Internet Privacy
INTERNET PRIVACY
THE INTERNET AND PRIVACY LEGISLATION:
COOKIES FOR A TREAT?
Viktor Mayer-Sch6nberger
Viktor Mayer-Sch6nberger looks at the privacy threat posed by the 'cookie' which enables personal information
to be transferred to an Internet Web server every time a user directs the Web browser to display a certain Web
page from that server.
The Internet is a remarkable success story. Today, billions of
bits of information travel around the world o n a daily basis,
c o n n e c t i n g more than 80 million people not only with each
other b u t also with vast resources of data and access to
n u m e r o u s services around the globe. 1This success would n o t
have b e e n possible without the introduction of the World
Wide Web (WWW) as a tool that tmlformly organizes a wide
variety of media (text, graphics, pictures, sound and video)
available o n the Iuternet so that even the inexperienced
W W W user has access to all of it through a simple user-friend-
ly interface. 2
Users may n o w 'surf' through vast seas Of data as the Web
has b e c o m e the dominate mode of c o m m u n i c a t i o n on the
Iuternet. 3 Software companies that design Web content, and
especially those that develop Web 'browsing' software have
recently b e c o m e the hottest commodity o n Wall Street,
churning out release after release of their products at aston-
ishing speeds. 4
But despite sharp increases in both the n u m b e r of
Internet users and the amount of m o n e y involved in online
businesses, the Internet remains relatively u n t o u c h e d b y leg-
islators around the world. Only recently have law makers
b e g a n e n a c t i n g statutes aimed at regulating I n t e r n e t
content. 5 Few of these attempts are well-planned, leaving
t h e m susceptible to grave c o n s t i t u t i o n a l problems. 6
Nevertheless the legislative desire and the public d e m a n d to
limit child pornography, blatant advocacy of genocide, racism
and terrorism o n the anarchic international information and
c o m m u n i c a t i o n networks are understandable. 7
However, while the world focuses o n these fringes of
Internet communication, other, more dangerous and invasive
features of the Web have received little attention in the public
debates.This article focuses o n one such overlooked feature -
the 'cookie' - - and its broad international legal implications.
These 'Persistent Client State HTTP Cookies 's, as they have
b e e n called, can poteutially disclose personal information of
unsuspecting Web 'users' at an unimaginable rate, violating a
n u m b e r of national and international legal n o r m s protecting
designed to protect personal data.
166 Computer Law & Security Report Vol. 14 no. 3 1998
© 1998, Elsevier Science Ltd.
1.THE 'COOKIE' CONCEPT
The W W W is built o n a very simple, but powerful premise: all
material o n theWeb is formatted in a general, uniform format,
called Hypertext Markup Language (HTML) and all informa-
tion requests and responses conform to a. similarly standard
p r o t o c o l . W h e n someone accesses a service provider on the
such as the Library of Congress, the user'sWeb brows-
er will send an information request to the Library of
Congress' computer.This c o m p u t e r is called aWeb server.The
Web server will respond to the request by transmitting the
desired information to the user's computer. There, the user's
browser t h e n displays the received information o n screen.
Cookies are pieces of information generated by a Web
server and stored in the user's computer, ready for future
access. Cookies are e m b e d d e d in the HTML information flow-
ing back and forth b e t w e e n the user's computer and the
servers. Cookies were i m p l e m e n t e d to allow user-side cus-
tomization of Web information. For example, cookies are used
to personalize Web search engines9, to allow users to partici-
pate in WWW-wide contests (but only once!) and to store
shopping lists of items a user has selected while browsing
through a virtual shopping mall. 1°
Essentially cookies make use of user-specific information,
transmitted b y the Web server onto the user's c o m p u t e r so
that the information might be available for later access by
itself or other servers. In most cases n o t only does the storage
of personal information into a cookie go unnoticed, so does
access to it.Web servers automatically gain access to relevant
cookies w h e n e v e r the user establishes a c o n n e c t i o n to them,
usually in the form of Web requests.
Cookies are based o n a two stage process. 11 First, the
cookie is stored in the user's c o m p u t e r without their consent
or knowledge. For example with customizable Web search
engines, like MyYahoo!, a user selects categories of interests
from the Web page. The Web server t h e n creates a specific
cookie, which is essentially a tagged string of text containing
the user's preferences and it transmits this cookie to the
user's computer. The user's Web browser, if cookie-savvy,

receives the cookie and stores it in a special file called the
Cookie List. This h a p p e n s generally without any notification
or user consent.As a result, personal information (in this case
the user's category preferences) is formatted by the Web serv-
er, transmitted and saved by the user's computer.
During the second stage, the cookie is clandestinely and
automatically transferred from the user's machine to the Web
server.Whenever a user directs h e r W e b browser to display a
certain Web page from the server, the browser will without
the user's knowledge or consent transmit the cookie contain-
ing personal information to the Web server.
2. THE LEGAL FRAMEWORK
Information societies have widely debated the issue of access
to personal information.12 In the early 197Os, the first statutes
protecting personal information from unwarranted access
were enacted in Sweden 13 and Germany. 14 'Privacy' and the
European p e n d a n t 'data protection' have b e c o m e household
words and treasured values to the average citizen. 15 But while
the US and Europe are in general agreement o n the principle
importance and validity of privacy and the protection of
one's personal information, the scope of privacy rights differs
substantially b e t w e e n the US and Europe.
While the US has opted for very few specific data protec-
tion norms 16, such as in the area of credit reporting 17 or video
cassette rental 18, European nations have openly embraced
o m n i b u s data protection acts covering each and every elec-
tronic processing of personal data. 19 In 1981 the Council of
Europe drafted a European data protection convention, and a
large n u m b e r of European nations have subsequently signed
and ratified it. 2°
More importantly, in 1995, the European Union21 adopted
a mandatory and binding European Union Directive o n the
Protection of Personal Data ('Directive').22 The Directive dic-
tates that b y 1998, all European Union m e m b e r countries
must have a m e n d e d and adapted their national data protec-
tion laws to incorporate the rules laid d o w n Directive. 23
While compliance with the Directive may require some fine-
ttming of the European nations' laws, 24 most of the nations'
data protection acts already embody the principles of the
Directive .Thus, for reasons of brevity, this article will focus o n
h o w the Directive, n o t individual national Data Protection
Acts, will affect the cookie feature,
The Directive lays d o w n specific conditions2s, w h i c h
must be met to legally process personal data. 26 Conditions
include that personal data must be "processed fairly and law-
fully''27 and only "collected for a specified, explicit and legiti-
mate p u r p o s e "2s. No f u r t h e r p r o c e s s i n g w h i c h is
incompatible with the original, legitimate purpose is permit-
ted. 29 Processing must be "adequate, relevant and n o t exces-
sive in relation to the purpose "3° as well as "accurate and,
w h e n necessary, kept up to date". 3x Data may be stored for
" n o longer than is necessary for the purposes for which the
data was collected". 32
In addition, processing may only take place, ff the person
to w h o m the personal information refers 0.e. the ,data sub-
ject') "has unambiguously given his consent" or if processing
is otherwise necessary out of legal or contractual obligations
to the data subject. Exceptions allow processing in the public
interest or the vital interest of the data subject, or if clearly n o
Internet Privacy
fundamental privacy interests of the data subject are at
stake.33
All these conditions must be met to make the processing
of personal data lawful u n d e r the Directive. In addition, the
processing of special kinds of data, "revealing racial or ethic
origin, political opinions, religious or philosophical beliefs,
trade-union membership" or matters of health or sex life is
further restricted. 34 The data subject is given extensive legal
rights to access his or her personal data as well as the name of
the processor, the purpose for which the data was collected
and all recipients of the data. 35
3. EXAMINING THE COOKIE
Given such a rigid data protection regime focusing clearly o n
access restriction and user transparency, almost all features
and aspects of the cookie c o n c e p t can be used to violate the
Directive's principles. Cookies make unwitting and automatic
access to personal user data possible.
