021019-2:

Discuss privacy risks emanating from the use of cookies.

Answer

  • Cookies allow a server to recognize a user between connections.
  • The server can save information about a user's surfing behaviour, such as which pages a user searched for or what a user bought through the Internet.
  • This is however restricted, since a server can only see what the user has done on that particular server.
  • But servers can co-operate to combine their information. Most well-known is the co-operation between servers and the company Doubleclick, which has a very high percentage of all Internet advertising, gets info from many different web servers, and can combine this to make a profile of a user.
  • Doubleclick says they only use this to send user-adjusted advertisements, but can we trust them? If a user fills in name and e-mail address, the server can combine this with other cookie-produced knowledge to know who you are. A spam e-mail may also contain a hidden HTTP retrieval, which will send your e-mail address and cookie to a server.
  • If several people share the same computer, one user might get access to another user's information. Someone who can get access to your computer (physically, using viruses, etc.) can read your cookie file, which may contain sensitive information. This risk, of course, is not limited to cookies but applies to other sensitive information as well, such as passwords which a user might store, history files in web browsers, etc. Cookies can also contain sensitive information in clear text, which someone who eavesdrops on your connections can read.
  • These risks can be reduced using different techniques. Examples are to let users see what is stored in their cookies, let them control who can set cookies for them, and how long the cookies are valid. A fifteen-minute cookie is obviously less dangerous than a cookie with unlimited lifetime, which in practice is about three months.
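
The controls in the last point (who sets a cookie, how long it is valid) and the clear-text risk can be checked mechanically from a Set-Cookie header. The following is an added example, not part of the original answer; the host names, cookie values and the two-label "site" rule are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

FIFTEEN_MINUTES = 15 * 60  # the short lifetime the answer calls less dangerous


def site(host):
    # Assumption: the last two labels identify the site. Browsers use the
    # Public Suffix List for this; two labels is enough for the sample hosts.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lifetime_seconds(morsel):
    """Seconds until the cookie expires, or None for a session cookie."""
    if morsel["max-age"] != "":
        return int(morsel["max-age"])  # Max-Age takes precedence over Expires
    if morsel["expires"] != "":
        expires = parsedate_to_datetime(morsel["expires"])
        return (expires - datetime.now(timezone.utc)).total_seconds()
    return None


def audit_set_cookie(page_host, response_host, header, limit=FIFTEEN_MINUTES):
    """Return (cookie name, finding) pairs for one Set-Cookie header value."""
    findings = []
    jar = SimpleCookie()
    jar.load(header)
    for name, morsel in jar.items():
        if site(response_host) != site(page_host):
            findings.append((name, "third-party"))    # set by another site
        if not morsel["secure"]:
            findings.append((name, "sent-in-clear"))  # may travel over plain HTTP
        life = lifetime_seconds(morsel)
        if life is not None and life > limit:
            findings.append((name, "long-lived"))
    return findings


# Constructed samples: (page the user visits, host that answered, Set-Cookie value)
SAMPLES = [
    ("shop.example", "ads.adnet.example", "uid=abc123; Max-Age=7776000; Path=/"),
    ("shop.example", "www.shop.example", "sid=xyz789; Max-Age=900; Secure; HttpOnly"),
    ("shop.example", "shop.example", "cart=3"),
]

if __name__ == "__main__":
    for page, host, header in SAMPLES:
        print(host, header, audit_set_cookie(page, host, header))
```

The first sample is a 90-day cookie set by an advertising host while the user is on another site, so it trips all three checks; the second, a fifteen-minute first-party cookie marked Secure, trips none.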
