How Cookies Impact on Cyber Security – Part 1

Cookies are an integral part of how the internet works but there is a huge amount of misinformation about them. Are they dangerous? Are companies tracking your every move? What are the privacy risks?

Your managed security service provider should be able to inform you about how to treat cookies on work computers.

Unfortunately, it’s almost impossible to avoid cookies entirely and the fact is that most websites require you to accept cookies in some form in order to serve you content.

Cookies are tiny text files that a browser places on your computer every time you visit a website.

They are used as a kind of memory for websites and servers, so that users can easily navigate websites without having to constantly enter their details and preferences every time they go online.

One specific type, called tracking cookies which we discuss below, cause more problems than any other.

A typical cookies notice will look something like this.

We use cookies and other tracking technologies to improve your browsing experience on our site, show personalised content and targeted ads, analyse site traffic, and understand where our audience is coming from. To find out more or opt-out, please read our Cookie Policy. By clicking ‘Yes’, or ‘I Accept’, you consent to our use of cookies and other tracking technologies.”

Much like reading a site’s small print, most people will plump for speed and convenience over security and simply click ‘Accept’.

As is often the case, this murky data-scraping part of the internet is hidden from public view. But if you are serious about your cyber security, it’s important to take notice.

 

How do cookies work?

When you use a browser like Google Chrome, Mozilla Firefox or Apple Safari, websites create cookies to store your preferences. These include things like your login information, so you don’t have to input your username and password every time you visit; whether you prefer English, Spanish or any other as your main language; and the items in your shopping cart.

The most basic form of cookies expire and are deleted as soon as you close your browser.

These are called session cookies. The most common use for session cookies is on e-commerce sites like Amazon. They are used to recognise you as you move from page to page and ‘remember’ any information you have entered. If Amazon did not use session cookies, any products you put in your basket would disappear by the time you got to the checkout.

Another type, called first-party persistent cookies expire after a set amount of time. For example, if you use an affiliate page like a price comparison website to search for a better deal for business broadband, that site will place a cookie on your computer for 24 hours. Then when you click through to the provider website to buy the deal, the cookie can tell the provider that you came from the price comparison site, and that site gets a cut of the profits from your sign-up. There’s a reason price comparison websites are big business: the five biggest in the UK revealed that they get up to £30 for every customer.

The most nefarious form of cookies are much more long-lasting and have the greatest effect on your cyber security. These are, called tracking cookies or third-party persistent cookies. We’ll go into more detail on these pieces of code in our next blog. Websites or advertising networks that did not create these kinds of cookies can still access them, tracking you wherever you go on the web.

If you have ever had the feeling your latest Amazon purchase is following you around, this will be down to tracking cookies. Once you’ve seen the 14th advert for a garden hose after buying one online, it can get a little oppressive.

 

What impact does GDPR have on cookies?

Since the introduction of the EU’s GDPR legislation, websites are now required to put their disclaimer notices front and centre when you visit a website for the first time.

The laws came into force on 25 May 2018 and are intended to give consumers more of a say over what data they allow websites to carry or store about them. The policy is intended to disrupt bad behaviour or insecure websites that continue to store personal details on corporate databases.

All websites serving content to customers in Europe, including (for now) the UK, have to be much more up front about the cookies that they are placing on your computer.

In effect, websites must now tell you, before they allow you to read their content, that they use tracking cookies.

In America and other non-EU countries, websites aren’t compelled to tell you if they are placing tracking cookies on your computer. This is why when you visit a website with servers based solely in the US, you may see a disclaimer pop-up saying that it is not possible to serve you the web page because of EU regulations. This refers to GDPR.

Next time we will look at which companies gain the most from tracking cookies, how they work and what you can do to stop your private data being leaked across the web.