Privacy & Information Security Law Blog

On February 18, 2011, the European Network and Information Security Agency (“ENISA”), an advisory body created to enhance information security in the EU, announced the issuance of its report on cookies, entitled “Bittersweet cookies.  Some security and privacy considerations.”

The primary goal of the report is to address security and privacy concerns associated with the use of cookies.  The report provides an overview of common types of cookies and how they operate.  It explains the technical differences between first party and third party cookies and notes the emergence of more powerful and persistent cookies such as super cookies, flash cookies, evercookies and ubercookies.  The report also categorizes cookies based on their lifespan, i.e., non-persistent cookies, temporary cookies and session cookies versus persistent and permanent cookies.

With respect to security, the report distinguishes among three types of security threats: (i) network threats, (ii) end-system threats and (iii) cookie-harvesting attacks.  It also discusses a number of attacks targeted at cookies, such as cache sniffing, cookie sniffing and session hijack attacks.

With regard to the privacy of Internet users, the report states that, while first party cookies are sometimes useful, third party cookies that track online behavior raise serious privacy concerns, particularly since they have become increasingly powerful and more difficult to remove.  The report mentions studies that show that Internet users can be linked with identities and personal information found on online social networks.

The ENISA report also discusses the rules for the use of cookies under EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which EU Member States must transpose into their respective national laws by May 25, 2011.  ENISA compares the regime currently in place, where notice and opt-out is required for placing cookies, to the upcoming framework in which notice and prior consent will be the default rule (though exceptions will apply, particularly for first party cookies).

ENISA notes in the report that a number of issues still require clarification.  These include the question as to whether browser settings can constitute valid consent.  The report recommends that an overview study of measures implemented at a national level be carried out after the transposition deadline of May 25, 2011.