Security
Headlines
HeadlinesLatestCVEs

Headline

What Do Those Pesky 'Cookie Preferences' Pop-Ups Really Mean?

We asked the engineer who invented cookies what they mean and how to handle them.

Wired
#web#google

You are not the only person irritated by those pesky cookie permissions boxes. If you click “Accept” by rote, you have no idea what you’re agreeing to. Or perhaps you don’t care? Many users think they have to accept all cookies to access the website, but that’s not always the case. Another option is to manage your cookies, but what does that even mean?

To find out, we spoke to Lou Montulli, the engineer who invented cookies at age 23.

“I’m just like everybody else,” says Montulli. “I want that pop-up to go away as soon as possible. The idea of asking people about permissions every single time they go to a website is annoying.”

Every website you visit places cookies on your browser. The purpose of the cookie is to allow a website to recognize a browser. That’s why you can return to a site and be recognized, even if you don’t always log in. It’s why the stuff in your shopping cart is still there the next day, or that article remembers where you stopped reading. You don’t have to “introduce” yourself every time you visit a site, but is the convenience worth it?

With Montulli’s help, here are some of the most frequently used terms those annoying permissions boxes are asking you about, and what you might want to choose when you see them.

Common Terms

First, let’s explain what some of the types of cookies you’ll see really do:

  • Session Cookies are temporary. These aren’t saved when you quit your browser.
  • Persistent Cookies will stay on your hard drive until you delete them, or your browser does. These have an expiration date written into their code. That expiration date varies depending on the site or service that issued them and is chosen by the website that places them on your browser.
  • First-Party Cookies are those placed directly onto your device by the website you’re visiting.
  • Third-Party Cookies are placed on your device but not by the website you’re on, aka the first party. Instead, they’re put onto your device by advertisers, data partners, or any analytics tools that track visitors (usually at the request of that first party. Think Google Analytics for your favorite tech magazine website, for example.)
  • Strictly Necessary Cookies allow you to view a website’s content and use its features.
  • Preference Cookies, aka Functionality Cookies, allow a website to remember data you typed: for example, your user ID, password, delivery address, email, phone, and preferred method of payment.
  • Statistics Cookies, aka Performance Cookies, record how you used a website. Although these see links clicked and pages visited, your identity is not attached to these stats. These can include cookies from a third party. So if a website uses an analytics system from a third party to track what visitors do on that first-party website, it only divulges that tracking info to the website that hired the third party for analytics.

What Am I Supposed to Choose? Does It Matter?

Montulli refers to the pop-up permissions box as “a really silly idea.” His preference would be a much more efficient and technical solution. For example, a user could choose their cookie preferences once in their browser, and every website they visit would honor that choice, similar to the design of Do Not Track. Montulli explained it like this: “Say I want to accept one type of cookie, but not that other cookie, or those cookies, any website could just ask the browser once what any user’s preferences are.” One and done.

That would be better, but what happens when you click “Accept All”—aside from thoughts like, Why does every website keep asking me these questions?

What many people (especially Americans) may not know is that in 2018, the European Union (EU) passed the General Data Protection Regulation (GDPR). And even if they have heard of it, they may not know enough to understand that this law is partially why cookie permission boxes are becoming more prevalent.

As part of GDPR, companies based outside Europe can be hit with enormous fines if they track and analyze EU visitors to their website. In other words, say your company resides in New York, but that company has European visitors and customers, or collects their data. If that’s the case, they can be penalized to the tune of tens of millions in fines if they don’t disclose their data collection and obtain the user’s consent.

Understandably, American companies want to avoid huge fines, which is why US users are seeing more and more of these permission boxes.

The boxes are designed to offer users more control over their data, as the EU law was put into place to protect all data belonging to EU citizens and residents. The confusion within the US market exists because the country doesn’t have similar laws to protect the privacy of its citizens.

In February 2022, Saryu Nayyar wrote a piece for Forbes that asks if it’s time for a US version of GDPR. Nayyar wrote that the point of such a law would be “gaining explicit consent for collecting data and deleting data if consent is withdrawn.” That sounds like an awesome idea, but after consulting Montulli, the privacy plot thickens.

Personally, I find it impossible to separate cookies and privacy online. I asked Montulli if it’s true that everything on the internet stays on the internet.

“No,” he says. That’s because information on the internet is detached from your current online presence. The purpose of the cookie is to allow a website to know when the same browser returns. The cookie may contain additional pieces of information. “But the predominant use of it is to pass an ID to your browser as an identifier,” he says.

“Therefore, they can see that this is the same browser that was here a few seconds ago or even a few months ago. But, once the cookie is cleared, there’s no longer any attachment to you.”

The lack of transparency about how cookies work and who manages the data collected from them is a big part of the problem. When you visit a primary website that has hired a third-party ad-tracking network, your browser can get a third-party cookie without your knowledge. “The lack of transparency means that another cookie by another website has added embedded content, without your knowledge.”

Montulli says that if you clear your browser’s cookies frequently there’s no longer any attachment to you and your personal data, at least for that first-party website. “When you return to that website after clearing your cookies, or even if you have a new set of cookies, there’s no association between your browser and the browser that connected to that site several months ago with that old cookie.”

To test the hypothesis, I tried managing and blocking cookies on random sites. I completely ignored the permission box on any that asked me to accept cookies. The majority of those sites allowed me access anyway. Only a few sites blocked me because I ignored the permissions box. In those cases, the only decision I had to make was whether to trust the site. Since I did not actually need to read any content from those sites, I simply moved on. Bottom line, it doesn’t hurt to select the cookies you want to accept and those you want to block. Just be prepared to do it every time you visit, or every time you clear your cookies, which you should probably get used to doing regularly.

Wired: Latest News

Russia’s Ballistic Missile Attack on Ukraine Is an Alarming First