The European Network and Information Security Agency (ENISA) has published a report outlining how advertisers are using increasingly sophisticated varieties of cookie to identify web users. The technology could breach EU laws on privacy, it said.
"In most cases users cannot easily manage cookies," said ENISA's report (16-page / 864KB PDF). "This is particularly true for new types of cookies that are not controlled by browsers and require additional management tools."
"For a user with limited IT expertise there is not enough information available to explain cookies’ management," said the report. "All cookies should have removal mechanisms that are easily used by any user; the storage of these cookies outside browser control should be limited or prohibited."
ENISA advises the European Commission and EU member states on information security, helping them to identify and address information security problems.
Cookies are small text files that web servers store within web users' browsers to help ensure the smooth operation of sites by remembering a user's activity. They are vital, for example, to the functioning of web payment systems or online shop checkouts, where the system must know what a user previously did in a visit.
Traditional cookies are relatively easily managed through a browser's settings, but new kinds of cookie have been developed which bypass those controls. ENISA identified these as a potential threat to users' privacy.
"The use of tracking cookies is ubiquitous to a large extent and there are known techniques for avoiding them," said the paper. "This generates a big impetus in the Internet tracking industry to discover and deploy more robust tracking mechanisms, often referred to as Supercookies."
Supercookies include the 'Flash cookie', an element within Adobe's Flash plugin that can be used to retrieve and reactivate traditional cookies that have been deleted by a user.
"Since these cookie files are stored outside the browser’s control, web browsers do not directly allow users to control them. In particular, users are not notified when such cookies are set, and these cookies never expire," said the paper. "Flash cookies can track users in all the ways traditional HTTP cookies do, and they can be stored or retrieved whenever a user accesses a page containing a Flash application."
The paper said that 'evercookies' had emerged that can re-identify a user even after the user has deleted Flash cookies. They do this by storing the same information in several types of storage mechanism within the browser, so that any surviving copy can be used to restore the others, it said.
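The following is an added example, not code from the ENISA report or from this article. It models the evercookie pattern just described (one identifier written to several storage areas, with any surviving copy used to restore the rest) and shows the defender's side: an audit that lists every area holding the identifier, and a purge that clears all of them in one pass, which is the kind of removal mechanism the report asks for. It assumes constructed in-memory stand-ins for the browser storage areas, exposing the `getItem`/`setItem`/`removeItem` shape of the Web Storage API, so it runs offline under Node; the area names are labels only, not live browser objects.

```javascript
// Added example (not from the ENISA report or the article).
// Assumption: browser storage areas are replaced by constructed in-memory
// stand-ins with the Web Storage shape, so this runs offline under Node.

function makeStorageArea() {
  const map = new Map();
  return {
    getItem: (key) => (map.has(key) ? map.get(key) : null),
    setItem: (key, value) => { map.set(key, String(value)); },
    removeItem: (key) => { map.delete(key); },
  };
}

// A fresh set of stand-in areas; the labels mirror real browser locations.
function makeAreas() {
  return {
    cookie: makeStorageArea(),
    localStorage: makeStorageArea(),
    sessionStorage: makeStorageArea(),
    indexedDB: makeStorageArea(),
  };
}

// Replication step: write the same identifier to every area.
function replicateIdentifier(areas, name, id) {
  for (const area of Object.values(areas)) area.setItem(name, id);
}

// Restore step: if any area still holds the identifier, copy it back into the
// areas where it is missing. Returns the recovered id, or null if none is left.
function respawnIdentifier(areas, name) {
  let survivor = null;
  for (const area of Object.values(areas)) {
    const value = area.getItem(name);
    if (value !== null) { survivor = value; break; }
  }
  if (survivor !== null) replicateIdentifier(areas, name, survivor);
  return survivor;
}

// Defender audit: which areas currently hold the identifier.
function findCopies(areas, name) {
  return Object.entries(areas)
    .filter(([, area]) => area.getItem(name) !== null)
    .map(([label]) => label);
}

// Defender removal: clear the identifier from every area in one pass so no
// surviving copy remains for the restore step. Returns the number removed.
function purgeIdentifier(areas, name) {
  let removed = 0;
  for (const area of Object.values(areas)) {
    if (area.getItem(name) !== null) { area.removeItem(name); removed += 1; }
  }
  return removed;
}

// Walk-through: clearing one area does not help; clearing all of them does.
function demo() {
  const areas = makeAreas();
  const name = 'uid';
  replicateIdentifier(areas, name, 'track-0001'); // constructed sample id

  areas.cookie.removeItem(name);                        // user clears cookies only
  const afterRespawn = respawnIdentifier(areas, name);  // id comes back from another area
  const copiesAfter = findCopies(areas, name).length;   // all four areas hold it again

  const removed = purgeIdentifier(areas, name);         // remove every copy at once
  const afterPurge = respawnIdentifier(areas, name);    // null: nothing left to restore
  return { afterRespawn, copiesAfter, removed, afterPurge };
}

console.log(demo());
```

The point the walk-through makes is the one the report draws: a removal tool that clears only the area the browser exposes leaves the other copies in place, so an effective control has to enumerate every storage location and clear them together.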
The paper said that national laws governing cookies should be assessed once EU member states had implemented a change to the Privacy and Electronic Communications Directive. Countries are due to implement that change by 25 May, and the UK Government has said that it will implement it using the same language as is used in the amendment.
This changed law may or may not force service providers to ask specific permission for storing information on users.
Advertisers have said that 'consent' can be given via a web user's cookie settings. But the Article 29 Working Party, a committee of the EU's national data protection watchdogs, said last year that the new law would require consent to be given before a cookie was placed on a user's computer. It said that consent for one advertising network could cover its activity on thousands of sites, though.
ENISA said that once the May implementation date has passed, research should be carried out into the approach taken by each EU country.