Emily Wearmouth [00:00:02] Hello and welcome to another edition of the Security Visionaries Podcast, a place where we host experts discussing a wide range of topics that will be of interest to anyone in the cyber, data or related industries. I'm your host, Emily Wearmouth, and today I have two expert guests who are going to join me talking about cookies. Cookies, not biscuits, I'm marginally disappointed to tell you. So let me set the scene. Back in the late 90s, a network engineer called Lou Montulli invented the internet cookie. The plan was to help websites remember users: who they are, what their preferences are, and what they were up to the last time they came to the site. And cookies worked brilliantly. Our shopping cart stored our planned purchases, retailers held on to our delivery addresses, and web services remembered how we wanted our dashboards arranged. So, so far, so good. But then third parties muddied the waters and information about us was sold and traded. And suddenly we were getting skiing adverts eerily popping up in our web searches after our children did homework on the geology of the Alps, and it all got a bit creepy and uncomfortable, if we're honest. So the EU and other regulators stepped in. Cookie consent became a thing in the EU, and endless pop-up messages now require the user to proactively allow each website to collect information about us. But I'm an EU resident, or I was until Brexit, and I can give firsthand testimony that many of us just hit the yes button so that we can get on with our lives. A few years ago, Google, let's face it the gatekeeper of the web for many users, announced that it was going to start blocking cookies. And here's where I'm going to bring in our experts today. So first, we have a friend of the show returning, because he did such a good job last time that we've invited him back on.
David Fairman is Netskope CIO and CSO covering the Asia Pacific region, and through the course of his career he's worked as a CSO for a number of the big global banks, including Royal Bank of Scotland, Royal Bank of Canada and National Australia Bank. Today, I'm going to be taking advantage of his experience helping organizations navigate privacy and risk. So welcome, David.
David Fairman [00:01:58] Emily, thanks again for having me. Yeah, always a pleasure.
Emily Wearmouth [00:02:01] And my second guest is new to this podcast, but no less expert. Zohar Hod comes from the fintech world, and I plan to pick his brains today in the area of digital strategies. He's currently CEO of One Creation, and he's working hard to ensure that companies really understand the implications of the latest changes to cookies. So welcome to the podcast, Zohar.
Zohar Hod [00:02:20] Thank you, Emily. Thank you for having me.
Emily Wearmouth [00:02:22] So to start us off, I gave a whistle stop tour, possibly a slightly lengthy whistle stop tour of the cookie back story. Did I miss anything? Is there anything we need to set out on our stall before we dive into discussing the implications of these latest changes?
Zohar Hod [00:02:36] I think one thing that's missing is the amount of pervasive activity. If you ask the average person, what do they know about their data? A few years ago, when I asked that question, it used to be 3% of people who really knew what was happening with their data. So there's a mistrust that was created over the years for many, many reasons, some of them being the third parties, as you mentioned. So the point is, how do we track your activity across the internet and across different websites? The problem is, and that's why the EU reacted and other places reacted, is because it creates an untrusting relationship between the brand and yourself.
David Fairman [00:03:16] One more thing. There is a distinction between first-party cookies and third-party cookies. I think that's an important distinction to make. And when we talk about the changes that we're seeing Google make now, the reason that's getting a lot of attention is Google has, probably with Chrome, the largest share of the market of internet browsers and internet users. But if you have a look at Mozilla Firefox and Safari, they've been doing some work in blocking third-party cookies already. So now with, you know, the four major browsers, actually even Microsoft Edge, are playing a role and doing something similar, there's, you know, a big impact here for consumers. The first-party cookies piece, they're still not being blocked. That's not changing. And first-party cookies are important to ensure that a user's experience is still smooth and fruitful. First-party cookies are often used for session management and storing information about how the end user interacts with the exact website that they're interacting with and communicating with, versus the third-party cookies, which are kind of like the other end, collecting information like their browsing history, etc., which is then on-sold. So I think that is really important, because not all cookies are being blocked, which would obviously cause a massive disruption to how websites are interacted with by the end user. And we can talk to some of the security practices and some security implications of that later.