But as in real life, not all cookies are equal.At first glance,
the impact of cookie information access may be seen as
rather limited.According to the noble purposes of the origi-
nal Netscape cookie standard, cookies exist b y default only
for the duration of the actual Web browsing session. 36 Once
the user exits the browser, cookies acquired during the ses-
sion are deleted. In addition cookies, by default, can only be
accessed by the Web server and the Web page that stored the
cookie in the first place.37Thus the accuracy and the transito-
ry nature of personal information cookies are ensured.
The original Netscape standard, but even the revised
cookie standards allow Web servers to overwrite these cook-
ie defaults.AWeb server may extend the life-span of a cookie
to several years (l) by giving it an expiration date in the year
1999 u n d e r the original cookie standard, or to tens of thou-
sands of seconds of active browsing u n d e r more recent draft
cookie standards.A server may also specify that a cookie can
be accessed from any of its Web p a g e s ) 8 Also a Web server
may set a cookie so that an almost unlimited n u m b e r of other
servers have access to the cookie information as well.39While
the default cookie settings are benign, the options available to
overwrite t h e m are n o t . A n d Web survey by the author failed
to find cookie implementations based o n the cookie standard
defaults. Instead;Web servers make extensive use of the trou-
blesome overwrite options.
Obviously, these cookie 'options' allow circumvention of the
most basic data protection and data security principles which
were considered in the original c o n c e p t i o n and default
implementation of cookies:
• Because of the expiration date option, cookies may vio-
late the'accuracy' and 'timeliness' principles enshrined in
Article 6 of the Directive.
• Furthermore, the average u s e r surfing t h r o u g h the
Internet with any of the popular Web browsers is
unaware of cookie depositing and access.This is contrary
to the extensive information and access rights granted to
the u s e r (and supplier of her personal information) by
Article 10 to 12 o f the Directive. According to the
Directive, users may c o n s e n t to the storing of a cookie in
their computer. But they cannot. In fact, only recent ver-
sions of the popular Web browsers may be configured to
warn a user that a cookie is going to be stored, and only
Computer Law & Security Report Vol. 14 no. 3 1998 167
© 1998, Elsevier Science Ltd.
Internet Privacy
the latest version of Netscape's b r o w s e r contains an
option to suppress cookies altogether. However, and
again contrary to the Directive's letter and spirit, the pop-
ular browsers n e e d to be specifically configured to issue
such cookie warnings.
In addition, such warnings do not contain the informa-
tion r e q u i r e d u n d e r the Directive for the user to give
their 'informed' c o n s e n t . T h e warning routinely contains
text like:
The server 209.10.56.12
wishes to set a cookie
that will be sent back only to .10.56.12
The name and value of the cookie are
s=pc8744648763
Do you want this cookie to be set?
Certainly it is hard to imagine h o w the average user could
make an informed decision based on this cryptic warning.
The text is misleading. What it fails to c o m m u n i c a t e is that
o n c e the cookie is set, it will be freely accessible to Web serv-
er(s). W h e t h e r or not the user consents to such access and
not only to the setting of the cookie is a different question
altogether.
• O n c e the cookie is stored (i.e.'set'), it resides in the user's
computer. But for the Web browser, it is as easily available
as information stored in it. Even t h o u g h the user consents
to the setting of the cookie, they have a guaranteed right
to access the personal information contained in the cook-
ies. However, cookies cannot be accessed easily by users.
O n e n eed s to k n o w the exact name and location of the
cookies file and an editor application to display them.
Certainly, such knowledge cannot be an acceptable pre-
requisite to e x e c u t e ones legal right. Even if an experi-
e n c e d user w o u l d be able to track d o w n the file and fmd
t he co o k i e, t h e i n f o r m a t i o n c o n t a i n e d in it, like
's=pc8744648763' certainly will not fulfill the strict
re q u i r em en t of the Directive of access to processed data
'in an intelligible form'. 4°
Even w o r s e is the cookie 'warning' option i m p l e m e n t e d in
Microsoft's Internet Explorer 4. There the user is told in no
unclear terms that "if you select 'no' [thus refusing the cook-
ie], the page might not be displayed correctly", thus implying
that refusing the cookie might actually n o t only be not bene-
ficial, but cause harm instead.
• But the Directive goes o n e step further and mandates
that a user must be given u p o n request
"confirmation as to w h e t h e r or n o t data relating to
him are being processed and information at least as to
the purposes of the processing, the categories o f data
c o n c e r n e d , and the recipients or categories of recipi-
ents to w h o m the data are disclosed". 41
Cookie implementations together w i t h W e b browsers cur-
rently do not provide at all for such a broad information and
access obligation. 42
• W h e n e v e r a cookie is transferred from the user's com-
put er to a Web server, the conditions o f Article 7 of the
Directive must again be met. Because the user is unaware
of the cookie transfer at that point, there can be no con-
168 Computer Law & Security Report Vol. 14 no. 3 1998
© 1998, Elsevier Science Ltd.
sent. 43 Without user consent, processing may only take
place - - as has already b e e n m e n t i o n e d - - if the process-
ing is within a contractual or precontractual arrange-
ment, or if a legal obligation or a vital interest of the
public or the data subject is present. 44 Neither a legal
obligation, nor vital interests may be assumed w h e n set-
ring cookies as part of a W W W communication.
Sometimes contractual obligations might permit the trans-
fer to take place, but in many cases of cookie implementation
there are insufficient contractual ties b e t w e e n the user and
the co n t en t provider that w o u l d necessitate the cookie trans-
fer. The only other possibility to legitimize the cookie trade
t h e n w o u l d be to successfully balance the interests of the
processing Web server w i t h the user, w h e r e the cookie trans-
fer itself is 'necessary for the p u r p o se of the legitimate inter-
ests pursued '45 by the Web server.While it is conceivable that
some cookie implementations will succeed in fulfilling these
c o m p l e x criteria, it is by no means certain.
