New Knowledge: Browsers and Cookies

Outside the Internet of Things, the primary contact individuals have with the realm of Big Data is through their devices, especially smartphones and computers. Every single action made on a computer may be recorded, whether it be something that clears as a survey or an order form asking for personal information for a delivery, clicks on a webpage or the movement of a mouse. Through the various interactions individuals have

330 _Ibid

331 _{FTC Staff report Internet of Things: Privacy and Security in a Connected World, January}

2015 at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff- report-november-2013- workshop-entitled-internet-things-privacy/150127iotrpt.pdf (herafter FTC, 215).

332 _{Akamai, akamai’s [state of the internet] report (2014), p. 1, at}

https://www.antel.com.uy/wps/wcm/connect/2e38bd0047ad6c9682d3e7af6890d810/q3-2014- state-of-the-internetreport+(2).pdf?MOD=AJPERES .

88

with their devices, the controllers of those websites can easily record and track individuals333_{. Because any connection requires identification, some exchange of data is} necessary. In order to identify the individual over multiple visits, a website will install a cookie on the user’s computer, a small text file which will contain information about the website and the user. Cookies can be stored for a lengthy amount of time, and most users are not aware of how to find, much less review or remove, these cookies334_. Cookies can also be shared through multiple websites and across various services335_, which creates an invisible web in which individuals are reinforcing the data profiling operations of various third parties without being aware of it.

Originally, cookies, much like the rest of the Web, were varied and tailored to and by each website. As time went by, unified protocols and standards - Hypertext Transfer Protocol (HTTP), Uniform Resource Locator (URL) - ensured that everything about the connections between computers became easier336_{. As websites became more complex,} organisations started creating cookies which could be identified through their multiple servers337_{. This laid the groundwork for the modern cookie: a tool which can be used to} communicate from the user’s computer with various servers to transmit information.

Through the use of cookies, it is possible to track individuals through multiple websites: if an individual has a cookie from website X, and then visits website Y, it is possible for website Y to identify the individual from that cookie338_{. Many online advertisers have such} cookies, tracking and identifying individuals throughout multiple websites, and using the cookies to record data about user activity339_{. Variety being a major theme in the trends} of Big Data, the ability to link together data from multiple sources is vitally important, and has exponential effectiveness as the number of sources grows.

333 _{Hirsch, D. (2011), The Law and Policy of Online Privacy: Regulation, Self-Regulation, or Co-}

Regulation? Seattle University Law Review, Vol. 34, No. 2, 2011. Available at SSRN: http://ssrn.com/abstract=1758078

334 _{Nenoist, E. (2008) Collecting Data for the Profiling of Web Users, in Profiling the European}

citizen. Springer Netherlands

335 _{Brimsted, K. (2010), Behavioural Advertising: time to tame the cookie?, Privacy and Data}

Protection, 11 2 (, 7)

336_{Kristol, D. (2001). HTTP Cookies: Standards, privacy, and politics. ACM Transactions on} Internet Technology (TOIT) 1.2 : 151-198.

337 _Ibid

338_{Lin, D., & Loui, M. C. (1998). Taking the byte out of cookies: privacy, consent, and the Web} (Vol. 28, No. 2, pp. 39-51). ACM.

339 _{Brimsted (n.335)}

89

This practice has become very common across the industry340_{. Because more and more} consumers have been deleting cookies on a regular basis in response341_{, finding cookies} which last longer and are more reliable has been the source of much research. Because cookies are a main way in which websites track the number of visitors to a website, in particular in order to attract advertisers towards a website, being able to gauge traffic accurately has an important impact342_.

Several practices have sprung up in order to create ‘’stickier’’ cookies. An example is an online advertising company named “United Virtualities”, which developed a “Persistent Identification Element”, tagged to the user’s browser but not deletable343_{. These “Flash} Cookies” first came to prominence in 2005: they cannot be removed, have no expiry date, are stored in a different location from regular cookies, and are not controlled by the browser (and as such cannot be removed through clearing browser history). Even “Private Browsing” included in most browsers does not deter Flash Cookies, and a majority of major websites use them344_.

Cookies are being used in increasingly-creative ways to collect data. For example, some ultrasonic pitches have been embedded in various audio media - into TV commercials, browsers or apps - which are then detected by nearby devices, allowing cookies to pair a single user to multiple devices and keeping track of what the individual sees, how long they watch the ad, and how the person acts in reaction to the ad (such as buying a product, for example)345_{. There is a vast amount of value in creating a cohesive net} capturing all the data linked to one individual, which prompts such creations346_{, but also} represents a challenge to one’s informational privacy.

This cross-linking of data to ensure one individual is identified is not only limited to cookies, and is clearer than anywhere in the example of Google. In 2012, Google announced that all its accounts would be merged into one, whether they be Google+, Gmail, Youtube, or any other Google services347_{. One of the purposes of this ambitious}

340_{Soltani, A,, et al. (2010). Flash Cookies and Privacy. AAAI spring symposium: intelligent} information privacy management. Vol. 2010.

341 _Ibid

342_{Pierson, J., & Heyman, R. (2011). Social media and cookies: challenges for online privacy.} info, 13(6), 30-42.

343 _Ibid 344 _Ibid

345_{Soltani (n.340)} 346 _Ibid

347 _{The Guardian Staff and agencies (2012), Google user data to be merged across all sites}

under contentious plan, The Guardian, available at:

https://www.theguardian.com/technology/2012/jan/25/google-merge-user-data-privacy

90

move was, once and for all, to have only one individual, one identity, and one account owner to apply one profile to348_{, giving Google a very strong competitive position, to the} point that Google was fined €4.34 billion for abusing its competitive position in favor of its search engine349_{. This move has been followed by multiple platforms, including} Microsoft, uniting such wide services as Microsoft Office, Bing, Skype, MSN, or Microsoft’s Cloud service OneDrive (the name “One Drive” being another indicator of this trend to unite, aggregate, centralise a full suite of services).

This push towards creating one entity, one account, and merging digital and real-world identities has several implications, but the most important one is that it becomes possible for one entity not only to possess tremendous amounts of data about a person’s habits - tracking them from their e-mail to their office work all the way through their Cloud storage and online chat - but also become gatekeepers of that knowledge.

As we can see, data is being collected and centralised in wholly new ways, ways which allow us to gather a myriad of small, previously-unrecorded data points. As we will show later on, this change is part of what makes the notion of “personal data” more and more obsolete.

Overall, as we have seen, the “data collection” step, which should in principle be as unbiased and objective as possible since the data that is collected is raw, unchanged, actual data, in fact has a large number of factors which will determine what kind of Information can be created from that data. Depending on what data can be collected in the first place, what means the observer has to collect it, the limitations of the technology and the possible biases which drive the collection, the Information which will come out of the data collection will be entirely different.

This modularity of Information undermines the idea of “personal data” as understood by European data protection regulation. Under the “Information” paradigm, the same data can lead to privacy-invasive Information or not, depending on these factors. Nevertheless, one might argue that at the collection stage, the data collected can still be classified as “personal” and “non-personal”. It is in the following stages that things become even more difficult. We will now investigate the storage and aggregation steps and show how the resulting “sculpture” becomes more and more uncertain.

348 _Ibid

349 _{Commission Press Release, IP/18/4581 (Jul 18, 2018)}

91

II. Storage and Aggregation: the “Volume” and