Web-Tracking ‘Cookies’ Meant to Protect Privacy: Inventor

The data-tracking “cookies” at the heart of concerns over online privacy were meant to shield people, rather than serve as cyber snoops, their inventor told AFP.

California-based engineer and entrepreneur Lou Montulli said the original “cookie” he created decades ago was intended to make life online easier by letting websites remember visitors.

Yet the technology has become a lightning rod, attacked for helping tech companies collect data on consumers’ habits key to the targeted web ad business that makes many billions of dollars per year.

“My invention is at the technological heart of many of the advertising schemes, but it was not intended to be so,” said Montulli, who created them in 1994 while an engineer at Netscape.

“It is simply a core technology to enable the web to function,” he said.

Google joined a growing list of tech companies this week by announcing a new plan to block certain types of cookies, after the online ad giant’s previous proposals were roundly criticized.

When discussing his invention, Montulli said the software snippets that let a website recognize individuals helped make possible features such as automatic log-ins or remembering the contents of e-commerce shopping carts.

Without what are called “first-party” cookies — which also are used by websites to interact directly with visitors — every time a person went online, they would be treated as though it were their first time.

But Montulli pointed to trouble with so-called “third-party” cookies, those generated by websites and tucked into visitors’ browsers, and ad networks that aggregate data from those snippets.

“It is only through collusion between many websites and an ad network that ad tracking is allowed to happen,” Montulli argued.

Websites share activity data with ad networks, which then use it to target ads for all their members.

– Online ads arms race –

“If you search on some strange niche product and then you get bombarded with ads for that product at a number of websites, that is a weird experience,” Montulli said.

“It is normal human pattern recognition to think if they know I was looking for blue suede shoes, they must know everything about me; then think I want to get out of this.”

Governments have taken notice, with the latest consequence being French authorities fining Google and Facebook 210 million euros ($237 million) this month over their use of cookies.

If one website in a network also collects personally identifying information about a user, say a name or email, that could be “leaked” in a way that enables a browser to be associated with a person.

“It’s a network effect of all these different websites colluding together with the ad trackers,” Montulli said. “Cookies were originally designed to provide privacy.”

He said one possible response would be to stop targeting ads and start charging subscriptions for online services, which run on online advertising revenue.

Montulli also supports phasing out third-party cookies, but warned getting rid of the software snippets altogether would drive advertisers to employ more stealthy tactics.

“Advertising will find a way,” he said. “It will become a technological arms race; considering the billions of dollars at risk, the ad industry will do what they need to keep the lights on.”

Turning off third-party cookies could also unintentionally punish small websites by shutting them out of targeted ads that make money, giving even more power to tech giants such as Apple, Google and Facebook-parent Meta.

Regulation that keeps cookies in use, mandating controls such as letting users opt in or out of sharing data, may be the only viable long-term solution, Montulli said.

“You really couldn’t use the web without cookies,” he said. “But, we are going to need to be more nuanced about how they are used in advertising.”

Written By

AFP 2023
