Could “Undeletable” Cookies Be a Felony in Pennsylvania?
Could “Undeletable” Cookies, Zombie Cookies, Flash Cookies, “Super-cookies” or Malcookies Be a Felony in Pennsylvania?
Insidious web tracking. “Undeletable” cookies. Zombie cookies. Malcookies.[FN1] Flash cookies. Euphemistically termed “super-cookies.” Web cookie viruses. No matter what term is applied, the distribution of the code that delivers these technologies and the use of the technology by companies arguably might be felonies in Pennsylvania.[FN2]
Secret Web Tracking
Recent news reports allege that companies are deploying “undeletable” web cookies, or what might be called cookie viruses or malcookies, to track web users.[FN3] Web tracking is nothing new. The stateless nature of HTTP has traditionally posed legitimate challenges for web application developers.
But these new cookie viruses may have the potential to go beyond maintaining mere persistence: they may (1) intentionally circumvent the security and privacy settings of the user’s web browser and (2) insidiously re-spawn (replicate) themselves even if the web user deletes the “cookie.” The initial reports indicate that the cookie virus writers apparently use tiny computer programs [FN4] to replicate, or re-spawn, the cookie and to track users. Whether in reality or in theory, such computer programs potentially raise interesting and novel questions in light of Pennsylvania criminal law.
Pennsylvania Computer Offenses Laws
Pennsylvania has a specific computer crimes section of law. Several of the crimes defined in the section are felonies—i.e., serious crimes. At least two sections of the Criminal Code might apply to the “undeletable” cookies (and perhaps generally to other forms of web tracking that similarly circumvent the user’s settings).
A Case for Felony Distribution of [Cookie] Viruses in Pennsylvania
The Pennsylvania Computer Offenses Law (18 Pa. C.S. 7601) defines a computer virus as:
A computer program [("an ordered set of instructions or statements")] copied to, created on or installed to a computer, computer network, computer program, computer software or computer system without the informed consent of the owner of the computer, computer network, computer program, computer software or computer system that may replicate itself and that causes or can cause unauthorized activities within or by the computer, computer network, computer program, computer software or computer system.
The “undeletable” cookies appear to meet this definition. The computer software creating the cookie performs unauthorized activities on the target computer because the cookie software intentionally ignores the express settings and possibly actions of the user (such as deleting cookies). The owner presumably has not given informed consent because the cookie software might circumvent the express settings and because the owner might not even be aware of the actions. Thus, arguably, the “undeletable” cookie code might be a computer virus under Pennsylvania law.
In Pennsylvania, virus distribution or even possession with intent to distribute can be a felony. The crime of Distribution of Computer Virus (18 Pa.C.S. 7616(a)) is defined as:
A ... person intentionally or knowingly ... distributes ... computer software ... that is designed or has the capability to: ... control, ... or disrupt [or degrade] the normal operation or use of a computer, computer program, ... [or] World Wide Web site ....
In addition, if the examples of ETag use related to some “undeletable” cookies are accurate, there is additional evidence that the distributors of the ETag [abusing] scripts are “disrupting the normal operation of the computer” because ETags are intended to reduce web site download times and not to act as a repository for secret tracking information.[FN5]
Thus, the writers and distributors of these “undeletable” cookies, or cookie viruses, might be committing a felony under Pennsylvania law. (See 18 Pa.C.S. 7616(b)). Ironically, because of the very way the cookie viruses operate, even if these cookie virus writers and distributors claim to reside outside Pennsylvania, the offense occurs in Pennsylvania if the end-user’s computer is in Pennsylvania. See 18 Pa.C.S. 7602.
A Case for Unlawful Use of Computer and Other Computer Crimes in Pennsylvania
In addition to the potential virus aspects of these technologies, the Pennsylvania Computer Offenses Law also defines a felony crime of Unlawful use of computer and other computer crimes (18 Pa.C.S. 7611). While the definition is lengthy and detailed, essentially one commits the felony if a person:
intentionally and without authorization accesses or exceeds authorization to access, alters, interferes with the operation of, damages or destroys any computer, computer system, computer network, computer software, computer program, computer database, World Wide Web site or telecommunication device or any part thereof.
Similar to the cookie virus argument above, if the examples of ETag use are accurate, there is additional evidence that the distributors of the ETag [abusing] scripts are “alter[ing]” or “disrupt[ing]” the functions of the web browser and computer (remember, ETags are intended to reduce web site download times and not to act as a repository for secret tracking information and thus by definition are altering or disrupting).[FN5]
Thus, the writers and distributors of these “undeletable” cookies, or cookie viruses, might be committing another type of felony under Pennsylvania law. (See 18 Pa.C.S. 7611(b)). Again, ironically, because of the way the cookie viruses operate, even if these cookie virus writers and distributors claim to reside outside Pennsylvania, the offense occurs in Pennsylvania if the end-user’s computer is in Pennsylvania. See 18 Pa.C.S. 7602.
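The ETag misuse and cookie re-spawning discussed in the two sections above can be checked for in an audit. The following is an added example, not code from the cited reports; the record layout, host names and values are constructed for illustration. It flags a resource whose identical bytes were served with different ETags to two fresh browser profiles, and a cookie that returns with the same value after the user clears it.

```python
from collections import defaultdict

def normalize_etag(etag):
    """Drop the weak-validator prefix so W/"x" and "x" compare equal."""
    return etag[2:] if etag.startswith("W/") else etag

def per_client_etags(observations):
    """Return {url: sorted ETags} for resources where the same body bytes
    were served with more than one ETag across browser profiles."""
    by_url = defaultdict(lambda: defaultdict(set))  # url -> body hash -> ETags
    for obs in observations:
        by_url[obs["url"]][obs["body_sha256"]].add(normalize_etag(obs["etag"]))
    flagged = {}
    for url, by_body in by_url.items():
        for etags in by_body.values():
            if len(etags) > 1:  # a cache validator should depend on content only
                flagged[url] = sorted(etags)
    return flagged

def respawned_cookies(events):
    """Return (name, value) pairs that were set, cleared by the user,
    and then set again with the same value."""
    jar, cleared, respawned = {}, {}, set()
    for ev in events:
        if ev[0] == "set":
            _, name, value = ev
            if cleared.get(name) == value:
                respawned.add((name, value))
            jar[name] = value
        elif ev[0] == "clear":  # user deletes all cookies
            cleared.update(jar)
            jar.clear()
    return respawned

# Constructed sample data (hypothetical hosts, hashes shortened for readability).
OBSERVATIONS = [
    {"profile": "fresh-A", "url": "https://tracker.example/t.js", "body_sha256": "ab12", "etag": '"u-7f3a91"'},
    {"profile": "fresh-B", "url": "https://tracker.example/t.js", "body_sha256": "ab12", "etag": '"u-c04e22"'},
    {"profile": "fresh-A", "url": "https://cdn.example/lib.js", "body_sha256": "9f00", "etag": 'W/"v42"'},
    {"profile": "fresh-B", "url": "https://cdn.example/lib.js", "body_sha256": "9f00", "etag": '"v42"'},
]
EVENTS = [("set", "uid", "7f3a91"), ("clear",), ("set", "uid", "7f3a91"),
          ("set", "sess", "r1"), ("clear",), ("set", "sess", "r2")]

if __name__ == "__main__":
    print(per_client_etags(OBSERVATIONS))
    print(respawned_cookies(EVENTS))
```

A per-client ETag is a lead rather than proof: some servers derive ETags from per-backend file metadata, so confirm by checking whether the value is later echoed into a cookie or request parameter.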
While web tracking is, to some, a controversial issue, the specific technologies mentioned in the recent news reports might run afoul of the Pennsylvania Computer Offenses Laws. Even the potential for such technologies, at minimum, raises novel issues and questions after review of the Pennsylvania Computer Offenses Laws.
Update: Facebook Tracking Cookies Suit
Update: FTC Action on Flash Cookies
The FTC action illustrates an important issue. As I list above, there are several types of undeletable technologies. Flash cookies are only one type. Note that the FTC action addresses only the deceptiveness of one type of undeletable cookie but not the Pennsylvania criminal code issues identified above.
FN1—I suggest this term to generally describe malicious cookies or cookie viruses.
FN2—This posting is not intended to comment on specific companies. The posting merely suggests that general technology of this type (if true and accurate) might raise novel and interesting issues related to the Pennsylvania Criminal Code.
FN3—At least one company implicated in the discussion claims that the reports are wrong. See Hiten Shah, Official KISSmetrics Response to Data Collection Practices, KISSmetrics Website (2011) http://blog.kissmetrics.com/official-kissmetrics-response-to-data-collection-practices/
FN5—See, e.g., HTTP ETag, Wikipedia, https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_ETag .
Mika Ayenson, Dietrich James Wambach, Ashkan Soltani, Nathan Good, and Chris Jay Hoofnagle, Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (July 29, 2011) http://ssrn.com/abstract=1898390
Dan Goodin, Sneaky tracking code (finally) purged from Microsoft sites, The Register (Aug. 22, 2011) http://www.theregister.co.uk/2011/08/22/microsoft_zombie_cookie_disclosure/
Dan Goodin, Man reveals secret recipe behind undeletable cookies, The Register (Aug. 16, 2011) http://www.theregister.co.uk/2011/08/16/cookie_respawning_secrets_revealed/
Jonathan Mayer, Tracking the Trackers: Microsoft Advertising, The Center for Internet and Society (Aug. 18, 2011) http://cyberlaw.stanford.edu/node/6715
Microsoft Privacy Team, Update on the issue of ‘supercookies’ used on MSN, TechNet Blogs: Microsoft Privacy & Safety (Aug. 18, 2011) https://blogs.technet.com/b/privacyimperative/archive/2011/08/19/update-on-the-issue-of-supercookies-used-on-msn.aspx
Hiten Shah, Official KISSmetrics Response to Data Collection Practices, KISSmetrics Website (2011) http://blog.kissmetrics.com/official-kissmetrics-response-to-data-collection-practices/
Ryan Singel, Spotify, Spokeo, AOL, Others Sued Over Web Tracking, Wired (Aug. 3, 2011) http://www.wired.com/epicenter/2011/08/tracking-lawsuit/
Ryan Singel, Researchers Expose Cunning Online Tracking Service That Can’t Be Dodged, Wired (July 29, 2011) http://www.wired.com/epicenter/2011/07/undeletable-cookie/
Ryan Singel, Web-Analytics Firm KISSmetrics Reverses Course on Sneaky Tracking, Wired (Aug. 1, 2011) http://www.wired.com/epicenter/2011/08/kissmetrics_reversal/
Original Research: 18 August 2011
Original Publication: 24 August 2011
Update: 09 October 2011
Update: 12 October 2011
Update: 14 November 2011