
Introduction:

Today it is hard to imagine a world in which the internet is not an integral part. The internet touches every facet of our lives; it is an essential platform not only for e-commerce but also for entertainment, education, data storage, communication, and more. As the internet develops, it makes our lives easier and more efficient on the one hand, but on the other it exposes our privacy and private details to unknown people with undisclosed intentions on the other side of the screen. This progress has made cybersecurity and privacy a major concern for everybody.

With respect to the internet, privacy means having control over your data and private information while browsing, and keeping that information private. It is the anonymity that an individual’s data and identity have while connected to the internet. Cybersecurity exists to protect sensitive data and privacy on the internet from being violated through unauthorized access. It is the practice of safeguarding computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. Cybersecurity and privacy protection should be considered intertwined: as more personal data is processed or stored on the internet, privacy protection depends more and more on effective cybersecurity to protect that data both in transit and at rest.[1]

There are many threats to users’ privacy on the internet; one of them, which discreetly monitors browser-server interaction, is cookies. In this article, we discuss cookies and how they raise privacy and cybersecurity concerns for internet users.

What are Cookies?

In the case of the internet and technology, cookies are not the treats we get on the dessert menu. A cookie is a small text file stored by the web browser to remember data about a user. The file is generated on the server side and stored by the web browser so that the server can remember the user. Cookies were designed by Netscape in 1995. They were developed to make HTTP (Hypertext Transfer Protocol) communication more efficient and less complicated.

HTTP is the protocol used between the web browser and the web server, and it is stateless and sessionless. This means that every event triggered on the server by a browser, such as a page load or a request, is independent and unrelated to the events before or after it. That is efficient for simple data searches, but it does not work well for anything more complicated, such as retrieving user-specific information. Cookies make this more efficient: they tell the server whether a request is related to previous requests, so the server can identify the user and return the appropriate results.

Cookies are thus produced and modified by the server, stored by the browser, and exchanged between the server and browser at each interaction to identify the user and their requests. Many different types of cookies have been developed over time to meet the needs of different servers. A cookie’s purpose depends on the work it does and the lifespan it has. Cookies generally fall under the following two categories:

  1. Non-persistent cookies, temporary cookies or session cookies – These are the more commonly used type and are temporary. They expire when the browser is closed and are used to manage a single browsing session.
  2. Persistent cookies or permanent cookies – These cookies identify the user over multiple independent sessions and customize the content on the server according to the user. Permanent cookies are used in analysis and performance data tracking. They survive across sessions and have an expiration date.

How Cookies Work and Where They Are Used

To understand how cookies work, we can divide the process into the following steps:

  • Step 1. The user contacts the web server for the first time; in response to this request, the web page generates a session identifier (ID), which is part of the cookie.
  • Step 2. The server sends the cookie to the user, and the client’s browser stores it. The cookie is sent back to the server each time the client issues a new query. Every time a user enters a URL (Uniform Resource Locator) in a browser, the browser searches its local memory for a cookie associated with that URL. If a cookie is found, it is included in the query sent to the server so that the server can recognize the user.
  • Step 3. The content of the web page is then retrieved gradually from the web server(s). The text portion of the content is received first; a web page may also contain URL-identified links to other content, such as images, animations, videos or ads, which are retrieved afterwards. Such URLs may point to the original web server from which the text was received or to other web servers.
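
The exchange in steps 1 and 2, as an added Python simulation that is not code from the original article: a toy server issues a session identifier in a Set-Cookie header, and a toy browser stores it per host and returns it on the next request. The names server_handle, Browser and SESSIONS, the cookie name sid and the host names are assumptions made for the illustration.

```python
# Added illustration: offline simulation of the cookie exchange (not from the article).
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side state keyed by session id (constructed for the demo)

def server_handle(cookie_header):
    """Process one request; return (response_headers, visits_for_this_session)."""
    jar = SimpleCookie(cookie_header or "")
    sid = jar["sid"].value if "sid" in jar else None
    headers = {}
    if sid not in SESSIONS:
        # Step 1: first contact (or unknown id), so create a session identifier.
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = {"visits": 0}
        out = SimpleCookie()
        out["sid"] = sid
        out["sid"]["path"] = "/"
        # Step 2: the identifier reaches the browser in a Set-Cookie header.
        headers["Set-Cookie"] = out["sid"].OutputString()
    SESSIONS[sid]["visits"] += 1
    return headers, SESSIONS[sid]["visits"]

class Browser:
    """Toy cookie store keyed by host name only (hypothetical helper)."""
    def __init__(self):
        self.jars = {}

    def request(self, host):
        """Send one request to host; return (Cookie header sent, visit count)."""
        stored = self.jars.get(host)
        # Step 2, continued: attach any cookie already stored for this host.
        sent = "; ".join(f"{m.key}={m.coded_value}" for m in stored.values()) if stored else None
        headers, visits = server_handle(sent)
        if "Set-Cookie" in headers:
            self.jars.setdefault(host, SimpleCookie()).load(headers["Set-Cookie"])
        return sent, visits
```

The first request from a browser carries no Cookie header; the second carries the stored sid, which is how the server links the two requests to the same user.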

Cookies are used not only to identify the user but also in advertising. Third-party cookies are used by advertising agencies for marketing and ad serving. The browser receives these cookies when the user visits a web page that contains content from third-party providers. Third-party cookies are somewhat controversial because of user privacy concerns, which we discuss in the next section.

Privacy Concerns due to Cookies

Although cookies alone cannot dig through your data or search your computer, they store personal information in at least two ways: form data and ad tracking. Cookies are set by the websites we visit, and at times by third parties. We may even receive cookies from websites we have never heard of or visited, because those websites are associated with the websites we do visit. These websites carry out different activities, such as advertising, helping to market a brand or product, increasing revenue, or monitoring the brand, the product and its users. They may set cookies that monitor a user’s movement from one website to another and synthesize personal data, making it available to anyone with an interest. The privacy invasion caused by cookies can be explained by this real-life illustration.

“Imagine, being stopped at the doorway to your local food market or petrol station and asked to show identification so as to get in. While you are there, imagine being observed by a guard who takes notes on what you are doing or being recorded by a hidden camera as you walk around. Information gathering cookies aren’t nearly obvious; however, this can be primarily what they are doing once they get within your browser.”[2]

There is one more addition to the above situation: websites do not stop at tracking; they start showing advertisements and campaigns built around you, pushing you to buy or look at something because you once had it or were often intrigued by it. This takes away our ability to look for new things; it restricts the possibility of seeing something new and keeps giving us the same preferences.

Cyber Security Concerns Regarding Cookies

Anyone can issue cookies to any website. In addition, the information a website stores in a cookie is generally in plain text and can be modified every time the user visits the web page. As a result, it is easy to retrieve cookies (snooping) and to forge them. In the past, cookies were not used to run code (programs) or to deliver viruses to users’ computers. However, they have a series of vulnerabilities. Three varieties of cookie threats have been identified: network threats, end-system threats and cookie-harvesting threats.

Network threats arise from the fact that cookies are transmitted in plain text and may be replayed (spoofed) or altered in transit. End-system threats relate to vulnerabilities such as cookie forgery and impersonation of other users. Finally, by imitating a legitimate website and collecting cookies from users, an attacker can perform a cookie-harvesting attack.

Some attacks expose the cookies, while others exploit cookie vulnerabilities, making the cookie an easier target for a further attack. Among them are:

Sniffing cache – The attacker can also obtain the cookie content by accessing the browser or proxy cache.

XSS cookie sniffing – Cross-site scripting (XSS) cookie sniffing occurs when a web application maliciously collects data from a user. XSS attacks allow hijacking of accounts, changing user settings, theft or poisoning of cookies, or false ads. The attacker can capture and extract data from the cookie.

Cookies cannot infect computer systems with malware. Nevertheless, cyber-attackers can hijack the data in these cookies, track the user’s browsing history, and commit malicious activities, making cyberspace unsafe for users. SSL (Secure Sockets Layer) can be used to protect cookies from attacks.
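
One way a server can defend against the forgery, network and XSS threats described above, as an added Python example that is not from the original article: the server appends an HMAC tag so that altered or forged values are rejected, and sets the Secure, HttpOnly and SameSite attributes, while audit_set_cookie reports which of those attributes a header lacks. HMAC signing and the attribute audit are not mentioned in the article and are used here as common defenses; the key, the cookie names and all function names are assumptions.

```python
# Added example: tamper-evident cookie plus an attribute audit (not from the article).
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET_KEY = b"constructed-demo-key"  # constructed value; real keys stay server-side

def sign(value):
    """Hex HMAC-SHA256 tag over the cookie value."""
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()

def issue_cookie(name, value, max_age=None):
    """Build a Set-Cookie header value with an integrity tag and strict attributes."""
    jar = SimpleCookie()
    jar[name] = f"{value}.{sign(value)}"
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["secure"] = True     # sent over TLS only: addresses the network threat
    morsel["httponly"] = True   # hidden from page scripts: limits XSS cookie theft
    morsel["samesite"] = "Lax"  # not attached to most cross-site requests
    if max_age is not None:     # persistent cookie; leave unset for a session cookie
        morsel["max-age"] = max_age
    return morsel.OutputString()

def verify_cookie(raw_value):
    """Return the original value, or None if the value was altered or forged."""
    value, sep, tag = raw_value.rpartition(".")
    if not sep or not hmac.compare_digest(tag.encode(), sign(value).encode()):
        return None
    return value

def audit_set_cookie(header_value):
    """Return the protective attributes missing from a Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    return [attr for morsel in jar.values()
            for attr in ("secure", "httponly", "samesite") if not morsel[attr]]
```

The tag protects integrity only: the value is still readable, and a stolen cookie can still be replayed, which is why the Secure attribute and an encrypted connection matter.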

Policies Regarding Cookie Regulation

1. European Union Cookie Regulation; the General Data Protection Regulation (GDPR)

The European Union (EU) has laws that specifically regulate the use of cookies on websites and web applications. These laws apply to any website originating in an EU member country and may also apply to websites specifically targeting users within the EU. The GDPR was introduced in 2016, replacing the Data Protection Directive from 1995. Only one section of the law addresses cookies directly; it states:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.”[3]

Despite this single mention, cookies are considered a means of collecting personal data and fall under the GDPR’s extensive guidelines governing the management and storage of personal data.

Organizations therefore need to meet the following requirements in order to use cookies in line with the GDPR:

  1. Consent must be freely given, specific, informed and unambiguous: Transparency is one of the most important objectives of the GDPR, so it is essential to communicate clearly about what information has been collected and how it has been shared.
  2. Consent must be a clear affirmative action: The user’s consent should be asked for in a clear manner. This can range from clicking an opt-in box or pushing an accept button to choosing specific settings from a drop-down menu. On consent forms, pre-ticked boxes are not allowed and can result in substantial penalties.
  3. Users must be able to withdraw: Users should be able to withdraw consent as simply as they provided it. With cookies, this could mean that data subjects revoke consent through the same action they used when they gave consent.
  4. Users must have a choice: Just because a user uses a website does not mean that all cookies need to be agreed to. The user needs to have the option to accept or reject certain cookies, with a clearly stated purpose for each type of cookie. Consent for these cookies should not be bundled with other purposes or processing activities, such as tying cookie consent to a privacy policy or combining functional and advertising cookies.
  5. Users that reject cookies must still receive full access to the website: A server is not allowed to offer limited functionality or access to users who do not consent to cookies.

However, not all cookies require consent under the GDPR. Certain cookies (e.g., authentication, multimedia content player, load-balancing, third-party social plug-in content-sharing) are exempt from the need for consent before data collection. Many cookies are essential for creating a strong user experience on websites.

2. The California Consumer Protection Act (CCPA) and Cookies

Although there is no comprehensive federal cookie law in the U.S., the CCPA safeguards the non-public data of web users in California. Like the GDPR, the CCPA views cookies as personal data; thus, for a business to have a compliant cookie policy, the policy should include the following information:

  1. The categories of cookies used in the website server.
  2. The list of personal information the server collects.
  3. The reason for collecting the data.
  4. The retention period of that information.
  5. The third parties that provide the scripts behind the cookies.

Unlike the GDPR, CCPA cookie consent relies on an opt-out mechanism, which means websites may use cookies without prior consent but must provide users with a simple way to opt out at any time. The CCPA additionally requires businesses to disclose what data is being collected by cookies and how that data is used, before or at the point of collection; however, it does not require express cookie consent. Gaining consent for functional, performance, or analytics cookies is optional.

Conclusion

In this article, we have covered what cookies are, how they work, and the most common types used on the internet. Cookies were initially invented to solve problems in HTTP sessions and have since come to be used in advertising and marketing. The privacy and cybersecurity concerns raised by cookies are a serious predicament, as cyber attackers can hijack cookies and commit dangerous crimes. There are not many regulations governing the use of cookies apart from the GDPR and the CCPA. Therefore, one should take precautions when sharing private information on the internet, and users should avoid servers that make the use of cookies compulsory. Users should also disable cookies in their browser, as this will reduce the sharing of information.


References:

[1] OPC speech, available at https://www.priv.gc.ca/en/opc-news/speeches/2011/sp-d_20110223_cb, visited on 26/09/20.

[2] Real-time scenario, available at http://www.artbusiness.com/cookies.html.

[3] GDPR, Recital 30.

