• Vaultree

Stop The Cookie Madness!

Updated: May 10

Before diving into the cookie madness, we should point out that we are not talking about the delicious cookies you're used to from Sundays at your grandparents', but about the type of cookies which are an ad hoc feature used to identify users, store their preferences, and help them complete tasks without needing to re-enter information when browsing the internet. Actually sounds pretty good? Well, keep on reading.

Cookies actually serve solely to help companies collect massive amounts of data about their users, as these are crucial for online tracking (which is a privacy issue) or for displaying information based on previous visits from that device or user account. These “small” cookie files are sent by web servers to devices. There are different types of cookies, ranging from session cookies, which are erased once the session is over, to persistent cookies, which persist for a period afterwards. They can also be classified as first-party or third-party, depending on whether a site serves cookies from other domains, which is common with advertising.
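The two classifications above can be read straight off the `Set-Cookie` headers a page load produces. The following is an added example, not code from the original post: the sample headers are constructed, the function names are hypothetical, and the "site" comparison uses a naive last-two-labels rule instead of the Public Suffix List. It does not treat a zero `Max-Age` or a past `Expires` (how servers delete a cookie) as a special case.

```python
from urllib.parse import urlsplit

# Constructed sample: (URL the response came from, its Set-Cookie header value).
SAMPLE = [
    ("https://shop.example/cart", "sid=abc123; Path=/; HttpOnly"),
    ("https://shop.example/cart", "prefs=dark; Max-Age=31536000; Path=/"),
    ("https://ads.tracker.example/pixel.gif",
     "uid=42; Domain=tracker.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT; "
     "SameSite=None; Secure"),
    ("https://cdn.shop.example/app.js", "ab=1; Domain=shop.example"),
]

def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lower-cased attribute names to values."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def site_of(host):
    """Naive registrable domain (assumption): the last two DNS labels."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])

def classify(page_url, response_url, header):
    """Label one cookie by lifetime and by party relative to the visited page."""
    name, attrs = parse_set_cookie(header)
    # No Expires and no Max-Age: the browser drops the cookie with the session.
    lifetime = "persistent" if ("max-age" in attrs or "expires" in attrs) else "session"
    # The cookie belongs to its Domain attribute, or else to the responding host.
    cookie_host = attrs.get("domain") or urlsplit(response_url).hostname
    same_site = site_of(cookie_host) == site_of(urlsplit(page_url).hostname)
    return name, lifetime, "first-party" if same_site else "third-party"

def report(page_url, responses):
    """Classify every Set-Cookie header seen while loading page_url."""
    return [classify(page_url, url, hdr) for url, hdr in responses]

if __name__ == "__main__":
    for row in report("https://shop.example/", SAMPLE):
        print(row)
```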

But why are we writing about cookies? Well, because these tiny little cookie pop-ups, which are used by most websites, are following us wherever we go on the internet, collecting information about our usage patterns as well as about us, the users, and pushing us into a quid pro quo: if we give them our data, they will allow us to use their services. In a nutshell, this means that we are paying, and sadly we do so with our personal data.

OK, let's take one step back: what would that look like? If we visit a website which we have not visited before, or have deleted the browser's cookie history at some point, we will be presented with a pop-up asking for our consent to allow cookies. What does this mean? Is it good or bad for me? Also, and being honest here, will anybody ever read the fine print?

This is a clear example of politicians legislating for the internet without understanding the underlying technology: the law requires websites to warn users that certain information about them will be stored, tracked and harvested by the site they visit. The law behind this is the EU Cookie Directive, Directive 2009/136/EC, which claims to reinforce protection for users of electronic communication networks and services with regard to cookies. Sadly, again, it only claims to protect but does not.

If we take a look at the General Data Protection Regulation (GDPR) in this regard, we see that it iterated on the EU’s previous data protection law with the aim of safeguarding EU citizens, and one of its key tenets is that user consent must be freely given, specific, informed and unambiguous. It must also be a positive opt-in, and consent can never be inferred from silence or from nefarious practices such as pre-ticked boxes or inactivity. The spirit of GDPR is that any data collected on us should be accurate, protected, and available to individuals to collect, move, delete, modify and view, and that companies should only collect what is necessary. In addition, consent should be freely given. In other words, companies should not capture too much data, nor treat it lightly, nor use covert measures to opt users into services. The key to GDPR's effectiveness is of course adherence, and adherence will only come about through the hefty fines outlined, which are up to EUR 20M or 4% of global turnover of the previous fiscal year (whichever is higher). Large fines have already been levied on IT giants like Google.

Cookies are covered in the GDPR, with repercussions for any company that uses them to track user browsing activity. GDPR treats cookie data as personal data because it can identify individuals. It is worth stating that not all cookies can identify people, but the majority do, such as advertising and analytical cookies. Interesting in this context is that the EU Cookie Directive is still reigning over our privacy and enforcing itself over GDPR when we browse the internet. The solution for more privacy and for protecting us properly would then be to abolish the Cookie Directive and to start enforcing the more relevant GDPR, in order to stop the privacy breaches which happen on a daily basis to millions of users browsing the internet, who give away their personal data in order to access any kind of information.

The solution lies in proper data controls such as those envisaged by the MIT-led Solid project, which is a proposed set of conventions and tools for building decentralized social applications based on Linked Data principles. In a nutshell, users should have the freedom to choose where their data resides and who can access it. By decoupling content from the application, users will be able to do so with Solid pods (personal data stores), which would completely inhibit the senseless cookie warnings.