• However, one might argue that European data protection
n o r m s do not apply to cookies processed on servers
located outside the European Union. 46 Preempting such
a line of argument, the Directive stipulates that if data is
to be transferred outside the European Union, as is the
case if the Web server resides in the United States, addi-
tional safeguards c o m e into play. 47 A transfer outside the
European Union is lawful only, if the recipient country
'ensures an adequate level of p r o t e c t i o n '48 o f personal
data.The European Union assesses the adequacy. 49 As the
United States has not yet passed an omnibus data protec-
tion act, the level of protection in the US is likely to be
found inadequate. Such being the case, data transfers are
only allowed if - - among o t h er less important exemp-
tions 5° - - the user has unambiguously co n sen t e d to the
transfer or if contractual obligations w i t h the user require
it. 51As m e n t i o n e d earlier, it is difficult but not impossible
to m e e t such requirements.
Thus, e v e n plain cookie implementations violate the data
p r o t e c t i o n norms set forth in the Directive on a n u m b e r of
different and i n t e r c o n n e c t e d levels.The simple use of cookies
poses serious legal problems vis-a-vis the European national
data protection norms, exemplified by reference to the EU
Directive on data protection. But cookies can be used in a
variety of m o r e c o m p l e x circumstances, as is the case in the
real life example that follows:
4. THE USER AS HER OWN DIRECT MAIL
AGENT
A simple page on the W W W called the 'Macintosh Daily
Rumor Page '5z contained information about breaking n e w s
for the Apple Macintosh community. Like thousands of o t h e r
Web sites the page was supported by the sale of advertising
space at the b o t t o m of the page.This space was o c c u p i e d by
a graphic ad banner, hyperlinked to o n e of the special adver-
tisement services o n the Web. 53 As the Daily Rumor Page
loaded, the advertiser's banner was d o w n l o a d e d from its serv-
er and it appeared as a small, c o l o ~ , sometime animated
graphic near the b o t t o m of the page.As this transpired, some-
thing quite clandestine happened: the advertisement server
set a special cookie in the user's computer.The next time the
user accessed the 'Daily Rumor Page' or - - and this is impor-

tant - - any o t h e r W e b page the advertisement server has con-
tracts with, the cookie data residing in the user's c o m p u t e r
was transmitted automatically to the advertisement server. In
an instant, the advertisement server k n e w what ad was dis-
played the last time and w h e t h e r the user had clicked o n it.
Using the information to construct a user profile, the server
was able to select the ad most fitting this profile. In essence
then, the user had b e c o m e the unpaid agent of the direct mar-
keting agency, supplying it with all the personal information
and preferences, needed, but without ever k n o w i n g it. The
Web site 'Dejanews' together with its advertisement b a n n e r
server 'focalink' had a similar system in place. 54 These two
examples are mentioned, because both providers have since
ceased this practice. But m a n y other c o n t e n t providers o n the
Web c o n t i n u e to do it.
Even experts o n cookie standardization and design con-
cede, that this practice contradicts the original intention of
the cookie concept. 55 But because of the lack of an o m n i b u s
Data Protection Act in the United States, such invasions of
user privacy are not illegal.The situation is different, however,
in Europe. In addition to the already m e n t i o n e d general data
protection norms, the Directive provides for special rules
regarding the processing of personal data used for direct mar-
keting. According to the Directive users affected by such
direct marketing have the right to be "expressly offered the
right to object free of charge "56 to disdosure or use of their
personal data for direct marketing purposes. Consequently,
such direct advertising practice based o n cookies would be
illegal within the European U n i o n data protection regime.
5. RESPONSIBILITY AND LIABILITY
According to the Directive, the entity "which alone or jointly
with others determines the purposes and means of the pro-
cessing of personal data "57, w h o m the Directive calls the 'con-
troller', is legally responsible and liable for the compliance of
the data processing with the data protection statutes. 5s O n
the Web, the "controller' in most cases is the c o n t e n t provider
using the Web server to create a n d set the cookies.
Consequently, he is liable for the breach of existing European
data protection statutes caused by the use of cookies.
Affected users could sue the controller in European national
courts and possibly succeed in obtaining a court order enjoin-
ing the controller from using cookies in the future.
Civil action could also extend to recovery of actual dam-
ages suffered b y the user through, for instance, the disclosure
of her personal information.Taking this a step further, a num-
ber of European Data ProtectionActs already shift the b u r d e n
of proof in such instances to the controller. 59 Then the con-
troller has to show that the damage to the data subject was
n o t caused b y his actions. Given the volatility and dynamic of
W W W communication, many cookie using c o n t e n t providers
would be hard-pressed to present such exonerating evidence.
So far, only examples of cookies violating various substan-
tive data protection rules have b e e n described. Every opera-
tor of Web servers that contains sites that use cookies risks
legal liability. Particularly p r o n e to legal attacks are multina-
tional corporations, with Web servers spread across European
countries. 6° Because theirWeb servers at least partially reside
in Europe, the national data protection statutes are directly
applicable to them and processing must at all times comply
In t e r n e t Privacy
with their dictates. Corporations continuing to use cookies
will have to proceed at their o w n risk.
The issue is substantially more complex, however, where
the Web server and the controller are located in a c o u n t r y
with n o 'adequate' level of data protection (the US for exam-
ple).The data protection mandates, particularly regarding the
transfer of information and data outside of the European
Union are still directly applicable and breach or circumven-
tion of these n o r m s may trigger legal action. But issues of
standing and v e n u e may proof obstacles to effective enforce-
m e n t of national European data protection norms in such
instances. 61
Users affected b y the u n w a n t e d and illegal disclosure of
personal data through cookies may consequently search for a
different avenue to gain relief. As the illicit transfer and pro-
cessing of personal information through cookies is depen-
dent o n browser software support, users may turn to the
producers of such browser software. Their liability may not
be openly discernible from the letters of the data protection
norms. But rules of product liability, another field in which
the European Union has passed far-reaching legislation, might
come into play.62
The current implementation of the cookie c o n c e p t in
popular browsers particularly Microsoft's Internet Explorer 63
and to a lesser extent Netscape's Navigator64 facilitates and
supports the circumvention and disregard of accepted and
applicable European data protection norms by allowing the
free flow of cookies without providing adequate data protec-
tion safeguards. In that respect, these browser producers
could be likened to car manufacturers w h o supply a safety
belt, but place them in the trunk so that they must be taken
out and hooked up manually every time. Though not illegal
p e r se, the browser companies provide a structure that not
only creates loopholes b u t makes compliance with specific
requirements of data protection norms, like notification and
consent, difficult to conceive and realize. Thus c o n t e n t
providers controlling Web servers, w h o are being sued for
non-compliance and damages might point to browser soft-
ware producers (as well as server operators) w h o made it
through lack of cookie m a n a g e m e n t features - - so difficnlt
for them to implement a lawful cookie application.
