
Kingdom of Saudi Arabia

Ministry of Education
Imam Mohammed Ibn Saud Islamic University
College of Computer and Information Science
Department of Information Security

The Evolution of Data Privacy in Cookie Usage

By
Raghad Mohammed Alayfan

Introduction

In the vast expanse of the digital universe, a seemingly insignificant yet profoundly influential com-
ponent has emerged: cookies. These minuscule data fragments, saved on user devices, have become
indispensable in shaping our online interactions, influencing the content we encounter, the items we
buy, and the services we utilize. Beneath their simple exterior lies a labyrinth of technical complexi-
ties, regulatory hurdles, and pressing issues related to data privacy [1] [2].

This thesis sets out to explore the intricate world of cookies, charting their journey from modest ori-
gins to their present role as potent instruments of digital engagement. Cookies are more than mere
digital footprints; they are the custodians of customization and convenience on the web. They act as
a website’s memory, storing user preferences, login details, and shopping cart information, thereby
enhancing and personalizing the online experience [1] [3] [4].

However, with the increasing complexity and ubiquity of cookies come growing concerns about
user data privacy and security. This study delves into the technical nuances of cookies, unraveling
their various forms and highlighting the potential risks they carry. From session hijacking to cross-
site scripting, cookies are vulnerable to a spectrum of malicious attacks that compromise user pri-
vacy and security. This dissertation will delve into these threats in depth, offering insights into how
these risks can be mitigated through encryption, secure cookie flags, and other defensive strategies
[3] [4] [5].

Beyond their technical aspects, cookies also operate within a convoluted network of laws and regu-
lations. From the European Union’s General Data Protection Regulation (GDPR) to the California
Consumer Privacy Act (CCPA), the global regulatory landscape around cookies is in flux. This re-
search will critically examine existing legal frameworks, identifying potential loopholes in user pri-
vacy protection and proposing enhancements or new regulations where needed [6] [7].

Moreover, as digital marketing increasingly leverages user data for targeting and personalization,
cookies have become instrumental in reshaping this field. This dissertation will investigate how
cookies have revolutionized digital marketing strategies, enabling marketers to gather and leverage
user keywords to deliver personalized content. It will also probe into the ethical and privacy
implications of these practices [7].

As we navigate through this complex maze of cookies, we will address the technical, regulatory,
and societal facets that characterize their existence in the digital domain. Through an exhaustive ex-
ploration of cookies and their impact on user privacy, this research aims to add valuable insights to
the ongoing dialogue surrounding data privacy in the digital era [8].
Objectives
The objective of this study is manifold, encompassing an exhaustive investigation of web cookies
and their implications for data privacy [2] [3]. These objectives are intended to illuminate the
technical, legal, and practical facets of cookie usage, offering a comprehensive understanding of their
role in the digital domain.

Technical Comprehension: The initial aim is to furnish a profound and intricate comprehension
of web cookies, including their technical aspects, classifications, and functionalities (HttpOnly
cookies, zombie cookies, third-party cookies, etc.).

This will necessitate a meticulous examination of session cookies, persistent cookies, and other
variants, as well as their roles in enhancing user experiences on websites [3].

Risk Evaluation and Mitigation: The subsequent aim is to pinpoint and evaluate the risks associated
with cookies, including potential susceptibilities and attacks such as session hijacking, cross-site
scripting (XSS), and cross-site request forgery (CSRF). This encompasses an exploration of
techniques and strategies to alleviate these risks, such as encryption and secure cookie flags. For
instance, CSRF can be mitigated by using anti-CSRF tokens in forms and requests, ensuring that
even if an attacker tricks a user into making an unwanted request, it will not be honored without
the correct token [9].
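
The anti-CSRF token check described above, as an added example that is not part of the original proposal. The names SERVER_KEY, issue_csrf_token, verify_csrf_token and handle_request are hypothetical, and the token format (random nonce plus an HMAC bound to the session cookie) is one common construction assumed here.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret for the example; a real service loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

def _mac(session_id, nonce):
    """HMAC-SHA256 over the session id and nonce, hex encoded."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id):
    """Return a token tied to one session, to be embedded in that session's forms."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def verify_csrf_token(session_id, token):
    """Accept the token only if it was issued for this session and is unmodified."""
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())

def handle_request(method, cookies, form):
    """Return the HTTP status a server would send for this request."""
    session_id = cookies.get("session")
    if session_id is None:
        return 401  # no session cookie, not authenticated
    if method in SAFE_METHODS:
        return 200  # read-only methods carry no token
    # The browser attaches the session cookie automatically, even on a forged
    # cross-site request; the token is only present in forms the site itself served.
    if verify_csrf_token(session_id, form.get("csrf_token")):
        return 200
    return 403

if __name__ == "__main__":
    sid = "sess-constructed-1"  # constructed session id
    token = issue_csrf_token(sid)
    print("legitimate form post:", handle_request("POST", {"session": sid}, {"csrf_token": token}))
    print("forged post, no token:", handle_request("POST", {"session": sid}, {"amount": "100"}))
```
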

Legal Framework Scrutiny: The third aim involves scrutinizing the legal regulations and frame-
works that govern cookie usage. This includes a critical assessment of existing rules, such as the
GDPR and CCPA, and evaluating their effectiveness in safeguarding user privacy. The research
will also strive to identify gaps in regulations, particularly in the context of Saudi Arabia, and pro-
pose potential enhancements or new rules [10] [11].

Investigation of Cookie-Related Attacks: The fourth aim is to undertake a comprehensive investigation
of real-world attacks and breaches resulting from cookie usage. This will involve categorizing
and analyzing these attacks, understanding their impact on user privacy, and evaluating the efficacy
of existing security measures [12].

Impact on Digital Marketing: The fifth aim is to probe the evolving landscape of digital market-
ing and how it has been influenced by cookies. This includes examining how user keywords are col-
lected and utilized for targeted advertising, as well as assessing the ethical and privacy implications
of these practices [13].

Identification of Research Gaps: Throughout the research process, a critical aim is to identify any
gaps in the existing literature and research related to cookies and data privacy. This will ensure that
the research objectives are based on prior knowledge. Here are some specific research gaps in this
area:

• HTTP-only Flag vs. Modern Attacks:

While the HttpOnly flag prevents cookies from being accessed by JavaScript, there might be
emerging attack vectors that bypass this protection.

• Cookie Lifetime and Expiry:

Research into optimal cookie lifetimes that balance usability and security, particularly for
critical applications like online banking.

• Cookie Consent Mechanisms:

Research on the effectiveness of various cookie consent mechanisms in truly informing
users and the potential for "consent fatigue." Additionally, investigating how often users
interact with or understand these banners could be insightful.

• The effectiveness of modern countermeasures against third-party cookies:

Third-party cookies are often used for tracking and advertising purposes, and they can be
difficult to block or delete. More research is needed to develop effective countermeasures
against third-party cookies.

• The impact of countermeasures on the user experience:

Some countermeasures, such as blocking all cookies, can have a negative impact on the user
experience. More research is needed to develop countermeasures that are effective at pro-
tecting user privacy without sacrificing the user experience.

By addressing these objectives, this research strives to provide a comprehensive and current analy-
sis of the evolution of data privacy in cookie usage, offering valuable insights into the challenges
and opportunities presented by this integral component of the digital world.

Literature Review

Web cookies, an integral component of the digital ecosystem, have a far-reaching impact that
transcends their seemingly benign existence. This literature review offers a comprehensive overview of
the pivotal facets of web cookies, including their technical complexities, implications for privacy,
legal frameworks, and influence on digital marketing.

Technical Aspects of Cookies: Web cookies, also known as HTTP or browser cookies, are diminu-
tive data fragments that websites deposit on a user’s device. They are primarily classified into two
types: session cookies and persistent cookies. Session cookies are ephemeral and expire when the
user terminates their browser session, whereas persistent cookies endure on the user’s device for a
predetermined duration. These cookies are instrumental in augmenting user experiences by preserv-
ing information such as login details, contents of shopping carts, and user preferences [3] [14].

However, their ubiquitous usage has sparked concerns about user privacy and security. Cookies can
be manipulated in various ways, leading to risks such as session hijacking, cross-site scripting
(XSS), and cross-site request forgery (CSRF). To counter these risks, protective measures like se-
cure cookie flags, HTTP-only cookies, and encryption have been devised [6][14].
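
The session/persistent distinction and the protective cookie flags discussed above can be checked directly on Set-Cookie headers. The following is an added example, not part of the original proposal; the function names, finding codes and sample headers are constructed for illustration.

```python
# Constructed Set-Cookie values for illustration; not taken from any real site.
SAMPLE_HEADERS = [
    "session=abc123; Path=/",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "prefs=dark; Max-Age=31536000; Secure; SameSite=Lax",
    "track=u-1; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into its name and a dict of lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(header):
    """Classify a cookie as session or persistent and list missing protections."""
    name, attrs = parse_set_cookie(header)
    # A cookie with neither Expires nor Max-Age lasts only for the browser session.
    kind = "persistent" if ("expires" in attrs or "max-age" in attrs) else "session"
    findings = []
    if "secure" not in attrs:
        findings.append("no-secure")       # may be sent over unencrypted HTTP
    if "httponly" not in attrs:
        findings.append("no-httponly")     # readable by script via document.cookie
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        findings.append("samesite-none")   # attached to cross-site requests
    elif samesite not in ("lax", "strict"):
        findings.append("samesite-unset")  # behaviour depends on the browser default
    return {"name": name, "kind": kind, "findings": findings}

def audit_all(headers):
    """Audit every header in a list and return one result per cookie."""
    return [audit_cookie(h) for h in headers]

if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS):
        print(result)
```
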

Regulatory Frameworks and User Privacy: The dynamic landscape of data privacy regulations
has significantly influenced cookie usage. Regulations such as the General Data Protection Regula-
tion (GDPR) by the European Union and the California Consumer Privacy Act (CCPA) have estab-
lished stringent rules for data collection, storage, and user consent. These regulations mandate web-
sites to disclose cookie usage to users and obtain their consent [6] [11][14].

In the context of Saudi Arabia, there is a burgeoning focus on data protection. However, there may
exist gaps in regulation. Further scrutiny is required to evaluate the sufficiency of current rules and
explore potential enhancements or new regulations.

Cookie-Related Attacks: Real-world attacks resulting from cookie usage have revealed vulnerabil-
ities in this technology. Session hijacking allows attackers to impersonate users, potentially compro-
mising sensitive data. Cross-site scripting attacks exploit cookies to inject malicious code into web-
sites. These attacks have profound implications for user privacy and security [9] [12].

Impact on Digital Marketing: Cookies have catalyzed a revolution in digital marketing by
enabling personalized advertising based on user behavior. Advertisers use third-party tracking
cookies to amass user keywords and other browsing data to deliver targeted content. While this practice
benefits advertisers, it raises ethical and privacy concerns as it involves extensive tracking of user
activities [2] [8] [13].

Research Gaps: Despite the wealth of literature on cookies and privacy, there remain areas
warranting further research. The evolving landscape of digital marketing coupled with the changing
regulatory environment necessitates continuous exploration to comprehend the latest developments
and potential gaps in knowledge [14].

Overall, web cookies serve as both a boon and a challenge in the digital realm. While they enhance
user experiences and enable personalized content delivery, they also pose significant privacy and
security concerns. The evolving regulatory landscape, coupled with the need for innovative solutions
to address cookie-related attacks, makes this an essential area of study for understanding the
evolution of data privacy in the digital age.

Methodology

This research adopts a mixed-methods strategy to thoroughly investigate the evolution of data pri-
vacy in cookie usage, encompassing technical, legal, and practical facets. The methodology com-
prises several stages to effectively accomplish the research objectives:

Literature Review: The preliminary stage involves a comprehensive review of existing literature
on web cookies, data privacy, and related subjects. This review forms the bedrock for understanding
the current state of knowledge and pinpointing research gaps. A systematic exploration of academic
databases, scholarly articles, books, and official documents will be undertaken to amass pertinent
information.

Technical Examination: To acquire a profound understanding of web cookies, their classifications,
and associated risks, a technical examination will be carried out. This will involve studying the
intricate workings of cookies, encryption techniques, secure cookie flags, and other security
measures. Furthermore, real-world cookie-related attacks will be scrutinized, categorized, and
documented.

Legal Framework Evaluation: The research will scrutinize existing rules and regulations related
to cookies, with a particular emphasis on the GDPR, CCPA, and any relevant Saudi Arabian regulations.
This evaluation aims to identify gaps in privacy protection and areas where improvements or
new rules may be necessary. Legal documents and expert opinions will be consulted for this pur-
pose [16].

Case Studies: Real-world case studies of cookie-related attacks will be examined to comprehend
their impact on user privacy and security. These case studies will offer valuable insights into the
effectiveness of security measures and the evolving nature of threats [15].

Survey/Interviews: To gauge the evolving landscape of digital marketing and its connection to
cookie usage, surveys or interviews with digital marketing experts will be conducted. These experts
will provide valuable insights into how user keywords are collected and used for targeted advertising.
Ethical and privacy concerns related to these practices will also be explored through these
discussions [16].

Data Analysis: Collected data, including survey responses or interview transcripts, will be analyzed
using qualitative and quantitative methods. This analysis will aid in identifying patterns, trends, and
emerging issues in digital marketing practices and cookie-related concerns [3] [16].

Identification of Research Gaps: Throughout the research process, a critical objective is to iden-
tify research gaps, particularly in areas with limited existing literature. This ensures that the re-
search objectives remain grounded in existing knowledge while highlighting areas that require fur-
ther exploration [17].

Report and Recommendations: The findings from the technical analysis, legal assessment, case
studies, and expert opinions will be synthesized to form a comprehensive report. This report will in-
clude recommendations for enhancing user privacy protection and addressing emerging challenges
in the digital marketing landscape [17] [18].

The mixed-methods approach allows for a thorough examination of web cookies and their implica-
tions from various angles, ultimately contributing valuable insights to the evolving field of data pri-
vacy in cookie usage [18].

References
[1] Digital Shift Media. (n.d.). Cookie. Digital Shift Media.
https://digitalshiftmedia.com/marketing-term/cookie/

[2] Dodt, C. (2020, July 7). Cookies: An Overview of Associated Privacy and Security Risks. Infosec Institute.
https://resources.infosecinstitute.com/topics/general-security/cookies-an-overview-of-associated-privacy-and-security-risks/

[3] Wagner, P. (2020, December 8). Cookies: Privacy Risks, Attacks, and Recommendations. SSRN.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3761967

[4] CM Alliance. (2022, August 26). Cookies & Cybersecurity: What's the Connection? CM Alliance Cybersecurity Blog.
https://www.cm-alliance.com/cybersecurity-blog/cookies-cybersecurity-whats-the-connection

[5] How do we comply with the cookie rules? (n.d.). ICO (Information Commissioner's Office).
https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/how-do-we-comply-with-the-cookie-rules/

[6] Cookies. (n.d.). GDPR.EU. https://gdpr.eu/cookies/

[7] Pantelic, O., Jovic, K., & Krstovic, S. (2022). Cookies Implementation Analysis and the Impact on User Privacy Regarding GDPR and CCPA Regulations. Sustainability, 14(9), 5015.
https://doi.org/10.3390/su14095015

[8] ICO (Information Commissioner's Office). (n.d.). Guidance on the Use of Cookies and Similar Technologies.
https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/

[9] Ahmed, S. M., Emmanuel, S. S., & John, A. E. (2020). Security and Privacy Concern of Web Cookies, with User's Understanding and Management of their Web Cookie. International Journal of Computer Science and Network (IJCSN), 9(3), 130. ISSN (Online): 2277-5420. www.IJCSN.org.

[10] Cookie Law. (n.d.). The Cookie Law. Cookie Law. https://www.cookielaw.org/the-cookie-law/

[11] Lawrence, A. R., Leonhardt, S., & Gathani, M. (2019, November 14). INSIGHT: Website Cookies and Privacy—GDPR, CCPA, and Evolving Standards for Online Consent. Bloomberg Law.
https://news.bloomberglaw.com/privacy-and-data-security/insight-website-cookies-and-privacy-gdpr-ccpa-and-evolving-standards-for-online-consent

[12] Stone, M. (2021, April 5). Guide to Cookie Hijacking. Security Intelligence.
https://securityintelligence.com/articles/guide-to-cookie-hijacking/

[13] Fich, O. (2020, July 22). What do ePrivacy & GDPR say about website cookies? Cookie Information.
https://cookieinformation.com/resources/blog/3-eu-cookie-regulations-you-need-to-know-about/

[14] Quach, S., Thaichon, P., Martin, K. D., Weaven, S., & Palmatier, R. W. (2022). Digital technologies: tensions in privacy and data. Journal of the Academy of Marketing Science, 1-19.
https://doi.org/10.1007/s11747-022-00845-y

[15] Microsoft Security Blog. (2022, July 12). From Cookie Theft to BEC: Attackers Use AITM Phishing Sites as Entry Point to Further Financial Fraud. Microsoft Security Blog.
https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/

[16] Deloitte. (Year). Deloitte NL Risk Cookie Benchmark Study. Deloitte.
https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/risk/deloitte-nl-risk-cookie-benchmark-study.pdf

[17] Harvard Business School Working Knowledge. (2023, August 29). Cold Call Podcast: As Social Networks Get More Competitive, Which Ones Will Survive? Re: Felix Oberholzer-Gee.
https://hbswk.hbs.edu/Pages/browse.aspx?HBSTopic=Marketing

[18] Koch, N., LL.M. (UC Hastings), & Rammos, T., LL.M. (2022, February 11). Cookies under attack – New decisions by European data protection authorities on online advertising. Taylor Wessing.
https://www.taylorwessing.com/en/insights-and-events/insights/2022/02/cookies-under-attack
