Information Security Issues and Regulations on Web Cookies

Xiangwan Li

What are Cookies?
  • Cookies are text files holding small pieces of data, such as a username or a login token, that are used to identify your computer as you use a computer network.
  • The browser acts as the bridge. Cookies held only in RAM while the browser is running are called session cookies; cookies written to the user's local hard disk, which remain after the user leaves the site, are called persistent cookies.

How do Cookies generally work?
  1. Data stored in a cookie is created by the server upon your connection. This data is labeled with an ID unique to you and your computer.
  2. When the cookie is exchanged between your computer and the network server, the server reads the ID and knows what information to specifically serve to you.

What are Cookies used for?
  • Session management. For example, cookies let websites recognize users and recall their individual login information and preferences, such as sports news versus politics.
  • Personalization. Customized advertising is the main way cookies are used to personalize your sessions. You may view certain items or parts of a site, and cookies use this data to help build targeted ads that you might enjoy.
  • Tracking. Shopping sites use cookies to track items users previously viewed, allowing the sites to suggest other goods they might like and keep items in shopping carts while they continue shopping.

Technical Cookies

Technical cookies are essential to the proper operation and experience of a website. For example, they allow users to navigate between different parts of a site and use certain functions. If you reject these cookies, some parts of the site may not function properly.

Profiling Cookies

Profiling cookies (also known as functional cookies) allow websites to remember users' choices (such as language choices) and behavior trajectory, allowing websites to personalize the user's subsequent experience.

Third Party Cookies

These cookies are set by a third party other than the site owner, such as Google Analytics, and can help the site owner measure how users interact with the site's content.

Cookie validity period

The cookie validity period is the length of time that cookie data is retained in the browser or client; it is independent of whether the browser is closed.

Cookie Authorization mode for collecting information: explicit and implied

Currently, the industry obtains authorization for cookies mainly through agreements and statements, which are issued either as a separate document or embedded in user agreements or privacy policies. The former amounts to explicit authorization consent; the latter to implied authorization consent.

"Same-origin Policy" for Cookie transmission message

The same-origin policy was introduced into browsers by Netscape in 1995. Originally, it meant that a cookie set by page A could not be read by page B unless the two pages shared the same origin. "Same origin" refers to the "three sames": the same protocol, the same domain name, and the same port.


Cookie theft and session hijacking

Network eavesdropping

Traffic on a network can be intercepted and read by computers on the network other than the sender and receiver (particularly over unencrypted open Wi-Fi).

Cross-site scripting (XSS): cookie theft

Cookies can also be stolen using a technique called cross-site scripting (XSS), in which script injected into a page reads the cookies that page can access.

Session Hijacking: Cookie Poisoning

Cookiejacking is an attack against Internet Explorer that allows an attacker to steal a user's session cookies by tricking the user into dragging an object across the screen. The attacker's goal is to obtain the ID of the victim's session after the user has logged in.

Cross-site request forgery (XSRF)

An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
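The three risks in this section are blunted by cookie attributes: Secure against network eavesdropping, HttpOnly against XSS cookie theft, and SameSite against cross-site request forgery. The following is an added example, not code from the original page: it issues a hardened session cookie and audits Set-Cookie header values for missing attributes. The header values are constructed samples, and Python 3.8 or later is assumed for SameSite support in http.cookies.

```python
"""Audit Set-Cookie headers for the attributes that blunt the three risks
above: Secure (network eavesdropping), HttpOnly (XSS cookie theft) and
SameSite (cross-site request forgery).  Requires Python 3.8+."""
from http.cookies import SimpleCookie
from typing import Dict, List


def hardened_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie header value that carries all three defensive attributes."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age   # persistent for max_age seconds
    jar[name]["secure"] = True       # only sent over HTTPS, never in the clear
    jar[name]["httponly"] = True     # not exposed to document.cookie (script access)
    jar[name]["samesite"] = "Lax"    # not attached to cross-site POST requests
    return jar[name].OutputString()


def audit_set_cookie(header_value: str) -> Dict[str, List[str]]:
    """Map each cookie in one Set-Cookie header value to its findings ([] = OK)."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings: Dict[str, List[str]] = {}
    for name, morsel in jar.items():
        issues: List[str] = []
        if not morsel["secure"]:
            issues.append("missing Secure: sent over plain HTTP (eavesdropping)")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly: readable by injected script (XSS)")
        samesite = str(morsel["samesite"]).lower()
        if samesite not in ("lax", "strict"):
            issues.append("SameSite not Lax/Strict: sent on cross-site requests (CSRF)")
        if samesite == "none" and not morsel["secure"]:
            issues.append("SameSite=None without Secure: browsers reject the cookie")
        findings[name] = issues
    return findings


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sid=abc123; Path=/",                                   # no protective attributes
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=None",  # deliberately cross-site
    hardened_session_cookie("sid", "abc123"),
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        for cookie, issues in audit_set_cookie(header).items():
            print("   ", cookie, "->", issues or ["OK"])
```

The same audit can be run over the Set-Cookie headers of a real response to spot session cookies that are still exposed to one of the three attacks.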

ePrivacy Directive ("EU cookie law")

【Amended in 2009】 The ePrivacy Directive is commonly referred to as the “cookie law.” It is a piece of EU legislation that regulates how your website is allowed to use cookies and process personal data from visitors inside the European Union.

EU's General Data Protection Regulation (GDPR)

【May 25, 2018】 Like the cookie law, the General Data Protection Regulation (GDPR) requires a website to obtain explicit consent from users before it can store cookies on their devices. Since GDPR treats cookie identifiers as personal data, the emergence of GDPR cookie consent was inevitable.

ePrivacy Regulation (EPR)

【may be effective before 2025】 The EPD's eventual replacement. The EPR was supposed to be passed in 2018, at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is still no date for when it will be implemented. The EPR promises to address browser fingerprinting in ways similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.

UK's Privacy and Electronic Communications Regulations (PECR)

【Amended in December 2018】 The PECR covers the use of cookies and similar technologies for storing information, and accessing information stored, on a user's equipment such as a computer or mobile device.

US’ California Consumer Privacy Act (CCPA)

【January 1, 2020】 The US law requires websites to follow an opt-out approach rather than opt-in for collecting personal information. That is, if your business requires you to collect personal information of users (in this case California residents), you must ensure that they have a choice to opt out of it. In short, under the CCPA, a website does not require consent to use cookies.

Italy's new cookie guidance

【July 9, 2021】 The updated guidelines addressed cookie categorization, consent through scrolling, cookie walls, privacy by design and policy, and cookie banner and policy recommendations. Websites had six months to comply with the new guidelines, which took effect January 10, 2022.

China’s Personal Information Protection Law (PIPL)

【November 1, 2021】 China’s newest data protection law, the PIPL, is the latest in a procession of laws meant to protect the personal data of individuals in China.


[USA] DoubleClick Inc. Privacy Litigation

Rule: An Internet company does not violate the Electronic Communications Privacy Act’s prohibition on unauthorized access to stored electronic communications if the company stores and accesses cookies placed on an Internet user’s hard drive.

3/31/2001

[USA] Pharmatrak, Inc. Privacy Litigation

Intentionally intercepting website users’ personal information without consent violates the Electronic Communications Privacy Act.

5/9/2003

[China] Illegally obtaining data through cookie attacks may constitute the crime of illegally obtaining computer information system data

Valid cookies issued during a user's login and access session are identity authentication information protected by criminal law, so the defendant's illegal acquisition of them is suspected to constitute the crime of illegally obtaining computer information system data. According to the judicial interpretation, the data protected by this offence is identity authentication information.

5/2/2014

[China] Privacy Dispute between Baidu Netcom Technology Co., LTD and Zhu Ye

The Nanjing Intermediate People's Court accepted the practice of embedding a cookie collection policy within a privacy policy where the information collected is anonymous or otherwise non-sensitive.

5/6/2015

[USA] Google Cookie Placement Consumer Privacy Litigation

Internet users brought actions against internet advertising providers, alleging that the providers placed tracking cookies on users' browsers in contravention of the browsers' cookie blockers, and asserting claims for violation of the federal Wiretap Act, the Stored Communications Act (SCA), and the Computer Fraud and Abuse Act (CFAA), as well as privacy claims and various statutory violations under California law.

11/12/2015

[USA] United States of America v. LAI Systems

The Federal Trade Commission (FTC) brought a complaint against LAI Systems, LLC (LAI), alleging that LAI violated the Children's Online Privacy Protection Act of 1998 (COPPA).

12/17/2015

[USA] Facebook Internet Tracking Litigation

Internet users brought a putative class action against the operator of a social networking website, alleging that the website embedded "cookies" in users' internet browsers which tracked their personal information and internet activity.

6/30/2017

France fines Amazon $42M for dropping tracking cookies without consent

Amazon’s French site displayed a banner informing arriving visitors that they agreed to its use of cookies. CNIL said this did not comply with transparency or consent requirements — since it was not clear to users that the tech giant was using cookies for ad tracking. Nor were users given the opportunity to consent.

5/19/2019

France Fines Google $120M For Dropping Cookies Without Consent

The French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés) (CNIL) carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country’s Data Protection Act.

3/16/2020

German Federal Supreme Court Issued Cookie Decision in Planet 49 Case

The decision confirms much-anticipated and relevant principles regarding the use of consent for the processing of personal data and the use of cookies. Notably, it confirms that pre-ticked boxes do not constitute a legally valid consent, in line with the General Data Protection Regulation (GDPR).

5/28/2020

[EU] noyb files 422 formal GDPR complaints on nerve-wrecking "Cookie Banners"

As part of a one-year project on "deceptive designs" and "dark patterns", noyb aims to scan, warn and enforce the GDPR on up to 10,000 websites in Europe. After sending a written warning and a "draft complaint" to more than 500 companies on May 31st, 42% of all violations were remedied within 30 days. However, 82% of all companies have not fully stopped violating the GDPR. Accordingly, noyb filed 422 complaints with ten data protection authorities.

8/10/2020

Meta agrees to pay $90 million to settle lawsuit over Facebook tracking users' online activity

Facebook (FB)-parent Meta has agreed to pay $90 million to settle a decade-old class action lawsuit over a practice that allowed the social network to track users' activity across the internet, even if they had logged out of the platform.

2/15/2022