Cybersecurity Agency Warns Next-Gen Cookies Pose Privacy Threat

The European Union’s cybersecurity agency has published a report on the security and privacy concerns raised by new types of online cookies, advocating for more transparency about how they are used and calling for a user-friendly mechanism to remove them whenever needed.

The policy report, “Bittersweet cookies: Some security and privacy considerations,” from the European Network and Information Security Agency (ENISA), identifies and examines cookies in terms of security vulnerabilities and the relevant privacy concerns. Originally developed to aid browser-server interaction, cookies have developed into persistent and powerful privacy-invasive tools to help advertisers track and profile web consumers, the agency said.

The new types of cookies support persistent user identification and are not transparent enough about how they are being used, making it hard to quantify their security and privacy implications, ENISA said in a press release. To mitigate the privacy implications, the agency recommends that informed consent guide the design of systems using cookies, and that the use of cookies and the data stored in them be transparent to users.

Additionally, users should be able to easily manage cookies, especially new ones, and have the option to remove them. However, web users do not currently have many options: either they do not accept cookies and therefore cannot access the service, or they accept cookies, with all the consequences related to privacy and security, the report noted.

But privacy concerns are not the only worries consumers should consider, ENISA pointed out. Cookies come with various vulnerabilities, and the agency identified three threats to them: network threats, end-system threats and cookie-harvesting threats.

Network threats result from the fact that cookies are transmitted in cleartext and can be spoofed or altered during the transfer. End-system threats relate to exploits, such as cookie information forgery and impersonation of other users. An attacker can also perform a cookie-harvesting attack by impersonating a legitimate site and collecting cookies from users, the report said.

“Much work is needed to make these next-generation cookies as transparent and user-controlled as regular HTTP cookies to safeguard the privacy and security aspects of consumers and business alike,” said Dr. Udo Helmbrecht, ENISA executive director.


© 2014 ExecutiveBiz. All rights reserved.