Law against cookies


In May 2011 the European Union changed the law that covers the use of electronic communications networks to store information, e.g. using cookies, or to gain access to information stored in the terminal equipment of a subscriber or user. One year later, in May 2012, the law was updated to the effect that implied consent was not enough. “You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.”

The Netherlands, as a member of the European Union, had to come up with its own version. And it had to do so in a hurry to avoid being fined. As a result, for a few months now, a law regulating the use and awareness of internet cookies (officially Artikel 11.7a of the Telecommunicatiewet) has been forcing websites in the Netherlands to inform their users about what cookies are being used on the site and what purpose they serve, and to ask the user for authorization to enable them. Where the European guidelines only insisted that the user had to give permission for cookies to be placed on his computer, the Dutch law states that explicit permission is needed, along with an explanation of what information is being stored and for what purpose.


One of the results of the Dutch law is sites presenting visitors with pop-ups like this one, asking the visitor to accept the cookies and continue, while offering information about cookies and how they use them. This is mandatory for all sites aiming at a Dutch audience. I chose this one because their text says it all. “Sorry to bother you, but the government wants us to tell you that we use cookies.”

What was the reasoning behind this law?

First of all we need to understand what cookies are. Basically they are simple text files storing information on your computer. Looking at the origin we have first party and third party cookies. First party cookies are put on your computer by the site you are visiting, third party cookies are put on your computer by other parties that have content on that site, for example advertisers.

Then there is a distinction in how much information a cookie stores. Basically each cookie has information about who you are (on that site) and usually some information about what you have done on that site. Consider for example a forum where the cookie on the server remembers for a set period of time who you are, so you do not have to log in every time you visit. Or an online shop where a cookie can be used to keep track of what is in your shopping cart. Taking it one step further, forum cookies usually store which threads you have already read, your settings etc., although nowadays this is usually stored on the server.

As briefly mentioned already, the expiry date is an important property of a cookie. Life-spans range from session IDs, which are forgotten as soon as you end your visit to the site, to many years. If the cookie does not specify a certain amount of time, it expires as soon as you close your browser.


Showing the specifics of one cookie


A list of cookies and their expiry date
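The two distinctions described above (first party versus third party, and session versus long-lived) can be read straight from the `Set-Cookie` header a server sends. The following is an added example, not part of the original article; the host names and header values are constructed, and the two-label "site" comparison is a simplifying assumption.

```javascript
// Added example. Host names and header values are constructed sample data.

// Naive "site" of a host: its last two labels. Assumption: real browsers
// use the Public Suffix List, so this is wrong for suffixes like co.uk.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Life-span in seconds from `now`, or null for a session cookie.
// Max-Age takes precedence over Expires (RFC 6265).
function lifespanSeconds(cookie, now) {
  if ('max-age' in cookie.attrs) return parseInt(cookie.attrs['max-age'], 10);
  if ('expires' in cookie.attrs) {
    const t = Date.parse(cookie.attrs.expires);
    return Number.isNaN(t) ? null : Math.round((t - now.getTime()) / 1000);
  }
  return null;
}

// pageHost: the site in the address bar; responseHost: who sent Set-Cookie.
function classify(pageHost, responseHost, header, now = new Date()) {
  const cookie = parseSetCookie(header);
  const life = lifespanSeconds(cookie, now);
  return {
    name: cookie.name,
    party: siteOf(pageHost) === siteOf(responseHost) ? 'first' : 'third',
    kind: life === null ? 'session' : 'persistent',
    days: life === null ? null : Math.round(life / 86400),
  };
}

const now = new Date('2013-02-14T00:00:00Z');
console.log(classify('shop.example.nl', 'shop.example.nl', 'cart=3f9a; Path=/', now));
console.log(classify('shop.example.nl', 'ads.adnet.example',
  'uid=77; Expires=Sat, 14 Feb 2015 00:00:00 GMT; Path=/', now));
```

A cookie that comes back as third party and persistent with a life-span of years is the profile of the tracking cookies discussed next.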

That is all very useful to both sides, the visitor and the site. The objections to cookies are usually about the so-called “tracking cookies”. Tracking cookies are third party cookies that save and exchange information about the sites you have visited and the advertisements you have seen.

So, while cookies pose absolutely no danger to you or your computer, because they are not executable, there are privacy issues to consider. And the government decided they wanted to protect us. Let us demonstrate how you can do that yourself.

How do I delete and control cookies?

At some point you may want to remove the cookies from your browser. Below you will see how to do that for a couple of popular browsers. But before you do get rid of all of them, let me warn you that you may regret doing so. Your favorite sites will forget who you are and you will have to log in where you normally were automatically accepted.

Internet Explorer: Tools > Internet Options > General tab > under Browsing history > hit Delete and put a checkmark in the “Cookies” box and think once more, because this is an all or nothing method, before you hit “Delete”. For a more detailed description: How to delete cookie files in Internet Explorer

Chrome: Menu > Settings > Show advanced Settings > under Privacy > click Content Settings > under Cookies > click All cookies and site data to get an overview. Here you do have a choice on what to delete, separately or all of them in one sweep. For a more detailed description: Manage your cookies and site data

Firefox: click on the Firefox button > Options > Privacy > Show Cookies. Here you will see options to Delete all cookies or search for specific ones you want to delete. For a more detailed description: Delete cookies to remove the information websites have stored on your computer

Opera: click the Opera button > Settings > Delete Private Data > Detailed options > Manage cookies. Here you will see an overview of the stored cookies and an option to delete them separately. For more information: Cookie tips

At the links I have provided for Chrome, Firefox and Opera you will also find information on how to have some more control over which cookies get stored on your computer. Internet Explorer has the controls on the Privacy tab under Tools > Internet options.

As you can see it offers several modes of selecting what you will allow.


How does Malwarebytes Anti-Malware help me with my cookies?

Malwarebytes Anti-Malware does not detect tracking cookies. As explained earlier tracking cookies are not malware or harmful to a user. Tracking cookies can be removed at any time from within your browser as shown above.

Can cookies be read by third parties?

No, cookies are designed to be read by the server that placed them. But here is the catch. If the same server displays advertisements, or other content, on more than one website (and in the case of the big advertisers the number can be huge), it can read the cookies you got from it on another site. This allows advertisers that are present on a lot of sites you visit to build some knowledge about where you have surfed and where your interests lie. Ever noticed that after searching for, say, a car, you see more advertisements about cars (and loans) for a while? This shows you that you are being tracked. This is often without the advertisers actually knowing who you are, because you didn’t provide that information to them. Or did you? Not likely. They can’t read the information you provided to the site you were visiting, after all.
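To see which third parties are in a position to link your visits in this way, you can check a record of your own browser's requests for cookies that went to the same outside host from several different sites. The following is an added example, not part of the original article; the log format (`pageHost`, `requestHost`, `cookieHeader`) is hypothetical and all host names and cookie values are constructed.

```javascript
// Added example. The log format (pageHost, requestHost, cookieHeader) and all
// host names and cookie values are constructed for illustration.

// Naive "site" = last two host labels. Assumption: browsers use the Public
// Suffix List instead, so this is wrong for suffixes like co.uk.
const registrableSite = host => host.toLowerCase().split('.').slice(-2).join('.');

// Return cookies that were sent to the same third party from >= minSites sites.
function findCrossSiteCookies(requests, minSites = 2) {
  const seen = new Map(); // key -> { tracker, cookie, sites: Set }
  for (const { pageHost, requestHost, cookieHeader } of requests) {
    const page = registrableSite(pageHost);
    const tracker = registrableSite(requestHost);
    if (page === tracker || !cookieHeader) continue; // first party, or no cookie sent
    for (const cookie of cookieHeader.split(';').map(s => s.trim()).filter(Boolean)) {
      const key = JSON.stringify([tracker, cookie]);
      if (!seen.has(key)) seen.set(key, { tracker, cookie, sites: new Set() });
      seen.get(key).sites.add(page);
    }
  }
  return [...seen.values()]
    .filter(e => e.sites.size >= minSites)
    .map(e => ({ tracker: e.tracker, cookie: e.cookie, sites: [...e.sites].sort() }));
}

// Constructed browsing log: one entry per request the browser made.
const sampleLog = [
  { pageHost: 'www.cars.example', requestHost: 'static.cars.example', cookieHeader: 'session=abc' },
  { pageHost: 'www.cars.example', requestHost: 'ads.adnet.example', cookieHeader: 'uid=77' },
  { pageHost: 'news.example.nl', requestHost: 'cdn.adnet.example', cookieHeader: 'uid=77; lang=nl' },
  { pageHost: 'news.example.nl', requestHost: 'widgets.social.example', cookieHeader: 'sid=9' },
  { pageHost: 'www.loans.example', requestHost: 'ads.adnet.example', cookieHeader: 'uid=77' },
];

for (const f of findCrossSiteCookies(sampleLog)) {
  console.log(`${f.tracker} received ${f.cookie} while you visited: ${f.sites.join(', ')}`);
}
```

Only the `uid=77` cookie is reported: the shop's own session cookie is first party, and the other third-party cookies were each seen from a single site.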

So what is all the fuss about?

While the Dutch law has certainly raised awareness, it is doubted whether it was worth all the trouble. For websites that have had to install routines for all visitors and offer explanations about which cookies they use and what for, it was only time and money with no return income. For the visitors that are confronted time and time again with this, even on sites where they have been customers for years, it is starting to get mighty annoying. For the OPTA, which is supposed to uphold the law, it is hard enough to check up on and reprimand the sites based in the Netherlands. How are they going to enforce the law regarding the many online stores from abroad that happen to have a Dutch version of the site? Fortunately the law has been adapted so that cookies that are absolutely necessary for the proper function of the site are allowed. Under that exception, online stores that only use cookies to keep track of what is in the shopping cart should be good to go on doing as they did.

Summary

Cookies are a useful tool for sites in their interaction with users. Although there are possible privacy issues, these are relatively easy to control by the user, so the Dutch law is argued to be a bit overboard.


The European guidelines: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

The exact text of the law: http://wetten.overheid.nl/BWBR0009950/Hoofdstuk11/111/Artikel117a/geldigheidsdatum_14-02-2013

A guide on cookie legislation compliance – http://comparitech.net/cookie-legislation

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.