Is It Time The Cookies Crumbled…?
Firstly, what are browser cookies?
Imagine you're at your favourite coffee shop and you order a delicious cookie to go with your morning coffee.
The waiter brings you the cookie on a plate, but little did you know that they also put a tiny, invisible tracker on the plate.
Now, as you eat your cookie and enjoy every bite, the tracker is keeping an eye on you. It notices which parts of the cookie you like the most - picking out the chocolate chips, how quickly you're eating it, and even if you're sharing it with others.
That's basically what tracking browser cookies do on the Internet. They're little bits of code that websites use to track your browsing habits and behaviour whilst online. This includes collecting information about the websites you visit, the links you click, and the things you buy online.
Just like the sneaky tracker on your choc chip cookie plate, tracking cookies are invisible to the naked eye. But they're constantly collecting data about you and your online habits. And just like how the coffee shop might use that information to improve their menu or marketing strategies, websites use tracking cookies to improve their user experience or target you with ads.
Now, not all tracking cookies are bad. Some websites use them to remember your preferences or keep you logged in to your account. But others can be used by third-party advertisers to collect data about you and target you with personalised ads.
So next time you're browsing the web, remember there might be some sneaky tracking cookies keeping an eye on you!
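To make the first-party versus third-party distinction above concrete, here is an added example (not part of the original article) that classifies cookies by who set them and how long they last. The hostnames, cookie names and the `site_of` shortcut are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: (response URL, Set-Cookie header) pairs as they might be
# observed while loading the page below. All hosts and values are made up.
PAGE_URL = "https://www.shop.example/"
OBSERVED = [
    ("https://www.shop.example/", "session=9f2c; Path=/; Secure; HttpOnly"),
    ("https://www.shop.example/", "lang=en-GB; Max-Age=31536000; Path=/"),
    ("https://cdn.shop.example/app.js", "cache_hint=1; Max-Age=3600"),
    ("https://pixel.adnetwork.example/t.gif",
     "uid=7b1e44; Domain=adnetwork.example; Max-Age=63072000; Secure; SameSite=None"),
]


def site_of(host):
    """Assumption: the 'site' is the last two DNS labels.
    Browsers use the Public Suffix List instead (needed for e.g. co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def classify(page_url, observed):
    """Label each cookie first-/third-party and session/persistent."""
    page_site = site_of(urlsplit(page_url).hostname)
    report = []
    for url, header in observed:
        host = urlsplit(url).hostname
        name, attrs = parse_set_cookie(header)
        third_party = site_of(host) != page_site
        # No Max-Age/Expires means the cookie ends with the browser session.
        persistent = "max-age" in attrs or "expires" in attrs
        report.append({
            "cookie": name,
            "set_by": host,
            "party": "third-party" if third_party else "first-party",
            "lifetime": "persistent" if persistent else "session",
            # Long-lived cookies from another site are the ones worth reviewing.
            "tracking_candidate": third_party and persistent,
        })
    return report
```

Only the `uid` cookie from the constructed ad host is flagged; the login and language cookies set by the shop itself are the benign kind described above.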
How do scammers use these cookies?
So, unlike our friendly coffee shop, scammers have a different motivation when using cookies.
One way scammers exploit tracking cookies is by using them to create fake login pages for legitimate websites. For example, they might create a fake login page for a bank or an online shopping website. When you enter your login credentials into the fake page, the scammer can capture your username and password and use them to access your real account.
Tracking cookies can be used to make these fake login pages more convincing. They can track which websites you've visited and use that information to create a fake page that looks like the real website you've logged into before. The scammer can also use tracking cookies to collect information about your browsing history and use that information to make their scam more convincing.
Another way scammers leverage tracking cookies is by using them to create targeted phishing emails. They can use tracking cookies to collect information about you, such as your name and email address, and use that information to create an email that looks like it's from a legitimate company. The email might contain a link that takes you to a fake website where you're asked to enter your personal information or login credentials.
Tracking cookies can also be used to collect information about your online purchases and other activities, which scammers can use to target you with scams related to those activities. For example, if they see that you've recently purchased a new phone, they might send you an email offering a discount on a phone case or other phone accessory. If you click on the link and enter your personal information, they can use that information to steal your identity or access your bank account.
In general, scammers use tracking cookies to collect information about you and use that information to make their scams more convincing.
But surely the big guys - Google, Bing, and others - have our backs?
Well, you would hope so… We like Google, but let’s pick on them for a minute.
In 2012, Google was fined $22.5 million by the Federal Trade Commission (FTC) for cookie abuse. The FTC found that Google had placed advertising tracking cookies on the devices of Safari users, even though Safari's default settings were supposed to block such cookies.
As part of the settlement, Google was required to pay the $22.5 million fine and to disable the cookies it had placed on Safari users' devices. Google was also required to provide users with clear and prominent notice about its data collection practices and to obtain their consent before placing cookies on their devices.
In addition to the FTC settlement, Google has faced other fines and investigations related to its data collection practices. In 2019, for example, Google was fined €50 million ($57 million) by the French data protection authority for violating the GDPR's consent requirements for data processing. Google has also faced criticism and scrutiny from privacy advocates and lawmakers over its data collection practices.
More recently, French data protection regulator CNIL dished out a €150 million fine to Google for making it difficult to reject cookies yet easy to accept them. They also slammed Facebook with a €60 million fine for the same behaviours.
So how are we mere mortals protected?
There are several regulations in place to protect users from cookie abuse, including:
General Data Protection Regulation (GDPR)
The GDPR is a regulation by the European Union that gives users control over their personal data. It requires websites to obtain explicit consent from users before placing cookies on their devices and to provide clear information about what data is being collected and how it will be used.
California Consumer Privacy Act (CCPA)
The CCPA is a privacy law in California that gives users the right to know what personal information businesses collect about them and to opt out of the sale of that information. It also requires businesses to obtain opt-in consent from users before collecting data from their devices.
Children's Online Privacy Protection Act (COPPA)
COPPA is a U.S. law that applies to websites that collect data from children under the age of 13. It requires websites to obtain verifiable parental consent before collecting data from children and to provide clear information about what data is being collected and how it will be used.
The Digital Advertising Alliance's (DAA) Self-Regulatory Principles
The DAA is a consortium of advertising industry organisations that has developed a set of self-regulatory principles for online advertising. These principles require companies to provide users with clear information about the data being collected and to give them the option to opt out of receiving targeted ads.
Overall, these regulations are designed to give users more control over their personal data and to ensure that websites and advertisers are transparent about their data collection practices. Users can also take steps to protect themselves, such as:
Ok, so what does the future have in store?
It is unlikely that cookies will be completely phased out anytime soon, but there are ongoing discussions and initiatives to limit their use and improve your privacy.
Cookies are a fundamental part of how the Internet works, and they are used for a wide range of purposes, such as session management, authentication, and personalisation.
According to a blog by DAC Beachcroft, Google Chrome plans to phase out third-party cookies by 2024 and replace them with a new system called Privacy Sandbox, which is designed to enable targeted advertising while protecting user privacy.
In addition, there are other initiatives and technologies being developed to reduce the reliance on cookies and improve user privacy. For example, some websites are experimenting with alternatives such as server-side tracking, which uses server logs to track user behaviour instead of cookies.
Overall, cookies are likely to continue to play a role in how the Internet works, but their use will be more tightly regulated and limited to protect user privacy.
GoldPhish educates end-users on the cyber threat and helps build more secure organisations with awareness training and simulated phishing