Wednesday, August 31, 2022

Good Cookies, Bad Cookies, and Privacy

Cookie "banners" are a particular pet peeve of mine. As in, don't get me started or I will be on it for hours if not days on end. So, I will struggle a bit to keep this short enough not to bore any reader to death. I am not claiming I will accomplish this goal, so you have been warned.

I should also warn that this article has been in the making for months; I collected a lot of real samples, and I need to cover the names of the companies to protect the guilty. If you recognize the site by looking at the cookie policy form, smirk and keep it to yourself.

So, are cookies bad?

That is an oversimplified question. Cookies are used to track what users are doing on a website, and that may mean storing some personal data not only of site users but also of visitors. Some of those uses are very valid and important, like ensuring users can authenticate and are the right people to access a given resource, like their bank accounts or repository of cat videos. Then we have the ones companies are interested in, such as:

  • Which pages users go to in a given website, links they have clicked, and how long they spent on a given page. That may help them figure out which content -- primarily cat videos -- their audience seeks and which ones they are avoiding. Or find out whether a given page is too convoluted, causing visitors to spend too much time and frustration on it. I can see why anyone would want to provide a website that does not suck.
  • How often they visit a website whose cookie is on their computers.
  • Which products or keywords they search for. This may tell the website which product lines it needs to provide and which ones may be taken down.
  • Geolocation and IP address. A business case is to know where its customers are coming from so they can identify markets they are not covering, and then find out why.
  • Username/password, and even address. Do not ask me why someone thought it was a clever idea to have them in cookies so forms would be conveniently filled, but they are there in the wild.

None of these are really needed to provide a service to users, so GDPR would say you must ask the visitors if they give you consent (Articles 6, 7, and Recital 32) to collect said data, and provide a way for them to withdraw their consent. CCPA and CPRA are less restrictive, having a set of thresholds (selling personal information of more than 50,000 Californian households, or making more than half of its annual revenue selling that data) before they are applicable, and providing a get-out-of-jail-free card (Art. 9(2)(e)).

Some of these cookies are set by the company running the website (first-party cookies) and others by whatever add-on they have deployed (third-party cookies). Google Analytics is an example of an app that creates the latter; we have talked before about how nicely it plays with GDPR. However, that does not necessarily make first-party cookies better for security; but that is the topic of another article.

From a security standpoint, criminals will try to steal cookies to impersonate users; phishing emails are a popular way to deploy the malware that achieves that goal. So, a sensible business minimizes how much data it stores in its cookies.

The Good

  • Let's start with a nice bright example of someone who respects the privacy of its website visitors.
    It is written in plain language, gives a quick blurb on what it is being used for, and allows the user the choice to accept all the cookies, deny all of them, or do something in between (which leads to a more itemized list you can enable item by item).
  • The next one, from one of the European Union's official websites, is not as nice but at least they are trying.
    Why am I not impressed with their banner? Because it is all-or-nothing, without a proper explanation, and it mentions these "essential cookies" (is this like "essential oils?") without explaining them. Yes, if you click the link explaining how they use the cookies, you realize they are not out to suck you dry of your private info, which is why it is listed here. But I think they could do a better job given the resources they have.

The Bad

This list is but a tiny sample of my fun collection. Still, get the popcorn.

  • First we will start with one that is on the slippery slope as far as GDPR is concerned. It mentions sharing collected data with "trusted third parties." Who are they? Google Analytics? We have talked before about how you can no longer use it on a site that is accessed by European residents.
  • We really should just get serious and look at an example of conning the user. For convenience, I highlighted the relevant wording in their privacy note.
    First we have "This information might be about you" (red), which uses the word "might" to imply that it is OK because maybe the information is really not about you. Well, knowing your IP (considered personal data by GDPR), OS, browser, and other facts that we will not go over here (username?) suffices to uniquely identify you. If you use the same computer later without bothering to run a VPN, they will know you are back... especially from home, as your external/public IP rarely changes, if at all. But then they soothe your worries by claiming that "the information does not usually directly identify you" (blue). It is personal data already, sunshine.
  • Here is one from a bank that prides itself on having branches in many countries across the world.
    At first I thought the following cookie banner was just for the American market, but when connecting from Japan and Europe I was still "welcomed" by the very same banner; I do not need to say what that means. I have a ton of other examples following the same pattern, but I think we only need one to get the idea.
  • This one is a variation of the bank banner we saw earlier, this time on the website of a professional society. I would not have posted it if it did not have one single word: consent.

    I must assume the reason this specific term was used is the language in GDPR; specifically, Article 7 states that if you do not have a legal reason to collect personal data, you must obtain consent from the user, who must freely give it. They seem to believe that by having the word "consent" in the banner, they satisfied this GDPR article. However, if the only option is to surrender your private data, this consent is not freely given. Nor can it be easily revoked.

    "But," one can argue, "you did not consider that they are probably an American-based society which does not cross the CCPA thresholds, by keeping the number of Californian households under the limit." How would that work? Geolocating may be hard: one of the VPN services I use has servers in California; there might be other services with servers somewhere else in the US being used by Californian citizens. Given the banner you are seeing, how would you distinguish the two cases? And besides, if this is an international (they hope they are, as one of the letters in their name stands for that) professional society, GDPR, LGPD, and APPI, just to name a few, are bound to be triggered. I did my Western Europe test, and it did not switch to a GDPR-compliant cookie banner.

The Sleazy

Now we get to the really special ones, the ones that decided laughing at the privacy rights of individuals was not enough; they had to make a point.

  • The first jewel is what I call a BannerWall: you cannot use the website until you click on the only option ("Accept"), so site owners can then say, "Here! The user consented to us collecting all personal info. We have the log showing the Accept button was clicked!" Hopefully you do not need to use this site, so you can just close your browser and find some other place with similar information but more privacy conscious.
    Looking at the screen capture, do you know if "Privacy Policy" and "Terms of Service" are links? No? You are not alone. Can you say hiding in plain sight?
  • But, what if you have to use the website? For instance, what if you need to log into the site to pay your utilities or rent, and they do not offer another way (mail or in person) to make said payment? Can you say coercion?

Don't Be That Guy

  • Instead of having your site collect personal data based on the location of the site visitor, assume they are all coming from the EU and build it for that, as it is one of the more restrictive regimes. Make your life easier, whether your website is a commercial or an educational/research one; we covered that a while ago.
  • What is wrong with asking users if it is OK to collect their data and telling them how you are going to use it, without vague words? And by that I mean ask properly, not with the no-real-option banners seen in some of the examples above.
  • Document everything, logs included, because the world is changing and you may be audited or even fined for non-compliance. Remember, you do not need to have suffered a personal data breach before a GDPR Data Protection Authority takes legal action against you. Don't believe me? We commented on some cases earlier this year. All that is needed to get that avalanche rolling is for someone to file a complaint.