Internet Cookies: Impact on Online Privacy
What are Internet Cookies?
Internet cookies are text files that contain a small amount of data, such as a username and password, and are used to identify a computer when it is connected to a computer network. HTTP Internet cookies help to identify specific users and to improve the web browsing experience. The server creates the data stored in an internet cookie when the user connects. This information is labeled with an ID that is unique to the user and their computer. When an internet cookie is exchanged with a network server, the server reads the ID and knows what specific information to serve the user.
How Are Internet Cookies Used?
Session Management - Internet cookies, for example, allow websites to recognize users and remember their unique login information and preferences, such as sports news versus politics.
Personalization - The most common way internet cookies personalize user sessions is through customized advertising. When the user views specific items or parts of a website, internet cookies use this information to help build targeted ads that may interest them.
Tracking - Shopping sites use internet cookies to track items that users have previously viewed, allowing the sites to suggest other goods that may interest users and to keep items in shopping carts while they continue shopping.
Internet cookies are stored locally on the user’s device to free up space on a website's servers. This allows websites to be customized while saving money on server maintenance and storage.
Types of Internet Cookies
First-Party Internet Cookies - First-party internet cookies are those that are stored on a website (domain) that the user has visited directly. Publishers use these internet cookies to collect analytical data and optimize website functionality, such as remembering language preferences. Further, First-party internet cookies are enabled by default and aren't going away anytime soon. This is because they are required to carry out key website functions.
Third-Party Internet Cookies - Third-party internet cookies are set by domains other than the one the user visited. This occurs when a user visits a website that contains a third-party internet cookie file, such as an ad. Third parties use these internet cookies for tracking, ad serving, and retargeting. Third-party internet cookies are already blocked by default in web browsers such as Safari and Firefox.
Session Internet Cookies - internet cookies, also known as non-persistent internet cookies, act as a website's memory. They only keep track of the users' visits until they close the browser, i.e., they expire immediately after the session. Session internet cookies allow the publisher's website to track users’ activity across multiple pages during a single session. For example, items placed in an e-commerce store's cart would disappear every time a user refreshed the page or proceeded to checkout if session internet cookies were not used. This is because websites typically treat each new page request as if it were from a new user.
Persistent Internet Cookies - The publisher usually specifies an expiration date for persistent Internet cookies, also known as permanent Internet cookies. Users' devices remember the information they set, such as language preference, settings, login details, and so on. These internet cookies are also known as tracking internet cookies. This is because they track users' behavior on the website over time.
Secure Internet Cookies - Secure internet cookies will only be present on a website with an HTTPS protocol. This ensures an encrypted connection and prevents internet cookie theft.
Zombie Internet Cookies - Zombie internet cookies, also known as ever internet cookies and super internet cookies, are not internet cookies in the traditional sense. They are usually in the form of an image, a locally shared object, or HTML5 Web storage. They reappear as regular internet cookies even after the original internet cookies have been deleted, giving rise to the term "zombie internet cookies.
How Does Internet Cookie Work?
An internet cookie comprises three parts: the name, the value, and the attribute. An internet cookie is identified by its name by a website or a third-party server. The server generates a random alphanumeric value to identify users when they return to the website or cross-track across websites. The attributes store internet cookie information such as the expiration date, domain, path, and flags.
What Information Does Internet Cookie Hold?
We know that every internet cookie contains at least the name of a website as well as an ID for the user. However, some websites will include additional information in the Internet Cookie that is stored on your the user’s computer. An internet cookie, for example, could contain any of the following:
How much time does the user spend on a website
The links the user visits while on the website
The options, preferences, or settings the user selects
Keeping track of which pages have been visited in the past
Items in a shopping cart
Internet Cookie Size Limit per Domain
Another limitation imposed by some browsers is the amount of space that a single domain can use for internet cookies. This means that if the browser has a limit of 4,096 bytes per domain and one can set 50 internet cookies, the total amount of space those 50 internet cookies can use is 4,096 bytes — approximately 4KB. Some browsers do not impose a size restriction. As an example:
Chrome has no limit on the maximum number of bytes per domain.
