Poisonous Batch of Cookies?

DataReports
Written By Dan Qutaishat

Work belongs to Dan Qutaishat, this work can be referenced by using any of the established referencing methods such as Harvard.

“Web cookies revolutionised the web because they gave it a memory. Cookies gave your actions on the web a ‘past’, which you have no idea about or access to” (Carmi, 2017)

 

Introduction:

Lou Montulli invented cookies in 1994  for Netscape to use on online shopping baskets (Harding, Reed and Gray 2001). However, the contents, purpose and security implications of cookies are often too ambiguous for the average web users to take precautions against unscrupulous individuals who might violate the user's information and thus leave them vulnerable to attack. Therefore, it is a necessity that the web user obtains adequate knowledge to make educated decisions regarding cookies. Though cookies are only text files, they can store information about the user until their expiration date. This report aims to help bridge the gap in the web user's knowledge by providing the essential information on cookies and highlighting their justified advantages and drawbacks.

 

The Cookie's Ingredients:

           Sit and Fu (2001) confirm that cookies are text files composed of key/value pairs that are delivered to the browser by the server to confirm the state of the web session by searching the user's hard drive for an existing cookie file. Sipoir, Ward and Mendoza (2011) agree that this occurs by the set-cookie HTTP response as the server recalls previous interactions on the site through the user's unique visitor ID which makes the HTTP stateful. A cookie includes a set of parameters, these are: name, value, expiration date, valid path, valid domain and requirement for a secure network. However, Schindler (2003) argues that cookies only require the name and value to function. Additionally, Harding, Reed and Gray (2001) believe that it is possible to alter cookies’ contents using JavaScript as they are text files and thus parameters such as the expiration date can be amended, and header details can be altered. This information is indecipherable and thus, in theory, protects the user’s information from unwanted third-parties.

 

Cookies is a general umbrella term that covers many types such as: tracking cookie, preference cookie and the shopping cart cookie. This is validated by Harding, Reed and Gray’s (2001) research. Alternatively, Pinto, Lages and Oliveira (2020) argue this idea, believing that cookies can generally be split into two categories: session cookies, which store files temporarily until closing the browser, and persistent cookies, which are stored until they are deleted. While their purposes might be different, their types fall into those two categories. They also reinforce that the use of cookies is predominant on e-commerce websites to fuel online behavioural advertising and thus establish and document trends about user engagement . This allows web developers to adapt the website to be more personalised towards the user, thus increasing user convenience whilst being economically beneficial to the website as it gains more revenue and interaction.

 

Health benefits of cookies:

           The significance of cookies is often attributed to the role they play in marketing as sites are personalised per the user’s preferences. Marketers often track consumer behaviour to continually alter their site to suit consumer needs and achieve target marketing whilst aiding website functionality. Carmi (2017) supports this by referencing the European Union’s e-privacy directive “So-called “cookies” can be a legitimate and useful tool. For example, in analyzing the effectiveness of website design and advertising” (2002/58/EC, recital 25). Furthermore, cookies can store data such as passwords and user IDs, which are often tedious for the user to input many times, thus saving their time and easing web usage (Harding, Reed and Gray, 2001). Besides, Pinto, Lages and Oliveira (2020) reiterate that without permitting cookie usage on e-commerce websites, websites would fail to function properly, and businesses would be harmed.

Schindler (2003) reassures that though it might be frightening to think the marketer has access to the user’s personal details, cookies are used by marketers to only obtain general trends- for example, to know the ratio of new users to returning users.

 

Health detriments of cookies:

           Although many view cookies as safe, they have multiple drawbacks; most importantly is the amount of personal information they save about the user such as IP address which could easily be abused on public networks e.g. in internet cafés if the user was using a computer- the next user could easily see recorded information about the prior user (Harding, Reed and Gray, 2001). Sit and Fu (2001) corroborate this idea and agree that is further compounded by the lack of security elements in a cookie i.e. there is “no standard mechanism to establish integrity and thus each server runs a different method in which some are weaker than others”. This provides the cookie with flexibility in its usage at the expense of security; due to the lack of SSL when dealing with cookies in HTTP exchanges there is no protection against third-party spies which pry on the network and hear ongoing traffic between two computers. In this modern age, data collected about users is viewed as a valuable currency amongst the digital marketing world – referred to as “privacy as a commodity” by Pinto, Lages and Oliveira (2020). Therefore it is not surprising that users are slowly becoming more cautious regarding how cookies work and who has access to them- especially as this information is usually sold to third-parties for advertising purposes. This is reinforced by a study conducted by Pinto, Lages and Oliveira (2020) which illustrated that only 2.9% of respondents felt completely safe about cookies and that 49.4% of respondents deleted all cookies monthly. 

 

It is suggested to delete cookies after usage, blocking them or activating a Do Not Track mechanism (DNT) but this reduces the website’s functionality between 6%-27% whilst still allowing the tracking scripts to function between 37%-78% and so not only does DNT fail to accomplish its goal, it also harms the user’s engagement. Therefore, users face a privacy paradox in which they sacrifice their security for ease of site navigation (Pinto, Lages and Oliveira 2020). Fortunately, Carmi (2017) believes that the user’s power could be increased if browsers followed IETF cookie standards which would mean cookie communication is visible, the user would become more knowledgeable and thus reduces the power that online businesses have on the user. 

