Cookies: Privacy Perils and How VPNs Safeguard Your Bytes

In the digital era, internet cookies are pivotal for enhancing user experiences and customizing online content. As websites request consent for cookie usage, ePrivacy concerns become paramount. This article explores various internet cookie types and functions, shedding light on intricacies related to privacy concerns. Additionally, it highlights the role of Virtual Private Networks (VPNs) as robust tools against malicious cookies, ensuring a secure and private online browsing experience. Join us in navigating the complex realm of internet cookies, ePrivacy considerations, and the protective capabilities of VPNs.

What are Internet Cookies?

When we visit a website for the first time, the message “This site uses cookies to improve the user experience” pops up. So, let’s explore what a cookie really is.

A cookie is a small piece of data that a website requests to store on your computer’s or mobile device’s browser. Cookie management is exclusively handled by the browser, and each browser has its own cookies. An essential point is that each website is allowed to control only the cookies it has created.

The cookie allows the website to “remember” the actions or preferences of each user over time. Most browsers support cookies, but users can configure their browsers to reduce or delete cookies whenever they wish.

Websites use cookies mainly for:

Identifying users.

Knowing and remembering user preferences to help them complete tasks without re-entering information (such as preferred language and country, login information, etc.) when navigating from one page to another or when revisiting the website later.

Cookies can also be used for targeted behavioral advertising, showing ads related to something the user has searched for in the past. The information collected in this way should not be linked to the user’s personal data but used solely for security and statistical purposes.

Possible Origin of the Name (Cookies):

One simple theory is that the name comes from the fairy tale Hansel & Gretel, where the characters dropped breadcrumbs to find their way back. Another, more widely accepted theory is that the name comes from a technique used by programmers in the past, the “magic cookie,” to refer to a small piece of code not directly visible to the user.

Let’s take a closer look at the categories of Cookies:

Authentication Cookies:

The most common are authentication cookies, which help identify the user’s profile. Depending on the application, they may have a limited duration (temporary cookies). Such cookies are found on banking websites, where, for security reasons, they expire after a certain time and users need to re-enter their details. In other cases, the “Remember Me” or “Keep Me Logged In” option keeps them set until we explicitly log out (permanent cookies). Authentication cookies are always sent encrypted.

They allow users to navigate and use the website’s functions, such as accessing secure areas.

Performance, Analysis, and Research Cookies:

These cookies are purely used for internal research on ways to improve the service a website provides to all users. They evaluate how the user interacts with the website as an anonymous user (collected data does not identify the user), gathering information such as the number of people visiting the sites and individual pages, the number returning, search keywords used, user location, and more.

Advertising Cookies

These cookies help websites customize ads that may interest users, and collect and use other data related to users’ activities on the website and/or its services (e.g., to allow them to tailor ads to third-party services). These cookies allow the website administrator to receive information about the user’s interest in the advertised products and services available on the respective website.

Legal Considerations Arising from Cookies

The type of information contained in these files and whether they can be considered personal data is a critical point for examination from a legal perspective. This is also the reason they are mentioned in the General Data Protection Regulation (GDPR). According to Article 5 of the aforementioned Regulation:

Principles governing the processing of personal data

Personal data must:

a) be processed lawfully, fairly, and transparently in relation to the data subject (“lawfulness, fairness and transparency”),

b) be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes (“purpose limitation”),

c) be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”),

d) be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased, or rectified (“accuracy”),

e) be kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of the appropriate technical and organizational measures required by the present Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”),

f) be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

The data controller is responsible for, and must be able to demonstrate, compliance with paragraph 1 (“accountability”).

The operation of cookies, in addition to the General Data Protection Regulation (GDPR), is also governed by the ePrivacy Directive, namely “Privacy and Electronic Communications Directive 2002/58/EC,” aiming to protect the personal data of online visitors.

The ePrivacy Directive sets data protection standards for all electronic communications, such as text messages, emails, WhatsApp messages, and any other form of digital communication. This includes call content, metadata (such as location tracking), and cookies (online tracking devices).

The current framework is not entirely clear because of technical parameters such as the following, which raise doubts:

• Whether cookies transmit data to the website itself or to a third party.

• Whether cookies are deleted after closing the browser or continue to send information even after that.
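To make the two questions above concrete, here is an added example (not from the article) that parses Set-Cookie headers and reports, for each cookie, whether it survives closing the browser and whether it is scoped to the visited site or to a third party, alongside the Secure and HttpOnly flags that matter for the authentication cookies discussed earlier. The host name, cookie names and values are constructed for illustration.

```python
# Constructed sample Set-Cookie headers as a browser might receive them
# from a page on www.example.com (hypothetical host, names and values).
FIRST_PARTY_HOST = "www.example.com"
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember_me=tok456; Max-Age=2592000; Path=/; Secure; HttpOnly",
    "lang=en; Domain=example.com; Expires=Thu, 01 Jan 2099 00:00:00 GMT",
    "_adid=xyz789; Domain=.ads-tracker.example; Max-Age=31536000; SameSite=None; Secure",
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # bare flags -> True
    return name.strip(), value.strip(), attrs

def classify_cookie(header, first_party_host=FIRST_PARTY_HOST):
    """Answer the two questions raised in the text for one cookie."""
    name, _, attrs = parse_set_cookie(header)
    # Max-Age or Expires makes a cookie persistent; with neither it is a session
    # cookie, discarded when the browser closes. Max-Age wins over Expires, and
    # Max-Age <= 0 is a deletion rather than a persistent cookie.
    if "max-age" in attrs:
        persistent = int(attrs["max-age"]) > 0
    else:
        persistent = "expires" in attrs
    # No Domain attribute means host-only, i.e. first party. With Domain set,
    # the cookie is first party only if the visited host is within that domain.
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain:
        domain = domain.lstrip(".").lower()
        third_party = not (first_party_host == domain
                           or first_party_host.endswith("." + domain))
    else:
        third_party = False
    return {
        "name": name, "persistent": persistent, "third_party": third_party,
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        "samesite": attrs.get("samesite", "missing"),
    }

def audit(headers, first_party_host=FIRST_PARTY_HOST):
    """Names of persistent third-party cookies, the ones a consent review checks first."""
    return [c["name"] for c in (classify_cookie(h, first_party_host) for h in headers)
            if c["persistent"] and c["third_party"]]
```

Running `audit(SAMPLE_HEADERS)` on the constructed headers singles out the advertising cookie, while the session cookie that only lives until the browser closes is left alone.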

In summary, the current position is that the installation of cookies is allowed only in cases where it is absolutely necessary. Otherwise, user consent is required, provided that appropriate and clear information has previously been given to the user.

Due to the ePrivacy Directive, banners for cookies appear on many websites, allowing users to choose whether to use cookies. This is one of its most obvious outcomes. Thus, the aforementioned Directive is sometimes referred to as the “cookie law.”

There is an exception to the user consent requirement for any cookie necessary for the proper functioning of a website or application. For example, the Directive does not require user consent for a cookie that remembers a user’s login. Without this cookie, users would not be able to log in and use the website.

For website owners, obtaining information about user behavior can be challenging without cookies.

It is crucial to remember that if cookies can identify a natural person, they fall under the scope of GDPR. Of course, not all cookies can identify a person, but most, when combined with third-party sources, can. To comply with GDPR and avoid the significant fines it imposes, websites should either stop collecting cookies that can identify a person or establish a legitimate and legal reason for collecting and processing such information.

This is defined in paragraph 30, which is included in Article 4 of the GDPR, stating: “Natural persons may be associated with online identifiers provided by […] such as internet protocol addresses, cookie identifiers or other identifiers […]. These may leave traces which, particularly when combined with unique identifiers and other information received by servers, may be used to create profiles of natural persons, and identify their identity.”

It is essential to take preventive measures against malicious cookies. Firstly, users should disable the storage of cookies from unknown third-party websites in their browsers (although not storing any cookies could be problematic in today’s era). Additionally, users should be prudent and only visit websites they trust, avoiding clicking on ads that do not display any company, logo, or entity. Another stronger measure is using a VPN program that does not allow websites to store cookies, except those specified by the user.

As for the VPN (Virtual Private Network), it relies on an encrypted connection to a dedicated server that may be located anywhere in the world. In practice, the user’s computer connects exclusively to the VPN server, and all data traffic to the rest of the internet passes through that server. This way, intermediate nodes only “see” a flow of encrypted data whose contents and final destination they cannot determine. The VPN makes it possible to hide the end-user’s actual IP address, making it almost impossible to trace. It can be installed either on the end device (computer or smartphone) or on the router, so that all devices connected to the network can enjoy the VPN services. Obviously, the security provided by the VPN depends to a large extent on the reliability of the VPN provider, since this provider can “see” everything. Therefore, the proper selection of the VPN provider is crucial.

To sum up, grasping the intricacies of internet cookies equips website visitors with protective measures. Cookies take on various roles, from remembering user actions to enabling targeted advertising. They are classified based on their functions into user authentication cookies, performance cookies, and advertising cookies, raising fair cybersecurity concerns. Legal considerations under GDPR and the ePrivacy Directive emphasize the crucial nature of user consent, especially for cookies that reveal individual identities. The article emphasizes the necessity of preventive measures against malicious cookies, proposing the use of VPNs for enhanced security and privacy. Now, armed with this knowledge, you are prepared for the ultimate cookie adventure.

Chrysoula Tsiotsi
Law Graduate – Judicial employee
LL.B (Athens Law School); LL.M in Information Technology and Telecoms Law (U.K-Glasgow)