Firefox has no limit on the maximum number of bytes per domain.
Internet Explorer allows between 4,096 and 10,234 bytes.
Opera allows 4,096 bytes.
Safari allows 4,096 bytes.
Accepting and Rejecting Internet Cookies
A shopping website, for example, would use internet cookies to remember the items the user has placed in a virtual basket before checking out. On the other hand, a social network may use Internet cookies to track the links they click and then use that information to show them more relevant or interesting links in the future. internet cookies are typically used to enhance the user experience. However, privacy advocates have expressed concern that information about themselves, particularly their browsing habits, may be stored.
On the other hand, some companies will simply refuse to allow a user to use their website if they do not accept internet cookies. Some websites will no longer allow access without internet cookie permission, especially since the implementation of GDPR (and the hefty fines that come with it). It's usually because some websites simply won't function properly without internet cookies. However, the majority of the internet is accessible without accepting internet cookies. Of course, there are advantages to accepting internet cookies. Accepting internet cookies will give the user a more tailored experience with more relevant content, so it's usually worth it unless one is particularly concerned about privacy.
Dangers of Accepting Internet Cookies
It's not like one can get a virus from an internet cookie; they're just plain text files with no executable code. However, depending on how internet cookies are used and exposed; they can pose a significant security risk.
Internet cookies, for example, can be compromised. Because most websites use internet cookies as the only identifiers for user sessions, an attacker who hijacks an internet cookie may be able to impersonate a user and gain unauthorized access.
Capturing Internet Cookies over Insecure Channels - Any authentication internet cookie should always be transmitted securely, but this is not always the case. Internet cookies without a security flag are one example. When an internet cookie is marked with the Secure flag, the browser is informed that the internet cookie can only be accessed via secure SSL/TLS channels. If the secure flag is not set, an internet cookie can be sent in cleartext, for example, if the user visits any HTTP URLs within the scope of the internet cookie. An attacker eavesdropping on network traffic could easily capture the internet cookie and use it to gain unauthorized access.
Session Fixation – This is another attack that allows an attacker to hijack a legitimate user session. This time, it takes advantage of a flaw in the way the web application manages the session ID. For example, if an application allows a session token in the query parameters, an attacker could send a user a URL that includes a specific session ID in its arguments. The attacker can now hijack the session if the user authenticates using this URL.
Internet Cookie Tossing - An internet cookie tossing attack involves delivering a malicious internet cookie disguised as coming from the targeted site's subdomain to the user. This is especially problematic when a website allows untrusted individuals to host subdomains under its domain. When a user visits the target site, all internet cookies, both valid and those that appear to be from subdomains, are sent.
How to Protect Data Privacy on Websites with Internet Cookies?
Third-party tracking internet cookies are the only type of internet cookie that website visitors who want to protect their privacy should be concerned about. Although most internet cookies on popular websites are safe, many are used to serve relevant advertisements.
Consider the following options to block internet cookies and protect data privacy:
Internet cookies can be blocked in modern browsers. The user can disable all internet cookies, but this will break many websites' features and functions.
A better approach would be to only block third-party internet cookies. It should be noted that not all third-party internet cookies are classified as "bad internet cookies." This option will almost certainly break some sites that use third-party internet cookies, even if they are not tracking internet cookies. As a result, some of these sites may not function properly or at all.
The user can also block and allow internet cookies on a per-site basis. This will require more work and monitoring, but it will give them more flexibility and control over their privacy and user experience on the various websites they visit.
Modern browsers also include an "incognito" mode. An incognito browser session starts with a blank slate. There are no browsing histories or internet cookies. Because internet cookies are accepted by the browser in incognito mode, all websites will function normally. However, those internet cookies are not saved indefinitely, becoming essentially session internet cookies. One disadvantage is that you will have no saved logins if these internet cookies are not present. Nonetheless, this option will defeat third-party internet cookie tracking attempts.
There are third-party Chrome extensions that provide internet cookie-related functionality, such as deleting internet cookies after leaving a site.
Laws Governing Internet Cookies
EU Internet Cookie Consent Laws - The EU Internet cookie laws apply to any website with EU visitors, regardless of the business's physical location. They require businesses to:
Obtain permission before installing trackers or internet cookies on users' browsers.
