Taming the Internet Cookie Monsters

Posted on July 20, 2015


In my post last week on Trust in the context of Microsoft’s aspirations for Windows 10, I mentioned a greater need for making Internet/Web cookies more visible to users. This raised a number of comments and requests as to what I meant and how I go about taming these particular little horrors.

For any degree of privacy today it is mandatory that users manage their cookie exposure in some form. Without proper user oversight of what vendors like Microsoft and Apple are permitting to occur through their Operating Systems (OS) and Default browsers, these vendors remain complicit in the exposure to privacy abuse. The default options in the default OS web browsers are derisory, if not designed to make it hard for users to manage these infernal things.

First of all, web cookies are not something new. They have been around for as long as the modern Internet and are a mechanism with multifaceted uses. In their most innocent use case they are there to make your life more convenient as you browse the web. They do this by memorising login details (persisting sessions) so you do not have to keep logging in, and user preferences so you get a more tailored experience. The sad reality is that this innocent use is more often abused to track your every browsing action and share these activities with a horde of advertising companies that harvest your data and sell it to drive advertising into web pages and into your face. Few sites raise this ugly spectre, preferring to get your buy-in by glossing over the privacy risks and playing up the benefits. That includes even our UK government website cookie policy, which should be making us aware of the risks. The UK Government even plays up its use of Google Analytics, ignoring the fact that this feeds the agenda of one of the biggest and most invidious corporate entities to track and trace your every move and know what you want before you even know it yourself, and a US entity outside UK jurisdiction at that!

The biggest misnomer in the cookie world is that cookies aren’t used to identify you personally. This is a white lie at best; most sites DO use cookies to identify you, since that is the purpose of using them to maintain your ‘session’, preferences and login with their website. These details are more often than not also shared with multiple third parties. Furthermore, not all cookies are the same. ‘Super Cookies’ (aka ‘Flash cookies’ and ‘zombie cookies’) are a hybrid class of cookie that should be classed as malware; the label of cookie belies their reality. Super Cookies secretly collect user data beyond the limitations of common industry practice and established safeguards. They are known for being crafted so they are hard to remove. The two prime culprits are known as:

  1. ‘Zombie Cookies’ are often stored in non-standard locations in breach of browser security and, true to their name, can be recreated after deletion.
  2. ‘Flash Cookies’, whose official term is Local Shared Objects (LSOs). Their primary purpose is to provide Flash applications with options to save data to your local system, which can be used by other websites.

Worse still, super cookies track and record user behaviour across multiple sites, piggybacking off the innocent cookies and often harvesting or monitoring them. Super cookies are more often than not the result of partnerships with digital marketing firms that place a high value on user behaviour, aggregating the cross-site view into a profile of your browsing and purchasing habits, and that includes the sites you probably don’t want your nearest and dearest to know you occasionally ‘stumble’ upon!

Flash Cookies have taken on an even more sinister dimension in recent months with the rolling security breaches that have been revealed in Adobe’s Flash technology and Flash Player, to the extent that many third-party browsers are starting to disable Flash because of its security risks to users. Read more in the article ‘Mozilla blocks Flash by default on Firefox browser’.

My advice is to disable the Flash Cookie capability in your Adobe Flash Player by going to the ‘Settings Manager’, accessed via the Adobe website, which is then run locally on your computer. Under the ‘Website Storage Settings’ tab or link, you will see all Flash cookies that are currently saved on your computer. To disable Flash Cookies, un-tick the “Allow third-party Flash content to store data on your computer” box. In later versions of the Flash Player, Adobe have provided a local Windows Control Panel ‘Settings Manager’ so you do not have to go to the Adobe site to manage your settings.

Cookies and their tentacles of association are the backbone of how many companies commercialise their websites through advertising. It is the metadata of YOUR browsing habits, the sites you visit, the machine configuration you are using and the purchases you make online that is the currency in this back stage market. Metadata is the data that describes the interactions, not necessarily the intimate details of your browsing.

Metadata has been pumped up as the harmless data that Government and its agencies collect, a subject of huge controversy that has burst into the public limelight since the revelations of the NSA secret surveillance program. The reality is that whilst the NSA have become the poster bad child in this saga, the exposé implicates a global cadre of governments and their associate intelligence agencies, not just the US, UK Government Communications Headquarters (GCHQ), Australia, Canada and New Zealand, known sinisterly as the ‘5 eyes’.

The truth is metadata can be more revealing than the full transcripts of conversations or the websites you have visited. More in a later blog; for now, back to cookies.

Recently I had cause to help a user install a cookie manager on their PC. It revealed 365 tracking cookies and over 9,000 other persistent cookies of various classes, including ‘Super Cookies’ and Flash Cookies. The list was staggering, and even more worrying as this was not the contaminated state of a poorly managed PC but a fully patched, up-to-date version of Windows 8.1 Professional, complete with anti-virus and spam protection. Whilst many cookies could be classed as ‘safe’ if not helpful, the presence of tracking cookies and some of the more pernicious classes of ‘Super’ cookies made this a serious privacy concern.

Back to my user, who had woken up to the realities of what cookies implied and wanted to take control of them. Shocked that the Operating System or browsers themselves did not provide a system to do this, they asked me for help. There is no magic here, just knowing where to go, what to trust and how to configure a utility to do what Microsoft and Apple should be providing in their Operating Systems if they ever want to win users’ trust.

The following is a selection of tools I have used successfully over the years. If you know of any better tools please leave a comment; I welcome all collaboration in the battle to maintain privacy.

  • For Apple Mac OS X users the best tool I have found is ‘Cookie’ by SweetP Productions, from the Mac OS X Apple Apps store, a snip at $14.99 / £10.
  • For PC users it’s the ‘Cookie Manager’ by MAXA. At $29.95 it is a little more expensive, but you get it for two devices.

Both vendors offer other useful security utilities for their respective platforms, but I will leave you to explore the value of those.

Both cookie management utilities work in a similar way and cover the core requirements to:

  • Create your own ‘whitelist’ of ‘safe’ or preferred Cookies.
  • Create your own ‘blacklist’ of ‘unwanted’ cookies (as well as use a global blacklist).
  • Isolate and eliminate tracking cookies and Flash Cookies automatically.
  • Configure the auto deletion of cookies that are not on your ‘whitelist’ at a selected set of intervals including time.
  • Provide an intuitive interface, although not what I would call bullet proof, and one that could intimidate the non-technical.
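
The whitelist and blacklist sweep described in the list above, shown as an added Python example (it is not code from either product). The table layout, domain names and function names are constructed for illustration; matching is done on domain boundaries and the blacklist takes precedence over the whitelist.

```python
import sqlite3

# Constructed policy lists for illustration.
WHITELIST = {"bank.test", "shop.test"}
BLACKLIST = {"ads.shop.test", "tracker.test"}

def on_list(host, domains):
    """True if host equals a listed domain or is a subdomain of it."""
    host = host.lstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def verdict(host):
    # Blacklist wins, so a whitelisted site cannot shelter a tracker subdomain.
    if on_list(host, BLACKLIST):
        return "blacklisted"
    if on_list(host, WHITELIST):
        return "keep"
    return "unlisted"

def sweep(conn):
    """Delete every cookie that is not whitelisted; return what was removed."""
    rows = conn.execute(
        "SELECT rowid, host, name FROM cookies ORDER BY rowid").fetchall()
    removed = []
    for rowid, host, name in rows:
        v = verdict(host)
        if v != "keep":
            conn.execute("DELETE FROM cookies WHERE rowid = ?", (rowid,))
            removed.append((host, name, v))
    conn.commit()
    return removed

def sample_store():
    """In-memory store with constructed rows (not a real browser schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (host TEXT, name TEXT)")
    conn.executemany("INSERT INTO cookies VALUES (?, ?)", [
        ("www.bank.test", "session"),
        (".shop.test", "basket"),
        ("ads.shop.test", "uid"),      # tracker under a whitelisted site
        (".tracker.test", "id"),
        ("notbank.test", "pref"),      # look-alike, must not match bank.test
        ("news.test", "consent"),
    ])
    return conn

if __name__ == "__main__":
    store = sample_store()
    for row in sweep(store):
        print(row)
    print(store.execute("SELECT host FROM cookies").fetchall())
```

Running the sweep on a timer gives the interval-based auto deletion; only the two whitelisted hosts survive it.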

Each has a few options unique to its respective vendor, but both do the main job of policing your system for cookies well. One final critical factor is that they cater for all leading web browsers in one convenient package.

For those of you who want to read more I would suggest:

This is one Cookie munching exercise with little risk to health or your weight.