If you have got as far as reading this then you have just been made to dismiss a “rinky dinky” little pop up layer by clicking a button marked “That’s fine”. This is because as from today, it is now law that all websites owned by businesses must choose between devices such as the aforementioned pop – up, or a £500,000 fine.
Since the subject has arisen I thought that it might be interesting to dredge up a little “cookie theory” from my computer programming days: Cookies are tiny text files which are stored on a web user’s computer. Contrary to popular terminology they are not stored “in your browser” because browsers are pieces of software and things only get stored on hardware… ie: in this case, your hard drive. Cookies are extremely small and simple, comprising of a name and an attribute; if you have ever returned to a website and found that it remembers you by name then almost certainly this was done with a cookie which contained information akin to this: cookieName=”username”; attribute=”Ettore Bugatti”. If a website needs to do something more complex than this then it will need to find something more sophisticated than cookies in order to do it.
Cookies come in two flavours: Persistent or Session. Session cookies get deleted when you close your browser but Persistant ones remain in storage for your next browsing session.
One of the most important features of cookies which was deliberately engineered by the good folk who designed the whole thing is this: Only the website which dispensed the cookie in the first place can read it later. This means that my website can not possibly obtain any data from cookies stored by anyone else’s website. But what about the so called “third party cookies” we keep hearing about? In order to understand these we need to know a little about how web pages are made up: A typical web page contains text from a file with an extension ending in .html (or .htm) but in that file may also be instructions to load other content. In this blog for example I have added pictures which load amongst the text and which are stored in separate files. On this site all the content of the blog apart from today’s post, is stored on the computer which hosts the site. But it doesn’t have to be this way – I could use the code of my site to link to pictures stored on other websites and the end user wouldn’t see anything different.
Take the EU banner on the Left for example. This isn’t hosted by me at all – it is hosted by the official EU website and in order to display it, your computer retrieved it from there. You can test this for yourself by right clicking on it (control clicking if you use a Mac) and choosing to “View Image” All of a sudden the address bar at the top of your browser will no longer contain the address of my website but instead it will display that of the EU website. (You can click your back button to return here afterwards). This means that if the banner had come from an appropriate page of the EU website (which it doesn’t incidentally) that website could have stored “third party” cookies on your computer while you were unknowingly visiting it. The manner in which I have displayed the image is known as “hot linking”. It’s the first time I have ever implemented it because when used in this way it is considered by purists to be an antisocial pracise. This is because it uses someone else’s bandwidth without consent. When it is done with consent it is more often than not used to collect or share information without the user’s knowledge. The owner of a website can configure their web server so that hotlinking is not possible but it would appear that the EU either wish to support hot linking or that they are not “tech savvy” enough to bother stopping it. It is probably true to say that a law requiring sites to declare that they are hot linking content would do more to protect privacy: Cookies are like lead: A simple material which can be incredibly useful, adorns countless church roofs and when combined with a shotgun can also be used to rob banks. Hot linking can be the shotgun.
I do think that it is an excellent thing that users should be openly offered information about cookies but I am also quite confident that they are too simple to pose any serious threat. Websites wishing to operate in more sinister fashions would need to eschew cookies in favour of “HTTP session objects” which are far more powerful, never talked about in newspapers, and completely unregulated by the European Union…