Geraint Williams

Information Risk Consultant & Trainer

---

Site Navigation Home Page About me Blog RSS feeds News Talks Articles   Cookies Article

Cookies Published 4th April 2012, (c) Geraint Williams This article was generated from a series of blog entries that I wrote on my blog geraintw.blogspot.com in March 2012 in response to the ending of the ICO deadline on the implementation of the UK cookie law (PECR). The aim of the article was to give some background on cookies that was easily understandable, the privacy issues, and what the legal situation was with having cookies on your website. Cookies hit headines as the ICO deadline approaches Why are cookies used on web sites? (Part 2) Privacy and cookies (part 3) Browsers, Cookies and Privacy (part 4) Cookies and the PECR (part 5)

---

Cookies hit the ICO Deadline

Cookies are starting to hit the headlines again as the UK deadline for meeting the EU Cookies directive draws nearer. The UK government had revised the Privacy and Electronic Communications Regulations, which came into force in the UK on 26 May, to address new EU requirements. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers, the ICO gave a year’s grace period starting the 26 May 2011 for companies to become compliant with new guidelines provided by the Information Commissioner Office.

Why are cookies used on web sites?

Web pages use the Hyper Text Transfer Protocol (HTTP) to transfer the page from the web server to the client’s browser, it uses Hyper Text Markup Language (HTML) to code the page and the browsers render the HTML to create the web page on the screen. When Sir Tim Berners-Lee developed HTTP at CERN the particle physics laboratory on the French-Swiss border it was a stateless protocol, each transaction of transferring a single web page was a single session within the protocol and independent of the any other session, it was not possible to transfer information between web pages. It was not long before information was being exchanged between web pages by using Uniform Resource locator (URL) encoding in a GET request or in the body of a POST request. GET and POST are two types of HTTP request methods used by the client to request a resource from the web server. The URL of the request object is contained in the header of a request method.

Sample GET Request showing URL encoding

Sample GET Request showing data in the body of the method

When using GET request the transferred data is visible in the address box of the browser, in a POST request the data is not so visible. However these methods of transferring data are transient and don’t provide for persistence of data which is required for a more complex web application and for a personalised experience. As web pages are rendered on the client machines, a technique of using variables that will be stored in the client’s browser where developed, these variables are known as cookies.

The document Request for Change (RFC) 2019, Feb 1997 deals with HTTP State Management Mechanism and describes the two new headers introduced to the HTTP protocol, Cookie and Set-Cookie. The header Cookie is used in the Request object to send a cookie to the server, the Set-Cookie header is used in the response method to set a cookie on the client browser. In the RFC 2109, 3rd party cookies where not allowed, however this was ignored by some companies and RFC 2965, Oct 200 and RFC 6265, April 2011 have redefined HTTP State Management Mechanism.

There are a number of controls built into session management by the use of cookies to try and protect the user, such as that a cookie should only be read by the domain that created it, however these controls can be by passed and the newer attributes introduced into cookie header in later RFC’s are meant to control exploiting cookies, however the browser’s themselves can be exploited to give up cookie information.

Types of cookies

There are a number of classifications of cookies that are dependent on the duration the cookies last for and which web sites can read the cookie

Classification of cookies

Session cookie

Only lasts whilst using the website that created it, a session cookies is created when no expires attribute is provided during its creating, a browser should delete session cookies as it quits

Persistent cookie

A persistent cookie outlasts its session retaining information until the expiry or max-age is reached, allowing information to be exchanged across multiple sessions with the same domain.

Third party cookie

A third party cookie is one set with a domain not the same as the domain of the web site visited

Attributes of cookies

Domain & Path

These set the scope of the cookie; it can be a single host, all the hosts in a domain, or a folder and sub folders within a host if the part is set to a folder other than root of the domain. Setting a domain to a top level domain (TLD) is not allowed i.e. .com, or .co.uk

Expires & Max-Age

Sets the persistence of a cookie, if an age is not set the cookie expires at the end of the session, however it is possible to set an exact date for the expiry of the cookie or how long in seconds it will last.

