Breaking News

Follow the Cookie Crumbs: The Privacy Concerns Behind Data Tracking

To accept cookies or to not accept cookies, that is the question. Find yourself ignoring that relentless cookie consent banner? We all do it, even security pros. The key is to understand the potential privacy infringements or security risks associated with tracking cookies.

Cookies are convenient in some ways because they can retain the authentication information and preferences for a website, and you don’t have to login every time you access that site from your device. Tracking cookies can be valid for some amount of time – perhaps days, weeks or months, or even years (do we really know?). Convenient – Yes. But there’s a trade-off with every convenience. You give some to get some. So, what are we giving away here? Keep in mind that a lot of Personally Identifiable Information (PII) could be saved by cookies, for example, your SSN, credit card details, e-mail address, and more. This means that if the cookies aren’t sent over HTTPS, they may be accessible to an eavesdropping attacker.

Then there are ‘supercookies’. Unlike normal HTTP cookies, supercookies are much harder to detect and are advertisers’ favorite tool to infiltrate your privacy. Supercookies can extract data from your cache files and regular cookies even after being deleted. Supercookies are stored on your network, by your internet service provider, as a “Unique Identifier Header” or UIDH and cannot be easily deleted.

Now, are they getting hold of our personal information or sensitive data? The risk is when these cookies are sent across the web without encryption. Lookup for the lock icon next to the URL (or HTTPS at the beginning of the web address) when entering any PII on forms on the website to help you decide whether or not a site is secured. If in doubt, do not assume that the data is encrypted, and your data cannot be accessed by threat actors.

Types of personal information most at risk include the following:

  • Healthcare – medical records, patient information, etc.
  • Financial – bank account info, SSNs, credit card numbers
  • E-commerce – addresses, credit card numbers, shopping behavior to better target phishing scams
  • Education – research, records

Privacy Regulations

There are a number of data privacy and government regulatory organizations that are helping bolster security and secure data practices. GDPR and CCPA regulations are a positive step forward in protecting users’ personal information and data protection and are imposing stricter requirements on companies that collect our personal data. These regulations also give us rights over our data, including the right to view, move, right to share, and even erase stored information. In years to come, we might see more clarity and better explanations regarding these privacy policies.

Under CCPA laws, if some consumers opt out, businesses will be required to honor their request and not “sell” their data for a period of 12 months.

Thanks to these privacy laws introduced around the globe, we are seeing better measures being introduced by digital businesses. Nowadays, the pop-up that appears at the bottom of your browser window as you visit a new website is all too familiar.

For example, here’s one I recently came across:

“California residents have certain rights with regard to the sale of personal information to third parties. This website and our partners use information collected through cookies or in other forms to improve the experience on our site and pages, analyze how it is used and show personalized advertising.

At any point, you can opt-out of the sale of all of your personal information by pressing Do not sell my personal information. You can find out more in our privacy policy and cookie policy and manage your choices by going to ‘California resident – Do Not Sell’ at the bottom of any page.”

Much appreciation for showing me this message and asking me not to sell my personal information. My question is: what if I did not click on Do not sell my personal information and exit the message instead by clicking on the cross at the top right? What happens then – does it mean “yes sell my info” or “I don’t care?” And what’s really happening when I click Accept or Decline?

By accepting all cookies on the site, we are allowing the site to track our information such as browsing activity, name, login, and more. But what if this information is being shared by a third-party? How do I know which sites I should accept or decline the cookies?

Zach Jones, Sr Director Application Security Research at WhiteHat Security, clarifies. He says, “Depends on the site. Sites are putting that notice to comply with GPDR and CCPA, but whether or not they respect your intent or just find some way around the letter of the law is going to be dependent on the site. In many cases, not clicking, or clicking decline will cause the site to use some mechanism other than cookies for trying to maintain client/server state, which of course is the reason cookies exist.

Are we really able to know whether our data was really removed from their database? Well, it depends on the site and how much they really respect the user’s wishes. Cookies get all the attention because they are the obvious way that sites can track you, but there are plenty of other ways.”

Here’s another notice that was quite succinct:

YOUR PRIVACY IS IMPORTANT TO US

“As a new visitor we’d like to know your preference regarding cookies. If you ACCEPT, this website will store cookies on your computer. These cookies are used internally to improve your website experience and provide more personalized services to you. We will not sell or share your information with others.

For more information please review our full Cookie Policy and Privacy Notice.  

If you DECLINE, we won’t track your information when you visit our site. But in order to comply with your opt-out preferences, we’ll have to use just one tiny cookie so that you’re not asked to make this choice again.”

The cookies will always be there whether you want to eat them or not. However, kudos to the above message, it’s as clear as it should be! Some websites provide good information on their privacy and cookie policy; and here’s one that impressed me, if you’d like to educate yourself further: https://www.theguardian.com/info/cookies

So, while we cannot claim to have extensive and complete privacy on the web, at least we have regulatory organizations helping us achieve some transparency on how advertisers are using our information. There is the possibility of securing our online footprint through knowing more about privacy settings and using more secure browsers.

The simplest advice for websites and businesses is not to gather more information than you really need. The more you store, the more lucrative you make your database for a potential data breach.

Browser Privacy

Most users access the web through Google Chrome, Apple Safari, Microsoft Edge, Opera, and Mozilla Firefox. However, the advice that I often read advice about using Tor if you want to truly keep your browsing private.

It’s good to see the companies doing their bit in helping improve privacy on their browsers. The introduction of past features, such as Safari Intelligent Tracking Prevention, has shown that advertising can continue to be successful while enhancing users’ privacy protections. Mozilla recently released Firefox 85, which boosts privacy protections by adding more comprehensive defenses against “supercookies” and offering network partitioning. The Network Partitioning feature works by splitting the Firefox browser cache on a per-website basis, a technical solution that prevents websites from tracking users as they move across the web. (Source ZDNET)

Summary

Data privacy is a human right, and it is critical for businesses to be transparent with how they are using our information. The three key takeaways from this article:

  1. Although cookies are not malicious, they can be intrusive to our privacy. Guided by the privacy laws and regulatory organizations, we have full rights to accept or reject this intrusion.
  2. Check twice before entering any Personally Identifiable Information (PII) or financial information on a website. Is the website following secure protocols? Should I be sending any sensitive or personal information over a public network? Just stop and check before clicking on the submit button.
  3. The more we are aware and informed the better we can protect our privacy and sensitive data while online. If you are unsure of the amount and sensitivity of the info you have shared online, clear all cookies and on your browser check if you have an option to block third party cookies or block specific sites.
Tags: accept and decline cookies, data privacy, GDPR CCPA, online privacy, tracking cookies