
Abstract

Consent is the Philosophers' Stone of the law: it can transmute an unconstitutional search into a lawful one, a criminal act into a legal one, or a tort into a contract. As technology has evolved, so has this fundamental legal concept. New forms of communication call for new ways to obtain and manifest consent. Examples include shrink-wrap licenses, click-to-accept licenses, faxed signatures, e-mails, and e-signatures. Each of these forms, however, requires some affirmative action by the person sought to be bound. An emerging issue is whether permissions granted by a computer program can constitute consent on behalf of the computer's owner, particularly where the permissions are set by default in the distributed form of the program rather than by a conscious decision by the owner to set them.

On November 8, 2005, the Boston Globe reported that Computer Associates International had concluded that Sony BMG was distributing music compact discs which contained not only the music that purchasers wanted, but also code which would run on the purchaser's computer, collect information about the purchaser, and report that information back to Sony. On November 18, 2005 (following Microsoft's decision to classify the Sony program as spyware and provide tools to remove it), Sony recalled the CDs and offered to replace those that had already been sold.

On December 29, 2005, the New York Times reported that the National Security Agency had used cookies in transactions on its website in violation of agency guidelines which had been in place since at least as early as 1999. On January 6, 2006, CNET reported that "[s]ixty-six politicians in the U.S. Senate and House of Representatives are setting permanent Web cookies even though at least 23 of them have promised not to use the online tracking technique." These are clear examples, and probably isolated instances, of violations of computer users' rights. There are, however, widespread uses of similar technology that pose significantly more far-reaching issues.

Cookies are files stored on a user's computer (the client) on instruction from a second computer (the server) when the client's web browser software (browser) communicates with the server's website. These files typically contain encrypted information relating to the transaction between the client and server. By default, current browsers "accept cookies," that is, they allow the server to write these files to the client and to store them for a period of time determined by the server. Since the data in the file is under the control of the server, it can be used to record and monitor the transactions between the client and server. If the server has appropriate decrypting capability, it can also monitor transactions between the client and other servers. The use of cookies without consent of the user raises a number of issues:

* First, does the use of cookies constitute a trespass on the client computer?

* Second, when the server is controlled by a private party, does its use of cookies constitute unauthorized access to a computer in violation of criminal law?

* Third, when the server is controlled by a government agency, does its use of cookies constitute (in addition to the above violation of rights) an unlawful search in violation of the Fourth Amendment or an unlawful seizure of property in violation of the Fifth Amendment?

* And fourth, if the use of cookies without permission violates criminal law, individual constitutional rights, or other rights, is there potential secondary liability for the providers of the browser software under the principles announced by the Supreme Court in MGM v. Grokster?

Technically, a browser will not accept a cookie from a website unless its permissions have been set to do so. Does this technical answer (cookies are used only when permission has been given in a technical sense) equate to "consent" in the legal sense sufficient to authorize the transaction and insulate the setter of the cookie from the above types of liability?

If the answer is "no," then websites which set cookies are at risk for civil and criminal liability, government websites which set cookies further risk violating constitutional rights, and the distributors of web browsers face potential secondary liability for the use of their products.
