Could European cookie law be a threat to cybersecurity?

Dr Andres Guadamuz

The history of Internet Law is littered with bad legislation and legislative proposals. From the infamous SOPA and PIPA, to the Draft Investigatory Powers Bill, there is no shortage of badly-conceived legislation dealing with the Internet. Sometimes the bad law is the result of powerful lobbying, sometimes it is caused by ignorance of the technology, sometimes it is done for political reasons, such as trying to cater to political fads and concerns of the day. And sometimes bad law arises from miscalculation and trying to guess legal developments that will take place in the future. Does anyone remember electronic signatures?

But of all of the pieces of legislation dealing with the Internet, few annoy me as much as the so-called European Cookie Law. The regulation of cookies arose in the 2002 ePrivacy Directive, amended in 2009 by Directive 2009/136/EC. Art 5(2) of the amended directive requires consent for “storage or access to information stored on a subscriber or user's terminal equipment”. In other words, the law demands the consent of users for the storage of a cookie on their computer.

Cookies are small files that websites store on your computer holding all sorts of information, such as the last settings you used to view a site, or whether you remain logged in to a service. They can be very useful; the capacity of a site to remember settings is particularly helpful. However, cookies can also be used to infringe on a user’s privacy by storing information such as the sites visited.

So one would think that regulating such a practice is a good thing, right? The law serves to protect our privacy, after all. The answer is that in principle the idea of regulating this technology has good intentions, but I would argue that the end result actually harms privacy.

The main effect of the law in practice is that it encourages nagware pop-ups that ask you to click to accept the cookie settings. This I believe is detrimental because it makes people believe that their privacy is somehow secure because the sign gives them a choice. But this is of course a false choice, as most people simply click OK to make the message go away, and those who do not cannot use the site to its full capabilities. So we just click Yes and forget about it. In other words, this is regulation by nagging.

The other problem has come to light recently. Malwarebytes Labs is a site specialising in cyber-security, and it has warned that “rogue actors” are now using the cookie law to “clickjack” websites, making users click on content that they did not intend to. They describe the operation like this:

“A legitimate ad banner is loaded via an iframe and placed right on top of the warning message. However, that ad is invisible to the naked eye because of a parameter within that iframe which sets its opacity to zero.

To that effect, when a user clicks anywhere on the pop up message it acts as though they clicked on the ad banner itself, which loads the advertiser’s website.”
This is a very worrying development. Users in Europe have become used to clicking on the pop-up messages almost without thinking, so this is an extremely effective scam, as it generates ad revenue for the scammer. I believe that even more malicious uses would be possible, such as making the click install malware itself.
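The technique Malwarebytes describes leaves a detectable footprint in the page: an iframe with computed opacity near zero whose box overlaps the consent banner. The following is an added example of a page-audit heuristic for exactly that pattern; it is not code from this post or from Malwarebytes, and the snapshot format, the `role: 'cookie-banner'` marker and the banner selector are assumptions of the example.

```javascript
// Heuristic detector for "invisible iframe over the consent banner" overlays.
// Works on a snapshot of element geometry and computed style, so the core
// logic runs offline; snapshotDocument() builds the same snapshot in a browser.
const OPACITY_THRESHOLD = 0.05; // anything this transparent is invisible to a user

function rectsOverlap(a, b) {
  return a.x < b.x + b.width && b.x < a.x + a.width &&
         a.y < b.y + b.height && b.y < a.y + a.height;
}

// Flags iframes that cannot be seen but can still receive the user's click
// and are stacked at or above the banner, i.e. they would swallow the "OK".
function findClickjackingFrames(snapshot) {
  const banner = snapshot.find(e => e.role === 'cookie-banner');
  if (!banner) return [];
  return snapshot.filter(e =>
    e.tag === 'iframe' &&
    e.opacity <= OPACITY_THRESHOLD &&
    e.pointerEvents !== 'none' &&   // pointer-events:none frames cannot be clicked
    e.zIndex >= banner.zIndex &&
    rectsOverlap(e.rect, banner.rect));
}

// Builds a snapshot from a live page (browser console or extension content
// script); assumes the banner can be located with a CSS selector.
function snapshotDocument(doc, bannerSelector) {
  return Array.from(doc.querySelectorAll('iframe, ' + bannerSelector)).map(el => {
    const cs = doc.defaultView.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return { tag: el.tagName.toLowerCase(),
             role: el.matches(bannerSelector) ? 'cookie-banner' : null,
             opacity: parseFloat(cs.opacity), pointerEvents: cs.pointerEvents,
             zIndex: parseInt(cs.zIndex, 10) || 0,  // 'auto' becomes 0
             rect: { x: r.left, y: r.top, width: r.width, height: r.height },
             src: el.getAttribute('src') };
  });
}

// Constructed sample: a banner at the bottom of the viewport, a normal visible
// ad elsewhere, and an opacity-0 ad frame placed exactly over the banner.
const SAMPLE_SNAPSHOT = [
  { tag: 'div', role: 'cookie-banner', opacity: 1, pointerEvents: 'auto', zIndex: 1000,
    rect: { x: 0, y: 600, width: 1280, height: 80 }, src: null },
  { tag: 'iframe', role: null, opacity: 1, pointerEvents: 'auto', zIndex: 1,
    rect: { x: 900, y: 100, width: 300, height: 250 }, src: 'https://ads.example/visible' },
  { tag: 'iframe', role: null, opacity: 0, pointerEvents: 'auto', zIndex: 2000,
    rect: { x: 0, y: 600, width: 1280, height: 80 }, src: 'https://ads.example/hidden' },
];

function auditSample() { return findClickjackingFrames(SAMPLE_SNAPSHOT).map(f => f.src); }

if (typeof require !== 'undefined' && require.main === module) console.log(auditSample());
```

In a browser, `findClickjackingFrames(snapshotDocument(document, '#cookie-banner'))` runs the same check against the live page.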

I think that the way to regulate cookies is not at the browser level, which as we have seen can be misused, but to have robust regulators that pursue privacy breaches at the point of origin. Regulators should really take clickjacking seriously, as it is detrimental to privacy as a whole.

1 Comment

  1. The e-privacy directive, as the data protection directive before it, requires user consent for tracking. Nobody cares about short duration cookies used to fulfill a requested service on a website or that are required to enable the underlying communication mechanism, but they object strongly to being tracked around the web by the use of persistent unique identifier cookies without their consent, and most often without even their awareness.
    The e-privacy directive complemented the data protection law by adding rules for storage and access to people's browsers and devices, mainly after 2009 to require “freely given, specific & informed” user consent. The response by the “stupid cookie law” brigade was to plaster the web with irritating, malware enabling but ineffective banners which are no more than a smokescreen, then try and pretend they were the inevitable result of the law.
    In fact all that needs to happen is to forego the use of persistent UID cookies for tracking, and the use of third-party elements that do so. A discreetly placed icon or link pointing to a page that explains the reasons and consequences of tracking can then offer the opportunity to opt-in.
