On February 18, 2011, the European Network and Information Security Agency (“ENISA”), an advisory body created to enhance information security in the EU, announced the issuance of its report on cookies, entitled “Bittersweet cookies. Some security and privacy considerations.”
With respect to security, the report distinguishes among three types of security threats: (i) network threats, (ii) end-system threats and (iii) cookie-harvesting attacks. It also discusses a number of attacks targeted at cookies, such as cache sniffing, cookie sniffing and session hijack attacks.
With regard to the privacy of Internet users, the report states that, while first-party cookies are sometimes useful, third-party cookies that track online behavior raise serious privacy concerns, particularly since they have become increasingly powerful and more difficult to remove. The report mentions studies showing that Internet users can be linked with identities and personal information found on online social networks.
ENISA notes in the report that a number of issues still require clarification. These include the question of whether browser settings can constitute valid consent. The report recommends that an overview study of measures implemented at a national level be carried out after the transposition deadline of May 25, 2011.
More information regarding the report is available here.