Limitations of the CFAA: “Cookie” jar out of reach

Previous blog entries discussed how the continued broadening of the CFAA creates problems by allowing convictions for acts that should not be punishable. However, despite Congress’ use of ambiguous language in order to cover all the bases, some acts that should be punished under the CFAA are immune to its provisions. One example is the abuse of cookies.

Cookies are defined by Microsoft, rather optimistically, as “a very small text file placed on your hard drive by a Web Page server…[that] saves [] time” and aids in personalizing webpages. [1] While some cookies expire after a set session, some are more or less permanently stored on a computer. [2] In actuality, however, cookies are not as harmless as Microsoft and other online content providers that rely on customization would like you to believe. A quick search turns up several blogs and sites explaining how to exploit cookies. Alongside this plethora of “how to” sites on “cookie stealing,” most average internet users don’t know what cookies are or whether a particular site is using them (unless cookies are not enabled and a site urges you to use cookies). Therefore, stealing another’s cookies can amount to identity theft and unauthorized possession of private information.

Subsection (a)(2)(C) of the CFAA contains broad language that seems to cover this act: “Whoever…intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer…shall be punished.” Subsection (a)(5)(A) is an alternative, as it covers “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” Stealing cookies involves, at the very least, accessing cookies stored on another’s computer, whether that access is direct or through the sending of a program. Under the language of the statute alone, it seems that any manipulation of cookies would easily violate (a)(2)(C), as few users would be inclined to allow access to their cookies by anyone other than the sites they choose. Cookies are arguably abused even by relatively legitimate sites through the collection of data for personalized or targeted ads.

How has case law ruled on cookies? Cases brought under the CFAA have been overwhelmingly dismissed for lack of damage. A landmark case for internet cookies and the CFAA is In re Doubleclick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y.2001). Doubleclick placed cookies on users’ computers that collected data purportedly from “partner sites” and used this information to provide targeted advertising. (id.) Plaintiffs claimed that their loss was manifested in “an invasion of their privacy, a trespass to their personal property, and the misappropriation of confidential data by DoubleClick … [as well as the cost of the] affirmative steps [plaintiffs must take] to negate DoubleClick’s wrongful unauthorized access of their computers.” (id. at 523) However, the court does not find that these amount to damages over $5,000. (id.) It also compares online advertisements to real world advertisements by denying the claim that using cookies for customer data is not unjust enrichment. (id. at 525) The court also defers to Congress by mentioning that the “Consumer Internet Privacy Enhancement Act” (H.R. 237, 107th Cong. (2001), which never got passed) was currently being considered by Congress and aims to address the issues the Plaintiffs brought up. (id. at 526) In re Intuit Privacy Litigation, 138 F.Supp.2d 1272 (C.D. Cal., 2001) similarly dismissed the charge under the CFAA for lack of a showing of damages amounting to $5,000, although the court acknowledges that placing cookies satisfies the scienter element of subsection (a)(2)(C) and subsection (a)(5)(A). (id. at 1280).

Cookies are just one of many methods individuals and service providers can use to collect information, usually without the knowledge of the users they target. Still, the fact that case law has not used the CFAA to crack down on cookies demonstrates that the legislation could address (narrowly) privacy issues that don’t necessarily equate to massive financial damage.


~ by alyssaufl on January 11, 2010.

One Response to “Limitations of the CFAA: “Cookie” jar out of reach”

  1. […] permission. However, despite its ability to reach far and wide, the CFAA does not fully address issues that seem to comport with its initial intent of combating hackers or new organized methods of hacking and […]
