The EU’s ‘cyber security’ agency ENISA has published a position paper on the security and privacy concerns regarding new types of online “cookies”.

ENISA said the advertising industry has led the drive for new, persistent and powerful cookies, with privacy-invasive features for marketing practices and profiling. The agency advocates that both the user browser and the origin server must assist informed consent, and that users should be able to easily manage their cookies.

The new agency position paper identifies and analyses cookies in terms of security vulnerabilities and the relevant privacy concerns. Cookies were originally used to facilitate browser-server interaction. Lately, driven by the advertising industry, they are used for other purposes; e.g. advertising management, profiling and tracking. The possibilities to misuse cookies both exist and are being exploited.

The new types of cookies support persistent user identification and are not sufficiently transparent about how they are being used. Therefore, their security and privacy implications are not easily quantifiable.

To mitigate the privacy implications, the Agency recommends, among other things, that:

• Informed consent should guide the design of systems using cookies; the use of cookies and the data stored in cookies should be transparent for users.

• Users should be able to easily manage cookies, in particular new cookie types. As such, all cookies should have user-friendly removal mechanisms which are easy to understand and use by any user.

• Storage of cookies outside browser control should be limited or prohibited.

• Users should be provided with another service channel if they do not accept cookies.

“Much work is needed to make these next-generation cookies as transparent and user-controlled as regular HTTP cookies, to safeguard the privacy and security aspects of consumers and business alike,” admitted Udo Helmbrecht, executive director of ENISA. EU member states must transpose an EU directive related to these cookies into national law by May 25 2011.

www.enisa.europa.eu