 

Cookies’ add-ons and alternatives:

           Web designers often accompany cookies with web bugs or beacons which are transparent 1-pixel GIF image tags which are introduced into emails and websites to monitor behaviour. They are often imperceptible and can track user navigation and input. Sipior, Ward and Mendoza (2011) warn that “Personally identifiable information” is recorded by these web bugs and delivered via cookies to third party companies for online profiling purposes – the addition of web bugs into HTML code enable cookies to be much more invasive.

 

As web users are becoming more aware of cookies, cookie deletion rates have increased. As a result,  to combat this issue, United Virtualities produced the ‘persistent identification element (PIE)’ which is a unique identifier similar to HTTP cookies. It uses the “local shared objects” LSO of Adobe’s Flash Player plug-in which is available in 98% of computers. These LSO/ Flash cookies are 100KB and thus are much larger than HTTP cookies (4KB). These Flash cookies are stored by default when a user accesses a website with a Flash application, it does not ask for permission by default hence their existence would be unknown to users – so would not be deleted. Though HTTP cookies can be deleted, the use of the Flash cookies means that the Flash cookie might recreate the deleted HTTP cookies in a process known as “respawning”; which is a very stealthy process and thus might make the user feel ‘violated’ but it is beneficial for marketing and trends (Sipior, Ward and Mendoza 2011).

Furthermore, to tackle the invasiveness of cookies, Keith Johnson (2014) suggests that one of the best upcoming technological advancements is Statistical IDs which combine numerous data points from any computer that is online-this ID helps add some anonymity to the user as the ID appears indistinguishable across multiple devices since it depends on components used in comparison to cookies which single out the user based on a unique ID.

 

Conclusion:

           Though cookies are a technological breakthrough for web developers and marketers as they record important user trends and personalise web use while easing access, many are still unaware of their properties and thus are unable to take action against them if needed. Cookies are often non-malicious and are often undetected by the average user. However, they can be easily misused because of their lack of security elements. With how the technological world is evolving, new technologies are emerging to tackle cookie deletion etc. which many might view as reducing the power balance between web-user and web developers. New advancements are hoping to bridge the gap in power such as the growth of Statistical IDs. Thus is it crucial that the user reads upon any new tech advances and checks their cookies and their usages regularly to spot any irregularities.

References:

1.     Harding, W., Reed, A. and Gray, R. (2001). Cookies and Web Bugs: What They Are and How They Work Together. Information Systems Management, Vol. 18(No. 3), pp.17-24 . <http://web.b.ebscohost.com.ntu.idm.oclc.org/ehost/detail/detail?vid=0&sid=ccd71c3a-de3d-4c65-bc93-19432e49eb03%40pdc-v-sessmgr03&bdata=JnNpdGU9ZWhvc3QtbGl2ZQ%3d%3d#AN=4549415&db=bth> (Accessed 8/10/2020).

2.     Sit, E. and Fu, K. (2001). Web Cookies: Not Just a Privacy Risk. Communications of the ACM, Vol. 44(No. 9), p.120. <https://www.researchgate.net/publication/220426921_Web_Cookies_Not_Just_a_Privacy_Risk> (Accessed 8/10/2020).

3.     Schindler, E. (2003). Half-baked ideas: Why Web cookies aren’t bad for you. Element k journals. pp. 5-6. <https://search.proquest.com/docview/191093164?accountid=14693&rfr_id=info%3Axri%2Fsid%3Aprimo>  (Accessed 8/10/2020).

4.     Sipoir, J., Ward, B. and Mendoza, R. (2011). Online Privacy Concerns Associated with Cookies, Flash Cookies and Web Beacons. Journal of Internet Commerce, Vol. 10 (No. 1-16). pp. 1-4. <https://www.tandfonline.com/doi/full/10.1080/15332861.2011.558454> (Accessed 8/10/2020)

5.     Pinto, P., Lages, R. and Oliveira, M. (2020). Web Cookies: Is there a Trade-off Between Website Efficiency and User Privacy?. pp.713-722. <https://www.researchgate.net/publication/341995185_Web_Cookies_Is_There_a_Trade-off_Between_Website_Efficiency_and_User_Privacy> (Accessed 8/10/2020)

6.     Carmi, E. (2017).  Review: Cookies-More than Meets the Eye. Theory, Culture and Society, Vol. 34 (No. 7-8). pp. 277-281. <https://www.researchgate.net/publication/320571303_Review_Cookies_-_More_than_Meets_the_Eye > (Accessed 8/10/2020).

7.     Johnson, K. (2014). When the Cookies Crumble. pp. 25-26. <https://search.proquest.com/docview/1550817603/fulltextPDF/57B42C2CBE384068PQ/1?accountid=14693> (Accessed 8/10/2020).

 

 

Dan Qutaishat https://www.danqutaishat.com
Previous

Networking Analysis