Website cookies are online surveillance tools, and the commercial and government entities that use them would prefer people not read those notifications too closely. People who do read the notifications carefully will find that they have the option to say no to some or all cookies.
The problem is, without careful attention those notifications become an annoyance and a subtle reminder that your online activity can be tracked.
As a researcher who studies online surveillance, I’ve found that failing to read the notifications thoroughly can lead to negative emotions and affect what people do online.
How cookies work
Browser cookies are not new. They were developed in 1994 by a Netscape programmer in order to optimize browsing experiences by exchanging users’ data with specific websites. These small text files allowed websites to remember your passwords for easier logins and keep items in your virtual shopping cart for later purchases.
But over the past three decades, cookies have evolved to track users across websites and devices. This is how items in your Amazon shopping cart on your phone can be used to tailor the ads you see on Hulu and Twitter on your laptop. One study found that 35 of 50 popular websites use website cookies illegally.
European regulations require websites to receive your permission before using cookies. You can avoid this type of third-party tracking with website cookies by carefully reading platforms’ privacy policies and opting out of cookies, but people generally aren’t doing that.
One study found that, on average, internet users spend just 13 seconds reading a website’s terms of service statements before they consent to cookies and other outrageous terms, such as a provision the study included: exchanging their first-born child for service on the platform.
These terms-of-service provisions are cumbersome and intended to create friction.
Friction is a technique used to slow down internet users, either to maintain governmental control or reduce customer service loads. Autocratic governments that want to maintain control via state surveillance without jeopardizing their public legitimacy frequently use this technique. Friction involves building frustrating experiences into website and app design so that users who are trying to avoid monitoring or censorship become so inconvenienced that they ultimately give up.
To do this research, I looked to the concept of mindless compliance, an idea made infamous by Yale psychologist Stanley Milgram. Milgram’s experiments – now considered a radical breach of research ethics – asked participants to administer electric shocks to fellow study takers in order to test obedience to authority.
Milgram’s research demonstrated that people often consent to a request by authority without first deliberating on whether it’s the right thing to do. In a much more routine case, I suspected this is also what was happening with website cookies.
I conducted a large, nationally representative experiment that presented users with a boilerplate browser cookie pop-up message, similar to one you may have encountered on your way to read this article.
I evaluated whether the cookie message triggered an emotional response – either anger or fear, which are both expected responses to online friction. And then I assessed how these cookie notifications influenced internet users’ willingness to express themselves online.
The results showed that cookie notifications triggered strong feelings of anger and fear, suggesting that website cookies are no longer perceived as the helpful online tool they were designed to be. Instead, they are a hindrance to accessing information and making informed choices about one’s privacy permissions.
And, as suspected, cookie notifications also reduced people’s stated desire to express opinions, search for information and go against the status quo.
There are three design choices that could help. First, making consent to cookies more mindful, so people are more aware of which data will be collected and how it will be used. This will involve changing the default of website cookies from opt-out to opt-in so that people who want to use cookies to improve their experience can voluntarily do so.
Second, cookie permissions change regularly, and what data is being requested and how it will be used should be front and center.
And third, U.S. internet users should possess the right to be forgotten, or the right to remove online information about themselves that is harmful or not used for its original intent, including the data collected by tracking cookies. This is a provision granted in the General Data Protection Regulation but does not extend to U.S. internet users.
In the meantime, I recommend that people read the terms and conditions of cookie use and accept only what’s necessary.
___
Elizabeth Stoycheff has received funding from WhatsApp and Facebook for other endeavors, but that has no bearing on these research findings.
___
For any number of reasons, you've likely clicked on your spam email folder from time to time. In doing so, you may have noticed that spam messages have grown more and more sophisticated over time. These days, spam emails often invoke real-life events such as pharmaceutical class action lawsuits or clergy abuse scandals as a way to lure more clicks.
These same scams have now taken to impersonating company bosses: Business email compromise scams are a huge problem with $43 billion lost and more than 240,000 incidents from 2016 to 2021 globally.
As phishing attempts that target business emails become increasingly difficult to identify, Twingate researched helpful ways to verify whether communications you're receiving are really from coworkers, professional contacts, or your boss. These include some simple checks, such as making sure the email address is one you trust, or that a linked page really goes where it claims. The forthcoming tips also include more subtle forms of awareness, like asking yourself if your boss really uses language the way you see in the message or whether they would actually misspell your name—or theirs.
The best way to prevent these phishing scams in the long run is to continuously hone your gut instinct and be cautious when it tells you something smells fishy. When in doubt, hop on the phone, the company Slack channel, or your email and politely check with colleagues to be sure the message you received is real. Maybe your boss is on the go and typing too fast without paying close attention to typos, and they’ll appreciate your attention to detail.
Some forms of scamming are very sophisticated, but most phishing attempts are not particularly elaborate. One of the easiest ways to prevent phishing attempts from succeeding is to pay attention to the sender.
If you’ve ever looked in your email’s spam folder, you're already semi-versed in doing this at least some of the time. Sometimes, a message looks like it might be something real—but when you click, you see that the sender's email address is just a string of numbers or other nonsense instead of your bank's address. It’s easy to cross-check a phone number using websites that list known fake numbers in your local area code. But the best thing to do is to stay wary of numbers you don’t recognize. Legitimate colleagues calling you can leave a voicemail.
In some forms of spam, grammar mistakes are part of the draw: Scammers want to select out the most vulnerable people, which often includes those with less education or literacy. But when it comes to phishing scams, scammers want to seem as close as possible to the people they’re imitating. For this reason, look out for messages that immediately sound like they’re not quite right. Maybe your boss sounds weirdly informal, they’ve misspelled your name or your department, or their characteristic long email signature is missing.
Listen to your gut and tap into your inner copy editor.
This one can be tricky because exchanging attachments is often a big part of the workflow. But you know when you’re waiting for the newest departmental report from a certain person or a PDF of the latest sales numbers.
Be especially wary of any attachment that arrives with a more personal-seeming message. Scammers can load malware into almost anything you can download to your computer, and attachments are one of the easiest ways into your system. In the same vein, be cautious when downloading software updates. In all of these cases, ask your IT office to help you make sure the update is legit.
You may already be doing this without realizing it’s a best practice for cybersecurity.
When someone sends you a link, hover your mouse over the text in your browser to show a status bar at the bottom of the window. This preview bar will show you the real URL. This is smart to do, but sometimes it isn’t enough—scammers can “mask” URLs by using lookalike domains that redirect to malware download sites and more. But this one-step check will help prevent a lot that can go wrong when you receive a random link, allowing you to filter out obvious imposter sites.
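The hover check described above can also be applied mechanically to an HTML message body. The following is an added example, not part of the original article or Twingate's material: it compares each link's visible text with the host in its `href` and flags hosts that imitate a trusted domain. The trusted domain `corp.example`, the sample message and every host in it are constructed assumptions.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the organisation's own domains; corp.example is a placeholder.
TRUSTED_DOMAINS = {"corp.example"}
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the reasons (possibly none) this link deserves a second look."""
    try:
        host = (urlsplit(href).hostname or "").lower()
    except ValueError:
        return ["unparseable-href"]
    reasons = []
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and shown.group(1).lower() != host:
        reasons.append("text-shows-different-host")
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    if host and not trusted:
        if "xn--" in host:
            reasons.append("punycode-host")
        # Crude registrable domain: last two labels, no public-suffix list.
        base = ".".join(host.split(".")[-2:])
        for d in sorted(TRUSTED_DOMAINS):
            if d in host:
                reasons.append("trusted-name-inside-other-host")
            elif difflib.SequenceMatcher(None, base, d).ratio() >= 0.85:
                reasons.append("lookalike-of-" + d)
    return reasons


def audit_email_html(html):
    """Map each suspicious href in an HTML e-mail body to its reasons."""
    parser = AnchorCollector()
    parser.feed(html)
    return {h: r for h, t in parser.links if (r := check_link(h, t))}


# Constructed sample body; every host below is made up for illustration.
SAMPLE = """
<a href="https://intranet.corp.example/payroll">https://intranet.corp.example/payroll</a>
<a href="https://intranet.corp.example.login-check.test/payroll">intranet.corp.example/payroll</a>
<a href="https://c0rp.example/reset">Reset your password</a>
<a href="https://xn--crp-jma.test/">Benefits portal</a>
"""

if __name__ == "__main__":
    print(audit_email_html(SAMPLE))
```

A clean result does not prove a link is safe, since a host that passes these checks can still redirect elsewhere; the script only automates the same first-pass filter as hovering.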
When scammers ask you to “repeat” information like your login credentials or credit card information in the body of an email, that’s a form of hacking known as social engineering. It’s the same as if someone walked into your office and found all your logins written on a Post-It stuck to your computer monitor (another thing you should never do).
If someone emails you from your boss’s name but is asking for private information, call or message the boss to make sure it’s legit. Another tell is if the sender asks for something your boss would already know, like your building’s alarm code.
This scam has a unique quality in that the request may appear benign and may, in fact, mimic something a co-worker naturally asks you for. If you have coworkers who regularly ask for this sort of information via email, consider asking your IT group to share with your colleague some best practices for sharing personal or financial information.
This story originally appeared on Twingate and was produced and distributed in partnership with Stacker Studio.
As more people have been moving their office work to remote computers, trying to hold secure meetings over technologies like Zoom from home or coffee shops is increasingly common. While some criminal activities like skimming your credit card at gas pumps may be falling out of fashion as fewer people commute every day, other activities, such as classic hacking, can thrive as long as people are using their computers to work remotely, opening new opportunities for hackers. In the past five years, there have been more than 2.76 million complaints to the FBI regarding various cybercrimes, including identity theft, extortion, and phishing, with losses exceeding $6.9 billion, according to 2021 data from the FBI.
With security top of mind, Beyond Identity collected information from think tanks, news reports, and industry professionals to understand landmark moments in internet security over the past 50 years. The internet began as a classified government program to connect different important military and government facilities. The first outside users were from universities, where very smart people have long been inventing new ways to poke holes in the internet as a form of preventive research.
From the first antivirus program in the 1970s to the zero-trust protocols of today, security has evolved over the years as developers strive to stay one step ahead of hackers.
A computer virus is a piece of software the user typically downloads when they click on an infected email attachment or another file. The first virus was a 1970s program called Creeper, which was designed to crawl the early internet known as ARPANET, according to a report from Cyber Magazine. Like modern penetration testers, researchers wanted to see how they could hypothetically invade their own system. In response, email inventor Ray Tomlinson wrote a program he named Reaper, which chased and destroyed Creeper. That makes Reaper the first-ever antivirus program, creating a genre that endures today.
Cryptography is the blanket term for the field of mathematics and security that involves setting codes and encoding information for safe transit. Encryption simply means applying a cryptographic algorithm to a piece of information. With computers, one of the first examples of network encryption came from IBM in the early 1970s. The first standard encryption algorithm, known as the data encryption standard, lasted for more than 20 years before computer calculations finally broke it. Today, researchers race to keep their mathematics ahead of those who are trying to use the same computing power to break the algorithms.
In the late 1990s, the internet was rapidly growing in popularity, with intrusive technology like cookies and viruses rapidly following. People realized they could use bots, or automated processes, to post spam comments on websites at a massive scale, for example.
Researchers at Carnegie Mellon University invented CAPTCHA in 2000 as a way to combat those bots. Computer programs struggle with many tasks humans do almost without thinking, especially tasks that involve processing visual information. CAPTCHA is now considered deprecated in most usages, but it paved the way for other forms of security like the popular “Which of these pictures shows a motorcycle?” CAPTCHAs that are still used today.
Multifactor (or two-factor) authentication is a form of login technology that asks users to offer a second, corroborative piece of information along with their simple username and password. This may come as a text message or through an app like Google Authenticator. While this technology dates back to the 1980s, it was first introduced to consumers in the 2000s when it rolled out to banks. The New York Times reported on the rise of two-factor authentication in 2004, a time when many Americans didn’t even have broadband internet yet.
If you’ve read this far, you may be starting to feel like no piece of data is ever safe. You’re not alone. Computer security is deeply complex and ever-changing because criminals and other bad actors pursue new forms of intrusion at an equal pace. One of the latest paradigms is that of zero trust, a term that means doing away with previous ideas like “trusted devices.” This means always verifying security information on each device trying to access a network. Users would only be allowed access to data and information needed to complete a request.
This story originally appeared on Beyond Identity and was produced and distributed in partnership with Stacker Studio.