Internet cookies are an inherent part of Internet use. Many sites cannot function without them. Cookies are confusing, particularly because many myths surround their use. While cookies are not the source of viruses or spam, they do present potential privacy issues in their ability to track a user’s internet activity. Some of this tracking is benign, allowing for an easier, more personalized browsing experience. However, other uses of cookies are far more questionable.
When an Internet user attempts to view a website, either by clicking on a hyperlink or typing its URL, the user’s web browser sends a request to the server hosting the files of the website for the information. The web server then sends the required information back. Often this information contains a text file–the cookie–which is placed on the user’s hard drive.
Persistent Cookies–set by the web server to expire some time in the future (days, weeks, months, years); they remain on the user’s computer even after the user has navigated away from the website. They are the most common type of cookie used by websites.
Session Cookies–used most often with ecommerce websites that allow the purchasing of products. Session cookies are stored on the user’s computer only while the user is connected to the specific web server. They allow the server to store information regarding cart contents. They are also used by other types of sites to manage online chat sessions and allow for interactive opinion surveys.
How are cookies used?
Cookies serve a variety of functions which can improve the browsing experience of users and help web servers track visitors.
Cookies are also used frequently for websites that require the user to log in with a username and password before accessing all features of the site. A cookie placed on the user’s computer will allow the website to customize content and sometimes automatically input the user’s login information when the user next returns to the site.
Cookies are often used to track an Internet user’s activity. Every time a user visits a website, the site’s server checks their machine to see if a cookie exists. If none exists one is created and they are counted as a first-time visitor. If one does exist, they are counted as a repeat visitor. This allows websites to keep an accurate count of their traffic.
How do cookies affect privacy?
There are common misconceptions about what cookies can and cannot do. However, just because they may not be capable of the more malicious things they are accused of doesn’t mean that they are harmless.
Cookies cannot:
- Install viruses on a computer
- Increase the amount of pop-ups a computer experiences
- Increase the amount of spam received
- Erase or read files from the user’s computer
When a user visits a website, usually one that makes use of web advertising, a third-party cookie may be placed on the user’s computer. The web advertiser that created that cookie can then track the user’s activity as they visit other websites on which the advertiser places content, creating a unique profile of the user’s browsing preferences. This allows advertisers to display ad content based on the user’s profile. Many web users are concerned that their internet activity may be tracked and recorded by third parties without their even being aware of such activity. Furthermore, personal information may be stored in a cookie if the user first inputs such information into a web form on a site. With the use of third-party cookies, personal information may be shared with other parties, all without the user’s consent or knowledge.
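The mechanism described above can be reproduced in a few lines. This is an added example, not code from the original article: the ad server, the `adid` cookie name and the site names are constructed, and it assumes the advertiser learns the embedding site from the `Referer` header. It also shows what changes when the browser refuses third-party cookies.

```javascript
// Added illustration: a constructed ad server; all names are hypothetical.
const { randomUUID } = require('crypto');

const profiles = new Map(); // visitor id -> sites on which the ad was loaded

// Extract one cookie value from a Cookie request header.
function readCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return v.join('=');
  }
  return null;
}

// What the advertiser's server does for every ad request it receives.
function serveAd(req) {
  let id = readCookie(req.headers.cookie, 'adid');
  const firstVisit = id === null;
  if (firstVisit) id = randomUUID();            // no cookie: counted as a new visitor
  const site = new URL(req.headers.referer).hostname;
  if (!profiles.has(id)) profiles.set(id, []);
  profiles.get(id).push(site);                  // the browsing profile grows here
  return { id, firstVisit, setCookie: `adid=${id}; Max-Age=31536000; Path=/` };
}

// A browser visiting pages that all embed the same advertiser's content.
function browse(sites, acceptThirdPartyCookies) {
  let jar = null;                               // stored cookie for the ad domain
  const seen = [];
  for (const site of sites) {
    const headers = { referer: `https://${site}/` };
    if (jar) headers.cookie = jar;
    const res = serveAd({ headers });
    if (acceptThirdPartyCookies) jar = res.setCookie.split(';')[0];
    seen.push(res.id);
  }
  return seen;                                  // the id the advertiser saw per visit
}
```

With third-party cookies accepted, every visit carries the same identifier and lands in one profile; with them blocked, each visit looks like a new visitor and no cross-site profile accumulates.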
A new type of cookie called a Flash Cookie may not be deleted when users delete their cookie files. These cookies make use of the capabilities in the Adobe Flash plug-in installed on most web browsers and are not stored with other cookie files. Flash Cookies may even replace the cookie files that have been deleted with new ones. Most websites do not even mention the use of such technology in their privacy policies or provide users with a way to opt out of the service, violating the Fair Information Practice Principles.
Web users should also be aware of the potential for cookie tampering. Session cookies may often include sensitive information that has been entered by the user into a web form. Such cookies are necessary for carrying out particular types of transactions. However, while login cookies may make use of encryption technology, many session cookies do not, leaving personally identifiable information vulnerable to hijacking.
Managing Cookies as a Web User
A web user concerned about their privacy has a few options.
Opt out of third-party cookies– Many advertisers offer an opt-out option by allowing users to download an opt-out cookie. However, there are several major advertisers for which cookies may have to be downloaded to prevent tracking activities. If a user makes use of multiple browsers, the process must be completed for each one.
Managing Cookies and Privacy Preferences as a Website Owner
Allow users to opt out of third-party cookies– The Fair Information Practice Principle of Consent deals with a user’s right to decide how and where their information is used. Providing an opt-out option complies with this principle.
Encryption–Use encryption technology for all cookies, which includes session cookies. This protects a user’s sensitive information from unauthorized access by hijackers. As the collector and maintainer of an individual’s personal data, an entity is responsible for the protection of that information.
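One way a site owner can apply the encryption advice to a session cookie, and at the same time detect the tampering discussed earlier, is authenticated encryption. This is an added example, not code from the original article: it uses AES-256-GCM from Node's built-in `crypto` module, and the function names, the `cart` cookie and the in-memory key are assumptions made for the illustration.

```javascript
// Added illustration, not from the original article; names are hypothetical.
const nodeCrypto = require('crypto');

// Assumption: in production the 32-byte key comes from a secret store, not from code.
const KEY = nodeCrypto.randomBytes(32);

// Encrypt and authenticate a cookie value. The cookie name is bound in as
// associated data, so a sealed value cannot be replayed under another name.
function sealCookie(name, value, key = KEY) {
  const iv = nodeCrypto.randomBytes(12);                 // fresh nonce per cookie
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(name));
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  const token = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
  // Secure: sent over HTTPS only. HttpOnly: hidden from page scripts.
  // No Max-Age or Expires: the browser treats it as a session cookie.
  return `${name}=${token}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Return the plaintext, or null if the value was altered, truncated or forged.
function openCookie(name, token, key = KEY) {
  try {
    const raw = Buffer.from(token, 'base64url');
    if (raw.length < 28) return null;                    // 12-byte IV + 16-byte tag
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAAD(Buffer.from(name));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return pt.toString('utf8');
  } catch {
    return null;                                         // authentication failed
  }
}

// Helper for the demonstration: pull the value out of a Set-Cookie line.
function tokenOf(setCookie) {
  return setCookie.split(';')[0].split('=').slice(1).join('=');
}
```

A server that receives `null` from `openCookie` should discard the cookie and start a fresh session rather than trust any part of the value.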
Cookies have become an essential part of web browsing. While the reasons behind the use of the cookie (user preferences, session management, maintaining accurate web traffic records) are not inherently problematic in terms of privacy, the ability of a cookie to track user activity can be considered invasive. Making sure users are aware of the use of first and third party cookies as well as providing options for managing and opting out of such cookies puts some of the control back in the consumer’s hands. Web users should be continually aware of how and where their information is being used and take preventive measures to avoid any unnecessary disclosures.
CIPP Candidate Preparation
In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:
- Online Privacy: “Online identification Mechanisms” (Foundations: III.B.g.i)