Could “Undeletable” Cookies Be a Felony in Pennsylvania?

Could “Undeletable” Cookies, Zombie Cookies, Flash Cookies, “Super-cookies” or Malcookies Be a Felony in Pennsylvania?

Insidious web tracking. “Undeletable” cookies. Zombie cookies. Malcookies.[FN1] Flash cookies. Euphemistically termed “super-cookies.” Web cookie viruses. No matter what term is applied, the distribution of the code that delivers these technologies and the use of the technology by companies arguably might be felonies in Pennsylvania.[FN2]

Secret Web Tracking

Recent news reports allege that companies are deploying “undeletable” web cookies, or what might be called cookie viruses or malcookies, to track web users.[FN3] Web tracking is nothing new. The stateless nature of HTTP has traditionally posed legitimate challenges for web application developers.

But these new cookie viruses may have the potential to go beyond maintaining mere persistence and instead (1) intentionally circumvent the security and privacy settings of the user’s web browser and (2) insidiously re-spawn (replicate) themselves even if the web user deletes the “cookie.” The initial reports indicate that the cookie virus writers apparently use tiny computer programs [FN4] to replicate, or re-spawn, the cookie and to track users. Whether in reality or in theory, such computer programs potentially raise interesting and novel questions in light of Pennsylvania criminal law.

Pennsylvania Computer Offenses Laws

Pennsylvania has a specific computer crimes section of law. Several of the crimes defined in the section are felonies—i.e., serious crimes. At least two sections of the Criminal Code might apply to the “undeletable” cookies (and perhaps generally to other forms of web tracking that similarly circumvent the user’s settings).

A Case for Felony Distribution of [Cookie] Viruses in Pennsylvania

The Pennsylvania Computer Offenses Law (18 Pa. C.S. 7601) defines a computer virus as:

A computer program [("an ordered set of instructions or statements")] copied to, created on or installed to a computer, computer network, computer program, computer software or computer system without the informed consent of the owner of the computer, computer network, computer program, computer software or computer system that may replicate itself and that causes or can cause unauthorized activities within or by the computer, computer network, computer program, computer software or computer system.

The “undeletable” cookies appear to meet this definition. The computer software creating the cookie performs unauthorized activities on the target computer because the cookie software intentionally ignores the express settings and possibly actions of the user (such as deleting cookies). The owner presumably has not given informed consent because the cookie software might circumvent the express settings and because the owner might not even be aware of the actions. Thus, arguably, the “undeletable” cookie code might be a computer virus under Pennsylvania law.

In Pennsylvania, virus distribution or even possession with intent to distribute can be a felony. The crime of Distribution of Computer Virus (18 Pa.C.S. 7616(a)) is defined as:

A ... person intentionally or knowingly ... distributes ... computer software ... that is designed or has the capability to: ... control, ... or disrupt [or degrade] the normal operation or use of a computer, computer program, ... [or] World Wide Web site ....

If the initial reports are accurate, the distribution or use of the “undeletable” cookies code might meet this definition because the JavaScript controls and disrupts the web browser cache by re-spawning the cookie and plainly disrupts the normal operation of the web browser cache (which apparently is what makes the cookie viruses so enticing to web marketers because this type of activity is expressly not normal). Furthermore, the “undeletable” cookie intentionally circumvents the web user’s choices regarding privacy settings, Do Not Track settings, and cookie settings and thus takes control from the user and disrupts the user’s actions (for example, deletion)—again, this is likely what makes the cookie viruses so enticing to web marketers.

In addition, if the examples of ETag use related to some “undeletable” cookies are accurate, there is additional evidence that the distributors of the ETag [abusing] scripts are “disrupting the normal operation of the computer” because ETags are intended to reduce web site download times and not to act as a repository for secret tracking information.[FN5]

Thus, the writers and distributors of these “undeletable” cookies, or cookie viruses, might be committing a felony under Pennsylvania law. (See 18 Pa.C.S. 7616(b)). Ironically, because of the very way the cookie viruses operate, even if these cookie virus writers and distributors claim to reside outside Pennsylvania, the offense occurs in Pennsylvania if the end-user’s computer is in Pennsylvania. See 18 Pa.C.S. 7602.

A Case for Unlawful Use of Computer and Other Computer Crimes in Pennsylvania

In addition to the potential virus aspects of these technologies, the Pennsylvania Computer Offenses Law also defines a felony crime of Unlawful use of computer and other computer crimes (18 Pa.C.S. 7611). While the definition is lengthy and detailed, essentially a person commits the felony if that person:

intentionally and without authorization accesses or exceeds authorization to access, alters, interferes with the operation of, damages or destroys any computer, computer system, computer network, computer software, computer program, computer database, World Wide Web site or telecommunication device or any part thereof.

Again, if the reports are accurate, “undeletable” cookies likely meet this definition because the distributors of the JavaScript apparently intentionally exceed authorization and intentionally interfere with the operation of the web browser program by (1) ignoring the Do Not Track, privacy, and normal cookie settings specified by the user or (2) circumventing the actions of the end user, such as deleting cookies.

Similar to the cookie virus argument above, if the examples of ETag use are accurate, there is additional evidence that the distributors of the ETag [abusing] scripts are “alter[ing]” or “disrupt[ing]” the functions of the web browser and computer (remember, ETags are intended to reduce web site download times and not to act as a repository for secret tracking information and thus by definition are altering or disrupting).[FN5]

Thus, the writers and distributors of these “undeletable” cookies, or cookie viruses, might be committing another type of felony under Pennsylvania law. (See 18 Pa.C.S. 7611(b)). Again, ironically, because of the way the cookie viruses operate, even if these cookie virus writers and distributors claim to reside outside Pennsylvania, the offense occurs in Pennsylvania if the end-user’s computer is in Pennsylvania. See 18 Pa.C.S. 7602.

