Reaching for the (virtual) cookie jar
What are computer cookies, how do they work, and are they necessary?
Internet or computer cookies, much like their edible counterparts, come in all different shapes and sizes, each with distinct characteristics and functions. In this post, we’ll explore the different types of computer cookies, what they’re used for, and whether they’re necessary.
What are cookies?
Cookies are small text files stored in your internet browser containing information intended to track user activity, generally aimed at improving your browsing experience. They can be created by the site you’re visiting (first-party cookies) or by other sites that own some of the content, like ads or images, you see on the webpage you’re visiting (third-party cookies).
These cookies are designed to track various things, thus, there are many different types of cookies. Some of these are listed below. Note, this is a basic classification, and it doesn’t necessarily adhere to a “standard.” Different websites may use different terms for these cookies, so it’s crucial to understand what you’re accepting.
Authentication Cookies
These cookies are used to track a user’s login session. This way, whenever a new page loads or the site refreshes, the user is still logged in - usually for a set maximum period of time. If you’ve ever logged into your email on the browser, logged off your computer, logged back into your computer several hours later, opened the browser and you’re still logged into your email - this is because there are authentication cookies being used to keep your login session.
For example, when you log into a school, work, or personal Microsoft account, you might be prompted with the option to “Stay logged in”. What this does is it saves the cookies in your browser to keep you from having to log into each new platform every time.
Session Cookies
Differing from authentication cookies, these are designed to track what you do and what is saved in your session. Rather than having the sole purpose of verifying you are who you say you are, like authentication cookies, session cookies track what you’ve saved or updated in your session to keep those changes for the duration of your session. These are erased when you close your browser.
Persistent Cookies
Unlike session cookies, persistent cookies remain in your browser until they are manually deleted or until they reach their set expiration date. These cookies often store preferences to enhance your browsing experience over time.
Tracking Cookies
Marketing teams employ tracking cookies to monitor which pages or products you browse, enabling them to produce targeted ads. However, this aspect of cookies can raise ethical questions. While it’s understandable for a company like Google to want to learn more about their customers to optimize advertising, this approach can sometimes blur ethical boundaries. It can feel akin to someone monitoring CCTV footage across all stores you visit to deduce your preferences.
Physical customer tracking has posed challenges for retailers in the past. Recent solutions include WiFi Analytics, which measures a customer’s phone’s WiFi signal strength to track their movements within the store.
Understanding the Role of Cookies in Privacy and Cybersecurity
Cookies can be exploited in several types of cyberattacks, such as cross-site scripting (XSS) or cross-site request forgery (CSRF). Therefore, understanding how to manage them is essential for safe browsing.
The use of cookies, particularly third-party cookies, can have a large impact on user privacy. Cookies can help companies build a profile of users’ internet behaviour, which can then be used for targeted advertising.
Legal Regulations Around Cookies
Various regulations worldwide, such as the General Data Protection Regulation (GDPR) in Europe, mandate companies to get users’ consent before using certain types of cookies. You’ve likely seen cookie banners on websites asking for your consent in compliance with these laws.
Are cookies necessary?
Certain cookies, like authentication cookies, are essential. However, while cookies generally aim to enhance your browsing experience, they also enable companies to track your activity to streamline their advertising strategies.
Do I have to allow cookies?
No. In security, we use the term of zero trust, or the principle of least privilege when deciding how to delegate access to certain files. For example, if you’re in the sales department, you’re not going to need access to the files in the operations department for your normal work, so we won’t give you access to it. This same principle should apply when companies ask for data or permission to track you (cookies).
How do I block cookies?
Websites typically prompt you to either “accept all” cookies, “reject all” cookies, or selectively accept/reject cookies. However, complying with these preferences depends on the website itself, so it does not always guarantee that cookies won’t be used.
Fortunately, privacy-focused browsers such as Brave, Firefox and Opera (to name a few) that either contain plugins that allow cookies to be blocked automatically, or have a built in option (like Brave).
TL;DR
Cookies are text files containing user information used for various purposes, ranging from authentication to tracking user activity. Cookies have significant implications for both user privacy and cybersecurity. Remember, you don’t always have to ‘accept all’ cookies when you visit a website and, as good privacy practice, it might be better to ‘reject all’ that you can.