Emily Wearmouth [00:04:55] Brilliant. That's a very important thing. We're talking about changes to third-party cookies and not to first-party cookies in these Google changes. Zohar, are these changes coming from Google about helping get people privacy back, or is it about market competitiveness? Let's just throw that question out there to start us off.
Zohar Hod [00:05:13] If you go a few years even back, you see that Apple, unlike Google, has started creating all these different user-based customer privacy features. And the biggest question that was asked was exactly the question you just asked me. Is it for the purpose of protecting the customer or is it for gaining more market share? Well, I think it's a combination of both. I think that these companies realize that the legal and regulatory burden that's related to the current infrastructure and the way that we track our customers or try to personalize our customer's behavior is no longer going to be tolerated by regulators. So they've decided to take a proactive approach to try and get the regulators off their back. But at the same time, if you think about it, it looks like they're creating walled gardens.
Emily Wearmouth [00:06:02] Are these changes going to effectively remove some of the headaches of having to comply with cookie laws? I mean, David talked about all of the different tech companies that are bringing about changes and controls to third-party cookies. Does this mean, when you add all of those changes together, that we're essentially looking at potentially killing off the third-party cookie and therefore maybe killing off some of the requirement to comply with regulations around those cookies? Is that a potential upside for organizations, or am I dreaming of too perfect a future?
Zohar Hod [00:06:32] Well, the way I look at it is that there's not going to be an absolute deprecation of all cookies. But if you are looking in the long view, and if you looked at the regulatory curve, you could see that it's all moving towards an opt-in model rather than an opt-out model. So all of this activity is really several steps towards this opt-in model. That said, as Google is basically blocking IP tracking for at least 1% of its customers, it does represent approximately 300 million consumers. So it's a large amount of people that are going to be affected. And that means that the efficacy.
Emily Wearmouth [00:07:14] And it's just that 1% just to start with, isn't it? They're going on to more than one, but that's just the trial.
Zohar Hod [00:07:20] Exactly. They're trying to see how it will work. And let's all remember Google is doing this because their ability to track what you're interested in is actually buried within the search and not within the cookie. We're talking about other brands that are attempting to basically be customers of Google, and therefore Google is concerned about cannibalization of their ad business. What I said at the beginning is that I believe that as we go across the regulatory curve towards a complete opt-in model, the efficacy of third-party cookies is diminishing. And actually the cost of collecting it is becoming more expensive. There are going to be other mechanisms of collecting more personalized data on you, with something called zero party data, or being able to track your behavior rather than tracking cookies while you're on the website. These are other mechanisms to try and enhance personalization, but I just believe that the efficacy of cookies is going to diminish. And therefore, yes, I do think that they're going to be something of the past.
David Fairman [00:08:19] Zohar, great explanation on the impact on companies that are trying to reduce cookies. Also think about the impact on the consumer, right? We've gotten very used to convenience. We've gotten very used to this almost personalized web browser experience using the internet services. With the deprecation of the third-party cookies, I think society, or internet users as a whole, are going to start to lose an element of that personalization or customization. But I think about what that's starting to drive, and as consumers, we like that sometimes. You spoke about zero party data. Also think about informed consent or progressive consent, which is another, let's call it a business model. So I think there's an opportunity here for innovation in this space. I think there's an opportunity for organizations to think a little bit differently and maybe think a little bit more about privacy and consent, because I think privacy and consent, those two things go hand in hand. I might be okay with sharing certain information, so let me share that information. So I think those things are, you know, we'll start to see more of an emergence of that. And I think we'll need some helpful mechanisms for when we do hit a website. It's not just accept all cookies and we'll use imperative cookies only, whatever the terminology is. I think there'll be a little bit more granularity and user control on that. So I think it's a bit of a watch this space.
