What are internet cookies, how should you feel about them? Are they helpful, harmless, dangerous?
Usually, we must let go of one thing to gain another. Cookies are key to our modern online experience with targeted website ads and predictive search text that seems to read our minds. Cookies help us gain a customized online experience, but what do we lose? Are we being manipulated by our own data?
There has been great debate over the ethics of cookies and where to draw the line. This has resulted in laws like the ePrivacy Directive, GDPR, PDPA and CCPA requiring consent for using cookies. The following basics will give us an understanding of how something as adorable sounding as the internet cookie, could have such powerful implications across the internet.
WHO
Who invented the first internet cookie?
Lou Montulli created the first cookie in 1994. He was tasked with helping a website remember the contents of a user’s shopping cart when they did not want to purchase the items within the same browsing session. He called his invention the ‘magic cookie’. The public was not made aware of the existence of cookies until two years later in 1996.
Image Source: worldwide.espacenet.com
WHAT
What are internet cookies?
Cookies are files that get created when you visit a website. The website creates and puts a cookie on your web browser so it can recognize you in the future. The cookie is encoded with a unique ID and includes data about you or your browsing session.
What is inside an internet cookie?
It depends. It could include your name or address, what pages you browsed, the contents of your shopping cart or information about which pages on the site you visited.
There are different cookies that look for different information. Cookies help websites perform some of the functions we expect from our online experience like authenticating a user, remembering a login or credit card number. The information stored in cookies can help third parties profit off user preferences.
What are the different types of internet cookies?
Just like there are dozens of flavors at the bakery, there are also different types of internet cookies.
First-party cookies
First-party cookies have the same domain as the website you are on. These cookies cannot track you across multiple sites and are intended to improve your user experience for the site you are on. These cookies are broken into two flavors, Session Cookies and Persistent Cookies.
Session Cookies
These cookies expire when you close out of a browsing session. Session cookies are the reason when you hit the back button, your computer still remembers what article you were reading on a specific webpage.
Persistent Cookies
The cookies that stay around are called persistent cookies. These cookies are the reason you don’t have to remember your username and password when you return to certain websites or reset the default language on a website each time you visit it. These cookies have an expiration set when they are created. Legally it should be deleted after 12 months, but practically it can be set hundreds of years into the future, unless a user clears their cache prior.
Third-party Tracking Cookies
These cookies are subject to much debate. They create a profile on the user based on their interests, search history, purchase choices and browsing behaviors – and reapply this data to advertising. These cookies enable companies and advertisers to use cross-site tracking to follow and research a user’s behavior and retarget them with adware on different sites.
These cookies are responsible for why you see that pair of shoes you thought about buying appear on ads everywhere you go.
Note: Google announced in January 2020 their plan to phase out all third-party cookies. We talk more about this in our When section: When is Google ending support of third-party cookies in Chrome.
Zombie Cookies
A technology called Quantcast brings cookies back from the dead after they’ve been deleted. These cookies are difficult to find and usually located outside of the browser storage your other cookies are stored in. This allows the cookies to track the user across all browsers on the computer. Although created to prevent online gamers from cheating, it has had the unintended consequence of enabling bad actors to install malware onto user’s devices, not to mention they are almost impossible to kill.
WHEN
When is Google ending support of third-party cookies in Chrome?
Google announced in January 2020 their plan to phase out all third-party cookies used on chromium browsers by the end of 2023.. Along with browsers Tor and Brave, Firefox stopped allowing third-party cookie tracking two years ago and Safari 1 and a half years ago.
Cookies are not the only tracking technology, so while banning third-party cookies is helpful, there are workarounds that are already being exploited on browsers that already ban third-party cookies. A few are ultrasound beacons, Silverlight Isolated Storage, IndexedDB, pixel tags, and HTML5 Local Storage.
When are cookie laws a bad thing?
Cookie hysteria is real. Some business owners argue that the burden of cookie-laws is too high. Businesses that operate websites in other states and countries not subject to cookie-laws are still having to make changes. If you collect information on more than 50,000 California residents a year, you are bound to comply with CCPA through the extraterritorial scope. If you accept euro as a currency in your ecommerce platform, or use cookies to monitor any European individuals, then you are subject to GDPR. These laws are forcing many businesses to take the time to educate themselves and their leadership. What it requires of businesses operating a website or mobile app must include:
- A Privacy Policy
- A Cookie Policy
- Create an Explicit Consent Banner
When you don’t allow cookies, what will happen?
Most website might still allow you in, although you may not have access to the entire site’s functionality. You may occasionally be blocked from site access if you do not provide consent. This is called a cookie wall and is in place for websites that are not designed to work without cookies.
WHERE
Where can I find the consent banner about a website using cookies?
If you don’t see a cookie policy or consent banner on a webpage it could be that the website is not subject to data privacy laws. More websites have started including this regardless of their consumer base to reduce possible liability.
The banner usually shows up immediately on a webpage as a fixed footer called a browserwrap, or as a popup. It may provide options to customize your experience, a statement with an accept button, or an option to leave.
Here are a couple examples of consent banners that give different options.
Images Source: Google Image Search
WHY
Why is it called a cookie?
There are two theories out there on why Lou Montulli called his invention a cookie.
- It is like a fortune cookie, that contains a message inside which says something about the user.
- Inspired by the Grimm’s Hansel and Gretel, the cookie represents the trail of gingerbread crumbs Hansel left which created a path from the outside of the forest to him. Cookie (crumbs) lead you to the user.
HOW
How do I delete my cookies?
Each browser has small differences in how to go about deleting cookies. Sometimes they are stored in a .txt file, other times in a .sqlite file. We’ve included each browser’s guide:
How can Cyber Criminals use your cookies?
Hackers can steal your cookies, determine your browsing history, and use a hacking method called Cross-site scripting (XSS) to break into your accounts. We take a closer look at cookie stealing in our Fake WordPrssAPI Stealing Cookies and Hijacking Sessions blog post.
Another risk is that cookies could lead a hacker to unauthorized access to a website’s back door. We discuss mitigation strategies in our post on evaluating cookies to hide backdoors.
Conclusion
It would be hard to get around today’s internet without any use of cookies. First-party cookies are a part of what we have come to expect in our online experience. However, third-party cookies and invasive tracking technologies should not get a free pass to our information (at least not without our consent). Having controls in place to protect user privacy also protects users from unnecessary vulnerabilities. Keep a good cookie hygiene by clearing your browsing data daily and follow or sign up for security alert notifications that can keep you on your toes to new threats.