Consent is the Philosophers' Stone of the law: it can transmute an unconstitutional search into a lawful one, a criminal act into a legal one, or a tort into a contract. As technology has evolved, so has this fundamental legal concept. New forms of communication call for new ways to obtain and manifest consent. Examples include shrink-wrap licenses, click-to-accept licenses, faxed signatures, e-mails, and e-signatures. Each of these forms, however, requires some affirmative action by the person sought to be bound. An emerging issue is whether permissions granted by a computer program can constitute consent on behalf of the computer's owner, particularly where the permissions are set by default in the distributed form of the program rather than by a conscious decision by the owner to set them.
On November 8, 2005, the Boston Globe reported that Computer Associates International had concluded that Sony BMG was distributing music compact discs which contained not only the music that purchasers wanted, but also code which would run on the purchaser's computer, collect information about the purchaser, and report that information back to Sony. On November 18, 2005 (following Microsoft's decision to classify the Sony program as spyware and provide tools to remove it), Sony recalled the CDs and offered to replace those that had already been sold.
On December 29, 2005, the New York Times reported that the National Security Agency had used cookies in transactions on its website in violation of agency guidelines which had been in place since at least as early as 1999. On January 6, 2006, CNET reported that "[s]ixty-six politicians in the U.S. Senate and House of Representatives are setting permanent Web cookies even though at least 23 of them have promised not to use the online tracking technique." These are clear examples, and probably isolated instances, of violations of computer users' rights. There are, however, widespread uses of similar technology that pose significantly more far-reaching issues.
Technically, a browser will not accept a cookie from a website unless its permissions have been set to do so. Does this technical answer- cookies are used only when permission has been given in a technical sense-equate to "consent" in the legal sense sufficient to authorize the transaction and insulate the setter of the cookie from the above types of liability?
If the answer is "no," then websites which set cookies are at risk for civil and criminal liability, government websites which set cookies further risk violating constitutional rights, and the distributors of web browsers face potential secondary liability for the use of their products.
Max Stul Oppenheimer,
Internet Cookies: When is Permission Consent?,
85 Neb. L. Rev.
Available at: http://digitalcommons.unl.edu/nlr/vol85/iss2/3