Befriending the cookie monster

For users and administrators of the web alike, the European Commission's rules on cookies, which became law in May, are very likely to change the internet landscape.

These new cookie privacy rules are the 2009 Citizens' Rights Directive revisions to the EU Privacy and Electronic Communications Directive 2002, implemented in the UK via the Privacy and Electronic Communications Regulations 2011.

Under these rules, the use of cookies is now only normally allowed if the user has given informed consent, meaning that websites must now give visitors clear and comprehensive information about the purposes for which any cookie is stored and accessed. There are some exceptions to the legislation, but they are very few and far between.

Under the previous regime, cookies were dropped onto a user's computer unless the user had specifically opted out for the site concerned.

The idea is to provide greater privacy for internet users, and control what data website operators can drop onto a visitor's computer.

The legislation is still in its early days of deployment – and the ICO has not yet begun discussions with any website operators failing to abide by the new rules – but my observations are that implementing this directive has not been an easy task for most IT professionals.

Meanwhile, few internet users are fully aware of the new requirements and what they mean, although the ICO has issued helpful guidance notes on the need for cookie audits, user impact assessments, and action plans. Most automated website-in-a-box services have also incorporated EU cookie facilities for their customers.

Geolocation services can bring tremendous rewards to websites when it comes to marketing and the like, but the new law introduces risk for businesses that wish to take advantage. This is mainly because their websites are now required to interpret a lot of the data on the user "in the clear" – including location, time of use and browsing habits.

So most organisations should now be cautious when embracing mobility and all its features, as well as including mobile devices in their corporate security strategies and integrating those devices within their business asset management programme.

The issue of most concern is that an increasing number of mobile devices store corporate information and are used for enterprise activities. Service providers must now indicate explicitly that the browsing session on a given set of web pages is being tracked or recorded.

There are also a number of difficulties from security and governance perspectives. Many of the ways a business will implement the required advisories, in fact, will themselves involve the use of intrusive messages that inform users about the site's privacy policy – with many sites preventing easy access to the pages until the user has explicitly accepted the explanation.

Complying with the EU cookie directive is important because the data involved is both high risk and personal. Without effective implementation, users' digital personae could more easily fall into the wrong hands, including those of other internet marketers. Most web users have fewer barriers and fewer secrets than they did just a few years ago.

Many web users, in fact, think it cool to post where they are, what they are doing, with whom, when, and even why. And our surveys reveal that this proportion of users is growing.

Therefore, organisations must define a security posture for the classification of information, data collection practices and so on, that can identify a person's present, past, and future locations. They must clearly indicate the methods of collection used and the retention policies, as well as when and how the information will be destroyed.

Failure to comply will be costly in financial, legal, and reputational terms. Users must be able to trust an organisation and its information systems. Businesses, no matter where they are located, should provide opportunities for users to opt in – not by default, but through explicit consent.

Services and IT providers need to be aware that customer organisations should include geolocation data as one of the priorities within their audit governance strategy, where governance is understood as setting strategic direction, achieving corporate goals, and ensuring that risks are managed and resources are used responsibly.

Bodies such as ISACA can help organisations form this central plank of a company's governance strategy. The bottom line is that, properly governed, geolocation technology is a useful tool for both consumers and businesses, and the new EU cookie directive will, in the end, protect both parties.

Ramsés Gallego is international vice president and a member of certification, guidance and practices committees at ISACA as well as security strategist at Quest Software