Showing posts with label cookies. Show all posts

Thursday, 6 September 2012

Cookies

News on the cookie law, after it all went quiet once the deadline for implementing the cookie directive had passed: it was implemented this May, a year after it was passed into law by the government in May 2011.

The BBC is reporting (http://www.bbc.co.uk/news/technology-19505835) that a company is taunting the ICO over the directive.

What has been happening in the UK since May? In May the Information Commissioner’s Office wrote to 50 top UK websites to find out what actions had been taken towards compliance with the new EU e-Privacy Directive; in June the Information Commissioner’s Office (ICO) confirmed that some of the 75 companies it had sent a warning letter to regarding the new cookies legislation had not replied within the imposed 28-day response period.

In August it was being reported that no action had been taken against any specific site, although 320 sites had been reported to the ICO.

How is the rest of Europe doing? Well, in May the situation was that eight member states – Belgium, Cyprus, Germany, Italy, Malta, Poland, Romania and Slovenia – had yet to even transpose the directive into their national laws, let alone start enforcing it. In the other 19 countries there is a pretty big variation in how national laws interpret the directive. It should also be pointed out that the UK is something of a special case here, in that its data protection authority gave businesses an extra 12 months to comply, which ended in May. The rest had already been enforcing their updated laws for the 12 months prior to May.


Thursday, 31 May 2012

Cookies: 3rd party, tracking and contextual marketing

Cookies have some important implications for Web users. While cookies are sent only to the server setting them or the server in the same Internet domain, a Web page may contain images or other components stored on servers in other domains. Cookies that are set during retrieval of these components are called third-party cookies. The standards for cookies, RFC 2109 and RFC 2965, specify that browsers should protect user privacy and not allow third-party cookies by default. But most browsers do allow third-party cookies by default.

These cookies may be used to track internet users' web browsing habits. This can also be done in part by using the IP address of the computer requesting the page or the referrer field of the HTTP request header, but cookies allow for greater precision.
If the user requests a page of the site but the request contains no cookie, the server presumes that this is the first page visited by the user; the server creates a random string and sends it as a cookie back to the browser together with the requested page.

From this point on, the cookie will be automatically sent by the browser to the server every time a new page from the site is requested; the server sends the page as usual, but also stores the URL of the requested page, the date/time of the request, and the cookie in a log file.

By analyzing the log file collected in the process, it is then possible to find out which pages the user has visited, and in what sequence.
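The log analysis just described, as an added example that is not part of the original post: a small Python script that rebuilds each visitor's page sequence from constructed log lines of the form the post describes (date/time, URL, cookie value). The log format and the cookie values are made up for the example; a line with "-" stands for a browser that sent no cookie.

```python
import re
from collections import defaultdict

# Constructed sample log in the shape the post describes: for each request
# the server stores the date/time, the URL and the tracking cookie value
# ("-" when the browser sent none, e.g. because cookies are blocked).
SAMPLE_LOG = """\
2012-05-31T10:00:01 /index.html uid=7f3a9c
2012-05-31T10:00:09 /products.html uid=7f3a9c
2012-05-31T10:00:11 /index.html uid=b81e22
2012-05-31T10:00:40 /products/shoes.html uid=7f3a9c
2012-05-31T10:01:02 /basket.html uid=7f3a9c
2012-05-31T10:01:30 /about.html uid=b81e22
2012-05-31T10:02:00 /index.html -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (?:uid=(\w+)|-)$")


def parse_line(line):
    """Return (timestamp, url, cookie_value_or_None), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def visit_sequences(log_text):
    """Group requests by cookie value, each list in time order.

    Requests with no cookie cannot be linked to anything else and are kept
    under the key None; that is what a cookie-refusing browser looks like
    in the log, and why the random string alone is enough for tracking.
    """
    by_uid = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, url, uid = rec
            by_uid[uid].append((ts, url))
    for seq in by_uid.values():
        seq.sort()
    return dict(by_uid)


def page_paths(log_text):
    """The ordered page sequence per tracked visitor (uncookied requests dropped)."""
    return {uid: [url for _, url in seq]
            for uid, seq in visit_sequences(log_text).items()
            if uid is not None}


if __name__ == "__main__":
    for uid, path in page_paths(SAMPLE_LOG).items():
        print(uid, " -> ".join(path))
```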

Marketing companies can use cookies through affiliate programs to send adverts to web browsers that depend on the user's browsing history as recorded in the marketing company’s database.


Sunday, 27 May 2012

implied consent (cookies)

Just been reading the article at http://www.guardian.co.uk/technology/2012/may/26/cookies-law-changed-implied-consent about the latest information on cookies from the ICO. In the article it says "In an updated version of its advice for websites on how to use cookies – small text files that are stored on the user's computer and can identify them – the Information Commissioner's Office (ICO) has said that websites can assume that users have consented to their use of them." This is not true: the Information Commissioner’s guidance made it clear that although an explicit opt-in mechanism might provide regulatory certainty, it was not the only means of gaining consent.

The latest version, v3, of the advice from the ICO says the following:

Implied consent is certainly a valid form of consent but those who seek to rely on it should not see it as an easy way out or use the term as a euphemism for "doing nothing". In many cases, to create a situation in which implied consent is acceptable to subscribers, users and the regulator it would still be necessary to follow the steps set out in the Information Commissioner’s existing guidance.

To explain further it might be useful to unpack what we actually mean by the term "implied consent" remembering throughout that consent (whether it is implied or express) has to be a freely given, specific and informed indication of the individual’s wishes. For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.

This still requires the user to be informed, and some form of interaction is required; at the most basic level a note saying that "using this site implies permission for us to use cookies" should be given, with information on the cookie usage available.

Thursday, 17 May 2012

Cookies (again)

Returning to an area I have previously written a number of blog entries on, Cookies and the Privacy and Electronic Communications Regulations (PECR): although it came into force on May 25th 2011, enforcement was postponed for 1 year and the Information Commissioner's Office (ICO) will start to enforce it from the 25th of this month. Any website found guilty of using technologies to track a user's browsing behaviour without their consent, or of sending unwanted marketing emails to consumers, could face a fine of up to £500,000.

The law involves a proactive approach to cookies with sites having to ask for permission for cookies to be used before any cookie is sent to the browser. The ICO's own site has a consent mechanism in place which has affected the site see the article "Cookie acceptances plummet when ICO requests permission, figures show" http://www.out-law.com/page-12042 on the out-law website.

An article on the BBC today, "Cookies: Majority of government sites to miss deadline" http://www.bbc.co.uk/news/technology-18090118, shows that even though the government is responsible for passing and implementing the law, which is based on an EU directive (Directive 2002/58 on Privacy and Electronic Communications and the amendments introduced by Directive 2009/136), meaning the requirements have been known about for 3 years, the government's own sites are going to fail to meet the deadline this month despite the 1 year period of grace given between the law coming into force and actually being enforced.

Wednesday, 18 April 2012

The cookie directive

Econsultancy has surveyed more than 700 marketers for their opinions on the EU cookie laws, and to find out what preparations have been made for the May 26 deadline.  http://econsultancy.com/uk/blog/9298-82-of-digital-marketers-see-the-eu-cookie-law-as-bad-for-the-web-survey

Do you know what cookies are on your site?

One of the questions that needs answering is: do you know about all the cookies on your site and what they are doing? Hopefully, as it is your site, you do, but what about 3rd party cookies attached to included widgets from other suppliers?
  • Shopping cart functionality
  • Google Analytics or similar analytics, tracking or website optimisation tools
  • Any form of "remember my settings" style functionality
  • A content management system
  • Third-party plugins - such as Facebook Like buttons, Twitter feeds
  • YouTube Videos - Even with privacy-enhanced mode
Cookie Audit

Before you can create the right cookie compliance and privacy policy for your domain, you need to understand your compliance risks: first you must audit the types of cookies your website uses and decide whether they require compliance.

If your site uses display adverts (banners, MPU panels or text ads) it's probably using cookies that require compliance measures.  If it is using analytics cookies, then they probably require compliance too.  If the cookies are just session cookies to make sure the website works (like log-in cookies) they may not need compliance.  It's a complicated situation and there's no quick fix, out of the box solution that's right for every business.

Early adopter results

The ICO's own research suggests this could be an issue. Since asking users to click a box if they agree to accept cookies from its site, the organisation says just 10% of visitors have complied.
However, BT's experience points to a possible solution. Since March a pop-up message on its home page has told first-time visitors that unless they take up an offer to change its settings, then they have consented to its "allow all cookies" default rule.

The ICO

The ICO says it has not been prescriptive about the wording that firms use.
However, organisations need to be careful about relying too heavily on opt-out schemes.
"At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look to rely entirely in the first instance on implied consent," the regulator warns.
It adds that those who fail to implement its rules properly could be fined up to £500,000.

Conclusion

For a UK company you must comply with the directive or face the ICO over the issue. In order to meet the directive you need to know what cookies are on your site, including 3rd party ones, and inform your users about cookie usage. You must have a proactive means of collecting acceptance. Get this stage wrong and your users may have a bad experience of your website, and this could have a negative effect on your company or organisation.

For more information on cookies see my article on cookies http://bit.ly/HfJ0vm, I will be at InfoSec on the 24th, 25th & 26th this month to talk about cookies on the IT Governance stand, see their web page about consultancy workshops http://bit.ly/HRVque

Wednesday, 4 April 2012

Cookie Article

An update on the series of entries that I wrote about cookies: I have published an article on my website about cookies based on the series of entries that I wrote on this blog in March 2012 in response to the ending of the ICO deadline on the implementation of the UK cookie law (PECR). The aim of the blog entries and this article is to give some background on cookies that is easily understandable, the privacy issues, what the legal situation was with having cookies on your website and what needed to be done to ensure the site complied with the new regulations.

The article can be found at http://www.geraintw.co.uk/cookies.html I am in the process of building the website, which is a very slow process as I'm fitting the development around other activities.

Friday, 16 March 2012

Cookies and the PECR (part 5)

Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR)

As previously stated, on 26 May 2011 the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR) came into force. These amend the Privacy and Electronic Communications (EC Directive) Regulations 2003. The 2011 Regulations enhance these powers and introduce new requirements, most notably in relation to cookies.

From the ICO advice on the new cookies regulations, the change introduced is that cookies can only be placed on machines where the user has explicitly given permission.

Regulation 6 of the PECR

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment--

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the Internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Notes:

Regulation 6(3) implies that the first time the terminal equipment of a subscriber or user is used they must be asked; on subsequent visits it is not necessary to repeat the request for consent. However, if equipment is shared between users it is hard to see how the website will know whether it is the same user or not.

Regulation 6(3A) does allow a website to test to see if cookies are allowed by trying to read and write a cookie, which the ICO has indicated is not fully acceptable. I assume that if the site detects cookies are not allowed then it can assume consent is not given; however, if it can write and read cookies then it has to ask consent, at which point it is too late as it has already written a cookie, potentially without consent.

Regulation 6(4) exempts strictly necessary cookies from the consent request process, where strictly necessary is for operation of the web application to meet the subscribers or user expectations.

Cookies and the PECR

Previously, companies using cookies only had to inform users about their use and give such users the opportunity to "opt out" if they wanted; now it is an "opt in" requirement.

In order to determine whether people had opted out, companies have been using the technique of trying to write a cookie to a browser and immediately reading it back to test whether the user had disabled the acceptance of cookies; if they could write a cookie it was assumed the user had not opted out of accepting cookies.


The Information Commissioner now advises that these write-and-read checks are not sophisticated enough to allow companies to assume that the user has given consent, and advises that companies should obtain user consent in some other manner.

In order to give the rules some bite the ICO has the power to serve a monetary penalty of up to £500,000 on organisations that seriously breach the rules, alongside the enforcement notices and undertakings it has previously used as part of the range of options available to make sure organisations comply with the law.

The Commissioner has said they will be able to impose a monetary penalty notice if an organisation has seriously contravened the Regulations and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition the contravention must either have been deliberate or the organisation must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

This is going to mean companies will need to look at their web sites and develop a strategy for handling the gathering of cookie consent.

The process of cookie consent handling is showing in this flowchart

At the moment essential cookies don't need consent: if your site only uses essential cookies then no consent is required. However, if you have a mix (and most sites will, especially if they are using Google Analytics) then you will need to get consent for the not strictly necessary cookies, and this is where the problems start.
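The consent decision described above (strictly necessary cookies always allowed under Regulation 6(4), everything else withheld until consent is recorded), as an added example in Python that is not part of the original post. The cookie names, the consent-record cookie and its yes/no values are assumptions made for the example; treating the consent-record cookie itself as strictly necessary is also an assumption.

```python
from http.cookies import SimpleCookie

# Constructed cookie names for the example. STRICTLY_NECESSARY is what the
# site needs to work at all (the Regulation 6(4) exemption); the cookie that
# records the visitor's choice is assumed to belong in that set too.
CONSENT_COOKIE = "cookie_consent"
STRICTLY_NECESSARY = {"sessionid", "csrftoken", "basket", CONSENT_COOKIE}


def consent_state(cookie_header):
    """'yes', 'no' or None (no choice recorded yet) from the request's Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if CONSENT_COOKIE not in jar:
        return None
    return "yes" if jar[CONSENT_COOKIE].value == "yes" else "no"


def filter_set_cookies(cookie_header, proposed):
    """Decide which of the cookies the application wants to set may go out.

    proposed: list of (name, value, attributes) tuples.
    Returns (Set-Cookie header values to send, names withheld for lack of consent).
    """
    consented = consent_state(cookie_header) == "yes"
    allowed, withheld = [], []
    for name, value, attrs in proposed:
        if name in STRICTLY_NECESSARY or consented:
            allowed.append(f"{name}={value}; {attrs}" if attrs else f"{name}={value}")
        else:
            withheld.append(name)
    return allowed, withheld


def needs_banner(cookie_header, proposed):
    """Ask only when a non-essential cookie is wanted and no choice is recorded.

    A recorded refusal is remembered, so the request is not repeated on
    every page in the way the ICO banner described later in the post is.
    """
    if consent_state(cookie_header) is not None:
        return False
    return any(name not in STRICTLY_NECESSARY for name, _, _ in proposed)


if __name__ == "__main__":
    wanted = [("sessionid", "abc123", "Path=/; Secure; HttpOnly"),
              ("site_stats", "v1.42", "Max-Age=63072000; Path=/")]
    print(filter_set_cookies("sessionid=abc123", wanted))
    print(needs_banner("sessionid=abc123", wanted))
```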

What is the ICO doing?

The ICO website has a banner requesting consent for using cookies, with a check box for accepting cookies, a continue button and a link to a privacy notice. This is all good until you click on the continue button without accepting cookies from the site: the warning changes by the addition of a line saying "You must tick the 'I accept cookies from this site' box to accept", and the banner stays on all pages until you tick the box. This shows the problems of getting consent and how it affects the user experience if a banner about cookies sits at the top of every web page.

What is the solution for the future?

The law whilst aimed at protecting users does not reflect the current technology being used in websites and browsers.

The EU has said existing cookie controls in browsers are not flexible enough and a majority of users don't understand cookies and won't be able to configure cookies for the web site.

Some extensions to browsers do give the functionality to block some cookies and allow others; however, it takes user awareness and knowledge. Software writers developing browsers could take some of these ideas and implement them in the browser: on first use the browser could ask for settings to be configured, with the default being that strictly necessary cookies are allowed and all others are blocked. But how does a browser tell a strictly necessary cookie from any other cookie? Here a new RFC for session management is required, with a new attribute of "strictly necessary" which can be set by the website developer. The ICO and other such agencies could then have strict penalties for incorrect setting of cookie attributes.

Tuesday, 13 March 2012

Browsers, Cookies and Privacy (part 4)

Below I have screen grabs of three of the most used browsers on a PC, showing the options available to control how the browsers interact with cookies.

Internet Explorer 9.05


Firefox 10.0.2


Chrome 17.0.963


The common features amongst the latest versions of browsers are
  • Block all cookies
  • Block third party cookies
  • Allow exceptions
However the different ways of implementing the controls will make it difficult for a web site owner to give instructions on how to handle consent for cookies.

Ideally a web user needs a more flexible approach to controlling cookies than the blanket controls of ignoring all cookies, ignoring 3rd party cookies or accepting all cookies. The browsers above do offer some additional features, of which the exceptions option is probably the most important, in that a blanket ban on cookies can be overridden on selected web sites. A good feature that a lot of browsers are now implementing is allowing session cookies, which are typically associated with the management of web applications but only exist for the duration of the visit. An additional handy feature is the ability of some browsers to delete all cookies as they exit, thus turning all cookies into session cookies.

The ability to accept only session cookies, or to turn all cookies into session cookies by forcing their deletion, is of fundamental importance with a modern dynamic web application, where session management cookies allow the web site to function as the user expects. With the new regulation a lot of web sites are being forced to offer two alternatives, consent to cookies or block all cookies, as they can't rely on users configuring the browser settings. In fact, assuming consent has been given because the browser accepts cookies has been specifically ruled out, and it is written that a site must get consent before writing a cookie to the client browser.

A user of a web site is now being forced into either accepting all cookies because they want the functionality of the web application, or blocking the functionality of the web site because they don't want the functionality of some of the cookies. Although the regulations say consent for strictly necessary cookies is not required, the cookie specification and browser support are insufficient to allow acceptance of strictly necessary cookies while blocking all other cookies, unless the web site uses session-only cookies for the strictly necessary functionality and non-session cookies for all other uses, and even then the browsers will need to be correctly set.

This series of blogs will end with a look at the possible options on meeting the regulations and suggestions on a way forward.

Monday, 12 March 2012

Privacy and cookies (part 3)

So far, it seems that cookies are useful and help by making the browsing of websites a better experience for the user, so why are the EU and privacy organisations concerned about cookies? Well, hopefully you picked up some points I mentioned in the previous blog entries about cookies that are the cause of the concern about privacy. For those who didn’t, it is because cookies can be used for tracking, they can be created for third parties, and browsers frequently ignore recommendations in the RFCs about session management.

Tracking

A company may want to track a person using their website. They do this by setting a first-party cookie and then logging the pages requested that have the cookie sent in the request header, enabling them to track page views and the order in which they were viewed. They do this to obtain data to improve navigation, calculate popular pages and personalise the pages offered to a user when they visit, depending on what was viewed last time.

3rd Party Tracking

Third-party companies can create a cookie on a domain other than that of the page if the web page includes objects, such as images, requested from the third-party domain and embedded in the web page; this allows the creation of third-party cookies with a domain different from the domain of the requested webpage.

If the third party has a series of these objects across a large number of domains, it allows what a first-party cookie on its own website can do, tracking pages viewed, but now the third party can track page usage across all the domains on which it has an object embedded. This can allow targeted advertising based on web sites visited, i.e. adverts for trainers if the user has visited a number of sports footwear websites, but it can also be used to profile a user for other purposes.

Reselling Internet usage

Generally with a web site to which you subscribe there is often the option to decide how the owner of the web site can use your information and whether they can pass it on to external parties. However, when it comes to third party tracking of Internet usage it is a lot harder to prevent them from reselling the derived data about your web usage; they can use the information themselves and additionally sell it on to other interested parties, either for marketing purposes or for other profiling purposes.

Profiling

If a user is tracked across the Internet through 3rd party cookies, for example by an advertising company that places its adverts onto websites so the owners can generate revenue by per-click advertising, it allows the advertising company to record what sites a user has visited. If, for example, they track a unique cookie value as having visited several horticultural sites and sites about growing cannabis etc., this level of profiling and tracking would be useful for law enforcement agencies.

Leakage of information

Additionally vulnerabilities have allowed data to be retrieved from cookies that could allow an unauthorised person to steal information about the user and/or impersonate them on web sites allowing identity theft, fraud and other crimes to be committed.

Privacy and the real world

The real danger comes when it becomes possible to link an online identity created by a unique cookie value with personally identifiable information, allowing the online identity to be linked to a real-world identity and a name and address to be added to the data collected about their viewing habits. This could be useful for direct mail marketing companies but could also be abused by companies, criminals and other agencies.


Saturday, 10 March 2012

Why are cookies used on web sites? (Part 2)

Web pages use the Hyper Text Transfer Protocol (HTTP) to transfer the page from the web server to the client’s browser; the page is coded in Hyper Text Markup Language (HTML) and the browser renders the HTML to create the web page on the screen. When Sir Tim Berners-Lee developed HTTP at CERN, the particle physics laboratory on the French-Swiss border, it was a stateless protocol: each transaction transferring a single web page was a single session within the protocol, independent of any other session, and it was not possible to transfer information between web pages.

It was not long before information was being exchanged between web pages by using Uniform Resource Locator (URL) encoding in a GET request or the body of a POST request. GET and POST are two types of HTTP request method used by the client to request a resource from the web server. The URL of the requested object is contained in the header of a request method.

Sample GET request showing URL encoding

GET /path/script.cgi?field1=value1&field2=value2 HTTP/1.0
From: someuser@internetuserl.com
User-Agent: HTTPTool/1.0
[blank line here]

Sample POST request showing data in the body of the method

POST /path/script.cgi HTTP/1.0
From: someuser@internetuserl.com
User-Agent: HTTPTool/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
[blank line here]
home=Cosby&favorite+flavor=flies

When using a GET request the transferred data is visible in the address box of the browser; in a POST request the data is not so visible.

However, these methods of transferring data are transient and don’t provide the persistence of data which is required for a more complex web application and for a personalised experience. As web pages are rendered on the client machines, a technique of using variables that are stored in the client’s browser was developed; these variables are known as cookies.

The document Request for Comments (RFC) 2109, Feb 1997, deals with the HTTP State Management Mechanism and describes the two new headers introduced to the HTTP protocol, Cookie and Set-Cookie. The Cookie header is used in the request to send a cookie to the server; the Set-Cookie header is used in the response to set a cookie on the client browser.

In RFC 2109, 3rd party cookies were not allowed; however this was ignored by some companies, and RFC 2965, Oct 2000 and RFC 6265, April 2011 have redefined the HTTP State Management Mechanism.

There are a number of controls built into session management by the use of cookies to try and protect the user, such as that a cookie should only be read by the domain that created it. However, these controls can be bypassed, and the newer attributes introduced into the cookie header in later RFCs are meant to limit exploitation of cookies; the browsers themselves can also be exploited to give up cookie information.

There are a number of types of cookies:

Session cookie

Only lasts whilst using the website that created it; a session cookie is created when no expires attribute is provided during its creation, and a browser should delete session cookies as it quits.

Persistent cookie

A persistent cookie outlasts its session retaining information until the expiry or max-age is reached, allowing information to be exchanged across multiple sessions with the same domain.

Third party cookie

A third party cookie is one set with a domain that is not the same as the domain of the web site visited.

Attributes of cookies

Domain & Path

These set the scope of the cookie; it can be a single host, all the hosts in a domain, or a folder and sub-folders within a host if the path is set to a folder other than the root of the domain.

Setting a domain to a top level domain (TLD) is not allowed, e.g. .com or .co.uk.

Expires & Max-Age

Sets the persistence of a cookie, if an age is not set the cookie expires at the end of the session, however it is possible to set an exact date for the expiry of the cookie or how long in seconds it will last.

Secure cookie

When set, limits the cookie to being transmitted over secure connections only, i.e. https; it goes without saying that the cookie should only be created within a secure connection.

HttpOnly cookie

Only allows access to the cookie via the HTTP protocol and prevents access from within scripts via the document object model (DOM), i.e. document.cookie.

Cookies are used on web sites to allow session management, personalisation and tracking. Session management allows interaction between web pages to create a web application; typically session cookies that expire at the end of the session are used. Personalisation allows data about the settings used on a web site to be retained by the client, allowing for personalisation without having to get a user to authenticate to the web site every time; persistent cookies with a suitable expiry limit are used. The final use, and the one that causes problems with privacy, is the use of cookies for tracking a user, where the pages visited and the sequence of visiting them are logged on every visit to the site; again persistent cookies are used.

Cookies are created by a web server sending the Set-Cookie header to the browser; from then onwards, every time the browser requests a page from that domain the Cookie header is sent as part of the request, and this continues until the cookie expires. However, cookies can also be set by a script on a web page manipulating the DOM, if supported and enabled in the client's browser.
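A cookie audit of the kind the "Cookie Audit" entry above asks for, using the attributes just listed, as an added example in Python that is not from the original article: it parses captured Set-Cookie headers and classifies each cookie as session or persistent, first or third party, Secure/HttpOnly, and whether it is on the site owner's strictly necessary list. The captured headers, host names and the short public-suffix sample are constructed for the example (real browsers use the full Public Suffix List).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the Public Suffix List: a browser must refuse a
# Domain attribute that is a whole public suffix, since the cookie would
# then be sent to every site under it (the ".com / .co.uk" point above).
PUBLIC_SUFFIX_SAMPLE = {"com", "net", "org", "uk", "co.uk", "org.uk", "ac.uk"}


@dataclass
class CookieRecord:
    name: str
    value: str
    set_by: str                      # host whose response carried the header
    domain: Optional[str] = None     # Domain attribute, leading dot removed
    path: str = "/"
    expires: Optional[str] = None
    max_age: Optional[int] = None
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header_value, set_by):
    """Parse one Set-Cookie header value into a CookieRecord."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    rec = CookieRecord(name=name.strip(), value=value.strip(), set_by=set_by.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            rec.domain = val.lstrip(".").lower()
        elif key == "path":
            rec.path = val or "/"
        elif key == "expires":
            rec.expires = val
        elif key == "max-age":
            rec.max_age = int(val) if val.lstrip("-").isdigit() else None
        elif key == "secure":
            rec.secure = True
        elif key == "httponly":
            rec.http_only = True
    return rec


def effective_domain(rec):
    """Domain the cookie is scoped to: the attribute if given, else the setting host."""
    return rec.domain or rec.set_by


def is_session(rec):
    """Session cookie: neither Expires nor Max-Age was given."""
    return rec.expires is None and rec.max_age is None


def is_third_party(rec, site_host):
    """Third party if the cookie's domain is not the site's host or a parent of it."""
    d, h = effective_domain(rec), site_host.lower()
    return not (h == d or h.endswith("." + d))


def domain_is_public_suffix(rec):
    """Flag a Domain attribute a browser should reject outright."""
    return rec.domain is not None and rec.domain in PUBLIC_SUFFIX_SAMPLE


def audit(set_cookie_headers, site_host, essential_names):
    """Classify each (setting_host, header_value) pair captured for site_host.

    essential_names: cookie names the site owner has judged strictly
    necessary; everything else is marked as needing consent.
    """
    report = []
    for set_by, header in set_cookie_headers:
        rec = parse_set_cookie(header, set_by)
        report.append({
            "name": rec.name,
            "domain": effective_domain(rec),
            "session": is_session(rec),
            "third_party": is_third_party(rec, site_host),
            "secure": rec.secure,
            "http_only": rec.http_only,
            "invalid_domain": domain_is_public_suffix(rec),
            "needs_consent": rec.name not in essential_names,
        })
    return report


# Constructed capture of the Set-Cookie headers seen while loading one page
# of www.example.co.uk (the site's own server plus an embedded ad image).
SAMPLE_CAPTURE = [
    ("www.example.co.uk", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.co.uk", "site_stats=1.42.7; Domain=.example.co.uk; "
                          "Expires=Thu, 29 May 2014 10:00:00 GMT; Path=/"),
    ("www.example.co.uk", "prefs=lang%3Den; Max-Age=2592000; Path=/"),
    ("ads.tracker-example.net", "id=deadbeef; Domain=.tracker-example.net; "
                                "Max-Age=31536000; Path=/"),
    ("www.example.co.uk", "bad=1; Domain=.co.uk; Path=/"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_CAPTURE, "www.example.co.uk", {"SESSIONID"}):
        print(row)
```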

Cookies hit headlines as the ICO deadline approaches

Cookies are starting to hit the headlines again as the UK deadline for meeting the EU Cookies directive draws nearer. The UK government revised the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May 2011, to address new EU requirements. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers; the ICO gave a year’s grace period starting on 26 May 2011 for companies to become compliant with the new guidelines provided by the Information Commissioner's Office.


Current regulation of cookies

The internet industry has tried to control the use of cookies and protect privacy: if we look at the RFCs about session management, they say browsers should protect user privacy and not allow third party cookies by default, yet a number of the popular browsers ignore the default deny of third party cookies. Some browsers allow the setting of third party cookies if they have a compact privacy policy and use a compact policy field as part of the Platform for Privacy Preferences Project (P3P), which was started by the World Wide Web Consortium (W3C) and officially recommended in 2002, although development ceased a short period afterwards.

A number of countries around the world have produced guidelines and regulations on cookies, but these only affect the relevant country. In 2002 the EU developed a telecommunications privacy directive, and article 5, paragraph 5 of the directive mandates that storing data on a user’s computer can only be done if certain conditions are met. These cover giving information on how this data is used and giving the option for the user to opt out of storing the data. Data that is necessary for technical reasons is exempted from the user opting out of storing it.

In the UK the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations) implemented a European Directive - 2002/58/EC concerned with the protection of privacy in the electronic communications sector. In 2009 this Directive was amended by Directive 2009/136/EC. This included a change to Article 5(3) of the E-Privacy Directive requiring consent for storage or access to information stored on a subscriber or users terminal equipment. The UK introduced the amendments on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

The government, prior to the introduction of the Regulations, expressed the view that there should be a phased approach to the implementation of these changes. The Information Commissioner agreed that businesses would need time to implement solutions. He therefore confirmed that he would exercise his discretion and allow organisations a ‘lead in’ period of 12 months to put in place the measures needed to comply. This lead-in period will come to an end on the 26th May 2012; there are just two months left of the period.

During this period the Information Commissioner made it clear that organisations should be taking steps to comply with the rules, and for any complaints received about web sites during this period he would expect to see a plan of action on how the rules are going to be complied with.

What can be done?

No matter what a business's view on the law is, it won’t stop the Information Commissioner's Office (ICO) from taking action about complaints that websites are breaking the law.

The new regulations require more than just telling users about cookies and allowing them to opt out; sites need to be more proactive in meeting the regulations.

The ICO recommends these three steps:

1. Check what type of cookies and similar technologies are being used and how they are being used.

2. Assess how intrusive the cookie use is.

3. If consent is needed then decide upon the method of obtaining consent.

Although cookies required for technical reasons are exempt, the actual scope of the exemption has been discussed in various forums and there have been some very inventive technical reasons as to why a cookie should be exempt.

In general the following are not exempt:
  • Cookies used for analytical purposes, to count the number of unique visits to a website for example
  • First and third party advertising cookies
  • Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored

The international nature of the internet and the use of third party cookies will make the scope of the regulations, and who is responsible for implementing them, difficult to establish clearly.

From the information released by the ICO it is clear that any UK organisation is subject to the regulations even if its web site is hosted outside the UK. Organisations from outside Europe with websites designed for the European market and offering services or products within Europe should consider that European users will be expecting information on cookies and the ability to opt out.

The responsibility for providing information on third party cookies and gathering the opt-in permission will be with the website owner as it will be technically very difficult for the third party to do so.