What is a cookie?

A cookie is a mechanism for remembering information between page views. HTTP itself has no memory of previous requests, so without cookies a website could not tell that you are logged in, that you have visited before, or what your personal preferences are.

In reality, a cookie is a small piece of text (a name and a value, plus a few attributes such as an expiry date) which the user’s browser stores and sends back with later requests to the site that set it. A cookie contains only data, not code, so it can’t by itself be a virus or spyware. This doesn’t mean that all cookies are harmless in intent, but they can only ever store information. One caveat for site owners: the user’s browser controls what a cookie contains, so a server that trusts a cookie value without validating it can still be attacked through it.

A cookie remembers information about a specific website. For example, a site might set a cookie named fontsize with the value large (the server sends it in a Set-Cookie response header, and the browser returns it in the Cookie request header on later visits):

fontsize=large

This information is restricted to a specific domain, which is normally the host that set the cookie, e.g.

www.silktide.com

This domain restriction prevents one website from reading another’s cookies. However there are ways that websites can share information anyway, as we’ll see.

Session cookie

A session cookie is one set without an expiry date. It is meant to be discarded when the user closes their browser, and sometimes just after a certain period of time has elapsed (for example, on mobile devices, where the concept of ‘closing your browser’ is less relevant). Note that browsers with a ‘restore previous session’ or ‘continue where you left off’ option keep session cookies across restarts, so closing the browser does not guarantee a session cookie is gone.

Session cookies are therefore ideal to remember, for example, whether a user has logged in to a website. When they close their browser they are automatically logged out. They are usually considered relatively unobtrusive from a privacy perspective.

Persistent cookie

A persistent cookie has an explicit expiry date, for example one year after it was set. It is not cleared when the user closes their browser, only when it expires or the user deletes it.

A common use of a persistent cookie is the “Keep me logged in” box found beneath many login areas. For this to work, the cookie must survive the user closing their browser, so it has to be persistent rather than a session cookie.

However persistent cookies are also used to track users in unexpected ways. For example, if you visit Google they give you a unique cookie to track you with. They can then use this cookie to recognise and link your behaviour between their many sites – they might for example know what you search for, what websites you visit etc. They can then use this information to target advertising at you on those same sites.

First party cookies

A first party cookie is set by the domain of the website you are viewing and is only sent back to that domain. For example, if you were visiting www.silktide.com, a first party cookie would only be readable by pages on www.silktide.com (or, if the site explicitly scopes the cookie to silktide.com, by its other subdomains as well).

Third party cookies

A third party cookie is set by a domain other than the one the user is visiting. For example, if a user visits www.example-one.com, a third party cookie might be set by www.example-analytics.com. Now if the user visits www.example-two.com, this website could also use the third party cookie set by www.example-analytics.com. In effect, the user is recognised between sites.

The reality is more complex. In this example neither www.example-one.com nor www.example-two.com can actually read the cookie; only www.example-analytics.com can. The tracking works because the user’s browser sends that cookie with every request to www.example-analytics.com, whichever website embedded the request. However there is nothing stopping www.example-analytics.com from collecting information in this way and sharing it with others, including the other two websites.

Third party cookies are most commonly used for tracking users by advertising networks, search engines and social media sites. For something like the Facebook Like button to work on websites other than Facebook’s, third party cookies are essential. However, because they allow tracking between websites that a user may not expect, they are generally frowned upon by privacy advocates.
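The following is an added example, not code from the original page or from Silktide: a small model of how a browser stores cookies and decides which ones to send, covering the domain restriction, session versus persistent cookies, the first-party/third-party distinction, and the “block third party cookies” setting discussed in the next section. The hostnames are the page’s own illustrative ones; the cookie names, values and dates are constructed for the example. Path, Secure, HttpOnly, SameSite and the Public Suffix List are deliberately left out, and the `siteOf` helper is a simplification that real browsers do not use as-is.

```javascript
// Added example (not the page's or Silktide's code): a toy model of browser
// cookie handling. Hostnames are the page's illustrative ones; cookie names,
// values and dates are constructed. Path, Secure, HttpOnly, SameSite and the
// Public Suffix List are deliberately omitted.

// Parse one Set-Cookie header value sent by setterHost.
function parseSetCookie(header, setterHost, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: setterHost.toLowerCase(), // default: a "host-only" cookie
    hostOnly: true,
    expires: null, // null = session cookie (no Expires/Max-Age)
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=').map((s) => s.trim());
    switch (key.toLowerCase()) {
      case 'domain': {
        // Only honoured when the setting host lies within that domain.
        const d = val.replace(/^\./, '').toLowerCase();
        if (cookie.domain === d || cookie.domain.endsWith('.' + d)) {
          cookie.domain = d;
          cookie.hostOnly = false;
        }
        break;
      }
      case 'max-age': // takes precedence over Expires
        cookie.expires = now + Number(val) * 1000;
        break;
      case 'expires':
        if (cookie.expires === null) cookie.expires = Date.parse(val);
        break;
    }
  }
  return cookie;
}

// Does a stored cookie apply to a request to `host`?
function domainMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}
// Simplification: the "site" is the last two DNS labels (browsers use the
// Public Suffix List). A request is third-party when the host answering it is
// a different site from the one in the address bar.
function siteOf(host) { return host.split('.').slice(-2).join('.'); }
function isThirdParty(requestHost, topLevelHost) { return siteOf(requestHost) !== siteOf(topLevelHost); }

class CookieJar {
  constructor({ blockThirdParty = false } = {}) { this.cookies = []; this.blockThirdParty = blockThirdParty; }
  // Store a Set-Cookie received from requestHost while viewing topLevelHost;
  // returns false if the browser's policy refused it.
  store(header, requestHost, topLevelHost, now) {
    if (this.blockThirdParty && isThirdParty(requestHost, topLevelHost)) return false;
    const c = parseSetCookie(header, requestHost, now);
    this.cookies = this.cookies.filter((o) => !(o.name === c.name && o.domain === c.domain));
    this.cookies.push(c);
    return true;
  }
  // Names of the unexpired cookies a request to requestHost would carry.
  cookiesFor(requestHost, topLevelHost, now) {
    if (this.blockThirdParty && isThirdParty(requestHost, topLevelHost)) return [];
    return this.cookies
      .filter((c) => domainMatches(c, requestHost) && (c.expires === null || c.expires > now))
      .map((c) => c.name);
  }
  // Closing the browser discards session cookies; persistent ones survive.
  closeBrowser(now) { this.cookies = this.cookies.filter((c) => c.expires !== null && c.expires > now); }
}

// The scenarios from the text, returning what each request would send.
function demo() {
  const now = Date.UTC(2012, 0, 1);
  const jar = new CookieJar();
  jar.store('fontsize=large', 'www.silktide.com', 'www.silktide.com', now); // session, first party
  jar.store('remember_me=abc123; Max-Age=31536000; Domain=silktide.com', // persistent, all subdomains
    'www.silktide.com', 'www.silktide.com', now);
  jar.store('uid=tracker-42; Max-Age=31536000', // persistent, third party (set while on example-one)
    'www.example-analytics.com', 'www.example-one.com', now);
  const r = {};
  r.silktide = jar.cookiesFor('www.silktide.com', 'www.silktide.com', now);
  r.subdomain = jar.cookiesFor('blog.silktide.com', 'blog.silktide.com', now);
  r.otherSite = jar.cookiesFor('www.example-one.com', 'www.example-one.com', now);
  r.tracked = jar.cookiesFor('www.example-analytics.com', 'www.example-two.com', now); // recognised again
  jar.closeBrowser(now);
  r.afterClose = jar.cookiesFor('www.silktide.com', 'www.silktide.com', now);
  r.afterYear = jar.cookiesFor('www.silktide.com', 'www.silktide.com', now + 31536000 * 1000 + 1); // a year on
  const strict = new CookieJar({ blockThirdParty: true });
  r.blockedStore = strict.store('uid=tracker-42', 'www.example-analytics.com', 'www.example-one.com', now);
  return r;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the behaviour the text describes: www.silktide.com receives both of its cookies, a sibling subdomain receives only the one scoped to silktide.com, an unrelated site receives nothing, and the analytics host receives the same uid whichever site embedded it. After the simulated browser close only the persistent cookies remain, and with third party cookies blocked the tracking cookie is never stored at all.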

How browsers control cookies

All major browsers provide security controls for cookies. Generally these allow users to choose to block all cookies, to only allow specific cookies, or to block third party cookies.

The older cookie standards (RFC 2109 and RFC 2965) said that by default browsers should not send cookies to third parties; their successor, RFC 6265, dropped that requirement and simply documents what browsers actually do. In practice almost all browsers permit third party cookies. Internet Explorer is the exception worth knowing about: it blocks them unless the website setting the cookie sends a P3P policy, a simple machine-readable statement of what your website’s privacy policy is. Other browsers ignore P3P entirely, and even Internet Explorer does not verify the policy, so it can be empty or meaningless and the third party cookie is accepted regardless.

For example, this is the P3P header Facebook sends, with a plain-English sentence where the compact policy tokens would normally go:

P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"

Browsers permit third party cookies by default largely because failing to do so would appear to ‘break’ the browser in the eyes of most users.

The law doesn’t just mean cookies

The law isn’t actually about cookies, but because it affects them so much people have started calling it the ‘Cookie Law’. It is actually about all technologies which store information in the “terminal equipment” of a user, so that includes so-called Flash cookies (Local Shared Objects), HTML5 Local Storage, Silverlight isolated storage and more.

In fact, the law appears to frown even more on these alternatives to cookies, because users are even less likely to understand them, and may incorrectly assume that they can opt out of them via traditional browser controls:

“Therefore, since flash cookies cannot be as simply deleted as other third party cookies (whether by browser setting or manually) they circumvent the user’s personal browser settings and therefore also circumvent the consent issue, i.e. article 5.3 of the e-Privacy Directive becomes applicable. The same goes for other devices, such as HTML5 techniques, Java API, Silverlight or similar technique.”

For simplicity we refer to cookies throughout this book, but this meaning extends to all equivalent technologies.