On 26 May 2012, new European legislation that requires websites to obtain consent from visitors to store and retrieve information on their computers came into effect. This legislation, known colloquially as the "EU Cookie Law" is aimed at protecting user privacy on the web. In this article I shall explain what cookies are, why they are useful, and what privacy problems they can cause.
The Good
Ever since the web started getting more complex, the need for identifying a user on a website became greater. Any website that allows you to create a user account with a username and password needs a method of tracking your session from page to page, otherwise you would have to re-enter these details every time you click a link. Cookies solve this problem (and potential annoyance) by storing a session ID in your browser that can be sent to the website rather than your username and password.
A cookie is quite simply a small piece of data that a website can issue to your browser. When you visit a website, any cookies in your browser which are associated with that website are sent with your request. This not only allows for session management, but also features like virtual shopping baskets that you see on e-commerce websites. Without cookies, the web would be a very different (and frustrating) place.
Web browsers also implement their own rules for how cookies are accessed. Only the website that issued the cookie can access it (i.e. example1.com cannot access cookies created by example2.com), and a website can only create cookies for its own domain (i.e. example1.com cannot create cookies for example2.com). Additionally, cookies can be set to expire at a certain time, and this value can be overridden by the user.
The Bad
The problems with cookies start with so called "third-party cookies", which are cookies set by sites other than the site you are browsing. The same rules for access apply, but a cookie is set for the other site despite the fact that you may not have visited it. Third-party cookies do have their uses, as social media buttons (e.g. Facebook's "Like" and Google's "+1") use them so that you can share content quickly. However, they can also be used by other companies to track where you go on the web.
Advertising companies are always trying to increase their revenue, and people are more likely to click on adverts that are tailored to their interests. By using third-party cookies, an advertiser could track the sites that a user went to the most, and then use that information to create targeted adverts based on the content of those sites.
Obviously, this is a privacy issue, and the EU Cookie Law was written to try and prevent this kind of behaviour. Now, websites that use cookies will have to explain to users what their cookies are used for, as well as obtaining consent from users before issuing any.
The Ugly
Unfortunately, the problems don't end with third-party cookies, because with each new web technology that is developed, more methods become available for websites to store information on your computer. Flash (often used in advertising) has the ability to store data, and HTML5 has specific storage methods to help developers. Whilst there are legitimate uses for this storage, it can be used to track users as well, and it is harder to control from a user's perspective.
In 2010, security researcher Samy Kamkar developed the "evercookie", which uses many modern techniques to try and store data in your browser indefinitely. Since this could be used by advertisers as a loophole, the EU Cookie Law covers any method for storing data, not just standard cookies.
Of course, non-EU websites are not affected by the legislation, so users should still be wary of cookies on other sites. Disabling third-party cookies is a feature in most web browsers, and doing so will massively reduce the amount of tracking done by advertisers. Installing anti-tracker add-ons like Ghostery or Do Not Track Plus will stop trackers from even loading in your web browser.
