The European Union’s cybersecurity agency has published a report on the security and privacy concerns raised by new types of online cookies, advocating more transparency about how they are used and calling for a user-friendly mechanism to remove them whenever needed.
The policy report, “Bittersweet cookies: Some security and privacy considerations,” from the European Network and Information Security Agency (ENISA), examines cookies in terms of their security vulnerabilities and the relevant privacy concerns. Originally developed to aid browser-server interaction, cookies have evolved into persistent and powerful privacy-invasive tools that help advertisers track and profile web consumers, the agency said.
Additionally, users should be able to easily manage cookies, especially new ones, and have the option to remove them. However, web users do not currently have many options: either they do not accept cookies and therefore cannot access the service, or they accept cookies, with all the consequences related to privacy and security, the report noted.
But privacy is not the only concern for consumers, ENISA pointed out. Cookies come with various vulnerabilities, and the agency identified three threats to them: network threats, end-system threats and cookie-harvesting threats.
Network threats result from the fact that cookies are transmitted in clear text and can be spoofed or altered in transit. End-system threats relate to exploits such as forgery of cookie information and impersonation of other users. An attacker can also perform a cookie-harvesting attack by impersonating a legitimate site and collecting cookies from its users, the report said.
“Much work is needed to make these next-generation cookies as transparent and user-controlled as regular HTTP cookies to safeguard the privacy and security aspects of consumers and business alike,” said Dr. Udo Helmbrecht, ENISA executive director.