Managing cookies to protect patron privacy
An Educational Service of the American Library Association Office for Information Technology Policy
Prepared by Leslie Harris & Associates (www.lharris.com) in conjunction with OITP staff (www.ala.org/oitp)
------------------------------------------------------
Active management of cookies and other possible means of third-party online data collection is critical to protecting patron privacy in the library.
As discussed in prior tutorials, many web sites, especially commercial sites, use cookies to analyze traffic and purchase patterns, and to customize users' online experiences. Some use only "session" or "transient" cookies that track a user for a single session, while other sites use "persistent cookies" that may track a user's Internet habits over an extended period of time. Cookies of both types may be set to capture personally identifiable information. Whether personal information is successfully obtained may depend both on the design of the web site using the cookies and on the setup of the library's computer facilities. Web sites that request personally identifiable information, such as an e-mail address, may include some of that information in a cookie. The cookies may also include details about the user's indicated preferences for that web site.
Libraries may unintentionally provide additional personally identifiable information that can be captured by cookies. It often depends on how the computer login system is designed. If the library requires users to log in using library card information or their name, some cookies may capture that information. On the other hand, anonymous login systems may thwart privacy breaches. For example, it is less harmful for a cookie to capture the fact that 123456789@your.library.state.us visited a particular web site than the fact that jennifer.jones@your.library.state.us did so.
Librarians may wish to develop cookie management policies to help ensure both the privacy and confidentiality of library users, and to protect the security of their networks. Cookie management generally includes frequent removal of cookies from the cookie file and temporary Internet files at least once per day, and if possible, setting up computer systems so that cookies and temporary Internet files are completely erased when a user logs off the network. Additionally, if a library uses a personal identifier for Internet users, it may want to consider avoiding the use of actual names or a library card number that can be linked to a particular person. Libraries should also ensure that their own use of cookies (if any) is consistent with their policy for managing other cookies.
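Before settling on a removal schedule, it helps to see what the cookies on a public workstation actually hold. The following Python script is an added example, not part of the original tutorial: it reads a cookie file in the Netscape cookies.txt layout (an assumption about how the cookies are stored), classifies each cookie as session or persistent, and flags values that contain a login-style identifier. The sample data, the *.example domains and the function names audit and needs_attention are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in Netscape cookies.txt layout (tab-separated fields):
# domain, subdomain flag, path, secure, expiry (epoch seconds; 0 = session), name, value.
# The *.example domains are made up; the two addresses are the tutorial's own examples.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    ".shop.example\tTRUE\t/\tFALSE\t0\tcart\tabc123",
    ".ads.example\tTRUE\t/\tFALSE\t1893456000\tuid\t123456789%40your.library.state.us",
    ".news.example\tTRUE\t/\tFALSE\t1893456000\tlogin\tjennifer.jones%40your.library.state.us",
    ".news.example\tTRUE\t/\tFALSE\t0\tprefs\tlang=en",
    "truncated line without enough fields",
])

EMAIL = re.compile(r"([A-Za-z0-9._+-]+)@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def audit(text):
    """Classify each cookie by lifetime and by the kind of identifier in its value."""
    findings = []
    for line in text.splitlines():
        fields = line.split("\t")
        if line.startswith("#") or len(fields) != 7:
            continue  # comment, blank or malformed line
        domain, _, _, _, expiry, name, value = fields
        lifetime = "session" if expiry == "0" else "persistent"
        match = EMAIL.search(unquote(value))  # cookie values are often URL-encoded
        if match is None:
            identifier = "none"
        elif match.group(1).isdigit():
            identifier = "numeric-id"  # numeric login, as in the tutorial's anonymous example
        else:
            identifier = "named"       # login built from the patron's name
        findings.append((domain, name, lifetime, identifier))
    return findings

def needs_attention(findings):
    """Persistent cookies holding a name-based identifier: the more harmful
    case in the tutorial's comparison of the two login styles."""
    return [f for f in findings if f[2] == "persistent" and f[3] == "named"]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```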
-----------------------------------------------------
Further information:
Webopedia Definition & Links:
http://www.webopedia.com/TERM/c/cookie.html
NYT Article "Fighting to Make a City's Cookie Files Public" on a legal battle over whether "cookie" files are public records. (Site requires registration, and cookie acceptance)
http://www.nytimes.com/library/cyber/law/121897law.html
Cookie Central - Frequently Asked Questions About Cookies:
http://www.cookiecentral.com/faq/
Microsoft/Internet Explorer Information on Cookies:
http://www.microsoft.com/info/cookies.htm
Netscape Tech Support, "Cookies: What They Are and How They Work":
http://help.netscape.com/kb/consumer/19970226-2.html
"A recipe for cookie management: Integrate an easy-to-use library for client-side cookie handling" (highly technical article on using Java for cookie management)
http://www.javaworld.com/javaworld/jw-04-2002/jw-0426-cookie.html
Two products that advertise themselves as cookie management software are listed below. Neither LHA nor the ALA endorses them over other possible technology solutions. They are listed as examples and for informational purposes only.
Cookie Pal - cookie management software:
http://www.kburra.com/cpal.html
Cookie Crusher - cookie management software:
http://www.thelimitsoft.com/cookie/
-----------------------------------------------------
Copyright 2002, American Library Association, Office for Information Technology Policy
Disclaimer
This Online Privacy Tutorial is a service of the American Library Association. The content of this tutorial is primarily the work of Leslie Harris & Associates in Washington, DC. The views expressed in these messages are not necessarily the views of ALA or Leslie Harris & Associates. This tutorial is for information only and will not necessarily provide answers to concerns that arise in any particular situation. This service is not legal advice and does not include many of the technical details arising under certain laws. If you are seeking legal advice to address specific privacy issues, you should consult an attorney licensed to practice in your state.