Australia needs cookie privacy audit: researcher

Powered by SC Magazine

Information commissioner needs sharper teeth.

The University of Canberra's Centre for Internet Safety (CIS) has called for greater powers for the Office of the Information Commissioner to assist with a crack-down on the use of digital cookies.

In a report dubbed "Taming the Cookie Monster", CIS security researcher Dr Paul A Watters said internet users were not informed about how their personal data was retained within cookies.

Dr Watters said more research needed to be done to determine the prevalence of tracking cookies that targeted Australian users, along with an audit of how and if explicit and informed consent was taken when personal data was stored in cookies.

The Office of the Information Commissioner should be granted powers to seize digital evidence and run forensic analysis on IT systems to investigate organisations' use of cookies, he said.

"In relation to cookies, an organisation is effectively a collector of personal information, and could be the target of investigation for a privacy breach," Dr Watters wrote.

"For example, an investigation of an advertising company’s information systems could reveal the extent to which persistent cookies are used for tracking and for the subsequent identification of users, by requesting information and requiring the provider to take an oath that its contents are correct and complete."

This would draw on sections 44 and 45 of the Privacy Act, according to Dr Watters.

Dr Watters said Australian websites should be investigated to determine how many used tracking cookies, and what they were used for.

Such a study should investigate if and how websites obtained "explicit informed consent" when collecting users' personal data in cookies, he said.

Findings would help develop privacy policy and provide scope for privacy breaches, he said.

Dr Watters cited a study by Truste that found an average of 14 tracking cookies per page within the Top 50 British web sites. Most of these cookies were made by third-party companies and half were persistent.

"Given [Europe's] recent directive on cookie use and storage, Australia should consider undertaking further analysis of the technical implications of restrictions through policy on the use of cookies, and only enact changes which are enforceable and meaningful to users," Dr Watters wrote.

He recommended that web sites adopt a cookie policy that:

  • Gives users the choice to indicate wherever customisation or personalisation is required, rather than storing persistent cookies. Sessions should be managed using session cookies, and all user data should only be stored on the server-side.
  • Requires explicit informed consent to be obtained from users for persistent or tracking cookies to be stored.
  • Requires cookies to be stored adhering to an approved standard such as RFC2109.
  • Presents users upon request with a copy of data being recorded about them that is subsequently used for personalised advertising.
  • Ensures that cookie standards which specify controls to prevent the compromise of cookies on browsers are verified on each browser release.

Copyright © SC Magazine, Australia
