
ENISA warns on cookie security threats

by Dave Neal

18 Feb 2011


ENISA, the European Union's security agency, is warning about a new breed of computer cookie that could present a serious threat if not tackled quickly.

So-called 'Bittersweet' cookies are one of the main threads in the agency's latest report, and are a new type of advertising tool which could be ripe for exploitation and subversion if left unchecked.

The ENISA Privacy, Accountability and Trust report said that the advertising market has led and supported a drive for new all-pervasive cookies that are particularly stubborn and powerful, and that these privacy-invasive profiling and marketing tools are often used without consent.

"Much work is needed to make these next-generation cookies as transparent and user-controlled as regular HTTP cookies to safeguard the privacy and security of consumers and businesses alike," said Professor Udo Helmbrecht, executive director of ENISA.

The report suggests that the originating server and user should add some sort of consent mechanism before accepting a cookie, and that cookies should be removable.

ENISA found that cookies, which were once just used to facilitate browser/server interaction, had grown into an altogether different beast and are used for "other purposes".

Cookies are being used for advertising management, profiling and tracking, and there is a great opportunity for abuse and misuse, according to ENISA, which called on the industry to be more open and transparent about its activities.

In the meantime, and as an attempt to mitigate current privacy risks, ENISA has recommended that internet users should be allowed to give their consent to the use of this new type of cookie, and should be able to see what kind of data is stored.

Another suggestion is that it should be made easier for internet users to manage their cookies, and to remove individual mechanisms and opt out of receiving cookies altogether.

Do you agree?

 
