The Zombie Cookie Threat

The use of so-called Zombie cookies, that survive the user deleting them from the browser, has been attracting attention recently, with a number of high profile companies being caught using them.

MSN is one of the latest companies found to be using cookie re-spawning techniques, as reported recently in The Register – a UK online magazine read widely by the IT industry.

Microsoft has blamed this on ‘old code’ that they say has now been removed from their websites, but they are not alone in use of these techniques.  Kissmetrics, a web analytics company was also found to be using similar techniques designed to get round users trying to protect privacy by deleting their cookies.  See the earlier article also in The Register.

It is important to note that Kissmetrics have issued a response to accusations about their technology, which is well worth a read.  Both companies are keen to point out that they respect user privacy.

I am not a legal expert, and am not claiming that either of these companies have broken any law, or that they are any less than professional and open about what they do with the data they collect.  What is interesting to me is the reaction this has provoked from some quarters in respect of the EU cookie legislation.

Some people have suggested that techniques used to continue tracking website visitors, despite their actions or desire to prevent it, show that the law is unworkable, and therefore should be scrapped or ignored.

I disagree.  The fact that such tracking techniques exist, and are being put to use (you can bet that these are not isolated instances), goes to show how important it is that users privacy wishes need to be respected.  Many less reputable companies could easily be using similar techniques.

Websites gather information about visitors, and this is valuable to the point that it enables many services to be offered to consumers free of charge in exchange.

There is nothing wrong with this, but it is important that people are made aware of what is happening, and be given a choice about what to do about it.  This means either agreeing to the exchange or not and accepting the consequences of that choice – which might mean fewer free websites for them.

The cookie legislation is all about creating an environment where visitors are given that choice up front – and enshrines in law the presumption of privacy being the default option.

There should be nothing controversial about this – in fact we expect this presumption in the real world.  When I walk down my local high street, I do not expect to give up my privacy, just to be allowed to look into the shop windows, but this is exactly what happens online every second.

It is true that the cookie law is imperfect, and may have unforseen consequences or fail to fulfill its aims, but that does not mean it is not a step in the right direction.