Australia needs cookie privacy audit: researcher

Powered by SC Magazine
 

Information commissioner needs sharper teeth.

The University of Canberra's Centre for Internet Safety (CIS) has called for greater powers for the Office of the Information Commissioner to assist with a crack-down on the use of digital cookies.

In a report dubbed "Taming the Cookie Monster" (pdf), CIS security researcher Dr Paul A Watters said internet users were not informed about how their personal data was retained within cookies.

Dr Watters said more research needed to be done to determine the prevalence of tracking cookies that targeted Australian users, along with an audit of how and if explicit and informed consent was taken when personal data was stored in cookies.

The Office of the Information Commissioner should be granted powers to seize digital evidence and run forensic analysis on IT systems to investigate organisations' use of cookies, he said.

"In relation to cookies, an organisation is effectively a collector of personal information, and could be the target of investigation for a privacy breach," Dr Watters wrote.

"For example, an investigation of an advertising company’s information systems could reveal the extent to which persistent cookies are used for tracking and for the subsequent identification of users, by requesting information and requiring the provider to take an oath that its contents are correct and complete."

This would draw on sections 44 and 45 of the Privacy Act, according to Dr Watters.

Dr Watters said Australian websites should be investigated to determine how many used tracking cookies, and what they were used for.

Such a study should investigate if and how websites obtained "explicit informed consent" when collecting users' personal data in cookies, he said.

Findings would help develop privacy policy and provide scope for privacy breaches, he said.

Dr Watters cited a study by Truste that found an average of 14 tracking cookies per page within the Top 50 British web sites. Most of these cookies were made by third-party companies and half were persistent.

"Given [Europe's] recent directive on cookie use and storage, Australia should consider undertaking further analysis of the technical implications of restrictions through policy on the use of cookies, and only enact changes which are enforceable and meaningful to users," Dr Watters wrote.

He recommended that web sites adopt a cookie policy that:

  • Gives users the choice to indicate wherever customisation or personalisation is required, rather than storing persistent cookies. Sessions should be managed using session cookies, and all user data should be stored only on the server side.
  • Requires explicit informed consent to be obtained from users for persistent or tracking cookies to be stored.
  • Requires cookies to be stored adhering to an approved standard such as RFC 2109.
  • Presents users upon request with a copy of data being recorded about them that is subsequently used for personalised advertising.
  • Ensures that cookie standards which specify controls to prevent the compromise of cookies on browsers are verified on each browser release.

Copyright © SC Magazine, Australia

