Cookies were never intended to invade your privacy. Transient session cookies were invented out of necessity, by Lou Montulli at Netscape in June 1994, purely to make the use of a shopping cart possible on the stateless web. Permanent, or tracking, cookies soon followed, in order to identify users between sessions and so save users the tedium of having to identify themselves for every session. Such cookies should be innocuous because they can only be read by the site contained in the cookie. Nevertheless they were, even then, viewed with suspicion as a security risk, since if the cookie can somehow be copied, it can be used to impersonate the user.
The biggest problem with persistent cookies, however, is that they can contain ‘third-party’ domains, rather than just the domain of the site that writes them. A ‘third-party’ domain is easily written to from any site that chooses to do so, allowing an unscrupulous marketing agency to collect information about the browsing and buying habits of internet shoppers across all the sites where it has its advertisements or web bugs placed, and so target advertising to the individual. Although the US government has strict rules against the use of persistent cookies in this manner, the same isn’t true of commercial sites, which have resisted voluntary regulation of the use of third-party cookies.
Due to widespread concerns about this invasion of privacy, the “European Commission Privacy and Electronic Communications Directive” was issued, and has to be implemented by every member state by May 25th. (So far, only the northern European countries have complied.) It changes the rule from a right of the user to refuse to store cookies, either third-party or not, on a local machine, to an obligation on the part of the website to obtain explicit “informed consent” for all cookies being used, even the session cookies.
This is all very well-meaning, but also very silly. Cookies are necessary, and very few users will tolerate having to click to opt-in on every site they visit. It’s also unlikely that users will check the details of every advert before opting to allow cookies for a site, and the site containing the advert could be completely unaware of the data being collected. Therefore, it will hardly prevent an unscrupulous marketing organisation from harvesting the users’ internet activities.
As if to prove that the ‘e-privacy’ directive is fatuous and unworkable, tracked traffic to the website of the Information Commissioner’s Office (ICO) fell by 90% when it recently adopted measures to gain cookie consent. A freedom of information (FOI) request by Vicky Brock, a Web Analyst, forced them to release the information.
Surely, a much more sensible solution is this: Browsers shouldn’t allow third-party cookies by default, as they serve no honourable purpose; though, for some reason, Microsoft’s Hotmail, MSN, and Windows Live Mail webmail require them! Currently, users have to explicitly opt out, by turning off third-party cookies. This simply needs to change.