Do You Keep Track of Your Cookies?

Because cookies often come up in discussions about integrity, we have compiled below how to handle them from an information security perspective.

WHAT IS A COOKIE?

Cookies are usually small text files with specified ID tags stored in your computer’s browser directory or application directories. But cookies can provide a lot of insight into your business and preferences, and can be used to identify you without your explicit consent.

Often the cookies do not even come from the site you are visiting, but from third parties who track you for marketing purposes. Cookies for analysis, advertising, and feature services, such as survey and chat tools, are all examples of cookies that can identify users.

The “cookie law” applies to more than just cookies

Section 18 – the so-called cookie law – in the sixth chapter of the Electronic Communications Act (2003:389) applies not only to traditional web cookies that are set with HTTP headers or JavaScript, but also to similar technical solutions where information is stored on and retrieved from the user’s terminal. This covers both standards-based solutions such as Web Storage and IndexedDB and other solutions (such as Flash cookies), although they are not displayed and controlled in the same way as traditional cookies.

OTHER LAWS MAY ALSO BE RELEVANT

This text focuses on the “cookie law”, but when cookies and similar solutions are used, it is common for personal data to be handled as well. In such cases, other regulations also apply, above all the Data Protection Regulation (GDPR).
This applies, for example, when IP numbers or “advertiser IDs” replace cookies to keep track of a user between page changes and visits. This type of identification is not necessarily affected by the cookie rules but may entail considerably more far-reaching integrity risks than cookies, which may imply greater requirements for information and consent (or other legal bases for processing) than set forth below.

BENEFITS AND DISADVANTAGES OF SOME COMMON COOKIES

Different websites approach the requirement for consent to the use of cookies in slightly different ways. We have been able to distinguish the following main categories, and briefly comment on some of the pros and cons of each:

For example, there are tools that rely on logs of HTTP calls. This can be done in a few different ways:
Without session ID.
With truncated (partially anonymized) IP numbers as identifiers.
With IP number as identifier.
With session ID not retrieved from cookies but from page address.
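
The four logging variants listed above differ in how many requests they let a tool link to the same visitor. The following is an added example, not code from the original page: the log format, the `sid` parameter name, and the truncation lengths (/24 for IPv4, /48 for IPv6) are assumptions, and the log lines are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines: "<client ip> <method> <page address>"
SAMPLE_LOG = [
    "192.0.2.17 GET /start?sid=a1",
    "192.0.2.17 GET /pricing?sid=a1",
    "192.0.2.99 GET /start?sid=b2",
    "198.51.100.4 GET /start?sid=c3",
    "198.51.100.4 GET /contact?sid=d4",
    "2001:db8:aa:1::5 GET /start?sid=e5",
    "2001:db8:aa:2::9 GET /start?sid=f6",
]

def truncate_ip(ip, v4_bits=24, v6_bits=48):
    """Zero the host part of an address (prefix lengths are assumptions)."""
    addr = ipaddress.ip_address(ip)
    bits = v4_bits if addr.version == 4 else v6_bits
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(net.network_address)

def visitor_key(line, mode):
    """Return the identifier a log-based tool would store for one request."""
    ip, _method, url = line.split(" ", 2)
    if mode == "no_session":
        return None  # nothing links this request to any other
    if mode == "truncated_ip":
        return truncate_ip(ip)
    if mode == "ip":
        return ip
    if mode == "url_session":
        # Session ID carried in the page address ("sid" is a hypothetical name)
        return parse_qs(urlsplit(url).query).get("sid", [None])[0]
    raise ValueError(f"unknown mode: {mode}")

def distinct_visitors(lines, mode):
    """Set of identifiers seen; empty when requests cannot be linked."""
    keys = {visitor_key(line, mode) for line in lines}
    keys.discard(None)
    return keys

if __name__ == "__main__":
    for mode in ("no_session", "truncated_ip", "ip", "url_session"):
        ids = distinct_visitors(SAMPLE_LOG, mode)
        print(f"{mode:13} {len(ids)} identifiers: {sorted(ids)}")
```

On this sample, truncation merges two IPv4 clients and two IPv6 clients into shared identifiers, while the session ID in the page address separates two visits that came from the same IP number.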