The European Union has repeatedly indicated its shift of
regulatory focus to a more structural view in many areas.
Relevant Community legislation in the area of information
and commtmication has continuously emphasized structure
and structural concerns over pure outcome. 65 Looking at the
structure that facilitates and supports the cookie trade and
scrutinizing the suppliers of these structural elements is a
possible, if not plausible legal argument; and one that browser
producers should be aware of.
A similar development has already taken place in the area
of workplace safety. There the European Union has estab-
lished a Directive66 targeted at regulating work with Video
DisplayTerminals.Accordingto this Directive, the employer is
liable for providing software to his employees that complies
with the accepted standards of ergonomics. Fearing court
action, a n u m b e r of large employers, particularly in the ser-
vice sector, n o w require their software suppliers to indemnify
them for any such court actions.67Thus although not certain,
it is likely that a similar development will occur in the data
protection field.
Computer Law & Security Report Vol. 14 no. 3 1998 169
© 1998, Elsevier Science Ltd.
Internet Privacy
6. WHAT CAN BE DONE?
For a browser producer, waiting for a court decision might
prove to be a cheap short-term solution, b u t a finding of lia-
bility for data protection damages could prove costly. Instead
it might be substantially more cost effective to p r e e m p t pos-
sible legal action b y incorporating a more 'privacy enabled'
cookie m a n a g e m e n t in the very next versions of their
browsers.
The February 1997 RFC2109 cookie standard describes a
n u m b e r of steps browser companies could take to reduce
their liability. It foresees a c o m m e n t field as part of cookies, in
which pertinent information about the content, purpose and
processors of the cookie could be stored, to be displayed as
part of a cookie m a n a g e m e n t system built into browsers.The
standard also alters the way the expiration date of cookies is
calculated, emphasizing the desire to minimize cookie lifes-
pan. Browser software producers are advised, b u t n o t
required to i m p l e m e n t cookie handling and m a n a g e m e n t
options of various degrees.
A revised standard 68 is currently u n d e r discussion and
w o u l d add to cookies a c o m m e n t URL field, w h i c h once a
cookie w a r n i n g is displayed in a n e w generation of privacy-
e n h a n c e d browsers would permit users to hyperlink to aWeb
page further describing and detailing this particular cookie
setting. 69 In a substantially expanded and e n h a n c e d privacy
section, the draft urges browser producers to include more
complete cookie management functions.7° Through another
optional cookie field, the exchange of cookies can be limited
to certain ports of Web browsers, thus e n h a n c i n g overall
security. 71 Furthermore, the draft'strongly encourages' brows-
er companies to prevent the sharing of cookies through ad
servers as described above. 72
The browsers will have to be modified further, however,
to avoid the cookie liability altogether. 73 Unfortunately, the
latest version of Microsoft's l n t e r n e t Explorer does n o t even
fully i m p l e m e n t the user interface and privacy considerations
envisioned by the RFC2109 standard, m u c h less the current
draft version. Netscape's Navigator fares better, permitting the
automatic denial of'linked' cookies (as in the ad server exam-
pie above), but still n o t providing a workable cookie manage-
m e n t system. TM
Help might come from software utilities, however.Among
others, Phil Zimmerman, the acclaimed author of the encryp-
tion software of Pretty Good Privacy (PGP) has designed an
add-on product for the popular Microsoft and Netscape
Footnotes
1Because the Internet is a network of networks, there is no
way to calculate or even estimate accurately the a m o u n t of
traffic o n it.The main Internet backbone in the United States
until spring of 1994 was NSFNet.Their statistics showed at
least general trends o f Internet service usage. However,
NSFNet has seized to do statistics in April 1994 after their
significance as an Internet backbone has dropped with their
reorganization and the advent of powerful commercial
backbones. Thus all available data are wild guesses or out-
dated material and I will refrain from citing either.
2Tim Berners-Lee et al., The World-Wide Web,
170 Computer Law & Security Report Vol. 14 no. 3 1998
© 1998, Elsevier Science Ltd.
browsers that permits users to manage and ensure their pri-
vacy and confidentiality. The innovative and helpful 'PGP-
cookie-cutter' has b e e n released. 75
And while the n e w draft standard has incorporated a num-
ber of direct references to privacy issues and recommends
that browser and cookie applications take these issues seri-
ously into account 76, it could be further 'privacy enhanced' by
explicitly requiring that cookies contain a description of
themselves and their value. This would facilitate the user's
understanding of what information a particular cookie con-
tains and for what purpose.
7. CONCLUSION
The W W W offers a wide variety of communication, informa-
tion and interaction. Cookies provide for necessary cus-
tomization. But the Internet is not outside the law. Existing
regulations, targeted at protecting personal information, limit
the use and application of cookies. Current cookie usage vio-
lates such norms. Content providers continuing to use cook-
ies that violate these regulations and browser producers
unwilling or incapable of bringing their products in accor-
dance with these laws both risk legal liability. It should be
their c o n c e r n to avoid legal action; and it should be our con-
cern to safeguard our privacy.
Victor Mayer-Sch6nberger
Mag.iur., Dr.iur. University of Salzburg Law School, LL.M.
Harvard University School of Law, M.Sc.Econ London School
of Economics, currently with the University of Vienna Law
School; E-mail: vms@acm.org.
This is an updated and expanded version of the article origi-
nally published in the West Virginia Journal of Law &
Technology, 1 W. Va. J. L. & Tech. 1 (1997), <http://www.
wvjolt.wvu.edu/wvjolt/cm~nt/~suel/aI~cles/mayer/mayer.htm.
Parts of this article have b e e n presented at the EICAR '96 con-
ference in November 1996.The article benefited substantially
from the thoughtful c o m m e n t s and criticism offered by David
Kristol of Bellcore, w h o has b e e n coordinating the drafting of
the cookie standard. I am particularly grateful for his genuine
understanding of the data protection problems involved and
his openness in discussing these issues with me. I am as
always, indebted to Professor Herbert Hausmaninger for pro-
viding a research-conductive environment.
Communications of the ACM, August 1994, at 76-82.
3By 1994, w h e n statistics were available, the W W W had, in
terms of actual network traffic, overtaken all other Internet
services with the exception of file transfer (FTP). See Tim
Berners-Lee et al.The World-Wide Web, supra note 2 at 80.