Provide specific details about all trackers and internet cookies used on their websites.
Make it simple for users to withdraw or opt out of consent.
Internet Cookie Consent Laws in the United States - While several states in the United States have passed or are considering legislation, federal privacy laws in the United States are generally lax in comparison to other major countries. Except for the Children's Online Privacy Protection Act (COPPA), which regulates the activity of websites and online services aimed at children under the age of 13, the United States does not require consent for internet cookies.
COPPA only applies to the collection of personal information from children under the age of thirteen. If any of the following apply, one must comply with COPPA:
The website or app's content is directed at children under the age of 13, and it collects their personal information;
The website or app is intended for a general audience, but the operators are aware that children under the age of 13 visit their site and that they collect personal information from them.
In its Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, the Federal Trade Commission (FTC) defines "website or online service" as including all of the following:
Mobile apps that send or receive data over the internet
Platforms for online gaming
Advertising networks with plug-ins
Location-based services with Internet access
Services for voice over internet protocol
Internet Cookie Consent Laws in Canada - Canada's privacy laws are much stricter than those in the United States but not as strict as those in the European Union. Canada's anti-spam and privacy laws govern the use of internet cookies through:
Personal Information Protection and Electronic Documents Act (PIPEDA)
Anti-Spam Legislation in Canada (CASL)
PIPEDA recognizes both "express" and "implied" consent. Express consent, also known as "opt-in" consent, is provided explicitly through a specific action. Inaction can be used to infer implied consent or "opt-out" consent.
Before installing certain computer programs, including internet cookies, websites, and apps operators must obtain express consent under CASL. Website operators can assume that a user has given explicit consent for internet cookies under CASL if "the person's conduct is such that it is reasonable to believe that they consent to the program's installation.”
Internet Cookie Consent Laws in the United Kingdom - The Data Protection Act of 2018 governs privacy and consent in the United Kingdom. Before collecting personal data from users, the Data Protection Act requires the operators to obtain their express consent. The act is the UK's implementation of a GDPR directive that applies to all member countries.
Notably, the British government recently proposed departing from EU data protection laws. To reduce the barrage of internet cookie consent banners, the United Kingdom is considering switching to an opt-out rather than an opt-in framework.
Internet Cookie Consent Laws in China - China's Personal Information Protection Law (PIPL) was passed in 2021, and it imposes some of the most stringent requirements for collecting personal data. Under the PIPL, very specific conditions must be met to remove personal data from within China's borders. Violations of the law can result in significant fines for the company as well as individual employees.
Future of Internet Cookies
According to a recent statement, Google intends to phase out the use of internet cookies by 2023. This is part of a larger strategy to strengthen privacy regulation in light of international laws such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
By the end of 2022, Google hopes to have new technology in place to replace third-party internet cookies. This way, developers can begin to adopt the new technology, allowing internet cookies to be phased out by the 2023 deadline. What exactly are the technologies? Unfortunately, the answer is still a mystery. According to some reports, Apple intends to make the mobile device ID, also known as the Identifier for Advertisers (IDFA), opt-in only. According to USA Today, "a technique that hides users in large online groups based on their interests while keeping web browsing histories on devices to maintain privacy" is one of Google's leading ideas to replace third-party internet cookies.
The emphasis should be on ensuring that cookies are used in a secure manner. Many simple steps can be taken by a developer to mitigate vulnerabilities; for example, enabling the HTTP Only flag when generating a cookie reduces the risk of a client-side script accessing the protected cookie. Similarly, the Secure Cookie flag prevents the cookie from being sent over an unencrypted HTTP request, removing the possibility of unauthorized parties observing it due to cleartext cookie transmission.
A user can also take simple steps to avoid cookie-related security risks. For example, it is critical for the user to keep their browser up to date. Furthermore, most modern browsers allow the user to delete or even block cookies. If the users are not satisfied, there are several browser plugins/extensions available to manage or even delete cookies automatically. This can also be used to address privacy concerns, as it makes it easier to block those pesky advertising cookies.