Security researcher calls for Australian cookie audit


Information commissioner needs sharper teeth.

The University of Canberra's Centre for Internet Safety (CIS) has called for greater powers for the Office of the Information Commissioner to assist with a crackdown on the use of digital cookies.

In a report dubbed "Taming the Cookie Monster" (pdf), CIS security researcher Dr Paul A Watters said internet users were not informed about how their personal data was retained within cookies.

Dr Watters said more research needed to be done to determine the prevalence of tracking cookies that targeted Australian users, along with an audit of how and if explicit and informed consent was taken when personal data was stored in cookies.

The Office of the Information Commissioner should be granted powers to seize digital evidence and run forensic analysis on IT systems to investigate organisations' use of cookies, he said.

"In relation to cookies, an organisation is effectively a collector of personal information, and could be the target of investigation for a privacy breach," Dr Watters wrote.

"For example, an investigation of an advertising company’s information systems could reveal the extent to which persistent cookies are used for tracking and for the subsequent identification of users, by requesting information and requiring the provider to take an oath that its contents are correct and complete."

This would draw on sections 44 and 45 of the Privacy Act, according to Dr Watters.

Dr Watters said Australian websites should be investigated to determine how many used tracking cookies, and what they were used for.

Such a study should investigate if and how websites obtained "explicit informed consent" when collecting users' personal data in cookies, he said.

The findings would help shape privacy policy and define the scope of what counts as a privacy breach, he said.

Dr Watters cited a study by TRUSTe that found an average of 14 tracking cookies per page across the top 50 British websites. Most of these cookies were set by third-party companies, and half were persistent.

"Given [Europe's] recent directive on cookie use and storage, Australia should consider undertaking further analysis of the technical implications of restrictions through policy on the use of cookies, and only enact changes which are enforceable and meaningful to users," Dr Watters wrote.

He recommended that web sites adopt a cookie policy that:

  • Gives users the choice to indicate whether customisation or personalisation is required, rather than storing persistent cookies. Sessions should be managed using session cookies, and all user data should be stored only on the server side.
  • Requires explicit informed consent to be obtained from users for persistent or tracking cookies to be stored.
  • Requires cookies to be stored adhering to an approved standard such as RFC2109.
  • Presents users upon request with a copy of data being recorded about them that is subsequently used for personalised advertising.
  • Ensures that cookie standards which specify controls to prevent the compromise of cookies on browsers are verified on each browser release.
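One way a study of the kind Dr Watters describes could classify what it collects, as an added example that is not from the CIS report: the script below parses Set-Cookie headers captured during a page load and flags persistent and third-party cookies (the two properties the TRUSTe figures count), along with the Secure and HttpOnly attributes. The hosts, cookie values and the simplified two-label domain comparison are constructed assumptions.

```python
from urllib.parse import urlparse


def _registrable(host):
    # Simplification for this example: last two labels. A real audit needs a
    # public-suffix list, or "news.example.com.au" collapses to "com.au".
    return ".".join(host.lower().split(".")[-2:])


def parse_set_cookie(header, setter_url, page_url):
    """Turn one Set-Cookie header value into an audit finding (a dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    setter_host = urlparse(setter_url).hostname or ""
    page_host = urlparse(page_url).hostname or ""
    return {
        "name": name,
        "setter_host": setter_host,
        # RFC 6265: Expires or Max-Age makes the cookie outlive the browser session.
        "persistent": "expires" in attrs or "max-age" in attrs,
        # Set from a registrable domain other than the page's own: third-party.
        "third_party": _registrable(setter_host) != _registrable(page_host),
        "secure": "secure" in attrs,
        "http_only": "httponly" in attrs,
    }


def audit_page(page_url, responses):
    """responses: (response_url, Set-Cookie value) pairs seen during one page load."""
    findings = [parse_set_cookie(h, u, page_url) for u, h in responses]
    return {
        "total": len(findings),
        "persistent": sum(f["persistent"] for f in findings),
        "third_party": sum(f["third_party"] for f in findings),
        "persistent_third_party": [f["name"] for f in findings
                                   if f["persistent"] and f["third_party"]],
    }


# Constructed sample: one page load producing four Set-Cookie headers (hypothetical hosts).
SAMPLE_PAGE = "https://news.example.com/article"
SAMPLE_RESPONSES = [
    ("https://news.example.com/article", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("https://news.example.com/article", "prefs=dark; Max-Age=31536000; Path=/"),
    ("https://ads.tracker.example/pixel.gif", "uid=9f3a; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.tracker.example; Path=/"),
    ("https://cdn.tracker.example/js", "t=1"),
]
```

Running `audit_page(SAMPLE_PAGE, SAMPLE_RESPONSES)` on the sample reports four cookies, two persistent, two third-party, and one (`uid`) that is both, which is the combination a tracking-cookie audit would single out.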

Copyright © SC Magazine, Australia