4An indicator for the trust put into such Internet start-ups
b y even seasoned i n v e s t m e n t firms are the IPOs of
Netscape, Yahoo and Excite!; Iuteruet? IPO Yahoo!, cnnfn
Archive, April 11, 1996, < h t t p : / / w w w . c n n f n . c o m /
n e w s / 9 6 0 4 / l l / y a h o o / i n d e x . h t m > ; Yahoo.t, Excite file for
Initial Public Offering, CPNet Archive, March 7, 1996,
<http ://www.cpnet. com/lobby/archives/96/03/ipo.html>.

Microsoft and Netscape are b o t h engaged in w h a t t h e y
themselves call the 'Browser war', to develop and market
the b e s t , fastest and most c o m p l e t e software to access and
' b r o w s e ' the ~ Peter H. Lewis, Netscape MOves to Raise
Stakes in Browser War, The New York Times, August 19,
1996, available o n l i n e at < h t t p : / / w w w . c o n c e p t o n e .
c o m / n e t n e w s / n n l 8 0 6 . h t m > ; a 'war' though w h i c h is, at least
according to some, already 'over'; Browser War is Over,
Internet online, O c t o b e r 24, 1996, or still going on: Browser
War Results, < h t t p : / / w w w . i s p - r e s o u r c e . c o m / w a r / c o n c l u -
sions.shtml>.
5For attempts in Britain see Hard line on porn, The
Economist,August 10, 1996 (online); in Germany, see Sex on
the Internet, The Economist, January 6, 1996, p.18; in the
European Union see Illegal and harmful content on the
Internet, Communication to the European Parliament,
the Council, the Economic a n d Social Committee a n d the
Council o f Regions, COM (96) 487 final, (visited 10/22/96),
<http : / / w w w 2 . echo.lu/legal/en/internet/content/commu-
nic.html>; in t h e United States t h e infamous
Communication D e c e n c y A c t 1996 47 U.S.C. ~ 609 provides
a p r i m e example; b u t see also N e w child pornography law
redefines "depictions', CNN W e b site, (visited 10/1/96),
<http://www.cnn.com/US/9610/O1/congress.porn.reut/ind
ex.html>; see United States v Thomas, 74 E3d 701 (6th Cir.
1996), cert. denied O c t o b e r 7, 1996, for an actual conviction
based on c o n t e n t m a d e available online and its troubling
commtmity-analysis,; for a m o r e general analysis, see Richard
S. R o s e n b e r g , Free Speech, Pornography, Sexual
Harassment, a n d Electronic Networks, < h t t p : / / w w w .
droit .umontreal. ca/CRDP/Conferences/AE/Rosenberg.html
>, Rohan Samarajiva, Cybercontent Regulations: From
Proximate-Community Standards to Virtual-Community
Standards?, (last modified September 1996),
< h t t p : / / w w w . c t r . c o l u m b i a . e d u / v i / p a p e r s / c i t i r s i h t m > and
Viktor Mayer-Sch6nberger & Teree E. Foster, A Regulatory
Web: Free Speech a n d the Global Information
Infrastructure, in Borders in Cyberspace." Information
Policy a n d the Global Information Infrastructure (forth-
coming) (Brian Kahin & Charles Nesson eds., 1997); for a
global overview (although s o m e w h a t outdated already) of
net c o n t e n t regulations, see Silencing the Net."The Threat to
Freedom o f Expression On-line, H u m a n Rights Watch, May
1996, (visited 10/22/96), <http ://www.epic. org/
free_speech/hrw_report_5_96.html>.At least one commen-
tator, however, has labelled the data p r o t e c t i o n a n d privacy
legislation m e n t i o n e d infra as protectionist and content-
controlling. Stewart Baker, The Net Escape? Ha.t, Wired,
S e p t e m b e r 1995, p. 125.
6The Communication D e c e n c y A c t o f 1996,for e x a m p l e , h a s
in large part b e e n held tmconstitutional;ACLU v. Reno, No.
96-963 (E.D. Pa.), available o n l i n e at < h t t p : / / w w w .
access.digex.net/~epic/cda/cda_opinion,html>.
7See generally Teree E. Foster / V i k t o r Mayer-Sch6nberger,
More Speech, Less Noise:Amplifying Content-Based Speech
Regulations Through Binding International Law, 18
B.C.Int'l & Comp.L.Rev. 59-136 (1995).
8Netscape, Persistent Client State H17~P Cookies,
Preliminary Specifications (last visited 1/5/96),
<http://home.netscape.com/newsref/std/cookie_spec.html
Internet Privacy
>; a m o r e general cookie standard, altering, but n o t substan-
tially changing the concept, has b e e n agreed u p o n in
February 1997 as RFC2109 HTTP State Management
Mechanism, http://www.internic.net/rfc/rfc2109.txt; it is
u n d e r review; the version of the most recent revision draft is
3.1; see David Kristol and Lou Montulli, HTTP State
Management Mechanism, HTTP Working Group, INTERNET
D R A ~ , (last modified 2/16/98), <http://portal.research.bell-
labs.com/-dmk/cookie.txt>
9See eg MyYahoo!, at <http://my.yahoo.com> or Microsoft's
personal h o m e p a g e system at < h t t p : / / w w w . m s n . c o m >
l°For m o r e examples and in-detail explanations, see Eamonn
Sullivan,Are Web-based Cookies a treat or a recipe for trou-
ble?, June 26, 1996, PC Week Labs, < h t t p : / / w w w . p c w e e k .
c o m / r e v i e w s / O 6 2 4 / 2 4 c o o k 2 . h t m l > ; Malcolm Hughes,
Malcolm's Guide to Persistent Cookies resources,
< h t t p : / / w w w . e m f . n e t / - m a l / c o o k i e s i n f o .html>; Christopher
Barr, The Truth a b o u t Cookies, CNET 4/29/96,
< h t t p : / / w w w cnet.com/Content/Voices/Barr/042996/>;
Glenn Fleischman, Cookies: Fresh From Your Browser's
Oven, Web Developer, July~August 1996, at 14-.
i l O n e can safely try out the cookie c o n c e p t o n the net at
<http: ://www.emf.net/~ mal/cookiesinfo.html>
12The debate on privacy and electronic processing of per-
sonal information started well back in the 1960s. See e.g.
Kenneth Karst, "the Files': Legal Controls Over the Accuracy
and Accessibility o f Stored Personal Data, 31 Law &
Contemp.Probs. 342 (1966); Vance Packard, The Naked
Society (1964);Alan EWestin, Privacy a n d Freedom (1967);
Arthur Miller, Personal Privacy in the Computer Age, 67
Mich. L. Rev. 1089 (1969);Arthur Mifier, Assault on Privacy
(1972). For a detailed recount of t h e development, see Colin
J.Bennett, Regulating Privacy- Data Protection and Public
Policy in Europe and the United States (1992) and David
H. Flaherty, Protecting Privacy in Surveillance Societies
(1989).
