09 April 2014


Posts relating to the category tag "cookies" are listed below.

09 April 2014

Third-Party Tracking Cookie Revelations

A new draft paper describes how the capture of tracking cookies in transit can be used for mass surveillance and, where other personal information is leaked by web sites, can build up a wider picture of a person's real-world identity.

Title page from 'Cookies that give you away: Evaluating the surveillance implications of web tracking'

Dillon Reisman, Steven Englehardt, Christian Eubank, Peter Zimmerman, and Arvind Narayanan at Princeton University's Department of Computer Science investigated how someone with passive access to a network could glean information from observing HTTP cookies in transit. The authors explain how pseudonymous third-party cookies can be tied together without having to rely on IP addresses.

Then, given personal data leaking over non-SSL (plain HTTP) content, this can be combined into a larger picture of the person. The paper assessed what personal information is leaked from Alexa Top 50 sites with login support.

This work is likely to attract the attention of privacy advocates and regulators, leading to increased interest in cookies and other tracking mechanisms.

The research work was motivated by two leaked NSA documents.

Posted on: 09 April 2014 at 10:02 hrs


09 November 2013

It's Not Just Cookies!

Shock horror! It is possible to track users without using cookies!

Cookie-replacement tracking technology would be subject to same 'cookie law' rules

It is news to some people apparently. There is a good write-up on Out-Law.com. Unsurprisingly the people who insisted on calling it a "cookie law" feel threatened; the concern is tracking of course, not what method is used.

Hopefully this is not news to readers of the posts here about the relevant legislation, guidance and issues.

Posted on: 09 November 2013 at 08:56 hrs


29 May 2012

Cookies Etc Law v3

The Information Commissioner's Office (ICO) has updated its guidance relating to the use of tracking technologies under changes to the UK's Privacy and Electronic Communications Regulations (PECR), which came into force last year but which only began to be enforced last Saturday, 26th May 2012.

Implied consent is certainly a valid form of consent but those who seek to rely on it should not see it as an easy way out or use the term as a euphemism for "doing nothing".

Version 3 is an update to the version issued last December, and provides further information on "implied consent". The guidance is accompanied by a blog posting and video presentation.

Posted on: 29 May 2012 at 20:09 hrs


18 May 2012

Client-Side Storage in HTML5

Client-side, or local, storage is an area of concern for privacy and security. Therefore I was keen to attend the latest meeting of the London Web Performance Group titled HTML5 and Localstorage - Storage in the Browser at the Lamb Tavern (building c1780, but on the same site since 1309) in Leadenhall Market on Wednesday evening.

Photograph of many drawers in a filing cabinet labelled with journal dates

I almost changed my mind as I was also tempted to attend another local event on the same evening about NoSQL for Java Developers. Anyway I was very pleased I went to the client-side storage event, but it was so well-attended I almost did not have a seat. As usual, Stephen Thair (@TheOpsMgr) had done a great job organising the event.

Andrew Betts (@triblondon) described his experiences developing HTML5 applications for mobile devices, avoiding native code whenever possible, so that content could be available when the device is offline or in poor signal areas by using client-side storage. He described the pros and cons of using HTTP cookies, Indexed Database API (IndexedDB), Web SQL Database (WebSQL), local storage (key/value store) and Application Cache (or AppCache). The answer to which of these to use turned out to be "all of them". Andrew described how the FT.com application makes use of each type's advantages, combining them into a responsive and network-robust application suitable for the most frequent and demanding of users. Thus cookies are used for session management, AppCache for a default fallback page, local storage for static content such as HTML scaffolding, JavaScript and style sheets, and IndexedDB/WebSQL for the HTML content of pages. In this way they manage to fit the application into the HTML5 storage constraints imposed by different operating systems.

He explained many of the techniques used to circumvent mobile network and device-specific issues, but also explained how they managed to squeeze extra storage by packing content held as ASCII or base64 encoded data into JavaScript's UTF-16 double-byte encoding, two bytes per character, so that a quota counted in characters holds roughly twice as much. It is a very clever piece of optimisation, which could also be used for code obfuscation. Details are in the presentation slides.
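The packing trick described above, as an added example that is not FT.com's code: two 7-bit ASCII bytes (for instance base64 text) are stored in each UTF-16 code unit, and an odd-length input is marked with a low byte of 0xFF, which can never occur in ASCII. The assumption that the storage quota is counted in characters rather than bytes is what makes the halving worthwhile; on an engine that counts bytes it buys nothing.

```javascript
'use strict';

// Added example, not FT.com's code. Packs a string of 7-bit ASCII (e.g. base64
// text) into half as many UTF-16 code units: each output unit carries two input
// bytes, the first in the high byte and the second in the low byte. Because
// both input bytes are below 0x80, no output unit ever lands in the surrogate
// range 0xD800-0xDFFF, so the result is a well-formed string that a storage
// API which counts characters (an assumption about the quota model) holds at
// roughly twice the density.
const PAD = 0xff; // low-byte marker for an odd-length input; never a valid ASCII byte

function packAscii(text) {
  const units = new Array(Math.ceil(text.length / 2));
  for (let i = 0, j = 0; i < text.length; i += 2, j++) {
    const hi = text.charCodeAt(i);
    const lo = i + 1 < text.length ? text.charCodeAt(i + 1) : PAD;
    if (hi > 0x7f || (lo > 0x7f && lo !== PAD)) {
      throw new RangeError('packAscii: input must be 7-bit ASCII');
    }
    units[j] = (hi << 8) | lo;
  }
  // Build in chunks: String.fromCharCode(...units) on a megabyte-sized array
  // would exceed the engine's argument limit.
  const CHUNK = 8192;
  let out = '';
  for (let k = 0; k < units.length; k += CHUNK) {
    out += String.fromCharCode.apply(null, units.slice(k, k + CHUNK));
  }
  return out;
}

function unpackAscii(packed) {
  const chars = [];
  for (let i = 0; i < packed.length; i++) {
    const unit = packed.charCodeAt(i);
    chars.push(String.fromCharCode(unit >> 8));
    const lo = unit & 0xff;
    if (lo !== PAD) chars.push(String.fromCharCode(lo));
  }
  return chars.join('');
}

// Bytes -> base64 -> packed string, the route for binary content such as
// images. Uses Node's Buffer; in a browser btoa() on a binary string does the job.
function packBytes(bytes) {
  return packAscii(Buffer.from(bytes).toString('base64'));
}

function unpackBytes(packed) {
  return new Uint8Array(Buffer.from(unpackAscii(packed), 'base64'));
}

// Storage cost report: how many code units a value occupies before and after packing.
function storageCost(text) {
  const packed = packAscii(text);
  return { before: text.length, after: packed.length, ratio: packed.length / text.length };
}
```

Anything stored this way must be unpacked before use, so the packed form is opaque to anyone reading the storage area directly; that is the code obfuscation side effect mentioned above, and it is also why an audit of what a site keeps client-side cannot rely on grepping the raw values.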

I think users of client storage will have to be careful if it might be determined to be tracking technology. In the FT.com application case, this client storage is not offered to casual web site users, but only to those who have installed the app, are registered and log in. Thus there are opportunities to obtain consent, over and above any warning the device may offer. We are expecting to hear more about the ICO's plans for enforcement of the new regulations at a press conference this morning. Other HTML5 security issues are of course still a concern here. I was slightly troubled by one feature mentioned.

The presenter's slides are now available.

Posted on: 18 May 2012 at 09:05 hrs


12 March 2012

Cookie Spring Madness

It's not just lambs that are bouncing around madly this March.

Photograph of several young lambs enjoying the sun in Northumberland

The UK's Information Commissioner's Office (ICO) kindly gave a period of grace to allow organisations to align their operations with the guidance concerning updates to the UK Privacy and Electronic Communications Regulations (PECR). The 26th May 2012 is not far away now.

Although guidance has been available since May 2011, with an update issued in December, it seems many organisations have not done anything, or are unsure what to do, or do not know what is required. In a blog post last week on E-Consultancy.com, the replies to EU Cookie Law: Three Approaches to Compliance give an air of desperation and a feeling that no-one wants to jump first.

Some of the comments are reasoned and practical, but there seems to have been much denial, and a need to place the blame somewhere else (Europe?), instead of proactively complying with the law, and helping individuals to protect their privacy. The comments from Lord Manly, Mike O'Neill, Carlton Jefferis and Russ add some welcome sanity to the hysteria.

Of the three suggestions made in the blog post for gaining compliance, none suggest avoiding the use of tracking technologies. And of course, it isn't just cookies, despite the headlines. As mentioned previously, technologies include:

  • HTTP cookies
  • Local Shared Objects (LSO) i.e. Flash cookies
  • userData in DHTML Behaviors
  • data in a Google Gears database
  • data in an Indexed Database API
  • local data storage in mobile applications
  • HTML5 storage

...and anything similar that exists now or in the future.

I think the time to lobby is well past, and the time for action is about to run out. There are services/products that address some of the issues, but to do this properly in a way that covers all similar technologies probably requires building greater consideration of the issues into your own development and change control processes. Post-implementation sticky tape won't really do.

From May 2012, the ICO will be "accepting complaints" from users, and will then contact web site owners to ask them to respond to the complaint and explain what steps they have taken to comply with the regulations.

Posted on: 12 March 2012 at 08:36 hrs


27 December 2011

Guide to HTML5 Web Security

Further to my previous notes about HTML 5 security, a superb reference document was published earlier this month.

An extract from a page in Michael Schmidt's document HTML5 Web Security showing how HTML5 vulnerabilities and attacks are described and illustrated in diagrammatic form

Michael Schmidt (Compass Security) wrote his master's thesis about HTML5 security in May 2011 and has published an extract for everyone to access.

HTML5 Web Security describes issues, vulnerabilities, threat & attack scenarios and countermeasures across 80 pages including numerous well thought-out diagrams, and is backed up with detailed references and an appendix full of attack details.

The main sections are:

  • 2.2 Cross-origin resource sharing
  • 2.3 Web storage
  • 2.4 Offline web application
  • 2.5 Web messaging
  • 2.6 Custom scheme and content handlers
  • 2.7 Web sockets API
  • 2.8 Geolocation API
  • 2.9 Implicit relevant features of HTML5
    Web workers, new elements, attributes and CSS, Iframe sandboxing and server-sent events

If you are already developing HTML, or planning to, read this document as soon as possible and update your requirements documents, specifications, design documents, coding standards, and test plans to incorporate the knowledge.

The document would be worth buying if it were a book, but it has generously been made available publicly. Yes, I am still reading the document, and so far have only one very minor complaint — it would be good to have a content list. Maybe in version 1.1?

Posted on: 27 December 2011 at 09:07 hrs


13 December 2011

Updated and Improved Guidance on Use of Cookies, Etc.

The UK's data protection authority, the Information Commissioner's Office (ICO), has updated its previous guidance on the use of cookies and similar tracking technologies under the revised Privacy and Electronic Communications Regulations, which came into force on 26th May this year.

Cover from the ICO's updated 'Guidance on the Rules on use of Cookies and Similar Technologies'

In a press release today, organisations were warned they are not doing enough during the lead-in period to formal enforcement.

The updated Guidance on the Rules on use of Cookies and Similar Technologies provides concrete advice and practical guidance on the legal requirements, their interpretation and what are considered acceptable practices. The guidance was issued as a result of a review of progress to date which shows a lack of knowledge and action from web site owners. Of most concern are likely to be persistent cookies, cookies issued by third parties, cookies issued as soon as a user visits a web site, cookies used for any sort of profiling, and cookies which span multiple website hostnames or multiple domains.

If you have any analytics, advertising, tracking or content provision by third party web sites, beware — you may just find the terms and conditions of service state you are responsible for obtaining and managing consent.

If you are a web site owner, take note and act now, if you have not already done so. From May 2012, the ICO will be accepting complaints from users, and will then contact web site owners to ask them to respond to the complaint and explain what steps they have taken to comply with the regulations. Therefore, document what you are doing and the decisions taken.
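A starting point for the documentation the guidance asks for is an inventory of what a first visit actually sets. The following is an added example, not the ICO's or this site's code: it parses the Set-Cookie headers observed while a page loads and tags each cookie with the concerns listed above (persistent, third party, set before any consent, spanning hostnames), plus the Secure and HttpOnly attributes a security review checks anyway. The responses are constructed, and the two-label "site" reduction is a deliberate simplification that a real audit would replace with the Public Suffix List.

```javascript
'use strict';

// Added example (not the ICO's or the blog's code): classify the Set-Cookie
// headers seen during a first visit to a page against the concerns the
// guidance singles out. The sample responses below are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }; attribute
// names are lower-cased and flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq < 0 ? pair : pair.slice(0, eq)).trim();
  const value = eq < 0 ? '' : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const [k, ...rest] = part.split('=');
    const key = k.trim().toLowerCase();
    if (!key) continue;
    attrs[key] = rest.length ? rest.join('=').trim() : true;
  }
  return { name, value, attrs };
}

// Reduce a hostname to its last two labels as a stand-in for the registrable
// domain. Simplification (assumption): a real audit should use the Public
// Suffix List so that names under e.g. co.uk are not treated as one site.
function siteOf(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Audit one cookie. Findings mirror the guidance's list (persistent, third
// party, set before consent, spanning hostnames) plus the transport and
// script-access attributes a security reviewer checks.
function auditCookie(pageHost, responseHost, header, consentGiven) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (attrs.expires !== undefined || attrs['max-age'] !== undefined) findings.push('persistent');
  if (siteOf(responseHost) !== siteOf(pageHost)) findings.push('third-party');
  if (!consentGiven) findings.push('set-before-consent');
  if (typeof attrs.domain === 'string' &&
      attrs.domain.replace(/^\./, '').toLowerCase() !== responseHost.toLowerCase()) {
    findings.push('spans-hostnames');
  }
  if (attrs.secure !== true) findings.push('no-secure');
  if (attrs.httponly !== true) findings.push('no-httponly');
  return { name, from: responseHost, findings };
}

function auditResponses(pageHost, responses, consentGiven = false) {
  return responses.map(r => auditCookie(pageHost, r.host, r.setCookie, consentGiven));
}

// Cookies that need a documented consent decision, as opposed to ones that
// may qualify as strictly necessary (that judgement is still a human one).
function needsConsentReview(audit) {
  return audit.findings.some(f => f === 'persistent' || f === 'third-party' || f === 'spans-hostnames');
}

// Constructed sample: three responses observed while loading a page on
// www.example.com with no consent yet recorded.
const SAMPLE_PAGE_HOST = 'www.example.com';
const SAMPLE_RESPONSES = [
  { host: 'www.example.com', setCookie: 'ASP.NET_SessionId=abc123; path=/; HttpOnly' },
  { host: 'www.example.com', setCookie: '_ga=GA1.2.1; Expires=Thu, 01 Jan 2015 00:00:00 GMT; Path=/; Domain=.example.com' },
  { host: 'ads.tracker-example.net', setCookie: 'uid=xyz; Max-Age=31536000; Domain=.tracker-example.net; Path=/' },
];

function sampleAudit() {
  return auditResponses(SAMPLE_PAGE_HOST, SAMPLE_RESPONSES);
}
```

Run against the sample, the session cookie comes back with only the consent-timing and Secure observations, while the analytics and advertising cookies collect the persistent, cross-hostname and third-party tags that the guidance says need a recorded decision. Keeping the output of such a run alongside the decision taken for each cookie is exactly the paper trail the ICO is asking for.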

Posted on: 13 December 2011 at 15:21 hrs


27 July 2011

Opinion 15/2011 on the Definition of Consent

In May, the UK's Information Commissioner's Office (ICO) published its initial guidance on how cookies and similar technologies that store information on users' devices should be deployed (see my previous posts here, here and here). The European Union's Article 29 Working Party has now published its own views concerning obtaining consent.

If it is correctly used, consent is a tool giving the data subject control over the processing of his data. If incorrectly used, the data subject's control becomes illusory and consent constitutes an inappropriate basis for processing.

The working party's Opinion 15/2011 (WP 187) suggests that prior consent will always be required and this may mean that the ICO will need to update its own current guidance and enforcement guidelines.

Although the working party's opinion is quite a long document, if you are considering how to build consent for cookies, etc into your future web product development plans (e.g. web sites, mobile apps, social networking activities, e-commerce and f-commerce), it is worth the read.

They emphasize the need to obtain unambiguous explicit consent before any personal data processing can occur, and to be able to subsequently prove this was given. This does not affect mechanisms "strictly necessary" for the provision of the service as discussed before about session cookies. The examples included in the text add some realism to the intent of the opinion, and it is likely the recommendations will form part of future updates to EU legislation.

And remember not to lose sight of the other data protection principles. Obtaining consent does not negate the controller's obligations for fairness, necessity, proportionality, security and data quality.

Posted on: 27 July 2011 at 08:36 hrs


31 May 2011

Session Management Cookies and New UK Cookie Regulations

Further to the recent guidance and announcement of enforcement plans, the first demonstration of what this might entail for web sites which undertake user-tracking or store user data, has been revealed.

On 26 May 2011, the rules about cookies on websites changed... I accept cookies from this site.

The UK Information Commissioner's Office (ICO) uses up to six cookies on its own web site (four relating to Google Analytics). Alexis Fitzgerald discusses the implementation in his Web Application Security - From The Start blog. There is no cookie to say you have opted out of accepting cookies — which is good — but for now the site does leave that rather annoying message at the top of every page, which persists in the print version too. Giving consent also sets a cookie "ICOCookiesAccepted".

I see the ICO has stated the session identifier "ASP.NET_SessionId" is an "essential site cookie". It is set by default as soon as you visit the site, and thus presumably is exempt from the regulations for consent due to being "strictly necessary for the provision of an information society service". Take note.

Well, many web sites manage not to use session identifiers except in a subset of the site, such as for authentication and authorisation checks in areas limited to certain users. I wonder whether there is any functionality on the ICO web site which really requires this session cookie to work?

Putting that aside, the cookie is "session-only" and should be destroyed when the browser is closed. But some web browsers are not routinely closed, and this would leave evidence that the site had been visited. In the case of the ICO web site, it would almost always be an insignificant matter, but there could be situations when even accessing this site might be deemed unacceptable or suspicious, leading to some sort of potential harm to an individual. Other web sites are likely to copy the ICO approach, so it is interesting the ICO has not removed the need for a session identifier cookie for general site browsing.

My baseline tips for cookies used for session management would be:

  • Have only one session management cookie if possible
  • Ensure session management cookie(s) expire automatically
  • Destroy sessions server-side once they have expired, or when their use is no longer required, and after a fixed time period
  • Do not store any personal data or business data in the cookie value — just store a long highly-random, difficult to predict identifier which has some meaning server-side
  • Restrict session cookie scope to the site's particular domain and URL path
  • Set the HttpOnly cookie attribute and, if SSL is used, the Secure (SSL-only) cookie attribute
  • And preferably, limit where session identifiers are required (i.e. not the whole site)

These are just a starting point. If the session management cookie is part of authentication processes, there are further recommendations for implementation.

No doubt, additional advice on the new cookie regulations and standard practices will be forthcoming in due course. Of course, the ICO could have removed client-side web analytics completely, reducing the number of cookies to one (and this may not really be required either).

Posted on: 31 May 2011 at 12:41 hrs


26 May 2011

Cookies, Etc - Enforcement Guidelines

As mentioned previously, the new UK regulations on cookies, etc came into force today, 26th May 2011.

Photograph of a sign on a garden wall with the words 'Strictly Private' in white letters on a bright blue background - there is a convex mirror mounted on the wall above

The Information Commissioner's Office (ICO) announced yesterday that web site owners will have up to a year to comply with the law. The ICO also published guidance on its approach to enforcing the new rules and its other powers under the revised Privacy and Electronic Communications Regulations (PECR), which are subject to its own Data Protection Regulatory Action Policy.

Posted on: 26 May 2011 at 14:41 hrs


Cookies : Application Security and Privacy

Page https://www.clerkendweller.uk/cookies
© 2008-2015 clerkendweller.uk