Cookies and Online Privacy

Although cookies are in many ways essential to the modern internet, ever since they were created there has been a debate going on about their impact on the privacy of web users.

They are a way for a website, and the people who own that site, to store and retrieve data about the user or their interaction with the site. They do this either to alter what that person sees, or to record their activity (e.g. the pages they visit, how long they spend on a site).

Cookies are central to the modern web experience. So although they are not inherently ‘bad’, there are uses of them where privacy concerns arise.

Storing Personally Identifiable Information

Cookies can be used to store personal data – anything from a name or email address, to a unique user identifier which may just be a random string of letters and numbers. This may be information that you as a user would provide to the site through registration, login pages or order forms. Or it could be information that is uniquely assigned to you by the website. This may be fine as long as that information is both secure and held only temporarily – but often it is not, which means there is a risk it can be intercepted by malicious software – especially when using shared computers.
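One way to check a site's cookies for the risks described above, as an added example that is not from the original article. It parses Set-Cookie response headers and flags values that look like an email address, missing Secure and HttpOnly attributes, and long lifetimes. The sample headers are constructed, the function names are hypothetical, and the 30-day limit for "temporary" is an assumption.

```javascript
// Added example: constructed Set-Cookie headers, not taken from any real site.
const SAMPLES = [
  "user_email=alice%40example.com; Max-Age=31536000; Path=/",
  "session=9f2c1ab7; Secure; HttpOnly; Path=/",
  "uid=7d3e9a; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; HttpOnly",
];
// Assumption: "temporary" means at most 30 days; pick your own limit.
const MAX_LIFETIME_S = 30 * 24 * 3600;
// Matches a raw or URL-encoded email address inside a cookie value.
const EMAIL_RE = /[^\s@=;]+(@|%40)[^\s@;]+\.[a-z]{2,}/i;

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return the privacy findings for one header; `now` is injectable for testing.
function auditCookie(header, now = Date.now()) {
  const c = parseSetCookie(header);
  const findings = [];
  if (EMAIL_RE.test(c.value)) findings.push("value looks like an email address");
  if (!c.attrs.secure) findings.push("no Secure attribute: also sent over plain HTTP");
  if (!c.attrs.httponly) findings.push("no HttpOnly attribute: readable by page scripts");
  // Max-Age takes precedence over Expires; neither means a session cookie.
  let lifetime = null;
  if (c.attrs["max-age"] !== undefined) lifetime = Number(c.attrs["max-age"]);
  else if (c.attrs.expires) lifetime = (Date.parse(c.attrs.expires) - now) / 1000;
  if (lifetime !== null && lifetime > MAX_LIFETIME_S) findings.push("persists longer than 30 days");
  return { name: c.name, findings };
}

for (const h of SAMPLES) console.log(auditCookie(h));
```

A cookie with neither Max-Age nor Expires is a session cookie, so it gets no lifetime finding.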

Tracking User Behaviour

However, the most common privacy concern that people have is the use of third party cookies to track them across different websites, most often used for advertising. This is usually done through the placement of invisible (to the user) tags in the page that set cookies.

When you visit another site with the same tag, it reports to the advertiser the site you were last on when the cookie was set. By aggregating the information across lots of sites this enables the advertiser to build up a profile of your interests through your browsing history. They then use this information to display more targeted adverts to you, based on your perceived interests.

In most cases they are actually targeting your browser rather than you – because they don’t know who you are. But as most people log in and use the same browser regularly, it can be highly personalised.

And if you let someone else use your computer without creating a separate profile – they will see ads meant for you – which could reveal something about your browsing history you would not be happy to share!

Free Content

Of course, all this advertising pays for a lot of the free content we get on the web, and a lot of people understand and accept this. But many do not, especially as they feel this has been done without their consent.

The other issue is that the companies collecting this data are usually not the companies whose websites you are visiting. And they are not only collecting it, but selling it to other companies as well. So all of this data is being gathered and aggregated, without most people even being aware of it – and this is what people find objectionable.

Additionally, a lot of this tracking and profiling is getting more sophisticated, and is sometimes linked to ‘real world’ identities – like names and addresses – which increases both the level of intrusion and the privacy risk if the information is stolen or lost.

Privacy Regulation

Lawmakers are increasingly looking at bringing in regulations to place some control on this activity. The EU cookie directive is one recent example. This requires websites to declare what cookies they are using and get consent from users to do so.

Although its implementation is currently patchy, it is beginning to raise consumer awareness, which in turn can create market pressure for even greater transparency and choice.

The EU is also looking to introduce a new harmonised Data Protection Regulation, which may require much of the use of third party cookies to be subjected to explicit user consent.

Do Not Track

One of the latest global initiatives is the attempt to create a ‘Do Not Track’ (DNT) standard for the internet. This would be a way for people to use their browser to signal to websites that they don’t want to have their behaviour recorded, and a requirement for websites to then respond to that request.

However, much debate remains about what DNT actually means – with lobby groups on both sides defending their corners.