13Datalag (1973:289); an English translation is available in
Spiros Simitis et al. (ed.), Data Protection in the European
Community - The statutory Provisions (1996).
~4In the state of Hessia: Hessisches Datenschutzgesetz vom
7.10.1970, GVB1 1970 I, p. 625.
15According to the 1995 Equifax/Harris poll, 47% of the
American consumers are v e r y and another 35% are some-
w h a t c o n c e r n e d about threats to their personal privacy. See
1995 Equifax/Harris Consumer Privacy Survey, (visited
1/5/97), < h t t p : / / w w w . e q u i f a x . c o m / c o n s u m e r / p a r c h i v e /
svry95/survy95a.html>.
]6The Privacy Act of 1974, 5 U.S.C. ~ 552a (1988), is only
binding t h e federal government and contains a vast n u m b e r
o f exceptions making it a less than effective document. In
addition, it does not provide for a stringent enforcement sys-
tem.
]7Fair Credit Reporting Act, 15 U.S.C. ~ 1681-1681t; see also
Right to Financial PrivacyAct, 12 U.S.C. ~ 3401-3422.
18TheVideo Privacy ProtectionAct of 1988, 18 U.S.C. ~ 2710-
11 was a direct result of the publication of video rental
records of then Supreme Court n o m i n e e Robert Bork. See
Joel R. Reidenberg, Privacy in the Information Economy.'A
Fortress or Frontier for Individual Rights?, 44 Fed.
Comm.L.J. 195, at 218.
Computer Law & Security Report Vol. 14 no. 3 1998 171
© 1998, Elsevier Science Ltd.
Internet Privacy
19See e.g. in Austria: Bundesgesetz fiber den Schutz person-
e n b e z o g e n e r D a t e n v o m 18.10.1978, idF BGBI. Nr.
632/1994; in Belgium: Wet tot Bescherming v a n de
Persoonlijke Levensfeer ten Opzichte van de Verwerking
van Persoonsgegevens, van 8 December 1882; in Denmark
Lov om offentlige myndigheders registre hr. 654 af 20.sep-
t e m b e r 1991 and Lov om private registre m.v. nr. 622 af
2.oktober 1987; in Germany Bundesdatenschutzgesetz vom
20 Dezember 1990, idF BGB1. S. 2325; in Spain: Ley de
Regulaci6n del Tratamiento Automatizado de los Datos de
Carftcter Personal, Ley organlca 5/1992 de 29 de octubre
1992; in France: Loi No 78-17 relative ~t l'informatique, aux
fichiers et aux libert~s, du 6 Janvier 1978, m o d i f i ~ par loi
n o 94-548 du 1 juillet 1994; in Great Britain: Data Protection
Act 1984, a m e n d e d 1995; in Irleland: Data Protection Act
1987; in Luxemburg: Loi R~glementant l'Utilisation des
Donn6es Nominatives dans les Traltements Informatiques,
du 31 mars 1979, modifi~e par la loi di 1 octobre 1992; in
the Netherlands:Wet h o u d e n d e regels ter bescherming van
de persoonlijke levenssfeer in verband met persoonsregis-
traties, van 28 d e c e m b e r 1988 mit wijzingen per 26 juli
1995; in Portugal: Lei da Protecq~o de Dados Pessoais face ~t
Informfitica, Lei n o 10/91, 12 de Abril de 1991; in Sweden:
Datalg (1973:289) utf~irdad d e n 1 d e c e m b e r 1994; in
Finland: Henkil6rekisterllaki, N:o 471 A n n e t t u Helsingiss~ 30
p~iiviJnii huhtikuuta 1987; only Italy and Greece have not yet
passed o m n i b u s Data P r o t e c t i o n Acts. For a general
overview and translations of these statutes in English, see
Spirts Simitis et al. (ed.), supra note 13; see also Jonathan
Graham, Privacy, Computers a n d the Commercial
Dissemination o f Personal Information, 65 Tex.L.Rev.
1395 (1987), note 148 et. seq. comparing the European and
American legislative tradition o n privacy.
2°Convention f o r the protection of individuals with regard
to automatic processing of personal data, January 28,
1981, Europ.T.S. No. 108 (1981). In addition, the OECD has
created guidelines c o n c e r n i n g the transborder flow of data;
see OECD Guidelines on the Protection o f Privacy and
Transborder Flows o f Personal Data, C (80) 58 (final),
<http://www.oecd.org/dsti/iccp/legal/priwen.html>.
21These are (in alphabetic order): Austria, Belgium,
Denmark, Finland, France, Germany, Greece, Great Britain,
Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain,
Sweden.
22Directive 95/46/EC o f the European Parliament and of
the Council of 24 October 1995 on the protection of indi-
viduals with regard to the processing o f personal data
a n d on the free m o v e m e n t of such data, OJ No L 281,
23.11.1995, p.31, online versions of the Directive can be
f o u n d at <http://www2.echo.lu/legal/en/dataprot/dat-
aprot.html>
23Article 32 of the Directive states: "1. Member States shall
bring into force the laws, regulations and administrative pro-
visions necessary to comply with this Directive at the latest
at the e n d of three years from the date of its adoption."
24See Herbert Burkert, Some Preliminary Comments o n the
Directive 95/46/OC OF THE EUROPEAN PARLIAMENT AND
OF THE COUNCIL of 24 October 1995 o n the protection of
individuals with regard to the processing of personal data
and o n the free m o v e m e n t of such data, Cybernews,Volume
172 Computer Law & Security Report Vol. 14 no. 3 1998
© 1998, Elsevier Science Ltd.
II No III (Spring 1996), (visited 10/20/96), <http://www.
droit.umontreal.ca/CRDP/
Cybernews/ArtlNo3.html>; Issue No. 3 of the Journal of
Information, Law and Technology (JILT) is entirely devot-
ed to the EU Directive. See <http://elj.warwick.ac.uk/
elj/jilt/issue/defanlt.htm>.
ZSSee generally Section I and II of the Directive.
26The Directive defines 'personal data' in Article 2(a) as "an
information relating to an identified or identifiable natural
person ('data subject'); an identifiable person is one w h o
can be identified, directly or indirectly, in particular by refer-
ence to an identification n u m b e r or one or more factors
specific to his physical, physiological, mental, economic, cul-
tural or social identity;".
27Section I Article 6.1.a.
28Section I Article 6.1.b.
29Id.
3°Section I Article 6.1.c.
31Section I Article 6.1.d.
32Section I Article 6.1.e.
33Article 7.
