ENISA Concern over ‘Bittersweet cookies’

February 25, 2011

ENISA has involved itself in what it describes as an advertising industry led drive for new, persistent and powerful cookies, with privacy-invasive features for marketing practices and profiling. ENISA suggests that both the user browser and the origin server must assist informed consent, and that users should be able to easily manage their cookies. The Agency recommends a thorough study of different interpretations in the Member States, once the Directive 2009/136/EC has been implemented, by 25 May 2011.

The new Agency Position Paper identifies and analyses cookies in terms of security vulnerabilities and the relevant privacy concerns. ENISA considers that where once cookies were used to facilitate browser-server interaction, they are now used for other purposes (e.g. advertising management, profiling, tracking), and that the potential to misuse cookies exists and is being exploited.

The focus of ENISA's concern is cookies that support user identification in a persistent manner and that lack transparency as to how they are being used. The security and privacy implications of such cookies are thus not easily quantifiable. To mitigate the privacy implications, the Agency recommends, among other things, that:

• Informed consent should guide the design of systems using cookies; both the use of cookies and the data stored in cookies should be transparent to users.

• Users should be able to easily manage cookies, in particular new cookie types. As such, all cookies should have user-friendly removal mechanisms that are easy for any user to understand and use.

• Storage of cookies outside browser control should be limited or prohibited.

• Users should be provided with another service channel if they do not accept cookies.

The Executive Director of ENISA, Professor Udo Helmbrecht, said ‘Much work is needed to make these next-generation cookies as transparent and user-controlled as regular HTTP cookies, to safeguard the privacy and security aspects of consumers and business alike’.