Has the cookie crumbled?

elevenM’s Chaitalee Sohoni dives into the what and why of third-party cookies, Google’s plan to phase them out and what this means for businesses and individuals alike.

By 2023, Google Chrome will phase out support for third-party cookies as part of its Privacy Sandbox Initiative with Stage 1 set to start by late 2022.

Google first announced its intention to eliminate third-party cookies from its Chrome browser in early 2020 and made it explicit that they ‘will not build alternate identifiers to track individuals as they browse across the web‘.

If you have been on a website in the last couple of years, you might have encountered an annoying pop-up inviting you to read the company’s ‘cookie policy’ and review your cookie preferences. Chances are you clicked ‘agree’ without reading it and moved on to the content of the page, mostly because privacy policies are tedious to read. The cookie policy on any website is essentially notifying you that a cookie is downloaded to your computer to ‘enhance’ your browsing experience each time you visit the website.

But what exactly are cookies and how do they affect you?

A cookie is a small piece of text that a website asks your browser to store, and that the browser sends back with every later request to that site. It typically holds an identifier that is unique to you, which is how a site recognises you on your next visit and can personalise what it shows you based on your earlier activity there.

While cookies aren’t bad, what we choose to do with them is problematic because it raises concerns about data privacy.

Cookies were invented by Lou Montulli in 1994 and have since been the backbone of internet browsing experience. Cookies are created to remember and recall information that is useful while browsing, such as log in information or the previous page on a website. Without cookies, browsing the internet would be an extremely frustrating process — imagine adding an item to your cart when you shop online, and having it disappear each time you go back to add more items. Think Dory from Finding Nemo.

There are two kinds of cookies: First-party cookies and third-party cookies. First-party cookies are created and downloaded from the primary website you are visiting.

Third-party cookies, however, are set by a domain other than the one in your address bar. When you visit a website, the page will most likely embed advertisements or images served from other websites, or a Facebook ‘like’ button. Your browser fetches those resources, and the responses can set cookies for the third party’s domain. Even if you never click on them, those cookies are created and stored on your system.

If you have ever had an advertisement follow you around on the internet, third-party cookies are the reason. A third party whose content is embedded on many sites receives its own cookie back from your browser on each of those sites, so it can link your visits together and build a profile of you: your age bracket, gender, location, interests, personal preferences and so on. Advertising companies use that profile to send you personalised advertisements. Cookies therefore allow companies to make more money by helping them find the right audience for their products, and platforms such as Facebook and Google are heavily incentivised to ensure advertisements from brands reach the targeted users.
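To make the first-party/third-party distinction concrete, here is an added example (not code from the original post) that takes the Set-Cookie headers returned while rendering one page and classifies each cookie by comparing the cookie’s domain with the page’s domain. It also checks whether a third-party cookie would still be sent cross-site under Chrome’s SameSite rules (Chrome treats a missing SameSite attribute as Lax and only sends a cookie in a cross-site context when it is SameSite=None and Secure). The domains news.example, ads.example and social.example, the cookie names and the header values are all constructed for illustration, and the registrable-domain check is a simplification that ignores the Public Suffix List.

```javascript
// Added example, not from the original post: classify cookies set while
// rendering one page as first-party or third-party, and check whether a
// third-party cookie would still be sent cross-site under Chrome's SameSite
// rules. All URLs, cookie names and header values are constructed.

// Registrable domain, approximated as the last two labels. A real browser uses
// the Public Suffix List (so "a.co.uk" and "b.co.uk" are different sites);
// that refinement is deliberately left out here.
function site(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Classify a cookie set by the response to `requestUrl` while the user is
// viewing `pageUrl`. A Domain attribute, if present, overrides the request host.
function classifyCookie(pageUrl, requestUrl, setCookieHeader) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const cookie = parseSetCookie(setCookieHeader);
  const cookieHost = typeof cookie.attrs.domain === "string"
    ? cookie.attrs.domain.replace(/^\./, "")
    : req.hostname;
  const party = site(cookieHost) === site(page.hostname) ? "first-party" : "third-party";

  // Chrome (since version 80) defaults a missing SameSite to Lax and only
  // sends a cookie cross-site when it is SameSite=None AND Secure.
  const sameSite = typeof cookie.attrs.samesite === "string"
    ? cookie.attrs.samesite.toLowerCase()
    : "lax";
  const secure = cookie.attrs.secure === true;
  const sentCrossSite = party === "first-party" || (sameSite === "none" && secure);

  return { name: cookie.name, host: cookieHost, party, sameSite, secure, sentCrossSite };
}

// Constructed sample: a news article page that embeds an ad pixel and a
// social "like" button script, each of which sets a cookie in its response.
const PAGE = "https://www.news.example/article/123";
const SAMPLE = [
  ["https://www.news.example/article/123", "session=abc123; Path=/; HttpOnly; Secure"],
  ["https://ads.example/pixel.gif", "uid=7f3a9c; Domain=.ads.example; SameSite=None; Secure"],
  ["https://social.example/like-button.js", "track=9e1d; Path=/"],
];

function report(pageUrl, responses) {
  return responses.map(([url, hdr]) => classifyCookie(pageUrl, url, hdr));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of report(PAGE, SAMPLE)) {
    console.log(
      `${r.name.padEnd(8)} ${r.party.padEnd(12)} host=${r.host} ` +
      `SameSite=${r.sameSite} Secure=${r.secure} sent cross-site=${r.sentCrossSite}`
    );
  }
}
```

Run with `node cookies.js`. The session cookie is first-party, the ad pixel’s uid cookie is third-party and (being SameSite=None; Secure) will follow the user to every site that embeds that pixel, while the like button’s track cookie, lacking those attributes, is stored but never sent in a cross-site context, so it cannot be used to correlate visits.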

With its Privacy Sandbox Initiative, Google aims to withdraw support for third-party cookies. At first glance, this move appears to be a step in the right direction for data privacy, but Google is a tad late to this party. Mozilla’s Firefox, Apple’s Safari and Brave blocked third-party cookies years ago, making them more privacy-robust browsers. There’s also DuckDuckGo, a privacy-focused search engine that also offers a browser for mobile phones.

Google may not be the first to ban cookies but Chrome is the most popular browsing platform with a global web browsing market share of 64.4% as of January 2022, which is significant when compared to Safari or Firefox, which only account for 16.9% and 3.9%, respectively. And so, Google’s plan to phase out cookies is a big deal in the world of internet.

With Google hopping on the bandwagon, does this spell the end for third-party cookies? Maybe. Does it mean that your browsing history won’t be tracked anymore? The answer is not that simple.

Eliminating third-party cookies does remove the power advertising companies have in terms of tracking individuals, but it places that power directly into Google’s hands. With Chrome not relying on third-party cookies to collect data about users, Google will no longer support companies in selling targeted web advertisements to individuals. This move will give Google an upper hand in collecting first-party data from users including collecting data from mobile applications to which the cookie ban doesn’t apply.

Google’s move will have a drastic impact on businesses and advertisers as they will need to rely heavily on first-party data or find alternatives to reach their audiences. In a joint statement, the Association of National Advertisers and the American Association of Advertising Agencies have pointed out that ‘Google’s decision to block third-party cookies in Chrome could have major competitive impacts for digital businesses, consumer services, and technological innovation.’

Proposed legislative changes in this area will also have a bearing on businesses. In the review of the Privacy Act currently underway, one of the proposed changes includes replacing ‘about’ with ‘related to’ in the definition of personal information in the Privacy Act 1988. The purpose of this change is to explicitly bring more technical identifiers such as IP addresses or unique, persistent identifiers used in cookies within the scope of the Act. Under this new definition, unique identifiers are very likely to be considered personal information and this change will therefore have a bearing on the use of cookies by websites that depend on unique identifiers to track individuals.

Google initially wanted to replace third-party cookies with Federated Learning of Cohorts (FLoC). FLoC was designed to group individuals into cohorts of similar interests based on their web browsing. However, in January this year, Google announced that it was replacing FLoC with Topics. Topics is also built on the idea of interest-based advertising, with the browser determining a user’s top interests from their browsing history; Google states that it ‘provides you with a more recognizable way to see and control how your data is shared, compared to tracking mechanisms like third-party cookies.’

Google is still exploring options to fulfil its promise to phase out the use of third-party cookies by 2023, a delay from its initial plan to phase them out by 2022. We may have to wait a little longer to see how third-party cookies will be replaced by Google.

[UPDATE: An earlier version of this post stated Google intended to replace third-party cookies with Federated Learning of Cohorts (FLoC), however it has now opted to replace them with Topics.]

Towards a safer online world for children and the vulnerable

elevenM’s Jordan Wilson-Otto shares findings from recent research on the privacy risks and harms for children and vulnerable groups.

Yesterday the Government initiated two consultations (on the Online Privacy Bill and the Privacy Act Review), both of which include a focus on better protecting kids. elevenM worked on key research that informed thinking behind these changes, and we are delighted to share the outputs of that research here.

Our research was commissioned by the Office of the Australian Information Commissioner and conducted in partnership with two leading academics from Monash Law School (Normann Witzleb and Moira Paterson). It provides an in-depth analysis of the privacy risks and harms that can arise for children and for other vulnerable groups online and makes recommendations for additional protections that could be put in place to mitigate these risks.

We’re proud of our contribution, and we hope it might serve as a useful reference for those drafting submissions to the Online Privacy Bill exposure draft and the Privacy Act Review Discussion Paper.

If you don’t have time to read the whole report, here are some of our key findings:

  • Children can be vulnerable online due to limitations in their basic and digital literacy, cognitive abilities and capacity for future-focused decision making.
  • Individual characteristics and situational factors shape susceptibility to harm, even for adults. Vulnerability is dynamic and contextual, and its causes are complex and varied. Identifying individuals who need greater protection is not always straightforward.
  • Children and other vulnerable groups face a wide variety of harms online. Mostly, these arise from monetisation of their personal information and the manipulation of their behaviour, but also from the social impacts of sharing personal information on their reputation and life opportunities, and e-safety risks. But it’s also important to remember that no environment is risk free, and participation, the right to take one’s own risks and the development of digital skills are also important goals.
  • Digital platforms have all adopted measures aimed at protecting children and other vulnerable groups. However, these are highly variable between platforms and are often difficult to navigate and limited in their effectiveness.
  • There is an international trend towards implementing additional privacy protections for children, with the UK the most advanced, followed by the EU and the USA. We review enhanced privacy protections for children and other vulnerable groups across these jurisdictions.
  • Reliance on consent should be limited. In most cases with social media and digital platforms, even adults are not able to understand the conditions they’re agreeing to.
  • For everyone, but particularly for kids, privacy transparency should aim for more than mere disclosure of material facts, and should instead aim to educate, empower and enable privacy self-management in line with a child’s developing needs and capabilities.

Finally, we made a range of recommendations for additional protections that could be put in place either via an Online Privacy Code, or as part of the broader review of the Privacy Act in order to better protect our most vulnerable. Some of the key ones are:

  • To establish an overriding obligation to handle personal information lawfully, fairly and reasonably, taking into account the best interests of the child (where children are involved).
  • To place a greater onus on platforms to verify users’ age (taking into account any privacy risks arising from verification measures).
  • To strengthen requirements for consent, taking into account whether it is reasonable to expect that an individual understands what it is that they are consenting to.
  • To strengthen privacy transparency requirements, including requirements to collect engagement metrics for privacy notifications and privacy features, and to demonstrate that steps taken to ensure user awareness of privacy matters are reasonable.

We’re encouraged to see that the focus on better protecting kids online is already generating national and international headlines, and hope this research will play a role in steering us towards the right reforms. Ultimately, any new code or reforms to the Privacy Act must not only protect children and vulnerable groups from online risks, but also enable them to fully access and participate in the benefits of the online world.

If you would like to discuss this research in more detail, or would like us to assist you to understand the broader Privacy Act changes being considered, drop us a line at hello@elevenm.com.

The need to look beyond cyber

elevenM Principal Pete Quigley explores whether a siloed mindset is constraining the value digital risk professionals can bring to organisations and their clients.

I was lucky in the early 2010s to be consulting into Australia’s financial services industry when AWS came to town. I saw first-hand the internal struggles between business and technology teams who wanted to adopt a cloud-first strategy and risk, privacy and security teams who felt they were giving away the keys to the castle.

Based on my position at the time with PwC, I had a number of fireside chats with the technology risk team from APRA, Australia’s financial services regulator. APRA foreshadowed an impending situation in which institutions would become reliant on digital channels to service their customers, but would lack visibility into what individual services and vendors made up those channels.

Fast forward a decade and most revenue-producing digital channels leverage a multitude of vendors to provide critical online services. One such widely-used vendor who has been hitting the headlines recently is Akamai.

Akamai provides a number of services to optimise and protect digital channels. The nature of these services requires that you allow Akamai to manage critical digital services like the Domain Name System (DNS). For those unfamiliar with DNS, it acts as the phonebook of the internet and allows users to connect to websites using domain names such as elevenM.com, instead of IP addresses.

DNS is commonly considered to be a fragile system: when there are errors in the use or updating of this phonebook, users can’t find websites, even though the websites themselves are running. This was the case with Akamai recently, whose DNS failure led to a massive internet outage.

When I am asked what elevenM does, I usually revert to our tagline of ‘specialist cyber, privacy and data governance professionals’. I say that because it is what people understand and can draw a line to specific services and, indeed, specific outcomes. Within elevenM, however, we talk in terms of digital risk – the risk our clients face when operating in a digital economy.

The outage caused by a bug in Akamai’s DNS service was not cyber, privacy or data governance related. In fact Akamai was at pains to say the issue “was not a result of a cyberattack”, even though it had very little else to say about the root cause.

But the issue still had a significant impact on the availability of the digital channels of a large portion of the internet, and thus on the trust and confidence of users of those services – which is arguably ultimately what our industry is about.

So, is it time we stop talking about specific delivery-focused silos and start thinking in terms of the customer’s digital experience? To more holistically assess risks to those digital experiences and how we are effectively measuring and managing those risks?

Rotting fish: The need to improve cyber culture

elevenM’s newest recruit Jasmine Logaraj shares her thoughts on improving the culture within the cyber security industry, and how that will help to defend against cyber threats.

This week, I had the opportunity to attend The CyberShift Alliance’s discussion “Addressing workplace culture in the cyber security sector.” The CyberShift Alliance is a collaboration between several associations including ISACA SheLeadsTech, FITT, CISO Lens, AWSN, the Australian Signals Directorate, AustCyber, ISC2 and AISA, DOTM, EY and Forrester Research, with the goal of addressing culture change within security. This alliance formed from an earlier International Women’s Day event run by AWSN and ISACA.

The purpose of the discussion this week was to raise awareness of toxicity in the cyber security industry. Speaker Jinan Budge, Principal Analyst at Forrester, described the main reasons for toxicity in the industry as being lack of organisational support, ego, and low leadership maturity.

Poor workplace culture is preventing good talent from joining the industry and making it harder to retain it. It is hindering the quality of work and preventing us as a nation from tackling cyber threats in the most inclusive, collaborative and, therefore, most effective way.

I asked Jinan and the panelists during the Q&A session to elaborate on the idea of toxicity being a barrier to young talent. Panelist Jacqui Kernot, Partner in Cyber Security at EY, said the reason it was hard to hire good talent was not because of a shortage of professionals with STEM skills, but because the industry needs to become a better place to work.

As cyber security professionals, we need to make this industry a more exciting and happier place. When recruiting, employers need to consider not only whether the employees are properly skilled, but whether they are the right fit for a good workplace culture, and in turn, whether their company is worthy of such wholesome candidates. Knowledge can be taught. Personality cannot.

Another interesting point raised during the discussion was the inability to speak out about bad behaviour in the cyber security industry. Jinan surveyed her professional network and found that 65% of respondents considered it “career suicide” to speak up about workplace problems, highlighting a fear of potential punishment for doing so.

Changing this consensus relies on us as cyber security professionals leading the way. As Jacqui pointed out: “the fish rots from the head.” It is not a HR problem, but something to be fixed at the leadership level and not denied or swept under the rug. If companies do not address these problems, they will continue to lose good talent, and in turn waste money, time, and effort, leaving them with fewer employees and a lessened reputation. Akin to our efforts to create a security-focused culture in our clients, at elevenM we believe good workplace culture similarly requires an effort to foster shared values through leadership and role-modeling.

I am grateful that there are individuals such as Jinan, Jacqui and James working in my industry who realise the importance of fostering a good workplace culture. With leaders like these, I remain hopeful for the future.

Of Mice and Coin

elevenM’s Peter Quigley takes a closer look at what Australia can do in the face of a modern scourge – ransomware – as governments up the ante against the threat.

Plummeting winter temperatures in Australia have led to an unexpected threat for car and home owners: rats and mice. Like most of us, these rodents are trying to find a place to take refuge from the cold and the resulting damage has been significant.

The scale of this threat has led major insurers to reject many claims made, stating that their insurance only protects against vermin infestation as a flow-on effect from a fire or flood.

As a risk person, I have always found the insurance industry interesting. At its core, it is a system which derives profit from the analysis of risk data. This is why I keep an eye on what the industry is saying about cyber security.

Like homeowners in Australia, companies around the world are now having insurance claims rejected – not for vermin but for infestation of a different kind: ransomware.

As you will have undoubtedly read, ransomware incidents have significantly increased over the past year. The reasons for this have been well reported and we won’t delve into them here. What I want to talk about is what happens to a cyber risk when, like vermin infestation, it becomes uninsurable?

If companies are not able to insure against a potential risk event, then they have two options: (i) accept the risk and wear the cost of that event should it happen or (ii) not engage in the practices which may lead to that risk event. In the case of ransomware (and most cyber threats), given the digital nature of every business today, the latter is not a viable option. So, we are left with the former – that is, taking the position of, as we say in Australia: “She’ll be right”.

If, however, businesses begin to fold and the broader economy is impacted, there’s a case to be made that the government needs to step in. In Australia, we are seeing building momentum as ransomware is wielded as a political stick – most recently by Tim Watts, Australia’s Shadow Minister for Cyber Security, calling for a National Ransomware Strategy. Ransomware was also on the agenda at the G7 summit in Cornwall last weekend, with various commitments made to fight the threat collaboratively.

What governments can do to combat this technical and geopolitical threat in real terms is unknown. Mr Watts’s strategy contemplates a variety of measures including increased law enforcement, crackdowns on rogue bitcoin exchanges and various sanctions.

The strategy also advocates for Australian organisations to develop a reputation for being less likely to pay ransoms (through imposing controls on ransomware payments), so that attackers’ return on investment for targeting Australian organisations might fall in comparison to those in other countries. While making yourself a less attractive target is a common and legitimate strategy in cyber security, I tend not to agree with this approach to ransom payments. Due to the opportunistic nature of ransomware attacks (often enabled by automated services scanning and prodding IP addresses across the internet), it seems likely to me that Australian organisations will continue to be heavily impacted by ransomware – regardless of policies that limit or regulate their ability to pay ransoms.

As noted earlier, ransomware is both a technical and geopolitical problem. Looking at both these aspects in detail and asking what can be done, I always arrive at the following:

  • Technical – Ultimately, cyber criminals are most likely to move on if they encounter mature cyber defences. As done in Singapore, Australia should mandate a minimum set of cyber security controls for all critical infrastructure as part of the current changes being considered to security legislation, outline what those controls are, and encourage private businesses to adopt them. The Australian Government should publish threat data on recent ransomware events to support those charged with the operation of cyber controls in updating their defences as required.
  • Geopolitical – Not to appear too cynical, but I maintain low expectations on the current and immediate impact of geopolitical efforts on the ransomware landscape. It’s widely believed that ransomware gangs operate with impunity in some jurisdictions, despite those jurisdictions agreeing to international norms. As these geopolitical efforts slowly gather pace, it’s all the more reason to enhance the defensive maturity of organisations in the meantime.

This is just my view. In the words of John Steinbeck, “Guy don’t need no sense to be a nice fella.”

PAW 2021 – That’s a wrap

Privacy Awareness Week is 5-9 May 2021.

In our final post for Privacy Awareness Week (PAW), we share our five highlights and observations from the week.

1. A privacy win during PAW

The timing may have been coincidental, but we’ll take it. There was a notable win for privacy this week with the Senate Committee that reviewed the Government’s inter-agency data sharing law – the Data Availability and Transparency Bill – recommending the bill not be passed in its current form, noting a need for stronger privacy protections and security measures (among other things).

Our advocacy for greater attention to the privacy risks in the bill (as part of a collaborative submission with other privacy colleagues) was quoted in the Senate Committee’s report and in the news media this week.

2. Momentum building

We were energised to hear this week just how much focus and attention there is on privacy, particularly from a regulatory perspective. At a panel of regional privacy regulators hosted by the International Association of Privacy Professionals on Tuesday, we got insight into the breadth of activity currently underway.

At the Commonwealth level, clearly the focus is on the review of the Privacy Act. The States and Territories are also running various projects to bolster privacy protections, from the privacy officers project in Victoria, mandatory breach reporting in NSW and privacy champions network in Queensland, to the focus on managing privacy in complex cross-cultural contexts in the Northern Territory.

Overseas, New Zealand is looking at improvements within its public sector, the Philippines will be launching a privacy mark and Singapore is implementing its new data protection law.

Many of the regulators on Tuesday also expressed the view that it is time for everyday Australians to make privacy a priority and realise that every time we hand over our data, we’re not only making an individual decision but also contributing to the future fabric of our society.

3. Privacy spat!

What better way to draw attention to trust and transparency during PAW than a stoush between two technology platforms over privacy.

Signal and Facebook went at it after Signal used Facebook’s own advertising platform to create ads that exposed the categories Facebook uses to classify users. The ads appeared as placards and contained customised messages such as: “You got this ad because you’re a certified public accountant in an open relationship. This ad used your location to see you’re in South Atlanta. You’re into natural skin care and you’ve supported Cardi B since day one.”

Facebook labelled the move a stunt, while Signal claimed Facebook disabled its account as a response. Either way, fantastic timing for PAW.

4. Privacy is precious

Speaking of ads, our attention this week was drawn to New Zealand’s TV commercial for privacy, created to raise awareness of its new Privacy Act, which came into operation in December 2020. The ads feature the theme “Privacy is precious” and are at once simple to understand while being wonderfully evocative. Check it out here.

The Kiwis have a great track record of pumping out great videos to raise awareness – see the Air New Zealand air safety videos and New Zealand Government online safety ads. Perhaps it’s time to add “privacy advertisements” to the list of cross-Tasman rivalries, which already includes cricket, rugby and netball. Can Australian creatives take up the charge and create an even better pitch to help the Australian community prioritise privacy?

5. Hurray for privacy drinks

Finally, it was great to celebrate Privacy Awareness Week with an old-fashioned drink with friends and colleagues. elevenM hosted drinks at O Bar in Sydney on Wednesday night, and we were thrilled to be back together in person with so many of our valued friends, clients, partners, colleagues, and other fellow travellers in attendance.

It reminded us what a diverse and vibrant community we have and filled us with inspiration and optimism about the future, as we work together to solve some of the most complex issues of our time. Thanks to all who came, and we hope those that couldn’t will make it next time.