Microsoft cookie tool stirs controversy

What began as an effort to give Web browser users more control over their privacy has put Microsoft Corp. in the cross-fire of Web advertisers and privacy advocates.

What began as an effort to give Web browser users more control over their privacy has put Microsoft Corp. in the cross-fire of Web advertisers and privacy advocates.

With Internet Explorer 5.5, Microsoft is testing a cookie management feature that blocks certain kinds of cookies -- data records created by a browser that preserve information about Web sessions.

The seemingly innocuous add-on has raised the ire of Web advertising services and e-commerce vendors that claim the feature unfairly excludes them from the benefits of cookies: driving traffic and ad dollars to a site and supplying key demographic data to e-businesses.

Microsoft's technology blocks cookies that come from outside companies or advertisers that supply content to a site. These third-party cookies enable services to track, but not identify, a user throughout the Web. The feature concerns some parties that fear the Redmond, Wash., company is once again using its heavy hand.

Opposing views

"Whether this act is pernicious or not, Microsoft has set themselves to be the arbiters of what technological options will be available to Web servers in terms of screening the information," said Jason Mahler, general counsel of the Computer and Communications Industry Association, in Washington.

Others, however, view the cookie management application as a step in the right direction to improve Internet privacy.

"Privacy advocates have been asking for this since 1996," said Jason Catlett, president of Junkbusters Corp., a Green Brook, N.J., company that develops software to combat cookies and other marketing tactics. "The issue here is that third-party cookies are tracking Web surfers' movements across the Web without them knowing it."

Nevertheless, cookies are absolutely crucial to many e-commerce business models. Sites rely on the services of companies such as DoubleClick Inc. and Engage Technologies Inc., which use cookies to measure site traffic in order to target advertisers. Third-party cookies allow smaller sites to band together and have ads sold and delivered by ad networks to compete with larger Web sites.

How cookies works

With the cookie management feature in IE 5.5, every third-party cookie sent to the browser generates a dialog box that asks the user whether to accept or block the cookie. Users can check a box that eliminates further warnings.

"I tried it. Forget it. You just have to turn it off," said Rich LeFurgy, head of the Internet Advertising Bureau, in San Francisco. LeFurgy said users receive too many cookies to have a dialog box pop up every time a server wants to send one.

Users receive no warning when a first-party cookie -- one that returns only to the site to which the user is connected -- is set on their hard drives. In effect, IE 5.5 treats third-party cookies as less secure technology than first-party cookies. Further, LeFurgy and others said, the barrage of "security alert" dialog boxes will scare users, inviting them to shut off third-party cookies.

"This is a beta test to test market acceptance of the concept of differentiated cookie settings," said Richard Purcell, director of corporate privacy at Microsoft. "We find that when there's a third party involved [privacy] information is generally hard to get. So we began planning ways that our technology might be useful to consumers."

Fear of third-party cookies is an understandable position given the notorious case of New York-based DoubleClick, which was investigated in May for plans to connect aggregate cookie data with a database that included names, addresses and other personal information. DoubleClick eventually backed off its plans; officials there had no comment on Microsoft's cookie management technology.

Such incidents, however, are an example of the pressure that e-businesses and advertisers are under to capture critical customer data.

"The average consumer doesn't understand what they're giving up when they block cookies," said Stefan Tornquist, marketing director at Bluestreak.com Inc., a Newport, R.I., online advertising and marketing company that offers technology that tracks traffic without cookies or in conjunction with cookies. "Today's invasion of privacy is tomorrow's convenience."

Bonnie Lowell, chief technology officer of the Personalization Consortium and co-chair of the group's privacy committee, also extolled the virtues of cookies -- as long as they're used prudently.

"I really would be concerned if people thought [Microsoft's cookie management] was the answer to the online privacy problem," Lowell said. "People have an expectation that all cookies are bad, but most are good cookies."

Nevertheless, the issue of cookies will likely end up under the microscope of the government on an ever-increasing pile of high-technology issues. Late this week, the Federal Trade Commission endorsed a plan by members of the Network Advertising Initiative, including DoubleClick, Engage, AdForce LLC and others, to regulate themselves under a set of privacy principles that give consumers more control over what those vendors do with data collected through third-party cookies.