34Article 8 prohibits all processing of such sensitive data. A
n u m b e r of restrictive exceptions allow processing of sensi-
tive data, if (1) the data subject has given her explicit con-
sent and such consent is possible u n d e r the applicable
national data protection statutes, or if (2) processing is nec-
essary if obligated within the e m p l o y m e n t law, b u t only if
authorized b y national law; or (3) if processing is necessary
to protect the 'vital interests' of a p e r s o n where the data
subject is "physically or legally incapable of giving his con-
sent"; or (4) if processing is within a non-profit organization
and with regards to its members; or (5) data has already
b e e n made public by the data subject or is necessary in legal
disputes; or (6) in the area of health data. National data pro-
tection acts may lay d o w n additional exceptions.
35Articles 10, 11 and 12.
36Netscape, Persistent Client State HTTP Cookies,
Preliminary Specifications, and David Kristol & Lou
Montulli, HTTP State M a n a g e m e n t Mechanism, supra
note 8.
37Cookies are be default tied to the URL-Path (Uniform
Resource Locator).
38This is clone by setting the 'path' value in the cookie head-
er information to 'path:/' .The cookie is then available to the
entire server.A cookie thus set at the Compuserve Web serv-
er w o u l d t h e n be available to all Compuserve users having
personal Web space o n the Server. See Netscape, Persistent
Client State HTTP Cookies, supra note 8 and David Kristol
and Lou Montulli, HTTP State Management Mechanism,
supra note 8, at 8.
39The Netscape specifications state that such information
sharing across servers is not limitless. Only hosts within a
particular d o m a i n can exchange information b e t w e e n
them. The domain names b e t w e e n such cookie sharing
hosts must match for the portion containing at least three
domain periods (at least the three rightmost subdomains) or
two domain periods within the three letter (US) top level
s u b d o m a i n s (.corn, .org., .edu, .gov etc.). So f.e.
www.aids.or.at and ftp.aids.or.at would match, because they
share the subdomains aids.or.at in their domain name, while

w w w . h e l p . c o . g e and www.danger.co.ge w o u l d not match.
However, in gravely overlooking international (non-US) sub-
domain structuring, this allows for all hosts in the Austrian
geographic subdomain sbg (for the state o f Salzburg) to
share all c o o k i e s w i t h each other, as w o u l d
www.church.sbg.or.at and www.sex.sbg.or.at. See
Netscape, Persistent Client State H1TP Cookies, supra note
8, and DaVid Kristol & Lou Montulli, HTTP State
M a n a g e m e n t Mechanism, supra note 8, at 7.
4°Article 12(a).
41Id.
42Laudably, and contrary to the situation in March 1997,
w h e n this article first appeared, the r e c e n t draft cookie stan-
dard (Version 2.77 and 3.1) do, p e r m i t such information to
be contained in cookies.They also p e r m i t a URL to be con-
tained in cookies w h i c h hyperlinks to a descriptive page of
the specific cookie content, usage and processor. The stan-
dard, however, does in contrast to the Directive n o t require
such information to be p r e s e n t in cookies.
43It may be argued, that the user c o n s e n t e d to the transfer
w h e n the cookie was set. However, as w e have seen, cookies
are set w i t h o u t giving full and c o m p l e t e information on
their intended use. As such, the user will have to consent
w i t h o u t k n o w i n g the relevant facts: Given the clear lan-
guage of the Directive, users will most certainly have little
p r o b l e m to s h o w that they have b e e n misled w h e n 'con-
senting' in such a manner.
44Article 7: ' M em b er States shall provide that personal data
may be p r o ces s ed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the p e r f o r m a n c e of a con-
tract to w h i c h the data subject is party or in order to take
steps at the request of the data subject prior to entering into
a contract; or
(c) processing is necessary for compliance with a legal
obligation to w h i c h the controller is subject; or
(d) processing is necessary in order to p r o t e c t the vital
interests of t h e data subject; or
(e) processing is necessary for the p e r f o r m a n c e of a task
carried out in the public interest or in the exercise of offi-
cial authority vested in the controller or in a third party to
w h o m the data are disdosed; or
(f) processing is necessary for the purposes of the legiti-
mate interests p u r s u e d by the controller or by the third
party or parties to w h o m the data are disclosed, e x c e p t
w h e r e such interests are over-ridden by the interests for
fundamental rights and freedoms of the data subject w h i c h
require p r o t e c t i o n u n d e r Article 1.'
45Id.
46But w h a t is the location of processing? O n c e the cookie
has b e e n set, it resides in the user's c o m p u t e r and will be
pr oc es s ed for transmittal there. Isn't the Browser t h e n an
agent of the Web server? Isn't the Web server t h e ' c o n t r o l l e r '
in the terms of the Directive of the cookie transfer taking
place?
47Article 25 and 26.
48Article 25 ] 1:
"1. The M e m b e r States shall provide that the transfer to a
third co u n t r y o f personal data w h i c h are undergoing pro-
cessing or are intended for processing after transfer may
Internet Privacy
take place only if, w i t h o u t prejudice to compliance w i t h the
national provisions adopted pursuant to the other provi-
sions o f this Directive, the third c o u n t r y in question ensures
an adequate level o f protection;"
49Article 25 § 2:
"2. The adequacy o f the level of p r o t e c t i o n afforded by a
third co u n t r y shall be assessed in the light of all the circum-
stances surrounding a data transfer operation or set of data
transfer operations; particular consideration shall he given
to the nature of the data, the purpose and duration of the
p r o p o s e d processing operation or operations, the c ount r y
o f origin and co u n t r y o f final destination, the rules of law
both general and sector, d, in force in the third co unt r y in
question and the professional rules and security measures
w h i c h are c o m p l i e d with in that country."
5°Article 26:
"1.By w ay of derogation fromArticle 25 and save w h e r e oth-
erwise provided by domestic law governing particular
cases, Member States shall provide that a transfer or a set of
transfers of personal data to a third country w h i c h does not
ensure an adequate level of protection within the meaning
o f Article 25 (2) may take place on condition that: [...]
(b) the transfer is necessary for the p e r f o r m a n c e o f a con-
tract b e t w e e n the data subject and the controller or the
i m p l e m e n t a t i o n o f p r e c o n t r a c t u a l m e a s u r e s taken in
response to the data subject's request: or
(c) the transfer is necessary for the conclusion or perfor-
m an ce of a contract co n cl u d ed in the interest of the data
subject b e t w e e n the controller and a third party.: or
(d) the transfer is necessary or legally required on important
public interest grounds, or for the establishment, exercise or
defence o f legal claims; or
(e) the transfer is necessary in order to p r o t ect the vital
interests of the data subject; or
(f) the transfer is made from a register w h i c h according to
laws or regulations is intended to provide information to the
public and w h i c h is o p e n to consultation either by the pub-
lic in general or by any p e r s o n w h o can demonstrate legiti-
mate interest, to the extent that the conditions laid d o w n in
law for consultation are fulfilled in the particular case"
2. Without prejudice to paragraph 1, a M e m b e r State m a y
authorize a transfer or a set of transfers of personal data to a
third co u n t r y w h i c h does not ensure an adequate level of
p r o t e c t i o n within the meaning of Article 25 (2), w h e r e the
controller adduces adequate safeguards w i t h respect to the
p r o t e c t i o n of the privacy and fundamental rights and free-
doms of individuals and as regards the exercise of the corre-
sponding rights; such safeguards may in particular result
from appropriate contractual clauses."
