duty or obligation when used in conjunction with human action. Promiscuous is a normative word as it describes actions outside of the acceptable bounds prescribed by a group’s norms. In that context “expect” can mean both/either that the outcome can be predicted and/or that the individual bears some responsibility for predicting it.
If we are talking about individual actions, then no there is not much we can do and the statement can be mostly descriptive. If we are talking about collective societal actions, acquiescence in the face of market failure is choosing the norms of the free market over the norms of privacy protection through political action. One way to drive the system towards protection of privacy is to allow lawsuits for its violation. Or to allow legislation or regulation.
Re: Re: Re:6 Where
The first fact to keep in mind is that we now have an estimated global internet userbase of about 2 billion people worldwide.
While the rate of growth in the userbase is flattening, we expect to eventually reach close to universal access. So, maybe eight or nine billion people spread out across every nation on the planet. And as the userbase has grown, and as it’s expected to grow, the average level of education and technical sophistication drops.
Re: Re: Re:7 Where
So the market failure cause by information asymmetry will worsen. This weighs more strongly in favor of non-market solutions, such as through legislation, regulation and litigation.
Re: Re: Re:8 Where
That’s the conventional answer.
But that conventional answer is limited by problems of international cooperation. International diplomacy is… s…l…o…w.
Further out in time, as the userbase approaches the total world population, then it’s possible that the average user’s experience with the built, technological environment increases faster than new users are acquired. However, we do not expect computing and communications technology to remain static and frozen. So instead, it’s possible that the average user will continue to adopt technology that they understand less and less well. It’s awfully difficult to make predictions that far out. Anything beyond about five years out is a guess in the dark.
Re: Re: Where
As a point of clarification here are instructions on how to prevent Flash Cookies from being set:
http://kb2.adobe.com/cps/526/52697ee8.html
Re: Where
BetterPrivacy addon for Firefox all the way.
If they inform about the use of them and the purpose it maybe will be ok but otherwise it seems very suspect.
It pains me to say this but I don’t believe courts should be involved in this case, if it was something being done secretly, Adobe should be punished, but since it is common knowledge and every one who has an interest knows about it, this is much more a case of people starting to use their freewill and don’t do business with Adobe, or take measures to stop it from collecting that data.
Now if this was an evercookie undeletable and difficult to detect then I think people have a very legitimate concern.
Also most of the evercookies depend on scripts to be create, if you don’t allow them that takes care of most of them, with the others being easily erased if you just clean the browser cache and history.
People should be worried about the next HTML 5 standard that the W3C putting out, there is apparently no considerations about privacy issues they just don’t care about that stuff, and that is the place to pressure if people want somethings to change.
WebGL the danger to privacy
Almost forgot the 3D standard for a 3D web is a problem, because 3D depends on system drivers to operate and that opens possibilities not only for security breaches but for privacy ones.
What is it about these perverted websites anyways?
Why do they need to execute their code on your computer? There is no compelling need to run foreign code in order to render a web page, stating such is pure horse hockey. If you knew exactly what they were doing on your computer with their code, you would probably avoid them at all costs. I sincerely doubt they have any regard for your well being at all and are only in it for the money they get from selling information gleaned from your computer.
Anything for a buck eh? To hell with self respect. If this is how one must make a living then I really do not need to visit that pathetic website.
FWIW, I routinely surf with javascript turned off. It is not a big hindrance. If I really need the services provided by such a website, I may turn it on – or then again, I may go elsewhere.
Lazy web site designers that rely upon javascript and their ilk are only doing themselves and everyone else a disservice.
Made me think of Cookie Monster
Court did find plaintiff alleged harm
I would recommend reading the decision itself (http://www.scribd.com/doc/62531370/Bose-v-Interclick) in addition to the commentary, as this is statement is inaccurate.
The court dismissed plaintiff’s claims under 18 USC 1030 because Congress has mandated that civil claims are only authorized by this statute when the plaintiff has suffered at least $5,000 in economic harm. This is a much narrower articulation of “harm” than that implied by the article.
The court found plaintiff’s allegations of deceptive business practices (NY GBL Sec. 349) and trespass to chattel to be sufficient (dismissing against Interclick’s Adertiser clients, but not Interclick itself) stating that “courts have recognized similar privacy violations as injuries for the purposes of section 349” (at 21)
Also, to be pedantic, no decision was made as to whether there was evidence to support the allegations. A motion to dismiss addresses only whether the allegations, if true, create a valid cause of action.
