EU ENISA concerned over new types of cookies

 What are cookies?

Cookies have been around for a long time. They were originally used simply to make online access easier, and over the years have become useful tools in terms of authentication of web users and fraud prevention.

However, they are now being used for other purposes, such as tracking and profiling web users, and allowing advertisers, and third parties working for them, to target advertising based on web user behaviour. This, the report says, lays the door wide open for exploitation of user information which could, ultimately, breach EU privacy laws. 

It will come as no surprise to anyone that cookies have developed in the way they have. As the importance and reach of websites have grown, so the tools used by advertisers have had to change with them. New types of “supercookies”, such as “Flash cookies” and “evercookies”, have been developed which are more sophisticated in terms of their tracking, identification and profiling abilities, and are much harder for the web user to manage and control.

Flash Cookies

Flash cookies begin life in Adobe’s Flash Player. They can track users in all the ways used by their antiquated cousins, and they can be stored or retrieved whenever a user accesses a page containing a Flash application. That’s a lot of pages — Flash cookies are extensively used by popular sites, according to the report, which suggests that the reason they are used is precisely because they circumvent users’ standard cookie privacy preferences. Flash cookies’ genesis beyond the browser means that they are stored outside its control, with the result that users do not have the chance to control them directly.

In particular, the report found, Flash Player itself does not prompt users for permission to store a Flash cookie on the hard drive, the cookies are able to hold over 20 times as much information as their traditional predecessors and they never expire. Most worryingly for the authors of the report, this online immortality means websites can automatically re-generate standard cookies from Flash cookies if the standard ones have been deleted.

‘Evercookies’

Further along the evolutionary scale, the “evercookie” is more resilient still. The cookie material that it stores is not just kept in one place. It spirits information away to a variety of places on the local browser and can be used to identify a client even when standard cookies, Flash cookies and others have been removed.

Evolving EU Law

The EU e-Privacy Directive (2002/58/EC) provides that cookies are allowed only on the condition that users are given clear and precise information about their purpose, in accordance with the EU Data Protection Directive (95/46/EC), and that users are made aware of information being placed on the equipment they are using. Users should, it says, have the opportunity to refuse to have a cookie on their equipment. The so-called “Cookie Directive” (2009/136/EC), however, which is supposed to be implemented into national law by EU member states by May 25, 2011, amends the e-Privacy Directive by removing the “right to refuse” concept and replacing it with the concept of “informed consent”. Subject to limited exceptions, under the new law, the user must give his or her informed consent prior to the cookie being stored or accessed on his or her computer.

World Data Protection Report, BNA International. Monthly news and analysis of data protection and privacy issues from around the world. BNA International Inc., a subsidiary of The Bureau of National Affairs, Inc., U.S.A. Volume 11, Number 3, March 2011.

‘Informed Consent’ Concept Not Being Respected

As things stand, the report says, the “informed consent” concept is not being respected, and it points towards the difficulty users have in managing and controlling the new “supercookies”. Research shows that 80 percent of online service providers use cookies, and 80 percent of those use supercookies that evade normal attempts at deletion, according to the report.

Recommendations

The report recommends that:
• the use of cookies must be transparent for all users;
• users should be able to manage cookies easily and remove them easily if they choose;
• storage of cookies outside browser control should be limited or prohibited; and
• if users do not accept cookies, they should be provided with another cookie-free means of accessing the service they want.

Outlook

Perhaps the most interesting point to come from the report is that no one really knows how much and to what extent these supercookies are being used. The authors accept that much needs to be done before conclusions can be reached on the basis of structured studies. The “Cookie Directive” will, it seems, be in force before we have that luxury.

The ENISA report can be accessed at http://www.enisa.europa.eu/act/it/library/pp/cookies.

Phil Gorski is an Associate with Wiggin LLP, Cheltenham. He may be contacted at phil.gorski@wiggin.co.uk.