Secure cookie

When set limits the cookie to being transmitted by secure connections only i.e. https, it goes without saying the cookie should only be created within a secure connection

HttpOnly cookie

Only allows access to the cookie via the HTTP protocol and prevents access from within scripts by using the document object model (DOM) i.e. document.cookie

Cookies are used on web sites to allow session management, personalisation and tracking, session management allows interaction between web pages to create a web application; typically session cookies that expire at the end of the session are used. Personalisation allows data to be retained by the client about settings used on a web site, allowing for personalisation without having to get a user to authenticate to the web site every time; persistent cookie are used with a suitable expiry limit. The final use and the one that causes problems with privacy is the use of cookies for tracking a user and which pages and the sequence of visiting them is logged on every visit to the site; again persistent cookie are used.

Cookies are created by a web server sending the set-cookie header to the browser, from then onwards every time the browser requests a page from that domain the cookie header is sent as part of the request, this continues until the cookie expires. However cookies can also be set by a script on a web page manipulating the DOM if supported and enabled on the clients browser.

Problems with cookies

So far, it seems that cookies are useful and help by making the browsing of websites a better experience for the user, so why are the EU and privacy organisations concerned about cookies? Well, hopefully you picked up some points I mentioned the previous blog entries about cookies that are the cause of the concern about privacy. For those who didn’t, it is because cookies can be used for tracking, they can be created for third parties and browsers frequently ignore recommendations in the RFCs about session management

Tracking

A company may want to track a person using their website, they do this by setting a first-party cookie, they then log the pages requested that have the cookie sent in the request header enabling them to track page views and the order in which they were viewed, they do this to obtain data to improve navigation, calculate popular pages and personalise pages offered to a user when they visit, depending on what was viewed last time.

3rd Party Tracking

Third- party companies can create a cookie on a domain other than their own if the web page includes objects, such as images requested from the third party domain embedded in the web page; this allows the creation of third party cookies with a domain different to the domain of the requested webpage.

If the third party has a series of these objects across a large number of domains, it allows what a first party cookie on its own website can do in tracks pages viewed, but now the third party can track page usage across all domains on which it has an object embedded. This can allow targeted advertising based on web sites visited, i.e. adverts for trainers if the user has visited a number of sports footwear website, but it can be used to profile a user for alternate purposes.

Reselling Internet usage

Generally with a web site to which you subscribe there is often the option to decide on how the owner of the web site can use your information and whether they can pass it on to external parties. However when it comes to third party tracking of Internet usage it is a lot harder to prevent them from reselling the derived data about your web usage, they can use the information themselves and additional sell it on to other interested parties, either for marketing purposes or for other profiling purposes.

Profiling

If a user is tracked across the Internet through 3rd party cookies, for example an advertising company that places it is adverts onto websites so the owners can generate revenue by per click advertising. It allows the advertising company to record what sites a user has visited, if for example they track a unique cookie value as having visited several horticultural sites and sites about growing cannabis etc. this level of profiling and tracking would be useful for law enforcement agencies.

Leakage of information

Additionally vulnerabilities have allowed data to be retrieved from cookies that could allow an unauthorised person to steal information about the user and/or impersonate them on web sites allowing identity theft, fraud and other crimes to be committed.

Privacy and the real world

The real danger comes when it becomes possible to link an online identity created by a unique cookie value with personal identifiable Information, allowing the online identity to be linked to an real world identity allowing a name, address to be added to data collected about their viewing habits, this could be useful for direct mail marketing companies but also could be abused by companies, criminals and other agencies

Browsers, Cookies and Privacy

Below I have screen grabs of three of the most used browsers on a PC, showing the options available to control how the browsers interact with cookies.

Internet Explorer 9.05

Firefox 10.0.2

Chrome 17.0.963/

The common features amongst the latest versions of browsers are

• Block all cookies
• Block third party cookies
• Allow exceptions

However the different ways of implementing the controls will make it difficult for a web site owner to give instructions on how to handle consent for cookies.

