Saturday, March 5, 2011

ENISA: EU cyber security agency warns of new cookies risk

The EU’s cyber security agency ENISA has published a position paper on the security and privacy concerns regarding new types of online cookies.

The advertising industry has led the drive for new, persistent and powerful cookies, with privacy-invasive features for marketing practices and profiling.

The Agency recommends that both the user's browser and the origin server assist informed consent; that users should be able to manage their cookies easily; and that users should be provided with another service channel if they do not accept cookies.

The Agency recommends a thorough study of the different interpretations in the Member States once Directive 2009/136/EC has been implemented, by 25 May 2011.

The new Agency Position Paper identifies and analyses cookies in terms of security vulnerabilities and the relevant privacy concerns. Cookies were originally used to facilitate browser-server interaction.

Lately, driven by the advertising industry, they are used for other purposes, e.g. advertising management, profiling and tracking. The possibilities to misuse cookies both exist and are being exploited.

The new types of cookies support persistent user identification and lack transparency about how they are being used. Therefore, their security and privacy implications are not easily quantifiable.

The Executive Director of ENISA, Prof. Udo Helmbrecht, states:
“Much work is needed to make these next-generation cookies as transparent and user-controlled as regular HTTP cookies, to safeguard the privacy and security aspects of consumers and business alike.”
