Cookies have become slightly more controversial, especially with changes to the legislation on the matter. These changes are another example of recent bad law which is made with no understanding of how the internet actually works, and no understanding of the implications of the law. Either the law is widely ignored, which means another law we are all breaking and could be used against us at any time, or it is used as written and just breaks the whole internet. Either way it is bad. This web page should explain what cookies are and what they do and how they can be mis-used by some people.
Basics on web pages
When you access a web page you are using a web browser to get information from one or more servers via the Internet. Your browser collects various bits of information (web pages, images, and so on) and displays it to you in a nice formatted way. That is the simple bit.
Quite often the web pages you get are created specially for you as part of some on-line process, such as on-line ordering from a shop, or on-line management of some application.
When the browser requests information from the web server, it says what it wants and the server sends the response (a file for want of a better word). The server also sends meta-data in various headers. This is just information about the data (the file). You will be familiar with files on your computer and that they have extra information that is not in the file itself but about the file, such as filename, last modified date/time, access permissions and so on. The same is true for the file sent by the server - there is a whole set of extra information about the file which your browser stores and uses in various ways.
A cookie is simply part of the extra information sent back with the response from a web server. It is a bit different to the other data sent back as it typically relates to the whole web site and not just the file in question. It usually contains a small name and value. The value is often some random string of letters or numbers that are a unique identifier. Sometimes the string might include your login name or some reference you recognise and is part of some login process on the web server.
The key thing about the cookie is that when the web browser asks for another file from the same web site, the cookie information (as well as some of the other meta data) is sent in the request to the server.
Having some of the information that was sent to the browser then sent back at a later date is not new. Cookies are not new. Every time you follow a link on a web page, the link itself is information that was sent to the browser and is now being sent back. That link could contain information allowing the server to identify that you are the same person that requested the previous page, and so establish a session. A session is just series of web page requests from the same person that are all linked together, usually starting with some sort of login process.
Cookies are often used to allow the server to identify that it is the same browser (and so probably the same person) accessing the site at a later date. This could be for may reasons.
- It could be simply to allow the number of distinct users to be tracked in web site statistics rather than just number of pages requested.
- It could be used to allow a session to be established, allowing the user to manage some virtual resource on the server such as a shopping basket.
- It could be used to allow a user to log in to something, and continue to access it in future without logging in again - perhaps even permanently.
- It could be used to hold some simple preferences the user has for use of the web site such as font size or languages, or even information for managing disabled access to a web site without having to repeat those preferences on every visit.
What is the issue?
There are two main issues. One is simple paranoia. People look at the list of cookies on their browser and are shocked. If they looked at the cache list they would be more shocked I am sure. The shock is that they simply did not know that this is how web sites work. It does not itself mean anything sinister is going on or any problem. You have control. You can set the browser to store no cookies, or only some. You can delete the cookies. Try browsing without cookies enabled at all and see how much hassle it is!
However, there is another issue. Some companies are in the business of providing advertising on web sites. The sites link to them to have them serve the advertising images that are then included by the browser in the web page as shown. The web page showing the advert gets revenue from this, and many web sites only run because of this revenue (much like advertising TV is paid for by the adverts). Just like TV people do not like the adverts, but they are the price you pay for having the web site there for free.
The advertising companies are quite clever in what they do, and this is what is causing concern. For some reason people (including me) do not like the idea of some third party profiling what I like to visit on the internet and using that to target adverts. To be honest I cannot see a good reason why I do not like this. It is a basic privacy concern, but at the end of the day they don't know who you are, they are just making adverts more targeted. They do this based on your location as well (based on your IP address, and often getting it wrong). Some people would argue that better targetted adverts are less annoying as they are more the things you would want to buy. Others just see it as an invasion of privacy.
Whatever you think, it is clear that some people really hate this and so it is necessary to give people information that it is happening an choice about it happening. The fact it is happening is not really hidden. The choice about it happening? Well, on Firefox here I can go in to the privacy settings and say "Accept third party cookies: No". Job done. I no longer send cookies to third parties. Indeed, browsers could easily have this as the default, and I suspect some do.
How do cookies come in? Well, basically, when your browser gets the image from the advertising site the site sends back a cookie. This is only ever sent back to the advertising company and not anyone else. What it means is the advertising company know it is your browser every time. They also know the site from which the image was included. So they can see that you (or rather some unknown web browser) likes certain web sites. They can build up a pattern. If you go to a lot of web sites about fishing, they might start serving adverts for fishing equipment to you even when you go to a totally different web site. They can target the adverts. This sort of cookie is called a third party cookies because it is sent from and sent back to a web server that is not the main web page you were accessing.
What is wrong with the legislation?
The legislation did allow things like cookies as long as people could say no. The settings in the browser provided that option. The change is that people now have to give specific consent, not just have the option to turn off cookies in their web site! The exception is where strictly necessary for the service that was requested (e.g. shopping baskets).
This is a problem. There are several problems in fact:-
- Cookies are a normal part of the web. They are used to session track simply to get better web site statistics. They are used to hold preferences for sites - even if the end user has not requested any specific service. They are normal, and making that use illegal is just silly. That usage is not something anyone is upset about. It is the targeted adverts people do not like.
- Cookies are just one of the bits of information stored, but the legislation covers it all, and lots of information is stored (caches of every page and image, modification dates, etc). Most of that storage is not strictly necessary and for most web pages no service has been requested by the end user. So all web sites break the law anyway, so how is using cookies any more breaking the law?
- There is also the point that a web server does not actually store anything anyway - it is all done by the web browser. If anyone is breaking the law it is the end user themselves as they are the one that installed the browser and configured it. If stuff is stored by their browser without their informed specific consent (!) then have they broken the law themselves. That seems crazy, but the server clear does not actually store anything. It just sends information in response to a request.
- There are ways that the advertisers could do this without cookies. One simple thing that springs to mind is the Last-Modified date on a file which is normally sent back in any later request for the same file as an If-Modified-Since. This could be used to give each distinct user a specific date/time as the last modification date/time for an image served as part of many web sites. This would work in the same way as a cookie but not be a cookie. It shows that the legislation has to cover all of the data stored to have effect. It does cover all data stored. The problem is that some data is stored regardless on every web page every time, so to work for the advertising case, the law has to make every web site illegal. That is bad law.
- The law only applies to EU, so web sites simply have to be operated outside the EU and problem solved - lets drive business away from the UK as well as ensuring the problem is not fixed.
Should I be worried?
If you run any web server, or are responsible for one, i.e. almost any company and a lot of individuals in the UK (and your facebook page might count!), you are probably breaking the new law. Does that worry you?
If you are concerned about people profiling your web access, change the settings on your browser to stop it. You can even use in-cognito mode that some browsers have to deliberately make access to some web sites leave no trace.
If you think the legislation will have any impact on people profiling your web site access, please re-read this web page. It will not. It only applies to EU anyway, and is clearly going to be a totally ineffective bit of legislation.