Ideally a web user needs a more flexible approach to controlling cookies than the blanket controls based on options of either ignoring all cookies, ignoring 3rd party cookies or accept all cookies. The browsers above do offer some additional features of which, the exceptions option is probably the most important in where a blanket ban on cookies can be overridden on selected web sites. A good feature that a lot of browsers are now implementing is allowing session variables which are typically associated with the management of web applications but only exists for the duration of the visit. An additional handy feature is the ability of some browsers to delete all cookies as it exits, thus turning all the cookies into session cookies.

The ability to accept only session cookies or turn all cookies into session cookies by forcing the deletion of them is of fundamentally important with a modern dynamic web application where session management cookies allow the web site to function as the user expects it to. With the new regulation a lot of web sites are being forced to offer two alternatives, consent to cookies or block all cookies as they can't rely on user’s configuring the browser settings. In fact assuming consent has been given as the browser accepts cookies has been specially ruled out and it is written a site must get consent before writing a cookie to the client browser.

A user of a web site is now being forced into either accepting all cookies as they want the functionality of the web application, or block the functionality of the web site as they don't want the functionality of some of the cookies. Although the regulations say consent for strictly necessary cookies is not required, the cookie specification and browser support are insufficient to allow acceptance of strictly necessary cookies and block all other cookies, unless the web site uses session only cookies for the strictly necessary functionality and uses non-session cookies for all uses and even then the browsers will need to be correctly set.

Current regulation of cookies

The internet industry has tried to control the sue of cookies and protect privacy, if we look at the RFC’s about session management, they say the browsers should protect user privacy and not allow third party cookies by default, a number of the popular browser ignore the default deny of third party cookies. Some browsers allow the setting of third party cookies if they have a compact privacy policy and use a compact policy field as part of the Platform for Privacy Preferences Project (P3P) that was started by the World Wide Web Consortium (W3C) and officially recommended in 2002 but development ceased a short period afterwards.

A number of countries around the world have produced guidelines and regulations on cookies but these only affect the relevant country. In 2002 the EU developed a telecommunication privacy directive and article 5, paragraph 5 gave directive mandates that storing data on a user’s computer can only be done if certain conditions are meet. These cover giving information on how this data is used and giving the option for the user to opt out of storing the data. Data that is necessary for technical reasons are exempted for the user opting out of storing it.

In the UK the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations) implemented a European Directive - 2002/58/EC concerned with the protection of privacy in the electronic communications sector. In 2009 this Directive was amended by Directive 2009/136/EC. This included a change to Article 5(3) of the E-Privacy Directive requiring consent for storage or access to information stored on a subscriber or users terminal equipment.

The UK introduced the amendments on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. The government prior to the introduction of the Regulations expressed the view that there should be a phased approach to the implementation of these changes. The Information Commissioner agreed that businesses would need time to implement solutions. He therefore confirmed that he would exercise his discretion and allow organisations a ‘lead in’ period of 12 months to put in place the measures needed to comply.

This lead-in period will come to an end on the 26th May 2012, there is just two months left of the period. During this period the Information Commissioner made it clear that organisation should be taking steps to comply with the rules, any complaints received about web sites during this period he would expect to see a plan of action on how the rules are going to be compiled with.

Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR)

As previously stated On 26 May 2011, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR) come into force. These amend the Privacy and Electronic Communications (EC Directive) Regulations 2003. The 2011 Regulations enhance these powers and introduce new requirements, most notably in relation to cookies. From the ICO advice on the new cookies regulations, the introduced changes is that cookies can only be placed on machines where the user has explicitly given permission.

Regulation 6 of the PECR

Notes:

The regulation 6(3) implies the first time a terminal equipment of a subscriber or user they must be asked, however on subsequent visits it is not necessary to repeat the request for consent. However it is hard to see if equipment used to browse the internet is shared between users how the website will know if it is the same user or not.

Regulation 6(3A) does allow a website to test to see if cookies are allowed by trying to read and write a cookie which the ICO has indicated is not fully acceptable. I assume that if the site detects cookies are not allowed then it can assume consent is not given, however it can write and read cookies then it has to ask consent at which point it is too late as they have already written a cookie potentially without consent.

Regulation 6(4) exempts strictly necessary cookies from the consent request process, where strictly necessary is for operation of the web application to meet the subscribers or user expectations.

