Internet: EU issues warnings over cookies
The EU's 'cyber security' Agency, ENISA, has published a paper on the security and privacy concerns regarding new types of online 'cookies', raising particular concerns over persistent and tracking cookies.
The advertising industry has led the drive for new, persistent and powerful cookies, with privacy-invasive features for marketing practices and profiling. The Agency advocates, for example, that both the user's browser and the origin server must assist informed consent, and that users should be able to easily manage their cookies.
The new Agency Position Paper identifies and analyses cookies in terms of security vulnerabilities and the relevant privacy concerns. Cookies were originally used to facilitate browser-server interaction, says the Agency, but lately, driven by the advertising industry, they are used for other purposes, e.g. advertising management, profiling, tracking, etc. The possibilities to misuse cookies both exist and are being exploited.
The new types of cookies support user identification in a persistent manner, and how they are being used is not transparent enough. Therefore, their security and privacy implications are not easily quantifiable. To mitigate the privacy implications, the Agency recommends, among other things, that:
- Informed consent should guide the design of systems using cookies; the use of cookies and the data stored in cookies should be transparent for the users.
- Users should be able to easily manage cookies, in particular new cookie types. As such, all cookies should have removal mechanisms that are easy to understand and use by any user.
- Storage of cookies outside the browser's control should be limited or prohibited.
- Users should be provided with another service channel if they do not accept cookies.
Mostly, this is a good thing: but some hosted applications depend on cookies to track users' progress through, for example, an on-line training course. The cost, efficiency and value of courses would be undermined if "another service channel" were to be required in that application.
The full paper is at http://www.enisa.europa.eu/act/it/pat or http://www.enisa.europa.eu/act/it/library/pp/cookies/
Dr. Jose Fernandes, Director of Department for Development Support and Academia, Microsoft Portugal, stated "Every year more businesses come online using the Internet. [...] Security and privacy are key to make this happen, so end-user and business people can fully trust online services. ENISA has a great role to play in this space and I congratulate them to put forward this study."
OK: let's see how Windows Update works without cookies and storing customer data outside the browser, then there might be a bit more credibility in the argument.