Privacy Issues for Computer Cookies: A Deep Dive

Cookies play a ubiquitous role in our online experience, enabling convenient features on websites. However, as a cybersecurity expert who has researched data privacy issues for over a decade, I have serious concerns about how undisclosed tracking and profiling using cookies can infringe on user privacy. In this comprehensive guide, I'll provide an in-depth look at how cookies work, their privacy implications, and ways users can protect their personal data.

The role and prevalence of cookies on websites

Cookies are bits of text stored on the user's device by websites to remember stateful information. According to recent reports, the average number of cookies set by popular websites has grown considerably:

  • In 2012, top websites used fewer than 40 cookies on average. Now the average is over 120 cookies per site.

  • A 2021 study found at least 2500 third-party cookies on the landing page of the top 100 sites. 80% of these cookies were for advertising and tracking.

Cookies set directly by the visited website are called first-party cookies, while those set by advertising networks, social media and analytics companies are third-party cookies. Third-party cookies generally have longer lifespans and are more privacy-intrusive.

Cookies can store data like:

  • Usernames, shopping cart items, game scores (session management)

  • User chosen themes/fonts, notification preferences (personalization)

  • Number of site visitors, page visit timestamps (analytics)

  • Pages visited, clickstream data, search queries made by the user (tracking)

When the browser makes a request to the site domain that set a cookie, the matching cookies are automatically attached to the request by the browser's cookie jar. The site can then read and update cookie values to remember the user.

How cookie tracking undermines privacy

While functional first-party cookies pose lower privacy risks, third-party tracking cookies raise concerns as they can create detailed user profiles stealthily. Some ways they threaten privacy:

Cross-site tracking

Advertising cookies placed via networks like Google Ads track users across different sites visited. By correlating visited pages to a user profile, detailed interests can be compiled. Such cross-site tracking accounts for 62-73% of cookies found on top sites as per a Princeton study.
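The mechanism behind cross-site tracking follows directly from the cookie jar behaviour described earlier. The sketch below is an added example, not code from any browser or ad network: the `CookieJar` class, the `trackerView` function, the `uid` cookie name and the `.example` hosts are all hypothetical, and cookie matching is simplified to exact host comparison. It shows what one embedded ad host can link together with third-party cookies allowed, and what it sees once they are blocked.

```javascript
// Toy cookie jar: host-only matching. Real browsers also apply Domain, Path,
// SameSite and (in some browsers) per-site partitioning.
class CookieJar {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.store = new Map(); // host -> Map(name -> value)
  }
  isBlocked(host, topLevelSite) {
    return this.blockThirdParty && host !== topLevelSite;
  }
  set(host, topLevelSite, name, value) {
    if (this.isBlocked(host, topLevelSite)) return;
    if (!this.store.has(host)) this.store.set(host, new Map());
    this.store.get(host).set(name, value);
  }
  // Cookies attached to a request for `host` made from a page on `topLevelSite`.
  cookiesFor(host, topLevelSite) {
    if (this.isBlocked(host, topLevelSite)) return {};
    return Object.fromEntries(this.store.get(host) || []);
  }
}

// Constructed browsing session: three unrelated sites embed the same ad host.
const SAMPLE_VISITS = [
  { site: 'news.example', embeds: ['ads.example'] },
  { site: 'shop.example', embeds: ['ads.example'] },
  { site: 'clinic.example', embeds: ['ads.example'] },
];

// Returns, per "host:uid", the list of sites on which the embedded host saw that ID.
function trackerView(visits, blockThirdParty) {
  const jar = new CookieJar(blockThirdParty);
  const seen = {};
  let counter = 0;
  for (const { site, embeds } of visits) {
    for (const host of embeds) {
      let uid = jar.cookiesFor(host, site).uid;
      if (uid === undefined) {           // no cookie arrived: server mints a new ID
        uid = `u${++counter}`;
        jar.set(host, site, 'uid', uid); // Set-Cookie in the response
      }
      const key = `${host}:${uid}`;
      (seen[key] = seen[key] || []).push(site); // embedding site is visible, e.g. via Referer
    }
  }
  return seen;
}
```

With third-party cookies allowed, all three sites collapse into a single profile under one ID; with them blocked, the ad host sees three unrelated one-page visitors.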

Resilient tracking technologies

Flash cookies and fingerprinting enable continued tracking even if regular cookies are cleared. Fingerprinting generates a unique ID based on your device settings, fonts etc. rather than storing a cookie.

Intrusive profiling

Online trackers build an inference map based on your browsing history and clicks. Even sensitive interests related to health, religion etc. can be deduced. Profiles are augmented by real-world data brokers.

Lack of awareness and consent

Only 16% of people realize that Facebook tracks their visits to other websites, according to a survey. Most third-party cookies are dropped without clear notice or choice.

Cookie syncing

This allows different trackers and ad exchanges to link identifiers for the same user by sharing cookies in real-time. This amplifies the scale of data collection.

Security risks

Cookies often store credentials and personal data unencrypted. They can be stolen by hackers through XSS and code injection attacks.

Evolution of privacy regulations for cookies

As concern around cookie tracking increased in the late '90s, lawmakers and regulators were forced to act:

  • 2000 – Network Advertising Initiative develops an opt-out icon for behavioral advertising. Limited adoption due to lack of enforcement.

  • 2009 – FTC behavioral advertising principles recommend heightened disclosures and consent requirements. But industry self-regulation proves inadequate.

  • 2011 – Do Not Track browser setting introduced. But not widely adopted by advertisers due to lack of mandate.

  • 2012 – European Union proposes cookie consent guidelines in preparation for GDPR.

  • 2016 – FCC approves broadband privacy rules requiring opt-in consent for sensitive user data sharing. Repealed a year later.

  • 2018 – GDPR takes effect, mandating freely given, specific, informed opt-in consent for EU users. Fines for non-compliance.

  • 2021 – China's Personal Information Protection Law also adopts an opt-in standard for cookies.

  • 2022 – Biometric Recognition Privacy Act in Illinois bans use of biometric data like fingerprints and face scans without consent. Cookies often store such data.

So while the regulatory landscape is evolving, technical countermeasures are also required to enhance privacy.

Browser-based cookie controls and visibility tools

Modern browsers provide fine-grained control over cookie behavior. I recommend my clients leverage these to limit tracking:

  • Block third-party cookies – Prevents cross-site tracking for ads and analytics. May break some functionality.

  • Delete cookies automatically after each session or at set intervals. Reduces data pooling.

  • Use private browsing modes like Incognito which don't persist cookies across windows.

  • View cookie details to identify unwanted tracking and advertising cookies. Chrome groups cookies by site.

  • Filter cookie permissions by domain so only necessary ones are allowed access. I block third-party access by default.

  • Monitor real-time requests via extensions like Firefox Multi-Account Containers, which lets you visualize and control cookie sharing across sites.

Filtering third-party cookie access in Firefox to limit tracking (Image: Acar et al.)

Make sure to clear cookies manually after browsing sessions where you entered sensitive information like passwords or credit cards.
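The "view cookie details" step above can also be done on captured response headers. The following is an added example, not a browser feature or code from the original article: `parseSetCookie`, `auditCookies`, the finding tags and the sample headers are constructed for illustration, and first-party status is approximated by host suffix rather than the public suffix list. It flags third-party cookies, lifetimes over a year, and cookies missing the `HttpOnly` or `Secure` attributes, which leaves them readable by injected script or sent over plain HTTP.

```javascript
// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase(); // names are case-insensitive
    cookie.attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days; Max-Age takes precedence over Expires; 0 means session cookie.
function lifetimeDays(attrs, now) {
  if (attrs['max-age'] !== undefined) return Number(attrs['max-age']) / 86400;
  if (attrs.expires !== undefined) return (Date.parse(attrs.expires) - now) / 86400000;
  return 0;
}

function auditCookies(pageHost, observations, now) {
  return observations.map(({ responseHost, header }) => {
    const c = parseSetCookie(header);
    // Simplification: a real check compares registrable domains (public suffix list).
    const thirdParty = responseHost !== pageHost && !responseHost.endsWith('.' + pageHost);
    const days = Math.round(lifetimeDays(c.attrs, now));
    const findings = [];
    if (thirdParty) findings.push('third-party');
    if (days > 365) findings.push('long-lived');
    if (!c.attrs.httponly) findings.push('no-httponly'); // readable via document.cookie
    if (!c.attrs.secure) findings.push('no-secure');     // may travel over plain HTTP
    return { name: c.name, host: responseHost, days, findings };
  });
}

// Constructed sample: headers seen while loading a page on shop.example.
const SAMPLE_NOW = Date.parse('2024-01-01T00:00:00Z');
const SAMPLE_HEADERS = [
  { responseHost: 'shop.example', header: 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { responseHost: 'ads.example', header: 'uid=u1; Max-Age=63072000; Secure; SameSite=None' },
  { responseHost: 'shop.example', header: 'auth=token123; Expires=Wed, 31 Jan 2024 00:00:00 GMT' },
];

function auditSample() {
  return auditCookies('shop.example', SAMPLE_HEADERS, SAMPLE_NOW);
}
```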

Going beyond browsers to limit cookie tracking

While browsers provide good visibility into cookies, many tracking techniques circumvent these controls. Additional privacy tools are beneficial:

  • VPN – Masks your IP address and location, preventing geography-based tracking. Also blocks malware.

  • Ad blockers – I recommend uBlock Origin; it blocks trackers and reduces clutter. Use the EasyPrivacy list for enhanced tracking prevention.

  • Anti-tracking extensions – Such as EFF's Privacy Badger and Ghostery, which block invisible trackers based on behavior rather than a static list. Less prone to evasion.

  • Cookie Autodelete – Automatically cleans cookies from cross-site trackers after each browsing session. Reduces tracking across sites.

  • CanvasBlocker – Prevents browser fingerprinting by restricting access to APIs like font enumeration and canvas image data, which leak identifiable device info.

  • Private DNS – Uses DNS-over-HTTPS to prevent DNS based tracking of sites you visit. Enable in your device settings.

I don't recommend outright cookie blocking as that can break vital functionality like shopping carts. But the above tools provide more privacy while limiting side-effects.

The road ahead for balancing privacy and functionality

In my assessment, third-party tracking cookies pose the biggest privacy risk due to the invisibility of cross-site profiling and lack of oversight on data usage. But cookies do provide useful website features.

Upcoming regulations like the ePrivacy Directive in the EU will force compliance from the tech industry. Innovations like Apple's Intelligent Tracking Prevention and Privacy Sandbox show that privacy can co-exist with functionality.

As cookies continue to evolve, users need to be vigilant about their online privacy. Make use of the tools discussed to monitor cookie behavior and limit tracking. We need equitable technical solutions that don't place the entire burden on users but also incentivize businesses to be transparent and accountable when handling user data.

Written by Luis Masters

Luis Masters is a highly skilled expert in cybersecurity and data security. He possesses extensive experience and profound knowledge of the latest trends and technologies in these rapidly evolving fields. Masters is particularly renowned for his ability to develop robust security strategies and innovative solutions to protect against sophisticated cyber threats.

His expertise extends to areas such as risk management, network security, and the implementation of effective data protection measures. As a sought-after speaker and author, Masters regularly contributes valuable insights into the evolving landscape of digital security. His work plays a crucial role in helping organizations navigate the complex world of online threats and data privacy.