Cookies and the PECR

Previously, companies using cookies only had to inform users about their use and give such users the opportunity to "opt out" if they wanted; now it is an "opt in" requirement. In order to determine whether people had opted out, companies are using the technique of trying to write a cookie to a browser and immediately read to test if the user had disabled the acceptance of cookies, if they could write a cookie it was assumed the user had not opted out of accepting cookies.

The Information Commissioner now advises that these are not currently sophisticated enough to allow companies to assume that the user has given consent and he advises that companies should obtain user consent in some manner. In order to give the rules some bite the ICO has the power to serve a monetary penalty of up to £500,000 on organisations that seriously breach the rules. Along with the use of enforcement notices and undertakings as they have previously as part of the range of options available to them to make sure organisations comply with the law. The Commissioner has said they will be able to impose a monetary penalty notice if an organisation has seriously contravened the Regulations and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition the contravention must either have been deliberate or the organisation must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

This is going to mean companies will need to look at their web sites and develop a strategy for handling gathering cookie consent. The process of cookie consent handling is showing in this flowchart

At the moment essential cookies don't need consent, if your site only uses essential cookies than no consent is required, however if you have a mix and most sites will especially if they are using Google Analytics then you will need to get consent for the strictly not necessary cookies and this is where the problems start.

What can be done?

No matter what a business view on the law is, it won’t stop the Information Commissioners Office (ICO) from taking action about complaints websites are breaking the law. The new regulations require more than just telling users about cookies and allow them to opt out and they need to be more pro-active in meeting the regulations.

The ICO recommend these three steps

1. Check what type of cookies and similar technologies are being used and how are there are being used.
2. Assess how intrusive the cookie use is
3. If consent if needed then decide upon the method of obtain consent.

Although cookies required for technical reasons are exempt, the actual scope of the exemption has been discussed in various forums and there have been some very inventive technical reasons as to why a cookie should be exempt.

In general the following are not exempt

• Cookies used for analytical purposes to count the number of unique visits to a website for example
• First and third party advertising cookies
• Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored

The international nature of the internet and the use of third party cookies will make the scope for implementing the regulations and the responsibly difficult to establish clear. From the information released by the ICO it is clear and UK organisation is subject to the regulations even if their web site is hosted outside the UK. Organisation from outside European with websites designed for the European market and offering services or products within European should consider that European users will be expecting information on cookies and the ability to opt out. The responsibility for providing information on third party cookies and gathering the opt-in permission will be with the website owner as it will be technically very difficult for the third party to do so.

What is the ICO doing?

The ICO website has a banner for requesting consent for using cookies, with a check box for accepting cookies, a continue button and a link to a privacy notice, this is all good until you click on the continue button without accepting cookies from the site, the warning changes by the addition of a line saying "You must tick the "I accept cookies from this site" box to accept, and the banner stays on all pages until you tick the box. This shows the problems of getting consent and how it affects user experience if at the top of all web pages is banner about cookies.

What is the solution for the future?

The law whilst aimed at protecting users does not reflect the current technology being used in websites and browsers. The EU has said existing cookie controls in browsers are not flexible enough and a majority of users don't understand cookies and won't be able to configure cookies from the web site.

Some extensions to browsers do give the functionality to allow the blocking of some and allowing others, however it takes user awareness and knowledge. Software writers developing browsers could take some of these ideas and implement them in the browser and at the first time of using the browser it could ask for setting to be configured with the default being, strictly necessary cookies are allowed all other are blocked, but how does a browser know a strictly necessary cookie form any other cookie.

Here a development of a new RFC for session management is required with a new attribute of strictly necessary which can be set by the website developer. The ICO and other such agencies could that have strict penalties for incorrect setting of cookie attributes.

---

References

• Google - Cookies & Google Analytics
• ICO - Cookies
• ICO - guidance on the new cookies Regulations
• ICO - Privacy and Electronic Communications Regulations
• Wikipedia - HTTP cookie

---

Contact Details

blog:

geraintw.blogspot.com

email:

geraint@geraintw.co.uk

twitter:

Follow @GeraintW

Linkedin:

Content © 2013 Geraint Williams | Last updated 14th January 2013