Comment by ranger_danger

9 hours ago

Potential real-world consequences, while they do exist, are simply too subtle to realize. Some actual examples of cookies being used against people:

- CBP has admitted to buying location/advertising data from brokers to use in helping locate people to arrest

- Phishing and identity theft can be made easier due to cookies... security researchers have even demonstrated 2FA bypass techniques based on it

- Price discrimination - Consumer Reports found that flight prices can fluctuate based on your cookies. Sometimes they would even raise the price if you kept searching for routes, as an indication that you were in a hurry, thus likely willing to pay extra.

- Healthcare discrimination - Companies have been found to raise healthcare prices or deny coverage due to cookie data aggregated via brokers where external sites tracked a person's health conditions based on what pages they visited (examples: fertility, cancer and mental health support groups)

- AI models or automated systems using cookie data to predict housing stability, creditworthiness, and employment risk without ever seeing your resume or credit report directly

- ProPublica found that Facebook was allowing advertisers to target their housing ads based on specific age/race groups stored in cookies

- Some recruiting firms have used cookies to infer personality traits and political leanings. Your employment application could be rejected or deprioritized based on that

- Based on the previous examples, I think it is not a far-fetched idea that websites and services could deny you access altogether based on data revealed by a combination of things like your browser fingerprint + brokered cookie data, such as political affiliation, estimated income, race/gender, health situation, etc. Imagine, for example, not being able to order pizza because you badmouthed their favorite president online.

It's also harder to change your mind later and go delete a bunch of specific cookies to opt out when you could have just said no from the beginning.

I appreciate the list of potential harms. I'm curious about your last point though. Isn't it trivially easy to wipe cookies from your browser?

  • You should always configure your browser to automatically wipe all data on exit. The Arkenfox user.js user profile does this and more to mitigate fingerprinting.

    • I am logged into way too many sites to do that unfortunately. I do use a password manager with a browser plugin to make it easier, but it's still a lot of manual work to re-login to all the sites I use on a normal basis, for both work and home, every time I restart my browser.

      Would be nice if there was some other solution, like maybe encrypting the browser profile and then requiring a pin/password/biometric/something to unlock it on each start.

  • It can be, yes, although not everyone wants to do that because you will likely be logged out of all the websites you're using, shopping carts cleared out, etc.