A new type of internet cookie threatens users' privacy and security by tracking their online behaviour for advertising management, profiling, and other reasons, the EU's cyber security agency Enisa warns.
Describing the latest breed of cookies (short bits of code that help to regulate a user's visit to a website via the browser), Enisa says the advertising industry has led the drive for new, persistent and powerful cookies, with privacy-invasive features for marketing practices and profiling.
It says both the user's browser and the origin server must assist informed consent, and that users should be able to manage their cookies easily.
Enisa says the new cookies support user identification in a "persistent manner". They do not have enough "transparency" in how they are being used, so it is hard to quantify their security and privacy implications, it says.
Enisa says informed consent should guide the design of systems using cookies and that their use and the data stored in cookies should be transparent to users.
"All cookies should have user-friendly removal mechanisms which are easy to understand and use by any user," Enisa said.
It says storage of cookies outside browser control should be limited or banned, and that users should have an alternative service channel if they do not accept cookies.
Enisa executive director Udo Helmbrecht said these next-generation cookies need to be as transparent and user-controlled as regular HTTP cookies. "This would safeguard the privacy and security aspects of consumers and business alike," he said.