Cookies are a well-known topic of concern for internet data security. Yet we find ourselves interacting with them every day – mindlessly accepting the cookie banners on websites we visit as we go about browsing the internet. Does it matter?
Here’s everything you need to know about the pros and cons of cookies and how to be mindful of them.
What is a Cookie?
Cookies are small snippets of data created by websites when you visit and browse them. They were first invented in the mid-1990s by a developer for the browser Netscape, as a way to inform the browser if a user had previously visited a particular website.
Cookies sometimes perform essential roles for websites, such as remembering the items saved in your shopping basket on an ecommerce website until you check out.
Other times, cookies are used by advertising companies to retain data about your browsing habits and target ads to you across your browser. Ever wondered how you are targeted over and over with ads for something you once viewed?
The uses of cookies can be categorised into three broad purposes:
- Functional, whereby cookies inform the server of past website activity by this specific user. For instance, when you log in to a site, a cookie maintains your shopping basket as you jump between pages.
- Personalisation means that cookies help a browser remember the activity or preferences of a user. When the user revisits the website, the experience can be tailored to them (such as by remembering your chosen light/dark colour scheme).
- Tracking cookies record user activity to be used for advertising or analytics purposes either to show information customised to you or to present that information back on behalf of the site’s owner.
Types of Cookie
Session cookies
These store user information during one specific site visit, and are deleted either when the browser is closed or after a period of inactivity. Commonly these are used to store confirmation of whether you are logged in or not.
First-party cookies
These come directly from the website you are visiting, and the information contained is restricted to that site. They will remain in your browser between visits, for example when you click “remember me” on a login panel to show your email when you return.
These are generally benign provided the website you are browsing is trustworthy and uncompromised. To aid this, the site owner can mark these cookies so that they are only sent over a secure connection to their web server and cannot be read by scripts running in your browser.
Third-party cookies
Third-party cookies are those that come from companies external to the website you are browsing; one such example is an image served by an advertiser. These are often used to track your behaviour, providing targeted ads on multiple sites you visit, and they can have long lifespans of a year or more. One of the most common third-party cookies on the web is Google Analytics.
Supercookies
Supercookies are known by several names, such as Zombie Cookies or EverCookies. They use combinations of all of the above and more, such as browser “local storage” or specially crafted cache entries, to recreate user information and tracking profiles even when regular cookies have been cleared from your browser. These are almost always used to track user behaviour, such as for advertising purposes, and can be extremely difficult to fully remove.
Are cookies safe?
Generally, cookies are safe. They can only store a limited amount of data and unlike programmed information, cookies cannot easily be hacked or used to install viruses on a computer. However, an insecure cookie – one that is communicated unencrypted or intercepted via third-party scripting on a site – can be a potential security risk for visitors or operators of the origin website. With cookies providing simple information, though, the risk is rarely of high concern.
Instead, the concern most associated with cookies is the privacy of personal data and tracking.
Cookies can be used to allow advertisers to store information about your browsing habits to provide targeted ads that follow you around the web.
But, supposedly, this cannot happen without you knowing about it… laws such as the GDPR, the ePrivacy Directive and the Data Protection Act 2018 mean that operators of sites using cookies have to ask for your informed consent to gather data except where that data is needed for the core site functionality. That’s why there are so many banners online now, asking for your agreement. But often we just click “accept all” without thinking twice…
Taking control of your cookies
While cookies are generally safe, it is a good idea to know that it is not difficult to control them.
Your browser’s preferences or settings will allow you to:
- Delete, block, or allow all cookies
- Block third-party cookies
Many browsers will also let you browse in private or ‘incognito’ mode, which prevents your browsing history or cookies from being stored, or allow you to clear the cookies on a per-site basis.
There are also browser add-ons you can use to control the use of cookies on your browser, such as the Google Analytics Opt-out Browser Add-on which is available for all the main browsers.
Cookie Partitioning
Some modern privacy-centric browsers now offer ‘state partitioning’ – a fancy way of assigning third-party cookies to the site you were viewing when they were set. That way the adverts on a site remain with that site rather than following you around the web, despite the tracking companies’ best efforts to do so.
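The effect of state partitioning can be seen in a toy cookie jar. This is an added example, not part of the original article and not any browser's actual implementation; the site names, the tracker domain and the `uid` cookie are constructed for illustration.

```javascript
// Added example: a toy cookie jar comparing unpartitioned and partitioned storage.
// "shop.example", "news.example" and "tracker.example" are constructed names.
class CookieJar {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.store = new Map(); // storage key -> Map(cookie name -> value)
  }
  // Unpartitioned: keyed on the cookie's own domain only.
  // Partitioned: also keyed on the top-level site the user was viewing.
  key(topLevelSite, cookieDomain) {
    return this.partitioned ? `${topLevelSite}|${cookieDomain}` : cookieDomain;
  }
  set(topLevelSite, cookieDomain, name, value) {
    const k = this.key(topLevelSite, cookieDomain);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }
  get(topLevelSite, cookieDomain, name) {
    return this.store.get(this.key(topLevelSite, cookieDomain))?.get(name);
  }
}

// An embedded third party reuses its visitor ID if it can see one, else mints a new one.
function trackerVisit(jar, topLevelSite, mintId) {
  let id = jar.get(topLevelSite, "tracker.example", "uid");
  if (id === undefined) {
    id = mintId();
    jar.set(topLevelSite, "tracker.example", "uid", id);
  }
  return id;
}

// Visit three pages that all embed the same third party; return the ID it saw on each.
function idsSeenAcrossSites(partitioned) {
  const jar = new CookieJar({ partitioned });
  let n = 0;
  const mintId = () => `visitor-${++n}`;
  return ["shop.example", "news.example", "shop.example"].map((site) =>
    trackerVisit(jar, site, mintId)
  );
}

console.log("unpartitioned:", idsSeenAcrossSites(false));
console.log("partitioned:  ", idsSeenAcrossSites(true));
```

Without partitioning the third party sees one ID on every site and can link the visits; with partitioning it sees a separate ID per top-level site, which still persists when the user returns to the same site.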
The Future of Cookies
Browser manufacturers know that third-party cookies have obtained a poor reputation due to the tracking misuse outlined above. In 2021 Google announced that their market-leading Chrome browser will cease support for third-party cookies in 2024. They are, however, also piloting new technologies to replace them, called FLoC and its successor Topics. These are intended to be ways for advertisers to obtain a generic profile of the site viewer which is shared with many other individuals worldwide, allowing relevant adverts to be shown based upon the type of site viewed recently, while not allowing the advertisers to identify the viewer individually. Typically they last 3 weeks.
Google’s recently introduced Analytics product GA4 is specifically designed so that it can be event-based and work without cookies, unlike previous versions.