Privacy And Security Issues In Cookie Tracking Essay

Question:

Discuss about the Privacy and Security Issues in Cookie Tracking

Answer:

Introduction

Cookies are little web-texts that are stored on a user’s systems when they visit a website. These texts allow the websites to track the user's preferences online and tailor their site to meet their liking (Rainer et al. 2013). The data stored could be the user's login information, sites visited, credit card numbers and so forth. As per Bhargavan et al. (2014), Cookies are applications that store users’ information for later access by the website. Most cookies are installed without the user knowledge, and web servers just access whatever information they require to serve the user better. Cookie tracking is implemented in two stages. The first stage is when the cookie is saved on the user's device, like Yahoo! Where users select their interests, a cookie is made specifically with the user's information and stored on the user's device. Now the next stage is when any browser that the user enables allows websites access to this cookie and tailors the users experience online to that preference.

In order to carry information between different sessions or website, cookies are the most convenient way. Therefore, use of cookies makes it easier to retrieve information. Cookies also help in storing large amount of data for the users. Security and privacy issues arise when the developers of the information system, websites and the service providers involve tracking of user’s information (Bo?hme and Okamoto 2015). If a user visits a website and provides information such as user name and password, the cookie stores the information thereby, making it convenient for the user while using the website next time. In addition to, the user movement needs to be tracked by the web environment and cookies help in achieving it. There is a high risk involved with the cookies, if these are sent over the internet without any encryption. Anything personal can be sent over the internet with the cookies, for example, credit card details, email addresses and more. Therefore, this information is readable by the people connected to the network. This is associated with the high risk of unauthorized access of the personal and confidential data with the cookie tracking tools (Pearson 2013). This may be the reason of high level of financial loss also. Some of the networks are unsecured, in which the cookies are readable from the other people connected to the network. In this context, again the cookie tracking can be used for accessing the confidential and private information of the users. The IP addresses of the network visited or the WebPages accessed through the system can be tracked through the cookie tracking.

Cookie tracking is complicated because while it has many advantages such as being used to identify and authenticate a user, store number of times a user visits a website, their preferences and their preferred settings, there are several issues that cannot be ignored. A few of these problems are the uncertainty of how the data gotten is stored and who has access to them. In addition, where the line is drawn for the tracking, in this essay, Facebook is used as a case study on repeated cookie exploitation cases (Marcella Jr 2003).

Ethical Concerns

Many websites employ the use of these cookies in order to better serve their users, cookie tracking, however, has a host of ethical concerns attached to it which needs to be addressed (Santa 2017). One ethical concern that has been raised is the issue of the privacy of the users being infringed upon. Many argue that implementing the use of cookies is deliberating spying and collecting data to boost sales for a company. This agreement is, however, null because most websites inform the users of the fact that they are being tracked and so they have fulfilled their ethical obligations. Another ethical issue related to the cookie is that online advertising companies pay cookie-tracking developers for their advertisements more than they pay the competitors for their advertisements. This addresses how the data derived from the utilization of these cookies are being used. Majority of the cookie tracking developers are ethically bound to ensure the security of their user's information; this is, however, not always the case (Whitman and Mattord 2011). Many websites such as Amazon and Facebook that track their user’s online movements have been known to sell the information collected, albeit legally to advertising companies, broker companies or any other company that requests for them. A reporter who said, “It peers deeper into American life than the F.B.I. or the I.R.S. or those prying digital eyes at Facebook and Google, had described a company in Arkansas called Acxiom as the largest purchaser of such information (Santa 2017). As per Sharma, Johari and Sarma (2012), if you are an adult who makes use of the internet regularly, the odds are that it knows things like your age, race, sex, weight, height, marital status, education level, politics, buying habits, household health worries, vacation dreams – and on and on." This violates the ethical principle of integrity, these websites not only track one's movements on their own sites but goes ahead to check on their whole internet browsing habits which are not ethically sound to some people.

