Cookie warnings: Useless and bad for security?
Cookies are the official, standard and preferred way of keeping state in the (otherwise) stateless HTTP protocol. They are sometimes used for keeping track of a user beyond a single website visit, for hours, days, or years. This kind of tracking can become privacy-invasive, and this has earned cookies a dubious reputation.
Most browsers offer the user cookie-control features out-of-the-box (ask never, ask always, delete upon exit, rules, etc.). Besides that, most web browsers also offer so-called ‘private web browsing windows’, which always start without any cookies – a clean sheet.
There are exceptions – and tricks to evade some of these web browser controls. There are so-called evercookies; see, for example, the ENISA paper on privacy and information security risks of cookies. Browsers are continuously improving to give control to the end-user. It is an arms race. The good news is that the entire web stack is converging on HTML5, and that methods for local storage and caching (i.e. cookies, etc.) are therefore standardizing and becoming easier for the developers of browser engines to control.
In 2009, driven partly by an EU directive, EU countries adopted a range of different cookie laws and rules. Some countries became very restrictive. For example, the Dutch legislation apparently went too far for the Dutch EU commissioner of the Digital Agenda, Miss Kroes. Some countries tried to leave websites the choice to implement cookies in a privacy-friendly way – not always with good results. Here is an interesting article about the UK cookie rules. The practical outcome (across the EU) of this policy initiative was a flood of pop-up boxes, warning boxes and warning messages asking website visitors every time to click “Yes, accept?” or “No, I don’t”. The second choice usually means “Bye bye”.
Our daily clicking away of these warnings is a time-consuming, costly and inefficient approach to giving the user control, because this kind of consent should be handled by the browser.
Cookie warnings just increase the risk that users, when caught in a drive-by-download attack, mindlessly click “Yes, accept” when prompted to run an applet, install code, or give the page access to location data. The same case can be made for a host of other ‘click here to continue’ consent and warning boxes.
Do you agree? And where do we draw a line? Click to agree with our terms and conditions? Or just show small print at the bottom? Just a ban on re-using the visual language of pop-ups and warning signs?
How do you solve the issue of cookies without popups? Not at the individual websites. The focus should be on W3C’s HTML specs. See, for example, ENISA’s work commenting on and flagging security issues in the HTML5 specs when they were opened for comments by W3C in 2011.
By improving the HTML5 standard, we can give the user better control over a host of issues around offline storage, cookies, third-party content, cross-domain access, and so on. And if you don’t like tracking, make sure the practice is banned; don’t ask people if they like cookies. There are other ways of tracking users: via IP address (IPv6 is coming, so more unique addresses), via browser profiling, via variables in the URL or hidden fields in the page, via third-party content (1×1 pixel images), and so on.