Emily Wearmouth [00:09:57] I've got a question then. So if we're talking about a potential change in the relationship between service provider and consumer. And some changes to existing models of consent and privacy. What are the implications that data protection officers need to consider about how this changes what they're tracking, how they're tracking it. And I guess as well how that ties in, how it might change the way they need to move to comply with other areas like GDPR. I mean, I don't know whether the cookie data came into the organization in a way that was easier to comply with GDPR, and maybe some of these new models create new complexities. What are your thoughts on what is the Data Protection Officer's challenge at this point?
David Fairman [00:10:39] Well, it's a really good question, and I think I want to be thoughtful about how I approach that question. I think for me, GDPR is a great example of a privacy legislation that is looked at globally as best practice. But I think a lot of other countries and jurisdictions still have very specific privacy laws themselves. From a DPO perspective, or a data privacy officer perspective, I think you need to have a look across multiple jurisdictions in which you operate and understand what some consent requirements are around that. And I know this is a little bit of a blanket statement, but I think it holds true for the most part. And I'm going to give myself a little bit of room in case it isn't necessarily appropriate across every jurisdiction. But consent is a way that organizations can ensure that they are meeting the customer's expectations around privacy and data collection. And I think what we'll start to see comes back to that progressive consent topic I sort of mentioned. I think what we'll start to see is more progressive consent approaches like zero party data, like Zohar called out. I think data protection officers need to understand how their organization is thinking about those two areas, so that they can make sure that they're complying with the needs of the privacy legislation within the jurisdictions within reach.
Emily Wearmouth [00:12:13] So walk me through zero party consent. What is this?
Zohar Hod [00:12:17] Well, zero party data.
Emily Wearmouth [00:12:20] Zero party data.
Zohar Hod [00:12:21] Yes. Zero party data is basically voluntary data. That's the easiest way to explain zero party data. It's data that the customer understands it is volunteering to give you. And the problem with consent, if you just left it at consent, is that once you've got this consent, you almost feel as a data protection officer or data privacy officer that you have, you know, leeway to do whatever you want once you've received the customer's consent. The question is, in what situation and what manner do you get the customer's consent? And, you know, there are many regulations that are passing in Europe, the Digital Markets Act, in the UK a new April regulation that's about the digital markets, the Digital Markets, Competition and Consumers Act or DMCC, all are basically trying to now go a little bit more granular than just getting your consent. Because if I clicked, as you said, yes, because I was bothered and I said yes all the time, then now you've got my consent. Does that mean still that I trust you to do the right thing with my data? And that's where usually the chief privacy officers stop and say, well, I've gotten your consent. The difference is to try and give you a more clear understanding of what's happening to your data. How long is it going to be used? And then give you the option to actually opt out if you wanted to at any time. That theoretically was already passed in GDPR, but never materially actually enforced. So today, if I asked you, even under GDPR, to go and delete me in Google or any other mechanism in Europe, I can bet you that that action would be very difficult to do. So there's a difference between getting legal consent and understanding as a consumer, and trusting that you're going to have the right interests of me as a consumer in mind, and therefore that requires more transparency, more understanding from the customer, and more trust.
Emily Wearmouth [00:14:17] I'm almost kicking myself for bringing this topic in. It's impossible to have a conversation these days without talking about AI, and I wonder how you see AI or machine learning growing in importance as cookies are faded out.
Zohar Hod [00:14:31] Yeah, well, I have spoken about that a lot, but I think that the place that AI is going to be really powerful is in personalization. But the problem with AI is they're based on a lot of learning models and a lot of data behind it. And the question is, how does the AI personalize your experience? Even then, let's take the experience of a banking experience while you're asking for a loan. If the result is favorable, you're not going to ask a question. If the result is not favorable to your personalization, you might ask a question: what went into that AI model in order to give me that? And that lack of transparency is exactly what we're talking about. So if you do not change the mechanism of how you explain to the customers what you do with their data, the mistrust is going to be even deeper and deeper as you try to apply AI. I think AI is actually a great catalyst for creating even more changes in business models related to how customers' data is treated.