According to the Consequentiality ethical theory, these cookie tracking applications are being used to help make the lives of internet users better and it enable them to be able to see specific advertisements that would vastly benefit them which is a good thing. Even though some may worry about the security of such applications and how far they are being investigated, the advantages cannot be overlooked. The Kantianism theory, however, would refute it by saying that the possibility of a privacy breach or security breach is enough for the application to be discontinued if it brings harm to even one individual then how advantageous is it really (Santa 2017). Take, for example, the case of Facebook tracking their user's online movements outside of the site, now while this has been a controversial issue, a Facebook engineer by the name of Arturo Bejar, has stated that it is being done for a good cause. MrBejar stated that Facebook uses the information gathered to prevent spammers, fraudsters and minors from accessing the website thereby putting their users in harm's way (Data Protection 2017). While this is a good cause, many have expressed their opinion that it does not justify the constant “surveillance” being carried out by the website using cookies. The hackers can use the cookie tracking tools for stealing the confidential information of a user such as the search history, user ids and passwords for the online accounts, financial transactions made over the internet, credit or debit card credentials. This is not only unethical, it is also illegal.

Legal Concerns

Many laws are available for the protection of a user's data online such as the Data Protection Act of 1998 that protects the user's data from being used for any malicious purpose, being stolen, used for the stated reasons and used lawfully (Data Protection 2017). Under the Data Protection Act section 2, users sensitive information that are being gathered cannot be used without their express permission, most websites put these clause in their privacy policies, telling the users to sign away their rights to the information for marketing purposes thereby abiding by this law. Facebook, however, has been accused of not following this rule by informing their users that their data is being given to third parties companies (Clifford 2017). According to the Data Protection Law, section 7 subsection 2a “A data controller is not obliged to supply any information under subsection (1) unless he has received a request in writing”. With this the site gives their users a choice on if to proceed with their operations or not, it is now left to the user to either accept or reject the online terms of usage (Chen and Zhao 2012). Additionally, all information gotten by Facebook, such as likes, shares, via the cookie tracking application is only stored on their systems for 90 days, and then it is automatically deleted, this is in accordance with the Data Protection Act 1998 section 2 which says that information gotten should be saved for a limited amount of time.

The policy framework directive of EU 2002/58/EC addresses the concerns related to the handling and securing of the data gotten from cookie tracking applications (Clifford 2017). The policy states that the use of the cookies tracking applications are legal given that the users are fully informed of the purpose of the application, how they would be used and where they would be stored. Also, stated in the policy is the directive that users are given a choice on deciding the place of storing the cookie information or if they want it to be stored at all, this is especially important in multiple-user devices (Chen and Zhao 2012). This directive gives the users a certain level of trust that their information is safe and secure because the law protects them in the case of any emergency. Google has been accused of storing cookies on their users’ computer without their express permission that is in direct violation of the Privacy and Electronic Communications Regulations (PECR) regulations 6 that expressly states that users must consent to any cookie being stored on their devices that could either damage or slow them down (Santa 2017).

Professional Concerns

Cookie tracking is an undoubtedly a brilliant invention. Information systems professionals that handle both the developing and securing of the applications are meant to abide by certain codes of conducts which govern the implementation of the cookie. According to the ACM code of conduct section, one subsection three that states “Honesty is an essential component of trust. Without trust, an organization cannot function effectively. The honest computing professional will not make deliberately false or deceptive claims about a system or system design, but will instead provide full disclosure of all pertinent system limitations and problems” (ACM 2017). When integrating the cookie tracking application in websites, full disclosure should be made on the process of gathering data ensuring complete safety. About 44% of websites currently have privacy policy pages whereas 52% do not state the process of utilizing and securing the cookie information. However, only 39.5% advice their users to discontinue cookie tracking while using the website. Furthermore, only about 25% of the said sites give their users options on what information they actually want to be tracked (CDT 2017). While many websites are trying to keep with this code of conduct, others are disregarding it that is not to be done as an Information Systems professional. In addition, the same code of conducts section two subsection six says that IS professionals ought to honor contracts and agreements. While many sites as mentioned before boldly stating how these cookies are being used most do not go on to state that the tracking does not end on the website alone but continues to other sites, tracking the users every movement as could be seen in the Facebook case previously mentioned.

