Cookies?

Cookies, GDPR & 'online identifiers'

Cookies. We have all heard of them, encountered them and made decisions that they have influenced. This is true of both the snack and the internet data packet, also known as a cookie. However, if you were to ask random people on the street what a cookie is in terms of the internet, I am sure a large proportion would not give a feasible answer.

Cookies enable the internet user of today to have comfortable and enriched browsing experiences. They are essentially packets of data that are exchanged between a website and the browser without any changes being made to the data inside. Cookies are often associated with online tracking and the monitoring of user activity. While they are very useful for a comfortable browsing experience on websites such as online retailers, internet users often fall into the trap of not managing their cookie preferences.

There are different types of cookies users should generally be aware of when browsing.

Session Cookies:

The purpose of a session cookie is in the name. This packet of data exists only for the user's current browsing session, so session cookies are typically removed when the browser is closed.

HttpOnly Cookies:

These cookies are sent only with HTTP/HTTPS requests to the website and are not exposed to scripts running in the page. This prevents JavaScript code from reading them and potentially stealing data through cross-site scripting (XSS), where malicious scripts are executed without the user even being aware. Without this protection, cross-site scripting can lead to sensitive data such as session tokens being accessed.

Persistent Cookies:

In contrast to session cookies, persistent cookies remain on a user's computer until a specified date. Users are often not aware of this when accepting them on arriving at a web address. A website can access this type of cookie every time the user returns to the web address it came from, until the cookie expires. The moral dilemma behind this is rather clear, as many websites do not make the presence of their persistent cookies immediately obvious. Users often simply click "accept all" to reach their optimal browsing experience as fast as possible, without any prompt informing them of the presence of persistent cookies.

Secure Cookies:

Secure cookies are only sent over encrypted (HTTPS) connections, so the data carried in the packet is encrypted in transit, which reduces the possibility of theft.

Third-party Cookies:

To understand why third-party cookies can be dangerous, one must first understand that they are set for domains that are different from the one that appears in the address bar. Third-party tracking cookies can be rather aggressive and are often the reason internet users' activity and movement are explicitly tracked.
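The cookie types above correspond to attributes in the `Set-Cookie` response header. The following is an added example, not part of the original article, that parses such headers and labels each cookie as session or persistent, HttpOnly, Secure, and first- or third-party; the hosts `shop.example` and `tracker.example`, the sample headers and all function names are constructed for illustration.

```javascript
// Added example: classify Set-Cookie headers into the cookie types listed above.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name=value pair, so not a usable cookie
  const attrs = {};
  for (const item of rest.filter(Boolean)) {
    const i = item.indexOf("=");
    // Attribute names are case-insensitive; flags such as Secure have no value.
    attrs[(i < 0 ? item : item.slice(0, i)).toLowerCase()] = i < 0 ? true : item.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Approximation: real browsers compare registrable domains using the
// Public Suffix List; here a plain host suffix match stands in for that.
function isFirstParty(cookieDomain, pageHost) {
  return pageHost === cookieDomain || pageHost.endsWith("." + cookieDomain);
}

function classify(header, settingHost, pageHost) {
  const c = parseSetCookie(header);
  if (!c) return null;
  const a = c.attrs;
  const domain = (typeof a.domain === "string" ? a.domain.replace(/^\./, "") : settingHost).toLowerCase();
  const result = {
    name: c.name,
    lifetime: "max-age" in a || "expires" in a ? "persistent" : "session",
    httpOnly: a.httponly === true,
    secure: a.secure === true,
    party: isFirstParty(domain, pageHost.toLowerCase()) ? "first-party" : "third-party",
    notes: [],
  };
  if (!result.httpOnly) result.notes.push("readable by page scripts");
  if (!result.secure) result.notes.push("may be sent over unencrypted HTTP");
  if (result.party === "third-party" && result.lifetime === "persistent")
    result.notes.push("persistent cross-site identifier");
  return result;
}

// Constructed sample: responses seen while loading https://shop.example/
const SAMPLE = [
  { from: "shop.example", header: "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { from: "shop.example", header: "prefs=dark; Max-Age=31536000; Path=/" },
  { from: "tracker.example", header: "uid=9f2c; Domain=tracker.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None" },
];

function auditSample() {
  return SAMPLE.map(({ from, header }) => classify(header, from, "shop.example"));
}
```

Calling `auditSample()` returns one record per cookie; the `notes` array is empty only for the session cookie that carries both `Secure` and `HttpOnly`.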

When a user visits a website, the first obstruction to their browsing experience is often a notification prompting them to accept all cookies. Then, somewhere typically less obvious, a link to choose your own cookie preferences is displayed. This is where you will find the different types of cookies utilised by the website. Internet users' privacy should be taken seriously.

According to the UK GDPR, cookies are classed as a form of 'online identifier', essentially implying that personal data is contained in the data packet. The key to understanding the urgency behind this lies in the UK GDPR, as Article 4 of Chapter 1 (General Provisions) states: "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

To interpret this in a simplified way, even if a cookie is not directly classed as personal data, the online identifiers collected by the cookies such as social media account handles, MAC addresses or pixel tags can leave traces. These traces of online identifiers can be used in partnership with a unique identifier by those processing the data, which in turn allows users to be distinguished in a way that can expose their identity relatively easily.

I believe the general public should be made aware that when navigating digital society, seemingly harmless and non-personal data being collected could easily lead to a digital version of any given individual being identified by data processors without explicit consent. In the UK GDPR, consent to process a subject's personal data must be made clear. As stated in Article 7 of Chapter 2 (Principles): "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data". This implies that the processing of 'personal data' would be based crucially on the consent of the subject. However, the concept of consent in terms of personal data can easily be misconstrued: as highlighted earlier, personal data can be formed from multiple online or unique identifiers without the need for direct personal data from the subject. This can pose a moral threat, in that different types of third-party cookies could be presented in a skewed perspective, allowing personal data to be collated when the data subject is unaware that they gave their consent to this type of data processing and does not understand the potential repercussions.

We are in an age where we are losing our digital rights and freedom of movement across the internet to centralised systems that encourage the heavy use of unnecessary cookies, damaging chances of anonymity for the internet user. Let us all educate ourselves and spread awareness of the dangers of poor and/or unexpected malicious data practices.
