How the Cookie Crumbles

Written by Evan Schuman
December 29th, 2005

The National Security Agency, whose NSA initials are typically preceded by “super secret” or a similar cool-sounding phrase, is known as the home for code-breakers extraordinaire.

After 9/11, the NSA was given even more freedom to do whatever it takes to track terrorists and identify their plots. The New York Times recently reported about their efforts to conduct more domestic surveillance without warrants or any court authorization.

So it was a bit curious when the NSA this week was accused of violating federal government procedure and harboring cookies on their public Web site. More curious yet that the NSA leaped into action to remove the offending cookies and that the Associated Press covered this.

These cookies were not spyware (although if any site had a right to have spyware, it would be the NSA) or anything malicious.

They didn’t even pose a privacy threat, as the NSA site requires no passwords and seeks no registration. There is no newsletter to flag updated content because there isn’t much content to update and that which is there isn’t updated very often.

Privacy aficionado Daniel Brandt found the cookies on his machine after visiting the NSA site and contacted the agency, which apparently had the cookies because of a default ColdFusion setting.

Brandt said the violation is not sexy in and of itself, but it is a violation of Clinton era government policy and it should be followed strictly.

“It’s kind of a boring site,” Brandt said. “But even if it’s a non-issue, as it appears to be in this case, you have to call them on it.”

What’s more interesting, though, is that the NSA complied and complied so quickly. Yes, the super-secret agency was freaked out by the bogeyman of Web sites: the misunderstood cookie.

An innocuous piece of code (in this case at least) accidentally placed on the site merited national wire service attention along with stories in The Fort Wayne Journal-Gazette, Fort Worth Star-Telegram, The Kansas City Star, The Miami Herald, The Philadelphia Inquirer, The Atlanta Journal-Constitution and The San Jose Mercury News, among many others.

What does this have to do with retail IT? Cookies are chronically misunderstood and are perceived as vaguely dangerous.

Cookies are typically safe and not even especially intrusive. For the vast majority of sites, they are indeed conveniences allowing users to not have to re-register or repeatedly key in their password.

Yes, they do have marketing value in knowing what pages customers look at, but few use that information, other than in aggregate.

But, as this column has said many times, reality can’t hold the proverbial candle to perception.

Privacy policies are rarely taken seriously, but they should be. If for no other reason, take the privacy policies seriously and detail all cookie usage so that you can later say that all site visitors knew about the usage.

After all, consumers routinely read privacy policy statements, don’t they?, he asked cynically.

Another important take-away from this NSA situation is consumer education. Most consumers that fully understand cookies and registration forms and whatnot don’t have an issue with them.

Those consumers generally want the information being offered and appreciate the convenience. They must appreciate the implicit trade-off: give us a little information instead of having to give us money.

Privacy policy respect and consumer education are two decent ways to take the scare out of the cookie bogeyman. If they can scare an NSA spook, imagine what it will do to an uninformed consumer casually reading the local newspaper?


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.