Additionally, the British Computer Society (BCS) code of conduct section two, subsection F shows that an IS professional should “avoid injuring others, their property, reputation, or employment by false or malicious or negligent action or inaction” (BCS 2017). It has been said that due to the data gotten from cookie tracking application’s, users’ personal details, problems and vices have been exposed to their close families or employees. Information system professionals should ensure data gotten from the application is properly secured and is accessed by only authorized persons.

Social Concerns

Cookies have made using the internet a whole lot easier for many people with applications such as shopping, booking a ticket or just normal browsing thereby, making internet browsing much easier and convenient. However, websites such as Yahoo! and Google that makes use of the cookie tracking application collect bits and pieces of a person’s online movements that can be detrimental to the person’s offline life. One of the major advantages of the cookie tracking application is that it makes browsing easier for users, that is, adverts being shown are relatable to the users (Boohme and Okamoto 2015). However, there is the distinct possibility that someone else could have access to the user's computers and access other websites; thus the advertisements for the user automatically changes thereby taking away the major advantage that the cookie tracking application possesses. There should be an option, as previously states, for the nonprofessional to be able to switch off the tracking while they are not making use of their devices.

Another social concern is the incessant tracking most sites do on their users; tailor their adverts to match the new data that could cause some embarrassments for the user. For example a user stumbles on a strange genre of Pornographic materials online, if they are logged on to a site like Facebook then that site has been added to their cookie data and Facebook (Marcella Jr 2003). This is also not very good for Facebook as a company that relies heavily on advertisement income, if their adverts are not useful to the users then there would be no reason for them to click on the advertisement thereby, reducing the income of the website. This leads to the issue of online profiling, when websites collect data of their users they form a profile of their habits, personal issues, likes and so forth. This profiling is an infringement on the privacy of the users because they are usually unaware of it and if the data is ever accessed by an unauthorized person could cause physical, mental and social issues for the user.

Limitations

Several websites use cookie-tracking devices in order to gather information about the users. The most prevalent issue raised in the recent years is the inability for most users to reject. Therefore, this issue needs to be tracked. As mentioned by Mayer and Mitchell (2012), the risks associated with cookies make them vulnerable thereby, imposing limitations on the use. According to Acar et al. (2014), the different types of risks associated with cookies are cross site request forgery attack, cross site scripting, cookie tossing attack, session fixation and cookie overflow attack. The risks related to cookies make the information of the users vulnerable to be used for unsuitable purposes. As a result, for illegal or forgery purpose others can use significant information of the users such as bank detail, personal details.

As asserted by Pearson (2013), in response to a request, a cookie is sent by the browser irrespective of the place of origin. This is considered a major concern related to cookies. The website is unable to recognize whether the request generated is by the user of not. Therefore, once the request is generated, if availability of cookie is found, it casually performs the required action without knowing the initiator of the request. For example, a user named Alec is a frequent user of a website thereby, having a cookie in this system. Meanwhile, if an attacker performs a delete action, the cookie supposes the request to be initiated by Alec. Therefore, the cookie lacks the potentiality of recognizing the original initiator of the request.

As mentioned by Bugliesi et al. (2014), the risk concept of session fixation depends on the application level. In this case, of risk, the attackers force the user to use the attacker’s different session id. However, this can be implemented by using the directive path of the browser. Due to this, the users are considered a different one. By using this method, the attacker can compel the user to use different levels of application as the attacker.

Another type of vulnerability that cookie’s possess is cross-site scripting. As commented by Sharma, Johari and Sarma (2012), an exploit is placed within the cookie by the attacker. Following this, the exploit conveys the payload from that particular cookie thereby, conducting the exploitation. However, the difficulty level rises for the attacker if the cookie has been set from beforehand. In order to conduct the attack, the attackers have to firstly control the cookie and then carry out the attack within the cookie string.

