The Cookie Crumbles

Cookies were never intended to invade your privacy. Transient session cookies were invented out of necessity, by Lou Montulli at Netscape in June 1994, purely to make the use of a shopping cart possible on the stateless web. Permanent, or tracking, cookies soon followed, in order to identify users between sessions and so save users the tedium of having to identify themselves for every session. Such cookies should be innocuous because they can only be read by the site contained in the cookie. Nevertheless they were, even then, viewed with suspicion, as a security risk, since if the cookie can be somehow copied it can used to impersonate the user.

The biggest problem with persistent cookies, however, is that they can contain ‘third-party’ domains, rather than just the domain of the site that writes it. A ‘third-party’ domain is easily written to from any site that chooses to do so, allowing an unscrupulous marketing agency to collect information about the browsing and buying habits of internet shoppers, across all the sites where it has its advertisements or web bugs placed, and so target advertising to the individual. Although the US government has strict rules against the use of persistent cookies in this manner, the same isn’t true of commercial sites, which have resisted voluntary regulation of the use of third-party cookies.

Due to widespread concerns about this invasion of privacy, the “European Commission Privacy and Electronic Communications Directive” was issued, and has to be implemented by every member state by May 25th. (So far, only the northern European countries have complied). It changes the requirement that the user has a right to refuse to store cookies, either third-party or not, on a local machine, to an obligation on the part of the website to give explicit “informed consent” on all cookies being used, even the session cookies.

This is a botched reaction. The legislators seem to have confused simple cookies and third-party cookies. The Directive allows cookies only for activities that are ‘strictly necessary’ for the operation of a website and its delivery of those services that a user has explicitly requested. This is open to varying interpretations, and the UK government has concluded that ‘we consider that it will, for instance, cover (allow) the use of cookies that underpin the use of shopping baskets on websites.’ However, the law was passed together with the ambiguous wording.

The IT industry foolishly concluded that, if the user’s browser settings allowed third-party cookies, then they have given consent to them. Not so, said the EU, and since then the IT industry has been negotiating with the EU and member states on best practices that would be considered compliant. The UK came up with a ‘best practice’ consisting of “…an easily recognisable internet icon, a privacy policy notice, a single consumer control page, with a self-regulatory compliance and enforcement mechanism…”, via which a consumer could access details about each specific internet advert, the advertiser, the server, and so on, and refuse the cookie, if desired.

This is all very well-meaning, but also very silly. Cookies are necessary, and very few users will tolerate having to click to opt-in on every site they visit. It’s also unlikely that users will check the details of every advert before opting to allow cookies for a site, and the site containing the advert could be completely unaware of the data being collected. Therefore, it will hardly prevent an unscrupulous marketing organisation from harvesting the users’ internet activities.

As if to prove that the ‘e-privacy’ directive is fatuous and unworkable, tracked traffic to the website of the Information Commissioner’s Office (ICO) fell by 90% when it recently adopted measures to gain cookie consent. A freedom of information (FOI) request by Vicky Brock, a Web Analyst forced them to release the information.

Surely, a much more sensible solution is this: Browsers shouldn’t allow third-party cookies by default, as they serve no honourable purpose; though, for some reason, Microsoft’s Hotmail, MSN, and Windows Live Mail webmail require them! Currently, users have to explicitly opt out, by turning off third-party cookies. This simply needs to change.

Instead, all browser publishers seem hell-bent on making it more difficult to opt out of third-party cookies; it took me ten minutes to discover how to do it in Firefox. It would seem that the power of the advertising and marketing interests on the Internet are too powerful to ignore, and instead we are likely to see, on every site, tedious opt-in forms and ‘easily recognisable internet icons, privacy policy notices, consumer control pages, and other mandatory gubbins. How much more sensible would have been a voluntary code of practice.