Conclusion

While web tracking is, to some, a controversial issue, the specific technologies mentioned in the recent news reports might run afoul of the Pennsylvania Computer Offenses Laws. Even the potential for such technologies, at minimum, raises novel issues and questions after review of the Pennsylvania Computer Offenses Laws.

Update: Facebook Tracking Cookies Suit

In an apparently related context, a litigant seeking federal class action lawsuit status claims cookie tracking constitutes a federal wiretap (remember, Pennsylvania has a very similar Wiretap Act, 18 Pa. C.S. 5701 et seq.) violation. See Brett Barroquere, Ky. Man Sues Facebook Over Tracking Web Habits, Law Technology News (October 12, 2011) http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202518567824&Ky_Man_Sues_Facebook_Over_Tracking_Web_Habits_=&et=editorial&bu=LTN&cn=LTN_20111012&src=EMC-Email&pt=Law%20Technology%20News&kw=Ky.%20Man%20Sues%20Facebook%20Over%20Tracking%20Web%20Habits

Update: FTC Action on Flash Cookies

The FTC has taken action against one purported “flash cookie” vendor. ScanScout apparently told consumers that cookies were being deleted when they were not. According to news reports, the FTC settled the action by requiring more explicit ability to actually delete the cookies. See Dan Goodin, Advertiser settles charges for use of Adobe Flash cookies, The Register (Nov. 8, 2011) http://www.theregister.co.uk/2011/11/08/flash_cookie_privacy_settlement/ and Tom Loftus, FTC Settles with Online Advertiser over Flash Cookie Use, Wall Street Journal (Nov. 8, 2011) http://blogs.wsj.com/digits/2011/11/08/ftc-settles-with-online-advertiser-over-flash-cookie-use/ .

The FTC action illustrates an important issue. As I list above, there are several types of undeletable technologies. Flash cookies are only one type. Note that the FTC action addresses only the deceptiveness of one type of undeletable cookie but not the Pennsylvania criminal code issues identified above.

Footnotes

FN1—I suggest this term to generally describe malicious cookies or cookie viruses.

FN2—This posting is not intended to comment on specific companies. The posting merely suggests that general technology of this type (if true and accurate) might raise novel and interesting issues related to the Pennsylvania Criminal Code.

FN3—At least one company implicated in the discussion claims that the reports are wrong. See Hiten Shah, Official KISSmetrics Response to Data Collection Practices, KISSmetrics Website (2011) http://blog.kissmetrics.com/official-kissmetrics-response-to-data-collection-practices/

FN4—The cookie programs are written in JavaScript and thus importantly meet the definition of “computer software” which is defined in the criminal code as “an ordered set of instructions or statements.” See 18 Pa. C.S. 7601.

FN5—See, e.g., HTTP ETag, Wikipedia, https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_ETag .

General References

Mika Ayenson, Dietrich James Wambach, Ashkan Soltani, Nathan Good, and Chris Jay Hoofnagle, Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (July 29, 2011) http://ssrn.com/abstract=1898390

Dan Goodin, Sneaky tracking code (finally) purged from Microsoft sites, The Register (Aug. 22, 2011) http://www.theregister.co.uk/2011/08/22/microsoft_zombie_cookie_disclosure/

Dan Goodin, Man reveals secret recipe behind undeletable cookies, The Register (Aug. 16, 2011) http://www.theregister.co.uk/2011/08/16/cookie_respawning_secrets_revealed/

Jabulani Leffall, Microsoft Cuts ‘Supercookies’ out of its Diet, Microsoft Certified Professional Magazine (Aug. 23, 2011) http://mcpmag.com/Leffall1011 (cited in SuperCookies Crumble, Redmond Magazine 4 (Oct. 2011).)

Jonathan Mayer, Tracking the Trackers: Microsoft Advertising, The Center for Internet and Society (Aug. 18, 2011) http://cyberlaw.stanford.edu/node/6715

Microsoft Privacy Team, Update on the issue of ‘supercookies’ used on MSN, TechNet Blogs: Microsoft Privacy & Safety (Aug. 18, 2011) https://blogs.technet.com/b/privacyimperative/archive/2011/08/19/update-on-the-issue-of-supercookies-used-on-msn.aspx

Hiten Shah, Official KISSmetrics Response to Data Collection Practices, KISSmetrics Website (2011) http://blog.kissmetrics.com/official-kissmetrics-response-to-data-collection-practices/

Ryan Singel, Spotify, Spokeo, AOL, Others Sued Over Web Tracking, Wired (Aug. 3, 2011) http://www.wired.com/epicenter/2011/08/tracking-lawsuit/

Ryan Singel, Researchers Expose Cunning Online Tracking Service That Can’t Be Dodged, Wired (July 29, 2011) http://www.wired.com/epicenter/2011/07/undeletable-cookie/

Ryan Singel, Web-Analytics Firm KISSmetrics Reverses Course on Sneaky Tracking, Wired (Aug. 1, 2011) http://www.wired.com/epicenter/2011/08/kissmetrics_reversal/

Publication Information

Original Research: 18 August 2011
Original Publication: 24 August 2011
Update: 09 October 2011
Update: 12 October 2011
Update: 14 November 2011