Cookie tossing attack is considered as another limitation in terms of using cookie. As commented by Bhargavan et al. (2014), cookie-tossing attack is one of the most dangerous attacks on cookies. For example, a user receives a domain cookie while visiting website. Therefore, the cookie is sent to the website or server when the user visits the same browser the next time. In this case, the cookie lacks a particular path or domain. As a result, the attacker develops a sub domain cookie that is sent along with the original cookie. The website accepts both the cookies. The server lacks the option of sending the original cookie at first thereby, can select and send the duplicate cookie at first. In case, the server receives the sub domain cookie at first, it accepts the sub domain one as the valid or original cookie. Due to this, the information of the users can be vulnerable to risks, as the information is no more secured enough.

According to Shar and Tar (2012), a sub domain cookie replaces the use of Jscript, the domain of the parent cookie. In terms of the number of cookies sent by the web browser, there is a limitation. However, web browsers such as Google Chrome lack the ability to verify whether the stored cookie is from a sub domain or domain thereby, just stores the cookies provided to them. Therefore, it can be possible that the sub domain is not completely secured. Attackers can use the non-secure cookie supposedly by altering the expiry dates of the cookie thereby, making it useless. This enables the attacker to develop a malicious cookie and sending the sub domain cookie to the web browser. As mentioned before, the web lacks the ability to determine the authenticity of the cookie thereby, imposing threat on the information of the users.

Privacy, secrecy and security are the main vulnerabilities and limitation of using cookies. Privacy id considered as one of the major concern as this deals with storing of information of the users. The web browsers has the cookie option activated tracks the websites visited by the users. As mentioned by Chen and Zhao (2012), this provides an opportunity for the third party to access the information of the users without their consent. Government, advertisers and other users can be considered as the third parties. Therefore, there prevails high probability of misusing the information of the users. According to Hennnebert and Dos Santos (2014), the browsers willfully make it hard for the users to find the option for disabling the cookie option as this means less money for them. At certain instances, the users lack technical expertise to disable the cookie option of the web browser. Cookie security is a major issue as several loopholes has been recognized in various web browsers. This provides a huge advantage for the attackers, as they are able to access information of the users such as their emails, information related to banks, credit card information and passwords.

Conclusion

This essay shows some of the privacy and security issues which come up with the use of cookies. Cookies are harmless if used by trusted websites, but when accessing a new and strange website, some users might not appreciate being tracked and all their information out there for the site to access. This is why cookie tracking as said at the start of this essay is a complicated issue.

In this assignment, it can be concluded that cookies are small web-texts that helps in storing information in the system of the user. Information stored can be in terms of of the interest, log in information, personal information and bank details. Therefore, as this deal with the information of the users, security and privacy in terms of cookies are of utmost significance. As a result, ethical, legal, professional and social concerns are taken under consideration. Cookies are enabled by the web browsers in order to store information of the users thereby, providing better service. However, there are ethical concerns attached with accessing the information of the users. Many people considers use of cookies as unethical as they think the information of the users are been spied on deliberately in order to maximize their sales. Therefore, the privacy of the users’ information is accessible thereby, vulnerable to misuse. It has been seen that advertising organization pay the cookie developers more compared to their competitors. This provides an opportunity for the advertizing agencies to enhance their sales. Therefore, the cookie developers have to ensure security and privacy though it is breached at times. According to the Consequentiality theory, use of cookies makes the lives of the internet users easier. On the contrary, Kantianism theory highlights the security and privacy issues while using cookie thereby, suggesting discontinuing the use.

In order to keep the information and the data of the users secure, Data Protection Act, 1998 is used for providing security of the information. Websites put the clause of using sensitive information of the users for marketing purposes with their consent only under the data Protection Act section 2. However, social media such as Facebook has failed in implementing the law thereby, the information of the users are fully accessible by third parties. This is due to the fact that under the Data protection Act section 7 sub section 2a, until and unless data controllers receives a written application, they are not bound to reveal the third parties. However, the information of the users for Facebook is deleted after 90 days thereby, reducing risk of misuse.

Moreover, according to the EU frameworks, accessing the information of the users are legal if they are informed about the purpose and method of accessing their information.