Blocking cookies, flash cookies, and silverlight cookies aren’t a big deal. However this issue changes when it comes time to block Nevercookies. According to what I’ve read on Nevercookie, they were designed not to be deleted once on a computer. Hidden in up to 15 different places, they can resort a deleted cookie and continue to track user info despite what the user might not want.
There was and I don’t know if there still is, an app for Firefox to deal with this Nevercookie. Last I saw of it was it was not updated with the last update version of Firefox.
Re: Re:
http://threatpost.com/en_us/blogs/researchers-find-methods-kill-persistent-evercookie-101910
Unless you are using a mobile phone as primary browsing tool, evercookies are not a problem.
Disable scripts and clear history and cache.
Mobile users on the other hand are screwed unless they have root privileges there is little they can do about it.
I’m curious as to how a court decides the value of privacy.
My browsing history is worth a fair bit to me personally. I’m sure there are companies who collate many people’s history as market research and may pay as little as a few pennies per. Is market value == value of harm caused?
Re: Re:
also, http://noscript.net/
more also, I believe http://www.hotcleaner.com/clickclean_firefox.html will fully clear evercookies.
Re: Re: Re:
more also, Part II:
http://www.sandboxie.com/
No corporation has a right to track anyone, only the power,
and they mostly do it by stealth, which alone tells you a great deal. By stealth I mean you techdroids may know that it’s done and how to avoid, but the unwashed masses don’t — heck, even techy types barely speculate on what’s done with that tracking, or the massive collation of it that’s tied into the national surveillance network.
ANY information gleaned without informed consent is an injury, doubly so when sold commercially for profit, doubled again when fed to national security. Just the potential for misuse is plenty justification for the people to put an end to it. My opinion is that once widely known, there’ll be plenty of outrage at “free”, “do no evil” Google and all others.
And note that yet again, “libertarian” Mike isn’t concerned with actual tracking. Long as the discussion stays theoretical, he’s libertarian, but when it comes to putting liberty into practice by arresting the lying criminals at Standard & Poor, or preventing the tracking of /natural persons/, he’s a staunch defender of corporate rights.
Re: No corporation has a right to track anyone, only the power,
You see, the stealth part I agree, if it is not being disclaimed that is an issue but if it is and in the case of Adobe it is, then that is a consumer problem not the company.
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
I don’t like it but I like the legal system even less, this could cause also collateral damage into research being done on things that could be useful for society.
As long as there is disclosure and people can remove those damn things if they do research on it, I’m willing to accept any harm done to privacy to people ignorant on the tech aspects of it.
Re: No corporation has a right to track anyone, only the power,
https://addons.mozilla.org/en-US/firefox/addon/ghostery/
Whatch the watchers with Ghostery and similar addons.
Also if you know anything about javascript and CSS one could use JSView to get a hang of what the website is doing.
Seriously? You have to wait until the lack of privacy harms you in the amount of $5,000 or more before it’s a concern? What the fuck is wrong with you?
Virtual the future.
Dell’s virtual appliance that you can reset to an original state.
http://www.kace.com/products/freetools/secure-browser/
Sandboxing Firefox using Fedora/SeLinux
http://www.bress.net/blog/archives/195-Firefox-in-a-sandbox-with-Fedora.html
BitBox sandbox
http://translate.google.com/translate?hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=de&tl=en&twu=1&u=http://www.sirrix.de/content/pages/57064.htm
Making a virtual appliance using Vmware/Qemu, DamnSmallLinux and Firefox
http://howto.gumph.org/content/build-a-lightweight-browser-appliance/
Browser appliance.
http://wiki.rpath.com/wiki/Appliance:Browser_Appliance
For those that don’t want to create a browser appliance from scratch there are many on the internet that others have done the hard work.
browsing security
Ask your self who has interest to track user online EVERBODY for so ever purposes !
Just that the tech is available doesnt meant it will not be used for illegal purposes and saying no harm done but we track you all ready is nonsense !!! Just to the point when someone harm the same judge who say that ”no harm done” and he is approving it ! Its getting even worse:
http://www.laquadrature.net/en/softpedia-google-admits-handing-over-european-user-data-to-us-intelligence-agencies
Do you approve this kind of behavior now for all users on the world with ip cop on every computer even on yours ???