
Web Cookies Scanner

WebCookies.info provides a free audit of the web cookies used by a website. See how websites track user activity using web cookies, obtain an easy-to-understand cookie usage summary and find out about compliance with the new EU privacy law. No additional software installation is required.

Terms of the Service

The information on this web site should not be treated as legal advice. It is provided on an "as is" basis and without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality of the obtained information is with you.

What are web cookies?

In technical terms, a web cookie (RFC 6265) is a small piece of text that a website stores in your browser, in the background, while the page is loading. In the HTTP protocol the server uses the Set-Cookie header to set a cookie in the browser. The browser then sends the cookie back to the website in the Cookie header.

Cookies were introduced because websites handle thousands of clients at any moment and have no way to distinguish your network connection from the multitude of other users' connections. This would make any multi-step or transactional operation impossible. So on the first connection the website assigns you a random identifier (a cookie), which your browser sends back with each future connection. This way the website can distinguish your connection from the others. This is just the simplest example — in reality cookies are used for numerous other purposes that share the same goal: uniquely identifying a client to the website.

What types of cookies are used?

From a privacy and compliance point of view there are three main types of cookies:

  • Session cookies — used for purely technical purposes, like keeping your session across a multi-step process. These cookies are usually considered harmless (which doesn't necessarily mean that the others are harmful). They are usually forgotten when your browser is closed.
  • Permanent cookies — allow the website to recall your preferences or presence for a longer time. This can be used to keep things like your colour preferences, but also to identify you as a returning customer who has purchased X, Y and Z in the past, even if you did not register. These cookies can be stored in your browser for months or years.
  • Third-party cookies — these can be set by ExampleBookstore.com, but with instructions to send them also to ExampleAdvertising.com, a completely separate company. If you searched for pizza books and then go to ExampleFoods.com, the latter will show pizza-related items first, because the advertising company they both use told it to. These cookies cause the most controversy, especially since they are usually permanent at the same time.

An example of a session cookie:

Set-Cookie: sessionid=0c3ca1b85524d571454b2cf22c62fb34; httponly; Path=/

An example of a permanent cookie:

Set-Cookie: csrftoken=NUZeWttMIijbs7OQrVNm0k1pIknjLyPW; expires=Thu, 27-Feb-2014 22:55:03 GMT; Max-Age=31449600; Path=/

An example of a third-party cookie (which is also permanent):

Set-Cookie: GAD=0c3ca1b85524d571454b2cf22c62fb34; Domain=hub.com.pl; Path=/; Expires=Wed, 30 Aug 2017 00:00:00 GMT
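The following Python script is an added example, not code from the original page or from the WebCookies service. It parses the three Set-Cookie lines above and classifies each cookie the way the list above does: session versus permanent from the Expires/Max-Age attributes, and first- versus third-party from the host that served the response. It also notes which hardening attributes (Secure, HttpOnly, SameSite) are absent, which is the first thing a cookie audit should report. The serving hosts (www.example.com for the page, hub.com.pl for the advertising cookie), the scan time and the "last two labels" domain heuristic are assumptions made for the example.

```python
"""Parse Set-Cookie headers and classify cookies the way a cookie audit would.
Added example: the three headers are the ones quoted in the FAQ, the hosts that
served them and the scan time are constructed for this demonstration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

PAGE_HOST = "www.example.com"                              # assumed host of the scanned page
SCAN_TIME = datetime(2013, 3, 1, tzinfo=timezone.utc)     # constructed reference time
SAMPLE_RESPONSES = [  # (host whose HTTP response carried the header, Set-Cookie value)
    ("www.example.com",
     "sessionid=0c3ca1b85524d571454b2cf22c62fb34; httponly; Path=/"),
    ("www.example.com",
     "csrftoken=NUZeWttMIijbs7OQrVNm0k1pIknjLyPW; expires=Thu, 27-Feb-2014 22:55:03 GMT; Max-Age=31449600; Path=/"),
    ("hub.com.pl",  # assumed: the advertising host that set the GAD cookie
     "GAD=0c3ca1b85524d571454b2cf22c62fb34; Domain=hub.com.pl; Path=/; Expires=Wed, 30 Aug 2017 00:00:00 GMT"),
]


@dataclass
class CookieRecord:
    name: str
    value: str
    set_by: str
    attributes: dict = field(default_factory=dict)
    kind: str = "session"                 # "session" or "permanent"
    third_party: bool = False
    lifetime_days: Optional[float] = None  # None for session cookies
    missing_flags: list = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple:
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are case-insensitive (RFC 6265 s5.2); flags without '=' map to True.
    Splitting on ';' is safe because cookie values and attribute values cannot contain it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if eq else True
    return name.strip(), value.strip(), attrs


def registrable_domain(host: str) -> str:
    """Simplified 'site' of a host: its last two labels. This is wrong for public
    suffixes such as com.pl (a real audit would use the Public Suffix List), but it is
    enough to tell example.com and hub.com.pl apart for this example."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(set_by: str, header: str, page_host: str = PAGE_HOST,
             now: datetime = SCAN_TIME) -> CookieRecord:
    name, value, attrs = parse_set_cookie(header)
    rec = CookieRecord(name, value, set_by, attrs)
    # Lifetime: Max-Age takes precedence over Expires when both are present (RFC 6265 s5.3).
    if "max-age" in attrs:
        rec.kind = "permanent"
        rec.lifetime_days = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        rec.kind = "permanent"
        expires = parsedate_to_datetime(attrs["expires"])
        rec.lifetime_days = (expires - now).total_seconds() / 86400
    # Third party: the response came from a different site than the page being scanned,
    # which is how a browser decides it; Domain can only widen a cookie within that site.
    rec.third_party = registrable_domain(set_by) != registrable_domain(page_host)
    # Hardening attributes a reviewer expects on a session identifier or CSRF token.
    for flag in ("secure", "httponly", "samesite"):
        if flag not in attrs:
            rec.missing_flags.append(flag)
    return rec


def audit(responses=SAMPLE_RESPONSES) -> list:
    return [classify(host, header) for host, header in responses]


def summary_lines(records) -> list:
    """One human-readable line per cookie: the starting point for a cookie report."""
    out = []
    for r in records:
        life = "until browser closes" if r.lifetime_days is None else f"{r.lifetime_days:.0f} days"
        party = "third-party" if r.third_party else "first-party"
        missing = ", ".join(r.missing_flags) or "nothing"
        out.append(f"{r.name}: {r.kind}, {party}, lifetime {life}, missing {missing}")
    return out


if __name__ == "__main__":
    for line in summary_lines(audit()):
        print(line)
```

Run as a script it prints one line per cookie; the sessionid cookie comes out as a first-party session cookie missing Secure and SameSite, the csrftoken cookie as permanent for 364 days (Max-Age wins over the Expires date), and the GAD cookie as a third-party permanent cookie. The missing-flag column is what turns a compliance listing into a security finding: a session identifier without Secure can be sent over plain HTTP, and one without HttpOnly is readable by any script on the page.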

Do I have to publish a cookies report for my website?

If your website or business is based in the European Union then yes. The extent of the information depends on the interpretation of the EU law, but in most cases this needs to be a list of cookies your website sets with a brief description of their purpose.

You can start with the cookie report provided by WebCookies.org and then add the informative and legal content specific to your website. The British International Chamber of Commerce published a guidance document, the ICC UK Cookie guide, which comes in very handy for writing the legal part.

Why do people worry about web cookies?

There are two main reasons why people are concerned about web cookies:

  • End-users are concerned because they feel that cookies can be used to track their activities on the web (behavioural profiling). For example, if you search for "Camels" today on your favourite search engine, you might continue to see cigarette-related advertisements on other, unrelated websites for the next month or so. It's the profiling network that was at work here and decided that you might be interested in cigarette ads. In more sophisticated future schemes you might get a higher health insurance premium once the network becomes suspicious that you're a smoker :)
  • Because of these concerns the European Union has enacted a new law regulating the storage of data on consumer devices. The scope of this directive is rather wide and it is not limited to classic HTTP cookies but covers any kind of data (see Evercookies below). As a result, if you are a website owner in Europe, you just became a "data controller" and as such should comply with a number of regulations related to cookies.

What about the "EU Cookie Directive"?

European Directive 2009/136/EC (more on Wikipedia and in the Directive itself) has a much wider scope. It doesn't actually regulate "cookies" in the specific, technical meaning of the word. This is what the Directive says:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

There's also a paragraph in the preamble (non-binding but setting context):

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

As you can see, the Directive does not prohibit the use of cookies — it only requires that end-users are fully informed about their purpose and give their consent. The latter is quite a challenge if you actually try to implement it on real websites.

There was a lot of confusion and discussion on how this should actually be implemented. One of the first EU countries to enact this law at the national level was the United Kingdom, and its Information Commissioner's Office (ICO) decided to set a good example: for some time it presented a very literal approach, so to say, especially about the user's consent being "prior" to the website being displayed.

As a result, if you visited the ICO website at that time, a part of it was covered by a rather annoying pop-up banner asking if you agreed to receive a cookie. If you did, the banner would disappear — and your "yes" answer would of course be stored in a cookie. If you did not agree, you'd see the annoying pop-up on each page of the ICO's website you browsed, because the website had no way to remember that you answered "no". Later on the ICO reverted its policy towards a more liberal interpretation.

I have a website - how can I comply with the EU directive?

For most websites in most EU countries it should be sufficient to provide clear, easy-to-read information on what cookies your site sets and what their purpose is (see the example on the ICO website). To do that, you need to actually know what cookies your site sets — and this is where WebCookies.org helps a bit. You can scan your website and use the obtained results as a starting point for full documentation of the cookies used.

Note, however, that the road to the directive was long, bumpy (see NoCookieLaw) and full of rather complicated legal discussion (see Opinion 04/2012 on Cookie Consent Exemption) which is not always consistent with the technical understanding of how cookies work.

In addition, there's one Directive and 27 Member Countries in the European Union to implement it, and each country took a slightly different approach. As a result these local implementations can differ substantially from each other. So if you need to be certain about your compliance with the laws in your jurisdiction, consult a technology lawyer.

Do you record all cookies that my website sets?

The short answer is: no. In some cases this service will not be able to see and record all cookies used by a website.

First, WebCookies.info loads the page as an anonymous user and will only receive cookies intended for such users. It's quite common (and actually good security practice) to set session cookies only after the user has authenticated — and these cookies we will not record.

Second, a website can set different cookies on different pages. If you scan the main page and then some other part of the website, you may get different results. You need to understand the technology used to build the different parts of your website to know which pages to test.

Third, we are currently recording only traditional cookies set using the HTTP Set-Cookie header. While this is what is most often meant by web cookies, remember that the Directive talks about "storing information", not only HTTP cookies, and there are other ways to track users apart from cookies. Data can be stored in a similar way in other objects such as Flash cookies, HTML5 storage and other means collectively named Evercookie. We are working on detecting those alternative storages.

Can I opt-out from tracking?

  • Network Advertising Initiative Consumer Opt-out is a joint effort of ~100 advertising companies that offers a single interface for opting out of their tracking. Note that activating the opt-out will actually set opt-out cookies in your browser: a special opt-out cookie for each compliant advertising provider, so it's a kind of "Catch 22" — you need a cookie to get rid of a cookie. But it seems to work (at least for Google ads, which was the only one I actually tested).
  • WikiHow has easy-to-follow instructions on how to view and delete cookies in Microsoft Internet Explorer, Mozilla Firefox and Google Chrome. Note that right after you delete your cookies, websites will start setting them again, and if you delete the opt-out cookies mentioned above, your preference will no longer be passed to ad companies.
  • Most recent browsers have a special "anonymous" browsing mode. It's called Incognito in Chrome, InPrivate in MSIE and Private Browsing in Firefox. It's not really anonymous, as websites will still see your original network address, but your browser will not store any permanent data of the kind typically used by the Evercookies mentioned above.
  • If you don't like advertisements, you might consider ad-blocking software such as AdBlock. Please note, however, that the majority of your favourite websites are alive only because they can pay their bills with ads, so the more people block ads, the more of them will just disappear or offer only paid content.
  • Even ad-blocking software will not be able to prevent some forms of sophisticated tracking, such as HTML canvas fingerprinting. Specialised add-ons such as NoScript for Firefox can help here and are strongly recommended if you're concerned about your privacy. If you're able to accept slightly increased page loading times in exchange for a high level of privacy, you might try the TOR Browser.

What is WebCookies/1.0 agent?

This site uses a script that emulates a web browser to render the page for which people want to check the cookies. The script uses the following User-Agent string:

WebCookies/1.0 (+http://webcookies.org/faq/#agent)

The script does not crawl the whole website; it just fetches the single page entered by a user on the WebCookies.org main page. The script renders JavaScript and fetches images just like a standard browser, so you will see requests for JS, CSS and images.
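The following Python script is an added example, not the WebCookies scanner's own code. It shows the Set-Cookie/Cookie round trip described in the "What are web cookies?" section and the first limitation listed under "Do you record all cookies": a single anonymous fetch, sent with the User-Agent string quoted above, records only the cookies a site hands to new visitors, while a cookie that is set only after login never appears in the scan. The website is a constructed stand-in running on localhost (so the script works offline); its paths, cookie names and values are placeholders chosen for the example.

```python
"""Set-Cookie/Cookie round trip against a local stand-in website, and what one
anonymous fetch (the way a cookie scanner works) does and does not record.
Added example: server, paths and cookie names are constructed for the demo."""
import http.client
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# User-Agent string quoted in the FAQ; sending it lets site owners recognise the scan in logs.
USER_AGENT = "WebCookies/1.0 (+http://webcookies.org/faq/#agent)"


class DemoSite(BaseHTTPRequestHandler):
    """Constructed website: hands a session id to new visitors (Set-Cookie), recognises
    returning ones by the Cookie header, and sets a second cookie only after /login."""

    def log_message(self, *args):  # silence request logging in the demo
        pass

    def do_GET(self):
        sent = SimpleCookie(self.headers.get("Cookie", ""))   # cookies the client sent back
        self.send_response(200)
        if "sessionid" not in sent:                           # first contact: assign an id
            self.send_header("Set-Cookie", "sessionid=demo-session-id; HttpOnly; Path=/")
        if self.path == "/login":                             # only authenticated users get this
            self.send_header("Set-Cookie", "auth=demo-auth-token; Secure; HttpOnly; Path=/")
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        who = "returning" if "sessionid" in sent else "new"
        self.wfile.write(f"{who} visitor".encode())


def start_server():
    server = HTTPServer(("127.0.0.1", 0), DemoSite)           # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, path, cookies=None):
    """One GET, like the scanner's agent. Returns (body, list of Set-Cookie header values)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"User-Agent": USER_AGENT}
    if cookies:                                               # replay cookies in a Cookie header
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    set_cookies = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return body, set_cookies


def cookie_names(set_cookie_headers):
    """Names of the cookies in a list of Set-Cookie header values."""
    return [h.split(";", 1)[0].split("=", 1)[0].strip() for h in set_cookie_headers]


def demo():
    server = start_server()
    port = server.server_address[1]
    try:
        # 1. Anonymous scan of the front page: only the pre-login cookie is recorded.
        scanned = cookie_names(fetch(port, "/")[1])
        # 2. Sending the cookie back identifies the client; the server sets nothing new.
        body, on_return = fetch(port, "/", cookies={"sessionid": "demo-session-id"})
        # 3. A real user who logs in receives a cookie the anonymous scan never saw.
        after_login = cookie_names(fetch(port, "/login", cookies={"sessionid": "demo-session-id"})[1])
        return {"scanned": scanned, "returning_body": body,
                "set_cookie_on_return": on_return, "after_login": after_login}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The anonymous fetch in step 1 is exactly the scanner's view: one page, one response, the Set-Cookie headers it carries. Step 2 is the round trip from the first section (the browser echoes the identifier, the site answers "returning visitor"), and step 3 is why an audit of a site with logins must also be run by an authenticated user before the cookie report can be called complete.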