May 4, 2021

Cybersecurity and integrity, pt 6

Part 6 – Cookies in your browser

Whenever you visit a website through the web browser on your computer or on your mobile device, you usually get a notification asking you to approve the website’s use of cookies. Cookies are a type of program that exists in order to save certain kinds of information about the things you do while interacting with the website in question.

If you approve of the use of cookies on that website, a file will be created in your browser. This file will be paired with another file that is created in the database of the website you are accessing. This second file, that exists within that website’s database, contains a user ID. Whenever you access that website in the future, your browser communicates the data that exists within the first file, and pairs itself with the file in the website’s database. Everything you do on that website will be stored in the file in the browser, and is also communicated to the service you are using. A profile of sorts is created. Your IP address, along with device information is paired with the user profile you have on that website, and everything you do there is stored for future reference.

This cookie is what enables you to save your username and password, so that you don’t have to fill it in every time you access that website. When you are shopping online, and close down that tab, the items you selected usually reappear in your shopping cart automatically when you revisit that webshop. That is also cookies at work. When you get suggestions on other products that might be interesting, that also comes from the information in your cookies. Any targeted ads that you see will also be based on that information. Let’s say that you spend an afternoon Googling for football shoes. Most likely, you will find ads about football shoes on most websites that you visit during the following week.

Cookies have a pretty simple origin. In the dawn of the internet, cookies were created to lighten the workload of websites and the servers that they were on. Since most of the information is stored in files in your own web browser, they don’t have to store it themselves. Instead that information exists on your own computer, and is communicated to the server every time you connect with it.

Different types of cookies

HTTP cookies, which this article is about, come in two different forms: session cookies and persistent cookies. Session cookies exist only for the duration of your visit to the website. When you close that browser window, the cookies are automatically deleted. Persistent cookies are stored for later. The duration that they are stored varies, and is always defined by the service itself. Sometimes the time limit is defined, sometimes not. If not, the cookies will remain until you delete them manually, or indefinitely if you never do. The latter kind of cookie is the one which stores information such as usernames, passwords and shopping carts.

There are two additional subtypes of cookies: first party cookies and third party cookies. First party cookies belong to the website which you are visiting. Third party cookies belong to a third party.

For instance, whenever you visit a website with ads, those ads sometimes install their own cookies in your browser. This, in turn, means that the owner of the ad stores information about everything that you do while accessing the websites where they have bought ad space. The same company can have ads on a number of different websites, and whenever you access those websites, everything you do is stored into the same file. This is possible since they get access to device IDs and IP addresses that are unique to you.
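As an added illustration (not part of the original article), the sketch below sorts the cookies set during one page load into the categories described above: session or persistent, first party or third party. The host names, cookie names and header values are constructed samples, and the "same site" test is simplified to comparing the last two labels of the host name, whereas real browsers use the Public Suffix List.

```javascript
// Constructed sample: Set-Cookie headers received while loading a page on
// www.shop.example. All hosts, names and values are made up for illustration.
const PAGE_HOST = "www.shop.example";
const NOW = Date.parse("2021-05-04T12:00:00Z");
const RESPONSES = [
  { host: "www.shop.example", setCookie: "cart=abc123; Path=/; HttpOnly" },
  { host: "www.shop.example", setCookie: "login=u42; Max-Age=2592000; Secure; HttpOnly" },
  { host: "ads.tracker.example",
    setCookie: "uid=9f8e7d; Expires=Thu, 04 May 2023 12:00:00 GMT; SameSite=None; Secure" },
];

// Simplification (assumption): a "site" is the last two labels of the host name.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Split one Set-Cookie header into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function classify(pageHost, resp, now) {
  const c = parseSetCookie(resp.setCookie);
  // No Max-Age and no Expires means a session cookie; Max-Age wins if both exist.
  let expires = null;
  if ("max-age" in c.attrs) expires = now + Number(c.attrs["max-age"]) * 1000;
  else if ("expires" in c.attrs) expires = Date.parse(c.attrs["expires"]);
  if (Number.isNaN(expires)) expires = null; // unparseable lifetime: treat as session
  return {
    name: c.name,
    lifetime: expires === null ? "session" : "persistent",
    daysKept: expires === null ? 0 : Math.round((expires - now) / 86400000),
    party: site(resp.host) === site(pageHost) ? "first-party" : "third-party",
  };
}

function report() {
  return RESPONSES.map((r) => classify(PAGE_HOST, r, NOW));
}

console.table(report());
```

The same view is available in a browser's developer tools, where each stored cookie is listed with its domain and expiry date.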

The different uses of cookies

That information can then be used by the owner of the ads. It could be used to provide targeted ads that are similar to your previous interests. It could also be sold to other third parties. It stands to reason that the user profiles that are compiled through third party cookies are much more extensive than those compiled by one single website. Let’s say that one single ad provider has ads on not only Facebook, but PornHub, your favourite blog and maybe even the store that you order your groceries from. Suddenly it’s not just a list of food that you like. It becomes something more. A psychological profile if you will. Your location and device, paired with sexual preferences (due to PornHub search activity), paired with information about your friends, what content you share, what events you attend, where you work, where you studied and so forth.

If I wanted to manipulate certain groups of people in certain ways, or study how they react to my actions in the public space (as a political party or an international company, for instance) this kind of information would be incredibly valuable. And the implications are immense. Imagine what you could do with that information, if you had enough resources at your disposal.

There is one additional form of cookies, known as Zombie Cookies. They are installed by a third party and are the ones that are most worrying from an integrity point of view. They are designed to track as much as possible about your online activity. They are not created in order to ease your online experience, as in the case of first party cookies, passwords and usernames. Instead they exist solely in order to create extensive profiles on the habits of as many people as possible.

Zombie cookies are usually used by “web analytics companies”, companies whose business plans are built on compiling and selling information about vast amounts of individuals to third parties. This is an area which is largely unregulated. This means that the information is sold to whoever is buying, and the information can be put to any number of sinister uses. Law enforcement agencies, companies that only interest themselves in making as much money as possible however they can, and organizations that want to manipulate people for different reasons can all be numbered here.

Risks and solutions

There are additional risks that come with HTTP cookies. For instance, they can be hacked. This means that anyone with the technical know-how can gain access to all the information that has been stored in the different cookies stored in your browser. Credit card information, usernames and passwords can all be used for a number of different criminal purposes.

Some people don’t care about any of this. Either they don’t do anything online that could constitute a risk for themselves, or they don’t consider the risks high enough to merit concern, or they simply don’t know about the different risks involved in all of this.

Cookies also have a positive aspect to them. Originally, they were created in order to simplify the online experience. And god knows that most of us have too many accounts, with different usernames and passwords, for anyone to keep in their heads. Thankfully, there are a few solutions that enable you to have a smooth online experience without submitting yourself to the risks that can come with the cookies.

One option is not using cookies at all. Whenever you visit a website, that website has to ask for your permission before installing any cookies in your browser. You can also regulate the use and extent of the cookies and the information you allow them to store in the privacy settings of your browser. Punching in the password every single time you visit a website is time consuming but it also allows for control and security. Another option is to store all your usernames and passwords in the browser itself. Not as a cookie, but as a separate file that exists in your browser. A file that only you can access from your own computer, or your Google account if that is what you like to use.

Here is a link to Kaspersky (a well-known and trusted anti-virus company), where they explain how to adjust the privacy settings of the most common web browsers.

https://support.kaspersky.com/common/windows/2843#block2

Most browsers also have add-ons that allow for storage and generation of safe passwords that are more or less impossible to crack. The passwords are generated through certain algorithms, and can be stored in the browser so that you don’t have to remember them yourself.

https://support.mozilla.org/en-US/kb/password-manager-remember-delete-edit-logins

https://passwords.google.com/?pli=1

If you want to use cookies and limit their ability to create any extensive profiles on you, then you should make sure to remove cookies regularly. This is done differently in different web browsers, but the option always exists, and can be done through the settings and preferences of the web browser itself.

Sources:

https://www.kaspersky.com/resource-center/definitions/cookies

https://en.wikipedia.org/wiki/HTTP_cookie

Hannes Jääaro