David Fairman [00:15:27] I think it's not only a catalyst, it's really the only way these new approaches to understanding consumer behavior can scale. We're not going to be able to do it by throwing people at that problem or having scripted questions, because the variables, in terms of people's behavior, is so broad. So we're going to need some sort of learning mechanism in the back that can be dynamic in that situation. So you're absolutely spot on in terms of transparency in decision making. I think we can talk about bias, fairness, transparency and explainability on AI, but that's a completely other session. So Emily write that down. We might want to do that. But I think you're spot on. I think you're absolutely spot on with some of those concerns. And I think it's the only way we're going to be able to scale.
Emily Wearmouth [00:16:16] We touched at the very beginning, and I just want to make sure I've got a clear answer and I've not left something hanging. We talked a little bit about how cookies are often used as part of the security functionality. And I think you put them all in the camp that they would be first party cookies so they wouldn't be affected by these changes. Is that right? And then my follow up question is, regardless of whether that's right, will they long term be impacted if there is a general move towards perhaps more advanced ways of personalizing approaches to services? Will those new methods be brought in to replace third party cookies? And should security professionals be keeping an eye on them for how they're delivering digital services?
David Fairman [00:16:57] Look, that's a two-part question. Yeah, definitely. I'll give my piece. I think for me, the first-party cookies are generally used for more session management type variables. I think it's broadly accepted that storing things like usernames and passwords, Social Security numbers in cookies is a bad security practice. Now, I would say a lot of websites don't do that today. But as a security practitioner, I've seen a lot of bad practices in my time, and I wouldn't be surprised if that still happens. Usernames, passwords, Social Security numbers, any sensitive type of information should not be stored in a cookie anyway. There should be a different approach to how you manage that. It could be, you know, referencing back to a table in the application that is referenced by a unique session ID within the cookie, but the actual sensitive information stored back in the application. Things like usernames, passwords, Social Security numbers, credit card details that we see in browsers today, how they hook into secure storage, things like the iOS keychain and how that is used to store secure information. It's not actually stored in the browser cookie itself, so those are the sort of security best practices that, you know, we should be seeing. So I think the security risk of this is low, but I'm sure there are tools and websites out there written with poor security practices.
Emily Wearmouth [00:18:29] So would your recommendation be that developers should be making use of the native security that is built into a lot of these browsers, specifically designed to store this very sensitive information, and definitely not be using cookies?
David Fairman [00:18:40] Yeah, absolutely. Absolutely. And I would go one step further. You know, application security, application development, understanding security best practices for writing web applications. There's a lot of good reference material out there. And, you know, not storing sensitive information in cookies.
Zohar Hod [00:18:58] What I think about is always the future. And you know, there are big, big transformations right now happening in identity. And one of them, you know, let's talk about web 3. And why am I talking about web 3? Because that's where potentially web 2 is going to. So web 3 is the internet to me. And the business model there is really transferred from "I have all of your information, and now I'm going to verify you to make sure that that's who you are" to actually something called zero knowledge proof. Or basically, I don't want to go too technical here, but basically the ability for two entities to exchange data without really needing to know each other, but still having trust between themselves. David, I'm sure, is both investing time and effort in these types of solutions. But the point is that I see in the future just, you know, a situation where I'm a node on a chain and I'm coming into a brand and the brand does some sort of computation together with me. And there are many things like multiparty computation. There's key sharding. There are all these different mechanisms in order to make sure that we can exchange data securely and verify between us without the need to know who we are. And that really changes completely the whole cookie situation. So no, I don't believe, if you looked as far as that, that this current security environment is going to be the security environment of the future.
Emily Wearmouth [00:20:31] Cool. I like that I made you guys deep dive into the tech there. I was very impressed with that. I sprung that one on you as well. Okay. Crystal balls out. So we talked about you know, this isn't a set path even for the midterm. We know that Google suggested changes are currently being checked out very closely by the competitions authority in the UK. There's going to be a lot of iterations over the coming months and years, but are either of you prepared to make any predictions about where we're going in the long term for anything we've not touched on already? And if not a prediction, maybe you'll just offer us an opinion. Are these changes. More of an opportunity or more of a nuisance? So crystal gazing or two more opinions? Yeah, please do.
