ENISA warns about privacy threat from next-generation cookies

In its policy paper "Bittersweet cookies: Some security and privacy considerations", ENISA said that new types of cookies being developed by the advertising industry support persistent user identification and offer too little transparency about how they are being used.

"There is limited support for confidentiality, integrity and authentication in the way cookies are used. In this respect, the possibilities for misusing cookies are very real and are being exploited. Furthermore, due to the nature of the information they store and the way cookies are used for profiling, privacy concerns have been raised and policy initiatives have been initiated to address such issues", ENISA warns in the paper.

To mitigate the privacy and security implications of these next-generation cookies, ENISA recommends that users' informed consent should guide the design of systems using cookies; the use of cookies and the data stored in cookies should be transparent for users.

In addition, users should be able to manage cookies, in particular the new cookie types. All cookies should have removal mechanisms that any user can understand and use.

Also, storage of cookies outside browser control should be limited or prohibited, and users who do not accept cookies should be offered an alternative service channel, ENISA recommends.

"Much work is needed to make these next-generation cookies as transparent and user-controlled as regular HTTP cookies to safeguard the privacy and security aspects of consumers and business alike", said ENISA Executive Director Udo Helmbrecht.

ENISA supports implementation of European Union Directive 2009/136/EC by member states by the May 25, 2011, deadline. Among other provisions, the directive requires that user consent be obtained before a cookie is placed on a user's computer, except where the cookie is strictly necessary to deliver a service the user has explicitly requested.