According to ACM code of conduct, the information technology professionals’ needs to consider both developing and security related to the use of cookie with sheer honesty. According to the statistics stated, it can be said certain websites state the some websites follows or implements the laws related to security of cookies whereas some websites fail to state the method and the purpose of utilization of information. Moreover, certain percentage of website deactivates cookie-tracking facilities while some states specifically the information that wants to be stored. The information collected by Google or Yahoo about the interests of the users can have adversely affected the life of the users thereby, raising a social concern.

However, there are limitations and vulnerabilities associated with the security and privacy in cookie tracking. The web browser lacks the ability to determine between the original and sub domain cookie thereby making it easier for the attackers to invade and access the information of the users.

References

Acar, G., Eubank, C., Englehardt, S., Juarez, M., Narayanan, A. and Diaz, C., 2014, November. The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (pp. 674-689). ACM.

Acm.org. 2017. ACM Code of Ethics and Professional Conduct. [online] Available at: [Accessed 26 Apr. 2017].

Albanese, J. and Sonnenreich, W., 2004. Network security illustrated. 1st ed. New York: McGraw-Hill, p.160.

Ashton, A., 2012. Issues in Networks Research and Application. 1st ed. Atlanta: ScholarlyEditions, p.28.

BCS, 2017. [online] BCS.org. Available at: [Accessed 6 Mar. 2017].

Bhargavan, K., Lavaud, A.D., Fournet, C., Pironti, A. and Strub, P.Y., 2014, May. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In Security and Privacy (SP), 2014 IEEE Symposium on (pp. 98-113). IEEE.

Bo?hme, R. and Okamoto, T., 2015. Financial Cryptography and Data Security. 1st ed. Berlin, p.218.

Bugliesi, M., Calzavara, S., Focardi, R., Khan, W. and Tempesta, M., 2014, July. Provably sound browser-based enforcement of web session integrity. In Computer Security Foundations Symposium (CSF), 2014 IEEE 27th (pp. 366-380). IEEE.

Chen, D. and Zhao, H., 2012, March. Data security and privacy protection issues in cloud computing. In Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on (Vol. 1, pp. 647-651). IEEE.

Clifford, D. 2017. EU Data Protection Law and Targeted Advertising: Consent and the Cookie Monster - Tracking the crumbs of online user behaviour — jipitec. [online] Jipitec.eu. Available at: [Accessed 6 Mar. 2017].

Data Protection, 2017. Data Protection Act 1998. [online] Legislation.gov.uk. Available at: [Accessed 6 Mar. 2017].

Dixon, P. 2016. Surveillance in America. 1st ed. Santa Barbara, California: ABC-CLIO, p.261.

Marcella Jr, A., 2003. Privacy Handbook: Guidelines, Exposures, Policy Implementation, and International Issues. 1st ed. John Wiley & Sons.

Mayer, J.R. and Mitchell, J.C., 2012, May. Third-party web tracking: Policy and technology. In Security and Privacy (SP), 2012 IEEE Symposium on (pp. 413-427). IEEE.

Pearson, S., 2013. Privacy, security and trust in cloud computing. In Privacy and Security for Cloud Computing (pp. 3-42). Springer London.

Rainer, K., Cegielski, C., Splettstoesser-Hogeterp, I. and Sanchez-Rodriguez, C., 2013. Introduction to Information Systems. 3rd ed. John Wiley & Sons, p.161.

Santa, U., 2017. Ethical Implications of Data Aggregation. [online] Scu.edu. Available at: [Accessed 6 Mar. 2017].

Shar, L.K. and Tan, H.B.K., 2012. Automated removal of cross site scripting vulnerabilities in web applications. Information and Application Technology, 54(5), pp.467-478.

Sharma, P., Johari, R. and Sarma, S.S., 2012. Integrated approach to prevent SQL injection attack and reflected cross site scripting attack. International Journal of System Assurance Engineering and Management, 3(4), pp.343-351.

Whitman, M. and Mattord, H., 2011. Principles of information security. 4th ed. Cengage Learning.

How to cite this essay: