Cookies are text files that are sent from a website and stored in a user's browser when they enter the website. They enable websites to store user information on the user's hard disk so that the information is more quickly accessible between sessions on the website, and the server has less data to store and process. Cookies identify a user through a name-value pair and are assigned a time at which they will be discontinued or expire. A user can be notified when a website is using cookies, or they can choose a setting that prevents cookies from being implemented. The tracking of cookies poses ethical concerns such as user privacy and the ability for parties using cookies to see what sites the user has previously visited.
Setup of a Cookie
Cookies are set using a name-value pair. For example, a sample of a cookie used by goto.com:
In this case, "UserID" is the "name" part of the name-value pair and "A9A3BECE0563982D" is the "value". A cookie also contains a domain, which is the website that issued the cookie. The domain allows the browser to send the right cookies as a user browses a site, and prevents websites from viewing the cookies of another domain. A path value is also stored, to specify which pages within a website the cookie should be sent to.
Session cookies, also called transient cookies, are temporarily stored on a person's computer while the user is browsing on the website. This allows the user to move from page to page on the site. The session cookie is deleted upon closing the browser and is not saved to a user's hard drive.
Persistent cookies - also called permanent cookies or stored cookies - are not deleted when you leave a website. They allow the site to identify individual users repeatedly. These cookies allow a site to keep track of and maintain a user's settings or preferences when the user logs out of a website and later logs back in. The permanent cookie is given a time to live (TTL) before it expires, specified by the website issuing the cookie. The cookie remains in a user's browser until it expires, allowing the user to authenticate themselves with the cookie instead of using their username and password.
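The domain, path and lifetime rules described above, as an added example that is not part of the original page: a simplified model, loosely following RFC 6265, of how a browser stores a cookie and decides whether to send it. Only the Domain, Path and Max-Age attributes are handled, and any hosts, paths and lifetimes passed to it are assumed sample values.

```javascript
// Added example: simplified cookie storage and matching, loosely after RFC 6265.
// Not code from the original page; hosts and lifetimes passed in are sample values.

// True when `host` is `domain` itself or a subdomain of it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Parse one Set-Cookie header received from `requestHost` at time `now` (ms).
// Returns null when the header tries to set a cookie for an unrelated domain.
function parseSetCookie(header, requestHost, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const host = requestHost.toLowerCase();
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: host, hostOnly: true, // no Domain attribute: issuing host only
    path: '/',                    // simplification: real default is the request directory
    expires: null,                // null = session cookie, gone when the browser closes
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    } else if (key === 'max-age' && /^-?\d+$/.test(val)) {
      cookie.expires = now + Number(val) * 1000; // persistent: lives for Max-Age seconds
    }
  }
  return domainMatch(host, cookie.domain) ? cookie : null;
}

// Would the browser attach this cookie to a request for `url` at time `now`?
function shouldSend(cookie, url, now) {
  const { hostname, pathname } = new URL(url);
  const p = cookie.path;
  const domainOk = cookie.hostOnly ? hostname === cookie.domain : domainMatch(hostname, cookie.domain);
  const pathOk = pathname === p
    || (pathname.startsWith(p) && (p.endsWith('/') || pathname[p.length] === '/'));
  const alive = cookie.expires === null || cookie.expires > now;
  return domainOk && pathOk && alive;
}

const cookieKind = (cookie) => (cookie.expires === null ? 'session' : 'persistent');
```

Path matching stops at a `/` boundary, so a cookie scoped to `/shop` is sent for `/shop/cart` but not for `/shopping`.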
First Party Cookies
First party cookies have the same domain that a user is currently browsing. For example, if a user is on Amazon.com, the cookie will have the same domain name: Amazon.com.
Third Party Cookies
Third party cookies have a different domain than what is in the user's address bar. For example, a user may be on Amazon.com, but the cookie could have a domain name other than Amazon.com. Third Party Cookies are the subject of debate when it comes to cookies and privacy. Browsers such as Firefox, Internet Explorer, and Google Chrome allow the use of third-party cookies by default but give users the option to turn third-party cookies off.
Zombie cookies are cookies that automatically recreate themselves after a user initially destroys them. They are stored outside of allocated cookie storage locations, and this allows them to persist after a user deletes their cookies. They can be stored either online or on your computer, and because they do not behave like traditional cookies, they can be attached to your browser even if you have chosen not to allow cookies. This type of cookie was first discovered at UC Berkeley when researchers found they could not delete cookies, as they kept returning. These cookies are often installed and used by web traffic tracking companies, most often for marketing and research purposes. Because they keep tracking a user as they move from website to website, the cookie collects continuous data on the user's browsing patterns and can then return this to the main tracking server. Commonly these are used to retain a user's site ID so that a website appears customized for a user, even for someone who deletes cookies regularly.
Cookies are not viruses, but there have been concerns about privacy on the internet, especially with Third Party Cookies. Cookies of this sort can have the capability to track the data for other sites that a user browses and can allow other sites access to a user's information without the user going to that site, and/or can give a user's information to another site without the knowledge and consent of the user. Zombie cookies can track users across different browsers used by the same computer because the cookies are stored in places that are common between browsers.
This seems unethical because it limits the user's ability to say what they do and don't want collected about them, and because there is no incentive for the user, while the companies that collect this information are profiting from this invasion of privacy. This also goes against the principles of anonymity and privacy in online activities. Even for sites that do not require a login, users are being tracked and their "identity", albeit not their traditional name or other bio-physical factors about them, is being surveilled as it moves across sites.
There is a concern that data about a user can be intercepted by a third party, as the connection between the browser and the website is not encrypted. This would give the third-party actor, possibly an ill-minded one, access to sensitive cookie data, including anything a user has entered into a website themselves, for example by filling out a form online.
With regard to privacy, a major ethical concern regarding Third Party Cookies is their ability to track a user's most frequently visited websites and to store data and patterns about that user's activity online on various web pages. These functions are often used by advertisers to watch what other sites and products the user is viewing. It is often advised to turn off cookies or only accept cookies from trusted or frequently visited sites. Within these sites, cookies help a user who visits the webpage often by remembering their specific information for the frequently visited website. Zombie cookies are also considered a privacy breach, as they can be stored right on your computer and are not removed when a user explicitly expects them to be. There is also concern that cookies give user data to other companies for advertising purposes. This means keeping data on the number of items you buy, what brand you are buying, price ranges you have purchased within before for a product, etc. This data can be used by advertisers to market another product or brand that they think the user might like, based on their data. Some may consider this a privacy breach because they do not want other companies to know their personal preferences without their consent.
Session hijacking is used to gain access to information or services that are not directly provided. Session attackers duplicate data from a user to mislead the communication receiver into believing that the attacker is the original user. The data obtained by the attacker is then replicated and authenticated for future use. Cookies and sessions are not encrypted, which makes it easier for online predators to gain unauthorized access to information and services. There are many different ways to hijack a session. Once the predator obtains the cookie information, they have the ability to monitor and trace a user's network traffic, which could potentially contain sensitive information.
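A check a site owner can run against this exposure, as an added example that is not part of the original page: it audits a Set-Cookie header for settings that leave the cookie readable in transit or replayable for a long time. `Secure` and `HttpOnly` are standard cookie attributes the page does not discuss; the finding codes and the 30-day limit are assumptions made for this sketch.

```javascript
// Added example: audit one Set-Cookie header for interception and replay exposure.
// The finding codes and the 30-day lifetime limit are assumed policy values.
const MAX_AUTH_LIFETIME_S = 30 * 24 * 3600;

// `pageScheme` is the scheme of the response that carried the header.
function auditSetCookie(header, pageScheme) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attrs = new Map(rest.filter(Boolean).map((a) => {
    const i = a.indexOf('=');
    return i < 0 ? [a.toLowerCase(), ''] : [a.slice(0, i).toLowerCase(), a.slice(i + 1)];
  }));

  const findings = [];
  // Set over an unencrypted connection: the value is visible on the network.
  if (pageScheme !== 'https') findings.push('PLAIN_HTTP');
  // Without Secure the browser also attaches the cookie to plain-HTTP requests.
  if (!attrs.has('secure')) findings.push('NO_SECURE');
  // Without HttpOnly any script running in the page can read the value.
  if (!attrs.has('httponly')) findings.push('NO_HTTPONLY');
  // A long-lived cookie stays usable by whoever copied it until it expires.
  if (Number(attrs.get('max-age')) > MAX_AUTH_LIFETIME_S) findings.push('LONG_LIVED');
  return { name, findings };
}

// Constructed sample headers, not captured from any real site.
const sampleHeaders = [
  ['session=0a1b2c; Path=/', 'http'],
  ['session=0a1b2c; Path=/; Secure; HttpOnly; Max-Age=3600', 'https'],
  ['remember=xyz; Secure; HttpOnly; Max-Age=31536000', 'https'],
];
for (const [header, scheme] of sampleHeaders) {
  const { name, findings } = auditSetCookie(header, scheme);
  console.log(name, findings.length ? findings.join(', ') : 'ok');
}
```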
Cookies that are used to authenticate a user to a website (such as Facebook) can be used to track user behavior on third-party websites. A third party website may contain images that are pulled from Facebook, such as the like button. When the image is downloaded from the browser, Facebook identifies the user's cookie and associates that third party website visit to the user. Facebook is able to identify the user without them clicking or interacting with the page. Simply loading the page allows for data collection. Browser extensions such as Ghostery allow a user to block tracking technologies.
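The third-party cookie definition and the embedded-image tracking described above, as an added example that is not part of the original page: it scans a browser request log for third-party hosts that received a cookie while the user was on several different sites, which is the condition that lets one party link those visits. All hosts and log entries are constructed, and the two-label `site()` shortcut is an assumption standing in for the Public Suffix List.

```javascript
// Added example: find third-party hosts able to link one browser's visits across sites.
// Every host and log entry below is constructed for illustration.

// Naive "site" = last two labels of the hostname. Real browsers use the
// Public Suffix List; this shortcut is wrong for names like example.co.uk.
function site(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Each entry: the page in the address bar, the URL actually fetched, and
// whether the browser attached a cookie belonging to the fetched host.
const requestLog = [
  { page: 'https://news.example/story', url: 'https://news.example/style.css', cookie: true },
  { page: 'https://news.example/story', url: 'https://img.news.example/a.jpg', cookie: true },
  { page: 'https://news.example/story', url: 'https://widgets.social.test/like.png', cookie: true },
  { page: 'https://news.example/story', url: 'https://cdn.static.test/lib.js', cookie: false },
  { page: 'https://shop.example/cart', url: 'https://widgets.social.test/like.png', cookie: true },
  { page: 'https://shop.example/cart', url: 'https://cdn.static.test/lib.js', cookie: false },
  { page: 'https://shop.example/cart', url: 'https://ads.market.test/pixel.gif', cookie: true },
  { page: 'https://blog.example/post', url: 'https://www.social.test/like.png', cookie: true },
];

// Third-party sites that received a cookie on at least `minSites` first-party sites.
function crossSiteObservers(log, minSites = 2) {
  const seen = new Map(); // third-party site -> Set of first-party sites
  for (const { page, url, cookie } of log) {
    const first = site(new URL(page).hostname);
    const target = site(new URL(url).hostname);
    if (!cookie || target === first) continue; // first-party, or no identifier sent
    if (!seen.has(target)) seen.set(target, new Set());
    seen.get(target).add(first);
  }
  return [...seen]
    .filter(([, sites]) => sites.size >= minSites)
    .map(([host, sites]) => ({ host, sites: [...sites].sort() }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

console.log(JSON.stringify(crossSiteObservers(requestLog)));
```

Hosts that receive no cookie, such as the static file host in the sample log, are not reported because they get no identifier to join the visits on.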
Consumers have since been adapting to practices like these from major online commerce sites. A common solution is to simply delete your cookie history. Another solution is to use Google Chrome Incognito. Chrome Incognito ensures that your browsing history, cookie storage, and other sensitive information will not be kept.
Such behavior raises the debate over whether or not agencies and companies have the moral right to use user-specific data. Many situations are viewed on a case-by-case basis. For instance, the NSA has in the past used Google cookies to pinpoint targets to "hack" and surveil. The NSA has found particular use in a Google-specific tracking technology called the "PREF" cookie, which contains numeric code that allows the NSA to specifically track an individual's browsing data.
Laws Regarding Online Privacy