Ritwik Tyagi is a fifth year law student at MNLU, Nagpur.
Introduction
In cyberspace as it exists today, there is hardly any website which does not depend upon the usage of cookie functionality. From an e-mail client and streaming platform to blogs and gaming portals, almost all of them incorporate the use of cookies for very basic operations that users can carry out on these websites. In fact, over the last couple of years, we have all observed that a pop-up outlining the cookie statement comes up whenever we open a website. In order to proceed with browsing, we have to agree to the use of certain necessary cookies, whereas other additional ones can be refused. It often gets confusing for web users to decide whether they should allow cookies from the website or not, since the policy clearly mandates that the cookie will effectively track the data that is generated by users. Further, a doubt also arises in a user’s mind as to which cookies are really necessary and which ones are not useful to their browsing experience.
Cookies: A Primer
Basically, a web cookie is a text file that contains pieces of data. For example, the first time you visit a news site, a cookie is created that stores a set of keys that will be used to identify your computer on the next visit. Moreover, if you select certain preferences for the sort of news you wish to read and in what language, then this data will also be collected and stored. The next time you visit this news site, data stored in this cookie will be processed by the server to identify the computer network and use previously collected data of your preference to model further interactions in a manner which is specifically suited to you. This is an example of a very basic Hyper-Text Transfer Protocol (HTTP), which is used in transferring files over the internet) cookie that is helpful in making browsing easier for users. Without the use of this cookie, e-commerce portals like Amazon or Flipkart would not be able to save items that users add to their shopping carts once the page is closed.
There are several other benefits to web cookies for both users and developers. For the latter, one of the most crucial advantages is that the cookies are all stored locally on the user’s device and do not require space to be cleared on the server. Thus, cookies are an extremely effective and cost-efficient way of storing user information and personalising their experience without actually investing in server space. Cookies also let websites recognise users and personalise various elements, such as advertising. In consideration of all these benefits, cookies seem to be a very favourable tool for users and developers alike. However, there is a flip side to the use of cookies, which becomes apparent on further analysis.
Risk Factors
A cyber attack can potentially target the cookies stored on a computer and gain access to all sorts of data which is stored in them, such as passwords, codes, and other sensitive information. This will also allow a hacker to keep track of a user’s browsing sessions and histories, thus leading to a breach of privacy at the very least. The level of threat posed by a cookie depends largely upon its source. First-party cookies are made by the website being used, while third-party cookies are made by websites other than the one being used.
In the case of a first-party cookie, the data will generally remain safe unless the host website itself has not been compromised, leading to a user data breach. On the other hand, it is difficult to even keep track of how many cookies have been granted access to a user’s data because of the numerous advertisements that any website has on its pages, and these types of cookies are then utilised by the advertisers to assess the user’s browsing history by matching and identifying their data with cookies derived from other websites. Let us take an example that user A visited an e-commerce website X which contained advertisements for a company M. The cookie placed by M will record a unique identification for A’s device. Subsequently, when A visits another portal Y, which also has advertisements for M, the cookie which records A’s identification will be able to match this data and interpret that A is the same person visiting both websites. Thus, it becomes very easy for an advertising company to track a user’s movements in cyberspace through the use of third-party cookies.
In this section, the author will attempt to analyse the cookie policies of certain popular websites. To begin with, let us take the portion of Google’s Privacy and Terms which talks about their use of cookies. In the most basic sense, Google uses cookies to store user preferences such as language and advertisement relevancy, as well as to analyse visitor counts for a particular page. It is provided that “most people who use Google services have a cookie called “NID” in their browsers. This cookie contains a unique ID that is used to remember your preferences and other information such as your preferred language, how many search results you prefer to have shown on a results page (for example, 10 or 20), and whether you want to have Google’s Safe Search filter turned on. Each NID cookie expires 6 months from a user’s last use.”
YouTube also employs cookies to store user preferences regarding page configuration, autoplay, etc., as well as for security purposes to help “authenticate users, prevent fraud, and protect users as they interact with a service.” In addition to these, there are personalisation and advertising cookies as well, which Google uses for displaying ads and measuring their effectiveness so that more relevant advertisements can be shown. Twitter’s Cookie Policy provides an upfront list of services for which cookies are used, such as to “keep you logged in to Twitter; deliver features and functionality of Twitter services; save and honour your preferences; personalize the content you see; protect you against spam and abuse; show you more relevant ads; provide subscription features and distribute certain content; understand how you interact with our services and where we can improve.”
It is stipulated that Twitter also allows third-parties, such as those who incorporate Twitter’s advertising services, to make use of these cookies and related data. However, there is no option for a user to reject the use of any cookie being used by Twitter, and the use of their services is taken to imply the acceptance of being subjected to these cookies. When a person is signing up for a new account on Twitter, a small message is displayed below the ‘Sign Up’ button which reads, “By signing up, you agree to the Terms of Service and Privacy Policy, including Cookie Use.” The Wikipedia cookie statement, on the other hand, states that no cookie is actually required for reading or editing any of the content on their websites. In the event that a user wishes to sign up with the website for the purpose of making edits, then the use of cookies would be required in order to associate account data with the user and the edits that they perform.