'Bittersweet Cookies': New Types of 'cookies' Raise Online Security & Privacy Concerns in EU Agency Paper

By Enisa - European Network And Information Security Agency, PRNE
Wednesday, February 16, 2011

BRUSSELS and HERAKLION, Greece, February 18, 2011 - The EU's 'cyber security' Agency ENISA has published a paper on the
security and privacy concerns regarding new types of online 'cookies'. The
advertising industry has led the drive for new, persistent and powerful
cookies, with privacy-invasive features for marketing practices and
profiling. The Agency advocates, for example, that both the user's browser and the
origin server must assist informed consent, and that users should be able to
easily manage their cookies. The Agency recommends a thorough study of the
different interpretations in the Member States once Directive
2009/136/EC has been implemented, by 25 May 2011.

The new Agency Position Paper identifies and analyzes cookies in terms of
security vulnerabilities and the relevant privacy concerns. Cookies were
originally used to facilitate browser-server interaction. Lately, driven by
the advertising industry, they are used for other purposes, e.g. advertising
management, profiling and tracking. The possibilities to misuse cookies
both exist and are being exploited.

The new types of cookies support persistent user identification and lack
transparency about how they are being used. Their security and privacy
implications are therefore not easily quantifiable. To mitigate the privacy
implications, the Agency recommends, among other things, that:

    - Informed consent should guide the design of systems using cookies; the
      use of cookies and the data stored in cookies should be transparent to
      the users.
    - Users should be able to easily manage cookies, in particular the new
      cookie types. As such, all cookies should have removal mechanisms that
      are easy for any user to understand and use.
    - Storage of cookies outside the browser's control should be limited or
    - Users should be provided with another service channel if they do not
      accept cookies.

The Executive Director of ENISA, Prof. Udo Helmbrecht, underlines:

"Much work is needed to make these next-generation cookies as
transparent and user-controlled as regular HTTP cookies, as to safeguard the
privacy and security aspects of consumers and business alike."

Dr. Jose Fernandes, Director of Department for Development
Support and Academia, Microsoft Portugal, stated: "Every year more businesses
come online using the Internet. [...] Security and privacy are key to make
this happen, so end-user and business people can fully trust online services.
ENISA has a great role to play in this space and I congratulate them for putting
forward this study."

The EU Member States (MS) must transpose Directive 2009/136/EC into
national law by 25 May 2011. The Directive underlines the need for valid
consent by the user and for users to receive prior and clear information.
Thus, the Agency advocates a study of the MS' implementation measures after
the transposition deadline.

For the full paper: www.enisa.europa.eu/act/it/pat, or

(Due to the length of the URLs, it may be necessary to copy and paste
the hyperlinks into your Internet browser's URL address field. Remove the
space if one exists.)

For interviews, or further details: Ulf Bergstrom, Spokesman, ENISA, press at enisa.europa.eu, Mobile: +30-6948-460-143; or Rodica Tirtea, Expert, ENISA, rodica.tirtea at enisa.europa.eu.
