What are cookies and why do we need them?
If you’ve ever visited a site which allows you to log in, add items to a shopping cart, change the size of the font, or make something a different colour, the chances are you’ve had a cookie stored on your machine. In years gone by I can remember people coming to me terrified because their spyware software had found hundreds of cookies on their machine and it was clearly infested with some kind of nasty virus that put these cookies on their computer.
A cookie is simply a small file which your web browser uses to save information. This information can be used to authenticate you (such as when logging into a website), to store your preferences for a site (such as which language you wish to browse the site in, or what colour or font size you prefer), to keep items in a shopping cart, and so forth.
In most cases, cookies are stored without you knowing that it is happening, although if you read the privacy policy for the website it should explain to you why these cookies are being stored, and how long they last for.
There are different types of cookies depending on what they are being used for and how long they last:
Session cookies
A session cookie lasts for the duration of time that you are visiting a website, and is removed when you leave the website, or if you’ve not done anything on the site for a period of time – known as a session timeout.
Persistent cookies
Persistent cookies last longer than a user session and are often used to store preferences such as the colour or layout of a site. A time limit can be set for persistent cookies, during which the information stored in the cookie will be applied every time you visit the site.
These are sometimes known as tracking cookies, because one of the main reasons for using them is to track information about visitors to a site – for example whether they have visited your site before, how they came to your site, and so forth.
Secure cookies
A secure cookie is only sent when you are browsing an encrypted website (one whose address starts with https://), which ensures that the information stored within the cookie is encrypted when it is passed from your browser to the website you’re visiting. This helps prevent people from reading the information in the cookie while it is in transit.
HttpOnly cookies
A more modern approach to dealing with cookies, primarily to prevent people intercepting information stored in cookies using a particular type of attack known as ‘cross site scripting’: an HttpOnly cookie is only sent as part of http or https requests and cannot be read by client-side scripting languages (such as JavaScript, for example).
Third party cookies
Similar to car insurance, third party cookies are for someone other than the website involved. If you were visiting www.myblog.co.uk and the site had some adverts showing for www.mytrackingsoftware.com, mytrackingsoftware.com is allowed to set a cookie when the advert is shown. When you visit other websites, there might be more ads from www.mytrackingsoftware.com, and it will try to show you adverts which are relevant to the types of websites that you visit.
The reason some people object to this type of cookie is because it is building a profile of what kind of sites you visit and using this to target adverts at you. Although this information is anonymous (technically – as it’s stored on your own browser) I have to admit I find it slightly unnerving. I’ve noticed this before when I purchased a shoulder splint from a rehabilitation website, and then noticed on several other completely unrelated technology websites I was getting adverts for shoulder splints appear! Also after our IT manager and his wife had a baby and I purchased a gift online, I kept getting newborn baby adverts appearing around the web!
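As an added example (not part of the original post), here is a small Python classifier that reads Set-Cookie headers and reports which of the types described above each cookie belongs to. The sample headers are constructed, the attribute names are the standard ones (Expires, Max-Age, Secure, HttpOnly, Domain), and the third-party check is a simplified host comparison that assumes no public-suffix list.

```python
from dataclasses import dataclass, field


@dataclass
class CookieInfo:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value (None for flags)


def parse_set_cookie(header: str) -> CookieInfo:
    """Parse one Set-Cookie header value of the form name=value; Attr=val; Flag."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or None
    return CookieInfo(name.strip(), value.strip(), attrs)


def is_third_party(c: CookieInfo, site_host: str) -> bool:
    """True when the Domain attribute names a site other than the one being visited
    (simplified assumption: no public-suffix list, so co.uk-style suffixes are not special-cased)."""
    domain = (c.attrs.get("domain") or site_host).lstrip(".").lower()
    host = site_host.lower()
    return not (host == domain or host.endswith("." + domain))


def classify(header: str, site_host: str) -> dict:
    """Map one Set-Cookie header to the cookie categories described above."""
    c = parse_set_cookie(header)
    return {
        "name": c.name,
        # Expires or Max-Age makes the cookie outlive the browser session.
        "type": "persistent" if any(k in c.attrs for k in ("expires", "max-age")) else "session",
        # Secure: only sent over https://; HttpOnly: not readable by page scripts.
        "secure": "secure" in c.attrs,
        "httponly": "httponly" in c.attrs,
        "third_party": is_third_party(c, site_host),
    }


# Constructed sample headers (not captured from any real site): a login cookie
# set by the page itself and an advert cookie set from a different domain.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "adtrack=xyz; Domain=.mytrackingsoftware.com; Max-Age=31536000; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h, "www.myblog.co.uk"))
```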
What is this new law all about?
The crux of this new law is that most of the time we are completely oblivious that a website is storing cookies - unless you look carefully at the privacy policy or take the time to examine the cookies stored on your computer, you would probably be none the wiser. Web developers, designers, and browsers are having a warning shot fired across their bow that this needs to change, and users need to make an informed decision about the cookies they wish to allow to be stored.
While I personally understand why you would want to know when certain cookies are being stored (such as tracking cookies which are not essential to the functions of the site) I can also see the inherent annoyance at being asked every time a cookie is to be stored, or when you visit a website, whether this is OK with you. People will get in the 'click to get rid of it' mentality and not actually pay attention to the question - I do it myself all the time!
Whose job is it anyway?
As many other articles on this subject have mentioned, modern browsers already have the capability at varying levels to set permissions for cookie types, but they don't explicitly explain to the user what these settings are, nor do they actively prompt the user to set them. All that would be required, from what I can see, is for the browser to ask the user which cookies they do not wish to allow (explaining clearly what each type actually does, and what the consequences of allowing and denying them are) with the option to alert the user when a cookie is being blocked for the first time in case they experience problems with the site they are using.
While I strongly feel this falls on the shoulders of the browser, I also think that website designers should shoulder some responsibility by ensuring that their policies (and those of their clients) clearly state what type of cookies they use, why they are used, and have a sensible expiry date etc. It also falls to us to explain and educate people about what cookies are, why they are used, and so forth.
Conclusion
While it is important to take heed of this law and ensure that you are taking action towards compliance (especially if you're a registered data controller with the ICO), I believe it is likely that we will see changes to browsers which facilitate compliance with this law and hence reduce the requirement for the web designer to create a solution to this problem. In the meantime, take this opportunity to drag your privacy policy off the dusty shelf and re-examine it. Check if it still reflects your site and the cookies you store, and update it accordingly. If we do not have an acceptable browser-based solution within a year, I'm pretty sure there will be solutions emerging from other sources - we'll report on these as and when we hear about them.
