Let's talk Cookies

Types of Cookies

There are two main types of Cookies:

Session Cookies:

These are cookies that last for a session (from launch to the end of your time on a website). They are usually stored in a temporary memory location until your session ends. They store information such as the items in your shopping cart until you checkout.

Persistent Cookies:

Unlike session cookies, these cookies remain even after the session ends. They store information such as your login details & language preferences.

We also have:

First party Cookies:

These cookies are created and controlled by the website itself. It is usually considered less privacy invasive because they are only used to track activity on the website they are associated with.

Third party Cookies:

Ever wonder why you searched for a pair of shoes online and now you’ve logged into your Instagram and see the same pair of shoes being advertised to you? I know I certainly have, and this is usually the work of third party cookies. As the name implies, they are cookies generated by websites other than the one you’re visiting. They let advertisers or analytics companies track an individual's browsing history across the web.

Essential (Strictly Necessary) Cookies:

These are cookies that are essential for the website to function properly. Without them, the website wouldn’t work.

Why are Cookie Pop-ups so Popular?

To cut the story really short, the introduction of two laws - the General Data Protection Regulation (GDPR) & e-Privacy Directive made companies scramble to introduce Cookie pop-ups to avoid non-compliance with the laws. The GDPR reads in Recital 30 -

‘‘Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.’’

This simply means that if Cookies can be used to identify a person, they qualify as personal data and, are subject to the GDPR. As such, all websites must ensure that users have the right to manage their cookie settings and make informed decisions about their online privacy preferences. Users can also review website privacy policies to understand how their data is collected, used, and shared, and make informed decisions about accepting cookies based on their privacy preferences and concerns.

Cookies & Cybercrimes

Cookies are an important tool that can give businesses a great deal of insight into their users’ online activities. They also play a crucial role in website analytics, marketing, and monetization strategies as they allow websites to track user interactions, measure website performance, and deliver targeted advertising based on user interests.

However, they can pose dangers to user privacy and security. They can also be a target for malicious actors seeking to hijack user accounts or perform unauthorized actions.

Cybercriminals can use them to impersonate you online and thereby gain access to your accounts. By hiding code in stolen cookies, cybercriminals can also spread malware and manipulate you into visiting malicious websites.

Lets take a look at some of the ways cookies can be misused:

Session Hijacking: Attackers may steal session cookies while an authorized user is logged in in order to gain access to their accounts. By stealing session cookies, attackers can bypass authentication mechanisms and perform actions on behalf of the victim, such as sending messages, making purchases, or accessing sensitive information.

Cross-Site Scripting (XSS): XSS attacks can install dangerous codes into websites, which may then set or misuse cookies on the user’s browser. These malicious cookies can be used to steal private data, such as login information when the user interacts with the compromised website.

Cross-Site Request Forgery: CSRF also known as one-click attack or session riding. It is a malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts. Attackers may use cookies to forge HTTP requests that appear to originate from the user’s browser, allowing them to perform actions such as transferring funds, changing account settings, or submitting forms without the user’s consent.

Tracking and Profiling: Cookies can be used by advertisers and data brokers to track users online behavior and build profiles of their interests, preferences, and habits. This information can then be used for advertisement targeting, identity fraud, and private data theft. In some cases, companies may share this data with third parties, which can further extend the reach of tracking activities beyond what the user intended.

Phishing: While not directly related to cookies, phishing attacks often exploit user trust and deception to trick individuals into providing their login credentials voluntarily. Attackers may use cookies to personalize phishing emails or fake websites to appear trustworthy and successfully make users fall for the scam.

Protecting Yourself

To reduce these risks, there are various security measures you can take to manage your cookie settings:

Clearing Cookies: Cookies can be cleared from your web browser by accessing the settings menu. By doing this frequently, any installed tracking cookies that may have been stored on your device will be removed. This can help mitigate risks of privacy breaches.

Reviewing Privacy Policies: Research shows that the vast majority of internet users do not read terms of service or privacy policies and to be honest, I am guilty of this too but taking the time to review the privacy policies of websites you visit to understand how they collect, use, and share your data, including information about cookies and tracking technologies is a great security measure.

Opt Out of Tracking: Don’t just automatically ‘‘Accept all’’. You have the option to opt out of non-essential cookies so look out for privacy banners and and follow the instructions to opt out of data collection and tracking.

Be Vigilant: Avoid clicking on suspicious links or downloading files from untrusted sources.

Lastly, stay informed about emerging threats to online privacy and adhere to best practices for protecting your personal information online and as a general rule of thumb, be cautious when sharing sensitive information online.

While cookies themselves are not inherently malicious, they can be used in ways that raise privacy concerns, particularly when combined with other tracking technologies or data collection methods.

IYANUOLUWA ALARAPE

AI | DIGITAL TRANSFORMATION | CYBERSECURITY

Iyanuoluwa is a Nigerian-qualified lawyer with a strong interest in digital privacy, data protection, and regulatory compliance. She currently works as a Senior Generative AI Business Analyst, where she leverages her expertise to drive digital transformation initiatives across diverse regions including the UK, Ireland, Bulgaria, and India. Her work centers on the strategic integration of AI technologies within complex, large-scale organizations.

Passionate about the intersection of law, technology, and ethics, Iyanuoluwa actively explores topics such as artificial intelligence, data privacy, and cybersecurity. In her spare time, she writes thought pieces aimed at simplifying digital rights and promoting responsible tech adoption.