Cookies are small text files that are stored on a user's system when they visit a website. These files allow websites to track a user's preferences online and tailor the site to their liking (Rainer et al. 2013). The data stored could be the user's login information, sites visited, credit card numbers and so forth. As per Bhargavan et al. (2014), cookies are applications that store users' information for later access by the website. Most cookies are installed without the user's knowledge, and web servers simply access whatever information they require to serve the user better. Cookie tracking is implemented in two stages. The first stage is when the cookie is saved on the user's device: on Yahoo!, for example, where users select their interests, a cookie is made specifically with the user's information and stored on the user's device. The second stage is when any browser the user enables allows websites to access this cookie and tailor the user's online experience to those preferences.
Cookie tracking is a complicated matter: while it has many advantages, such as identifying and authenticating a user and storing the number of times a user visits a website, their preferences and their preferred settings, there are several issues that cannot be ignored. Among these are the uncertainty over how the collected data is stored and who has access to it, and where the line is drawn for tracking. In this essay, Facebook is used as a case study of repeated cookie exploitation cases (Marcella Jr 2003).
According to consequentialist ethical theory, these cookie tracking applications are used to make the lives of internet users better and enable them to see specific advertisements that would greatly benefit them, which is a good thing. Even though some may worry about the security of such applications and how far they are being investigated, the advantages cannot be overlooked. Kantian theory, however, would refute this by saying that the possibility of a privacy or security breach is enough for the application to be discontinued: if it brings harm to even one individual, then how advantageous is it really (Santa 2017)? Take, for example, the case of Facebook tracking its users' online movements outside of the site. While this has been a controversial issue, a Facebook engineer by the name of Arturo Bejar has stated that it is being done for a good cause. Mr Bejar stated that Facebook uses the information gathered to prevent spammers, fraudsters and minors from accessing the website, since they would put its users in harm's way (Data Protection 2017). While this is a good cause, many have expressed the opinion that it does not justify the constant “surveillance” the website carries out using cookies. Hackers can use cookie tracking tools to steal a user's confidential information, such as their search history, user IDs and passwords for online accounts, financial transactions made over the internet, and credit or debit card credentials. This is not only unethical, it is also illegal.
Many laws exist to protect a user's data online, such as the Data Protection Act 1998, which protects the user's data from being stolen or used for any malicious purpose and requires that it be used only for the stated reasons and lawfully (Data Protection 2017). Under section 2 of the Data Protection Act, users' sensitive information that is gathered cannot be used without their express permission; most websites put this clause in their privacy policies, telling users to sign away their rights to the information for marketing purposes, thereby abiding by this law. Facebook, however, has been accused of not following this rule of informing its users that their data is being given to third-party companies (Clifford 2017). According to section 7 subsection 2a of the Data Protection Act, “A data controller is not obliged to supply any information under subsection (1) unless he has received a request in writing”. With this, the site gives its users a choice on whether to proceed with their operations or not; it is left to the user to either accept or reject the online terms of usage (Chen and Zhao 2012). Additionally, all information obtained by Facebook via the cookie tracking application, such as likes and shares, is only stored on its systems for 90 days and is then automatically deleted, in accordance with section 2 of the Data Protection Act 1998, which says that information obtained should be kept for a limited time only.
The EU policy framework directive 2002/58/EC addresses the concerns related to handling and securing the data obtained from cookie tracking applications (Clifford 2017). The policy states that the use of cookie tracking applications is legal provided that users are fully informed of the purpose of the application, how the cookies will be used and where they will be stored. Also stated in the policy is the directive that users be given a choice over where the cookie information is stored, or whether it is stored at all; this is especially important on multi-user devices (Chen and Zhao 2012). This directive gives users a certain level of trust that their information is safe and secure, because the law protects them in the case of any emergency. Google has been accused of storing cookies on its users' computers without their express permission, in direct violation of regulation 6 of the Privacy and Electronic Communications Regulations (PECR), which expressly states that users must consent to any cookie being stored on their devices that could either damage or slow them down (Santa 2017).
Additionally, section two, subsection F of the British Computer Society (BCS) code of conduct states that an IS professional should “avoid injuring others, their property, reputation, or employment by false or malicious or negligent action or inaction” (BCS 2017). It has been said that, owing to data obtained from cookie tracking applications, users' personal details, problems and vices have been exposed to their close families or employees. Information systems professionals should ensure that data obtained from such applications is properly secured and accessed only by authorised persons.
Cookies have made using the internet a whole lot easier for many people, for applications such as shopping, booking a ticket or just normal browsing, making internet use much easier and more convenient. However, websites such as Yahoo! and Google that make use of cookie tracking applications collect bits and pieces of a person's online movements that can be detrimental to the person's offline life. One of the major advantages of the cookie tracking application is that it makes browsing easier for users; that is, the adverts shown are relevant to them (Böhme and Okamoto 2015). However, there is the distinct possibility that someone else could have access to the user's computer and visit other websites; the advertisements shown to the user then automatically change, taking away the major advantage that the cookie tracking application possesses. There should be an option, as previously stated, for the non-professional user to switch off tracking while they are not making use of their devices.
Another social concern is the incessant tracking most sites do of their users, tailoring their adverts to match the new data, which could cause some embarrassment for the user. For example, if a user stumbles on a strange genre of pornographic material online while logged on to a site like Facebook, then that site has been added to their cookie data and to Facebook (Marcella Jr 2003). This is also not very good for Facebook as a company that relies heavily on advertising income: if its adverts are not useful to users, there is no reason for them to click on the advertisement, reducing the income of the website. This leads to the issue of online profiling: when websites collect data on their users, they form a profile of their habits, personal issues, likes and so forth. This profiling is an infringement of users' privacy, because they are usually unaware of it, and if the data is ever accessed by an unauthorised person it could cause physical, mental and social problems for the user.
Several websites use cookie-tracking mechanisms in order to gather information about their users. The most prevalent issue raised in recent years is the inability of most users to reject them; this issue therefore needs to be addressed. As mentioned by Mayer and Mitchell (2012), the risks associated with cookies make them vulnerable, imposing limitations on their use. According to Acar et al. (2014), the different types of risk associated with cookies are cross-site request forgery attacks, cross-site scripting, cookie tossing attacks, session fixation and cookie overflow attacks. These risks leave users' information vulnerable to being used for unsuitable purposes. As a result, others can use significant information about users, such as bank details and personal details, for illegal or fraudulent purposes.
As asserted by Pearson (2013), a cookie is sent by the browser with a request irrespective of where the request originated. This is considered a major concern related to cookies. The website is unable to recognise whether the request was generated by the user or not. Therefore, once a request arrives, if a matching cookie is present, the website simply performs the requested action without knowing who initiated the request. For example, a user named Alec is a frequent user of a website and so has its cookie on his system. If an attacker then causes a delete request to be sent, the website assumes the request was initiated by Alec. The cookie therefore has no way of identifying the original initiator of the request.
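The Alec scenario above, worked through as an added example that is not part of the original essay: a naive handler that trusts the session cookie alone, beside a hardened one that also requires a session-bound CSRF token and checks the Origin header. The session store, user names, site origins and request dictionaries are all constructed for the illustration.

```python
import hashlib
import hmac

# Constructed in-memory state for the illustration (hypothetical names).
SESSIONS = {"s3ss10n-alec": "alec"}        # session cookie value -> user
ITEMS = {"alec": {"doc-1", "doc-2"}}       # user -> items they own
SECRET = b"placeholder-server-secret"      # would be a random key in practice
SITE_ORIGIN = "https://example.test"

def csrf_token(sid):
    # Token derived from the session: only a page served by this site, which
    # can read the token, is able to include it in a form.
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

def delete_item_naive(request):
    """Vulnerable: trusts the cookie alone. The browser attaches Alec's cookie
    to any request to the site, so a form submitted from another site is
    handled exactly as if Alec had sent it."""
    user = SESSIONS.get(request["cookies"].get("sid"))
    if user is None:
        return 401
    ITEMS[user].discard(request["form"]["item"])
    return 200

def delete_item_hardened(request):
    """Mitigated: the cookie still identifies the session, but the request must
    also carry the session-bound token and, if an Origin header is present,
    it must name this site."""
    sid = request["cookies"].get("sid")
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    token = request["form"].get("csrf", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return 403
    ITEMS[user].discard(request["form"]["item"])
    return 200

def cross_site_request(item):
    # What the server receives when a form on another origin is submitted in
    # Alec's browser: his cookie is present, the token is not.
    return {"cookies": {"sid": "s3ss10n-alec"},
            "headers": {"Origin": "https://other.test"},
            "form": {"item": item}}

def same_site_request(item):
    # A request from the site's own page, which can read and include the token.
    sid = "s3ss10n-alec"
    return {"cookies": {"sid": sid},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"item": item, "csrf": csrf_token(sid)}}
```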
As mentioned by Bugliesi et al. (2014), the risk of session fixation operates at the application level. In this kind of attack, the attacker forces the user to use a different session ID chosen by the attacker. This can be done using the browser's path directive. As a result, the user is treated as a different one, and by this method the attacker can compel the user to operate at the same levels of the application as the attacker.
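A minimal illustration of the standard session fixation mitigation, added here and not taken from the essay or the cited paper: a login that keeps the pre-authentication session ID beside one that regenerates it. The in-memory session store and the pre-planted ID are constructed.

```python
import secrets

# Constructed in-memory session store for the illustration: id -> session data.
SESSIONS = {}

def new_session():
    """Issue an unpredictable session ID (32 random bytes, URL-safe)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid

def login_fixable(sid, username):
    """Vulnerable pattern: authenticates whatever session ID the request
    arrived with. If that ID was planted in the victim's browser before login,
    whoever planted it now holds a valid authenticated session."""
    SESSIONS.setdefault(sid, {"user": None})["user"] = username
    return sid

def login_hardened(sid, username):
    """Mitigated: discard the pre-authentication session and issue a fresh ID
    at login, so an ID known before login never identifies the logged-in user."""
    SESSIONS.pop(sid, None)
    fresh = new_session()
    SESSIONS[fresh]["user"] = username
    return fresh

def whoami(sid):
    """Resolve a session ID to the authenticated user, or None."""
    session = SESSIONS.get(sid)
    return None if session is None else session["user"]
```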
Another type of vulnerability that cookies possess is cross-site scripting. As commented by Sharma, Johari and Sarma (2012), an exploit is placed within the cookie by the attacker. The exploit then conveys its payload from that particular cookie, carrying out the exploitation. However, the difficulty rises for the attacker if the cookie has already been set beforehand. In order to conduct the attack, the attacker first has to control the cookie and then carry out the attack within the cookie string.
The cookie tossing attack is considered another limitation in terms of using cookies. As commented by Bhargavan et al. (2014), cookie tossing is one of the most dangerous attacks on cookies. For example, a user receives a domain cookie while visiting a website, and the cookie is sent to the website or server when the user visits it again with the same browser. In this case, the cookie lacks a particular path or domain. The attacker then creates a sub-domain cookie that is sent along with the original cookie, and the website accepts both cookies. The server has no way of ensuring that the original cookie is sent first, so the duplicate may be sent first instead. If the server receives the sub-domain cookie first, it accepts the sub-domain cookie as the valid or original one. Because of this, users' information can be exposed to risk, as it is no longer adequately secured.
According to Shar and Tan (2012), a sub-domain cookie set using JScript can replace the parent domain cookie. There is a limit on the number of cookies a web browser will send. However, web browsers such as Google Chrome lack the ability to verify whether a stored cookie is from a sub-domain or the domain itself, and simply store the cookies provided to them. Therefore, it is possible that the sub-domain is not completely secure. Attackers can supposedly use the non-secure cookie by altering its expiry date, making it useless. This enables the attacker to develop a malicious cookie and send the sub-domain cookie to the web browser. As mentioned before, the browser lacks the ability to determine the authenticity of the cookie, posing a threat to users' information.
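The cookie tossing problem of the two paragraphs above, as an added example not taken from the essay: a small Cookie header parser showing why the server cannot tell two same-name cookies apart, a strict server-side check that refuses the ambiguous request, and a model of the browser's __Host- prefix rule, which keeps a sub-domain cookie from ever reaching the parent host. The host names, cookie values and cookie jar are constructed; only the attribute checks of the prefix rule are modelled, not the secure-origin requirement.

```python
def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs in the order sent.
    RFC 6265 allows a browser to send several cookies with the same name."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def session_id_naive(header):
    """Common server behaviour: use the first 'sid'. If a tossed sub-domain
    cookie happens to be ordered first, its value is used for the session."""
    for name, value in parse_cookie_header(header):
        if name == "sid":
            return value
    return None

def session_id_strict(header):
    """Mitigated: treat more than one 'sid' as an error instead of guessing."""
    values = [v for n, v in parse_cookie_header(header) if n == "sid"]
    return values[0] if len(values) == 1 else None

def accept_set_cookie(name, value, set_by, domain=None, path="/", secure=False):
    """Browser-side model of Set-Cookie acceptance with the __Host- prefix rule:
    such a cookie must be Secure, have Path=/ and carry no Domain attribute, so
    it is always host-only and cannot be made to travel to a parent host."""
    if name.startswith("__Host-") and (not secure or domain or path != "/"):
        return None
    return {"name": name, "value": value, "set_by": set_by, "domain": domain}

def sent_to(cookie, request_host):
    """Domain matching per RFC 6265: a host-only cookie returns only to the host
    that set it; Domain=example.test cookies go to it and every sub-domain."""
    if cookie["domain"] is None:
        return request_host == cookie["set_by"]
    d = cookie["domain"].lstrip(".")
    return request_host == d or request_host.endswith("." + d)

def cookie_header_for(jar, request_host):
    """Build the Cookie header the browser would send to request_host. The jar
    order stands in for browser ordering, which the server cannot rely on."""
    return "; ".join(f"{c['name']}={c['value']}"
                     for c in jar if sent_to(c, request_host))
```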
Privacy, secrecy and security are the main vulnerabilities and limitations of using cookies. Privacy is considered one of the major concerns, as it deals with the storing of users' information. A web browser that has the cookie option activated tracks the websites visited by the user. As mentioned by Chen and Zhao (2012), this provides an opportunity for third parties to access users' information without their consent. Government, advertisers and other users can be considered third parties. Therefore, there is a high probability of users' information being misused. According to Hennebert and Dos Santos (2014), browsers wilfully make it hard for users to find the option for disabling cookies, as this means less money for them. In certain instances, users lack the technical expertise to disable the cookie option of the web browser. Cookie security is a major issue, as several loopholes have been recognised in various web browsers. This provides a huge advantage for attackers, as they are able to access users' information such as their emails, bank-related information, credit card information and passwords.
In order to keep users' information and data secure, the Data Protection Act 1998 is used to provide security for the information. Under section 2 of the Data Protection Act, websites include the clause that users' sensitive information will be used for marketing purposes only with their consent. However, social media such as Facebook have failed to implement the law, so that users' information is fully accessible by third parties. This is because, under section 7 subsection 2a of the Data Protection Act, data controllers are not bound to reveal the third parties until and unless they receive a written application. However, Facebook's user information is deleted after 90 days, reducing the risk of misuse.
Moreover, according to the EU frameworks, accessing users' information is legal if they are informed about the purpose and method of accessing their information.
According to the ACM code of conduct, information technology professionals need to consider both the development and the security aspects of cookie use with complete honesty. From the statistics stated, it can be said that some websites follow or implement the laws related to cookie security, whereas others fail to state the method and purpose of using the information. Moreover, a certain percentage of websites deactivate cookie-tracking facilities, while some state specifically which information they want to store. The information collected by Google or Yahoo about users' interests can adversely affect users' lives, raising a social concern.
However, there are limitations and vulnerabilities associated with security and privacy in cookie tracking. The web browser lacks the ability to distinguish between the original and the sub-domain cookie, making it easier for attackers to invade and access users' information.
Acar, G., Eubank, C., Englehardt, S., Juarez, M., Narayanan, A. and Diaz, C., 2014, November. The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (pp. 674-689). ACM.
Acm.org. 2017. ACM Code of Ethics and Professional Conduct. [online] Available at: [Accessed 26 Apr. 2017].
Albanese, J. and Sonnenreich, W., 2004. Network security illustrated. 1st ed. New York: McGraw-Hill, p.160.
Ashton, A., 2012. Issues in Networks Research and Application. 1st ed. Atlanta: ScholarlyEditions, p.28.
BCS, 2017. [online] BCS.org. Available at: [Accessed 6 Mar. 2017].
Bhargavan, K., Lavaud, A.D., Fournet, C., Pironti, A. and Strub, P.Y., 2014, May. Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In Security and Privacy (SP), 2014 IEEE Symposium on (pp. 98-113). IEEE.
Böhme, R. and Okamoto, T., 2015. Financial Cryptography and Data Security. 1st ed. Berlin, p.218.
Bugliesi, M., Calzavara, S., Focardi, R., Khan, W. and Tempesta, M., 2014, July. Provably sound browser-based enforcement of web session integrity. In Computer Security Foundations Symposium (CSF), 2014 IEEE 27th (pp. 366-380). IEEE.
Chen, D. and Zhao, H., 2012, March. Data security and privacy protection issues in cloud computing. In Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on (Vol. 1, pp. 647-651). IEEE.
Clifford, D. 2017. EU Data Protection Law and Targeted Advertising: Consent and the Cookie Monster - Tracking the crumbs of online user behaviour — jipitec. [online] Jipitec.eu. Available at: [Accessed 6 Mar. 2017].
Data Protection, 2017. Data Protection Act 1998. [online] Legislation.gov.uk. Available at: [Accessed 6 Mar. 2017].
Dixon, P. 2016. Surveillance in America. 1st ed. Santa Barbara, California: ABC-CLIO, p.261.
Marcella Jr, A., 2003. Privacy Handbook: Guidelines, Exposures, Policy Implementation, and International Issues. 1st ed. John Wiley & Sons.
Mayer, J.R. and Mitchell, J.C., 2012, May. Third-party web tracking: Policy and technology. In Security and Privacy (SP), 2012 IEEE Symposium on (pp. 413-427). IEEE.
Pearson, S., 2013. Privacy, security and trust in cloud computing. In Privacy and Security for Cloud Computing (pp. 3-42). Springer London.
Rainer, K., Cegielski, C., Splettstoesser-Hogeterp, I. and Sanchez-Rodriguez, C., 2013. Introduction to Information Systems. 3rd ed. John Wiley & Sons, p.161.
Santa, U., 2017. Ethical Implications of Data Aggregation. [online] Scu.edu. Available at: [Accessed 6 Mar. 2017].
Shar, L.K. and Tan, H.B.K., 2012. Automated removal of cross site scripting vulnerabilities in web applications. Information and Application Technology, 54(5), pp.467-478.
Sharma, P., Johari, R. and Sarma, S.S., 2012. Integrated approach to prevent SQL injection attack and reflected cross site scripting attack. International Journal of System Assurance Engineering and Management, 3(4), pp.343-351.
Whitman, M. and Mattord, H., 2011. Principles of information security. 4th ed. Cengage Learning.