51Article 26 ~ 1 (a): '(a) the data subject has given his con-
sent unambiguously to the p r o p o s e d transfer:'
52Its URL w as < h t t p : / / h o m e . e a r t h i i n k . n e t / - e a l l e n l g /
day.html>.
53The ad link was to <http://ad.linkexchange.com>.
54See http://www.cookiecentral, com/version4.htm
for m o r e information on the 'dejanews' and 'focalink'
cooperation.
55See David Kristol and Lou Montnlli, HTTP State
M a n a g e m e n t Mechanism, supra note 8 and personal com-
munication with David Kristol, on file with author.
Computer Law & Security Report Vol. 14 no. 3 1998 173
© 1998, Elsevier Science Ltd.
Internet Privacy
56Article 14 specifies a n u m b e r of data subject rights vis-a-
vis direct marketing entities: "Member States shall grant the
data subject the right:
(b) to object, o n request and free of charge, to the process-
ing of personal data relating to him w h i c h the controller
anticipates being processed for the purposes of direct mar-
keting, or to be informed before personal data are disclosed
for the first time to third parties or used o n their behalf for
the purposes of direct marketing, and to be expressly
offered the right to object free of charge to such disclosures
or uses.
Member States shall take the necessary measures to ensure
that data subjects are aware of the existence of the right
referred to in the first subparagraph of (b)."
57Article 2 (d).
58Article 6 § 2:"It shall be for the controller to ensure that
paragraph 1 is complied with."The Directive does allow for
a n u m b e r of enforcement measures, including through spe-
cial regulatory bodies and court action by data subjects:
CHAPTER III - JUDICIAL REMEDIES, LIABILITY AND SANC-
TIONS
Article 22 Remedies
Without prejudice to any administrative remedy for w h i c h
provision may be made, inter alia before the supervisory
authority referred to in Article 28, prior to referral to the
judicial authority, Member States shall provide for the right
of every p e r s o n to a judicial remedy for any breach of the
rights guaranteed him b y the national law applicable to the
processing in Question.
Article 23 Liability
1. Member States shall provide that any person w h o has suf-
fered damage as a result of an unlawful processing opera-
tion or of any act incompatible with the national provisions
adopted pursuant to this Directive is entitled to receive
compensation from the controller for the damage suffered.
2. The controller may be exempted from this liability, in
whole or in part, if he proves that he is not responsible for
the event giving rise to the damage.
Article 24 Sanctions
The Member States shall adopt suitable measures to ensure
the frill implementation of the "provisions of this Directive
and shall in particular lay d o w n the sanctions to be imposed
in case of infringement of the provisions adopted pursuant
to this Directive:'
59See eg. § 8 of the German Bundesdatenschutzgesetz
(BDSG):"If a data subject asserts a claim for damages against
a non-public body o n account of automated data processing
impermissible or incorrect tinder this Act or u n d e r other
data protection provisions, and if it is disputed w h e t h e r the
damage results from a circumstance for w h i c h the con-
troller of the data file is responsible, the b u r d e n of proof
shall rest with the controller of the data file" (unofficial
translation of German text, from Spiros Simitis et al. (ed.),
Data Protection in the European Community, supra note 13,
at D(E)-5.
6°Microsoft is still r u n n i n g a n u m b e r of servers of its MSN - -
Microsoft Network in Europe, but has vowed to close them
174 Computer Law & Security Report Vol. 14 no. 3 1998
© 1998, Elsevier Science Ltd.
d o w n soon;America Online (AOL) and Compuserve are mir-
roring c o n t e n t in Germany and other European nations and
add c o u n t r y specific content o n servers located there as
well.
61See Ernst O. Brandl /Viktor Mayer-Sch6nberger, Das Recht
am Internet, in Das Internet-Lesebuch (Marion Fuglewicz
ed., 1996).
62Council Directive on General Product Safety, 92/59/EEC,
w h i c h had to be i m p l e m e n t e d into national laws b y
European nations by 1994 and cleared the path for strict lia-
bility for c o n s u m e r products.
63Internet Explorer does n o t permit cookies to be refused
altogether, informs the user about cookies in a misleading
way, has no option to prevent 'linked' cookies, as described
in the direct mail example above and does not provide for
access to the cookie file. Some have argued that the reason
for this rather blatant disregard for privacy is rooted in the
fact that Microsoft itself is a very heavy user of cookies o n
its Web servers. See http://www.cookiecentral.com/ver-
sion4.htm for a more detailed description of Internet
Explorer's cookie features (or lack thereof).
64<http://home.netscape.com>.
65See e.g. the Directive on the application o f open n e t w o r k
provision (ONP) to voice telephony a n d on universal ser-
vice f o r telecommunications in a competitive environ-
m e n t , COM(96) 419, < h t t p : / / w w w . i s p o . c e c . b e / i n f o s o c /
legreg/docs/96419.html>.
66Council Directive 9 0 / 2 7 0 / E E C on the m i n i m u m safety
a n d health requirements f o r w o r k with display screen
e q u i p m e n t (VDT Directive), the 5th individual Directive
w i t h i n the m e a n i n g of the Framework Directive
87/391/EEC, OJ L 156 (1990), p. 14.
67See only Hans Bullinger ed., SANUS - Sicherheit,
Gesundheit u n d Produktivit~t a m Bildschirmarbeitsplatz
(1995).
68David Kristol and Lou Montulli, HTTP State M a n a g e m e n t
M e c h a n i s m Version 3.1, supra note 8.
69Id, at 4.
7°Id, at 16-17.
7lid, at 10.
72Id, at 18.
73I have suggested such modifications in Viktor Mayer-
Sch6nberger, Improving Computer Security o n the Internet
through Novel Legal Venues - Cookies for a Treat?, in
Proceedings Eicar '96 (1996), 155-159 at 158. Cookies
would have to be as manageable for the average user as
bookmarks. In addition, a cookie warning should be issued
n o t only w h e n a cookie is set, but also w h e n e v e r a cookie is
transmitted back to a Web server. Such warnings could be
designed to be switched off if desired, but b y default should
be t u r n e d on.
74See Cookie Central,Version 4 Update, <http://www.cook-
iecentral.com/version4.htm>.
75<http://www.pgp.com>.
76See David Kristol a n d Lou Montulli, HTTP State
Management Mechanism, supra note 8, at 15.