Zohar Hod [00:21:12] So I definitely think it's an opportunity. And the reason is because if you looked at any customer type of research, you'll see the trust in organizations is probably at its lowest. The more we know about our brands' activities with our data, the less we trust the brands. And this is not just because of breaches. And of course, you know, there have been many breaches. Take where David lives, in Australia: four large breaches in the last year that have really moved the customers' trust down to such a level that the government needed to create new consent regulations, new privacy regulations, all related to the customers becoming more aware of what's happening with them. And therefore, I think it creates an opportunity for brands that think differently and change into these business models that don't use this mechanism of collecting and personalizing your activity. Something that I'm willing to predict is that today's accept all cookies or reject all cookies is not going to exist in the very near future, in my opinion. And today, some of the regulations are trying to prevent what they call dark practices, where clicking accept is only one click and clicking reject is 4 or 5 different screens in order for you to reject. So if I was predicting something, I would predict that you're not going to see this cookie accept or reject in maybe 24 months.
Emily Wearmouth [00:22:34] Oh, you know, I'm really looking forward to your prediction coming true because I am so bad about being impatient and hitting accept, and I know I shouldn't. What about you, David?
David Fairman [00:22:42] I was going to say something similar to Zohar. One, I always think disruption in any environment is an opportunity. It all depends on how you can adjust, right? So now you have to think about the problem differently. I think it's an opportunity. I think we will start to see the emergence of new business models similar to what I spoke about; we're starting to see that zero party data, progressive consent model. But maybe there's more to it than that. Maybe there's a way for organizations that are collecting information, maybe there's a way that they can monetize that for their consumer or for their customer, to encourage them to share more data. I do think Zohar is spot on in terms of the user experience and what will happen. There won't be just the accept cookies and, you know, necessary cookies only, because I know I personally hate going in and going through those different levels. I think there should be a much easier process for that. Consumers are asking for this experience to be much easier. Privacy regulators are really starting to take a keen eye to this. So I think we will see changes in how this is implemented in practice in the coming, I don't want to say years. I hope it doesn't take that long. But, you know, in the coming, let's say, 12 to 24 months, I think we're going to see significant changes.
Zohar Hod [00:24:05] Can I add something? I'd like to add a couple of tidbits of information. First of all, let's talk about the percentages of people that are actually processing the cookies, the accept cookies. It used to be much higher. It used to be close to 65% of individuals that would just say accept. Now it's approximately 40% of individuals that say yes. So it is actually large. But what it means is there's another 60% that are either checking those functional cookies or just plainly rejecting it. That means that that's an opportunity missed to personalize your customer's experience.
Emily Wearmouth [00:24:40] Staggering that it's gone from 60, 65, down to 40. I wouldn't have imagined that. Now I feel like a real laggard that I'm still hitting accept because I'm too lazy to stop and pause. I'm going to turn over a new leaf and make a resolution. Today, I'm going to get a lot better at clicking through my cookie permissions. But thank you both very much. I continue to be disappointed by the lack of chocolate hobnobs in particular featured on this episode, but it has been incredibly interesting. And I came in with some genuine questions and you've given me some answers, so I personally am walking away a lot better informed.
Zohar Hod [00:25:11] Thank you, Emily and David.
David Fairman [00:25:13] Emily, thanks again. Always good to be here. And, Zohar thank you so much for being a special guest. Great to see you.
Emily Wearmouth [00:25:18] Thanks for taking the time to educate me, and hopefully our listeners too, around some of this evolving news that's been going on for a couple of years, and I think we've just agreed I've got at least another 24 months to run for some changes. You've been listening to the Security Visionaries podcast, and I've been your host, Emily Wearmouth. If you enjoyed this episode, please share it. But also make sure to follow us on your favorite podcast platforms. Maybe even leave us a review there too. If you're new to the podcast, there's a great back catalog you can catch up on. Since September, we've published a new episode every two weeks, some hosted by me and some by the marvelous Max Havey. If you subscribe, I promise you'll never miss one. I'll catch you next time.