COMMENTS OF NETSCAPE CONCERNING CONSUMER ON-LINE PRIVACY-P954807

NETSCAPE

16 April 1997

Secretary
Federal Trade Commission
Room H - 159
Sixth Street & Pennsylvania Avenue, N.W.
Washington, D.C. 20580

Re: Consumer Privacy 1997 -- Comment P954897
Consumer Privacy 1997 -- Request to Participate P954807

Dear Secretary:

Netscape Communications Corporation would like to file comments focusing on the technological developments that have taken place since June 1996 with respect to HTTP state management information, otherwise known as cookies. Generally, cookies permit a web site operator to place information on the client software of a computer user who accesses information on a web site by visiting that site. Cookies are technically necessary to maintain information flows between the client and server software when transactions or ongoing relationships (e.g., magazine or newspaper subscriptions) between the client and server are taking place. However, many users are not aware of what information a web site operator may place on their client software on their computer or may not be aware of what they can do to control what information is placed on their client software.

Recent developments in the open technical standards process and by software manufacturers have led to the further evolution of cookies. Unfortunately, the details of the recent meeting of the Internet Engineering Task Force (IETF) are not yet available. As a result, Netscape is not able to file complete comments at this time. However, please find attached our preliminary comments.

Please do accept my apologies for this partial filing and its delay. Also, Netscape will submit a full report on cookie technology in approximately a month's time in advance of the upcoming FTC conference. I would like to request consideration to participate in Session 2 of the Consumer Privacy portion of the FTC Conference.

Thank you.

Sincerely,

Peter F. Hartley
Global Public Policy Counsel

cc: Martha Landesberg
Attorney, Division of Credit Practices

2.14 Interactive technology has evolved since June 1996 to address many of the privacy concerns expressed regarding cookies and what information was placed on a user's computer and with what notice and consent. Software manufacturers and open technical standards bodies have produced innovations that enable users to have more control over cookies and how web site operators are able to place information on one's computer. At this point in time many web site operators and related third parties are reviewing the technical standards concerning cookies. These improvements and changes in cookie technology will be implemented in upcoming versions of Netscape products. However, as Netscape is an open standards company we cannot at this time specifically detail the latest version of this cookie standard until the report of the most recent IETF meeting is released and reviewed.

2.15 Cookie technology enables web site operators and consumers to use the Internet for transactions and ongoing information relationships. The hypertext transfer protocol (HTTP) is a connectionless or stateless method of communicating data. In other words, once a browser (i.e., client software directed by the consumer or users) accesses a web site, a file containing the information that comprises the page to be viewed by the user is transmitted from the web site server machine via the HTTP to the client machine. The browser software interprets this information into a format that is perceptible by the user. This file remains in a cache or storage area on the client machine. Once the file is transmitted from the server to the client, the connection between the two machines is terminated.

When a user goes to access another page of information on that same server, a new connection is initiated. The server cannot recognize this new connection as the same user -- to the server the same user is a complete stranger. Cookies overcome this connectionless aspect of HTTP by providing a tool for servers to place some reference information on the client side of the communication. Commonly, when a user is shopping on a web site store and selects goods displayed on different pages, information about the items selected has to be collected somehow so that when the user goes to pay for them the server knows what items are in this particular user's shopping basket. Another example of the utility of cookies is that online publications that require some sort of user password and verification can use cookies to automatically log users in. As a result, users do not have to type in their password with each visit; the web site automatically recognizes the user via the cookie stored on the client machine. Also, the web site can present the content in a customized format (e.g., desired font size, language, text only), all to the convenience of the consumer.
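The shopping-basket exchange described above, as an added example that is not part of Netscape's filing: each `handle()` call stands for one separate connection, the server keeps the basket and the cookie carries only a random reference to it. The class names, the `sid` cookie name and the `/add/...` paths are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

class Store:
    """Toy web store; one handle() call models one independent HTTP connection."""
    def __init__(self):
        self.baskets = {}  # reference id -> items, held on the server only

    def handle(self, path, cookie_header=None):
        """Return (response_headers, basket) for a single request."""
        sid = None
        if cookie_header:
            jar = SimpleCookie()
            jar.load(cookie_header)
            # Accept only an id this server issued; anything else is a stranger.
            if "sid" in jar and jar["sid"].value in self.baskets:
                sid = jar["sid"].value
        headers = {}
        if sid is None:
            sid = secrets.token_urlsafe(16)  # unguessable reference value
            self.baskets[sid] = []
            out = SimpleCookie()
            out["sid"] = sid
            out["sid"]["path"] = "/"
            headers["Set-Cookie"] = out["sid"].OutputString()
        if path.startswith("/add/"):  # hypothetical "add to basket" URL
            self.baskets[sid].append(path[len("/add/"):])
        return headers, list(self.baskets[sid])

class Browser:
    """Client side: keeps what Set-Cookie delivers, unless the user refuses it."""
    def __init__(self, accept_cookies=True):
        self.accept_cookies = accept_cookies
        self.jar = SimpleCookie()

    def get(self, server, path):
        header = "; ".join(f"{k}={m.value}" for k, m in self.jar.items()) or None
        headers, basket = server.handle(path, header)
        if self.accept_cookies and "Set-Cookie" in headers:
            self.jar.load(headers["Set-Cookie"])
        return basket

def demo():
    """Same three requests from a browser that keeps cookies and one that does not."""
    store = Store()
    keeps, refuses = Browser(True), Browser(False)
    for b in (keeps, refuses):
        b.get(store, "/add/book")
        b.get(store, "/add/pen")
    return keeps.get(store, "/checkout"), refuses.get(store, "/checkout")
```

The browser that refuses cookies reaches checkout with an empty basket, because every one of its connections is treated as a new visitor.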

While there are many benefits associated with cookies, there are some perceived and potential risks that industry and the open standards process are addressing. Primarily, such risks to consumers concern user control over the data that is placed on their machine by a web site server. Fortunately, the increasing sophistication of client software enables users to take more control over what information is placed on their hard drive via cookies. As for risks to web site operators, the risks may rest with possible liability for management of the information that they may collect -- an activity that is neutral to the particular tool employed (i.e., cookies).

At some point in the ongoing discussion of the role of technology and industry in providing solutions and self-regulatory standards for protecting privacy there may be the need to identify means available to web site operators to somehow state on their web site what their cookie practices are. This sort of notice to users should not be intrusive and negatively impact the economic value of the finite space of a web page. However, it should also be conspicuous enough so that users are aware of such notice. Perhaps such a notice could be as simple as the current practice by many web sites that have a "Copyright" link on their main page that takes a user to a page setting forth the site's copyright policy.

Netscape Communications Corporation, 501 East Middlefield Road, Mountain View, CA 94043
Telephone 415.254.1900 Facsimile 415.528.4124