With the rise of artificial intelligence and its thirst for data, Sergiu Rezmives, CC, highlights the need to focus more closely on cookie security and the trend for accepting cookie terms without reading them.
Just as we saw the space race, we’re now witnessing a new technological race to be first and/or dominant in the field: the Artificial Intelligence (AI) race.
Putting aside the outreach and dissipation limitations of AI in less-connected parts of the world, its impact on society is already noticeable. While I have no political position to convey here, I do pay attention to the international geopolitical arena and other socio-economic events. In March 2024, two important events took place: the Select Subcommittee on the Weaponization of the Federal Government (US Government-led) and the Graphic Processing Unit (GPU) Technology Conference (corporate-led).
On paper, there seems to be no obvious link between the two. However, these two events, so opposite in members and audience, are more relevant for future technological development than they initially appear.
Using Collected Data
The US Government-led event focused on the risks of executive outreach and how it can use data collected by banks to achieve its goals. While it might not sound Orwellian at first, your opinion might shift should you review the testimonies from some invited guests and experts.
To summarize the scenario: one entity (a bank) holds your online data such as banking transactions, geolocation at the time of those transactions, etc. The other entity (a government) can access that information when specific legal and regulatory conditions are met and could use it to take specific actions (potentially punitive) against other entities or individuals (namely the account holders or entities involved in transactions with them).
Hardware Enabling AI
The second event was about showcasing the latest capabilities in CPUs and GPUs for hardware used in data centers and AI development. This event was focused on Big Tech and, to summarize it: CPUs are more powerful than ever, can process information faster and can support Large Language Models (LLMs) and AI development at a higher rate compared to previous years.
LLMs are computer programs (a form of AI) that are “served” with massive amounts of data, which they are trained to recognize. The most commonly known example at the moment is the LLM that powers ChatGPT. Later, they can be used for a variety of purposes: producing text, writing code, customer service functions, and the list goes on. AI and LLMs are used interchangeably in the industry, differentiated typically by their scope: generative AI creates more than text while LLMs are more focused on text.
The Role of Cookies
You almost certainly know what a cookie is and what it does: it’s a small piece of information (a text file) that helps identify your computer on the internet. According to w3techs.com, “42.1% of all websites” use cookies. Considering there are approximately one billion websites worldwide, that means approximately 420 million websites currently use cookies in one form or another.
If you decide right now to search for anything online, and decide to open a page which appears to have what you seek, you are likely to stumble across a prompt like this:
When you click “Accept” in response to such a pop-up, you allow that website to leave a text file on your computer which it reads back. And, as you all know, that file contains unique data about your device (computer, phone, laptop, tablet etc.) that could, in effect, allow identification of a person.
Look again at the picture, where it states “…we and our 218 partners use technology such as cookies to store and/or access device information.” Where the website allows it, you can see the list of partners, what data they store/process/collect from a device and how long they keep it for.
Reading What You Accept
Specific legislation regarding cookies varies greatly between countries and political territories, with some imposing requirements on websites to allow a user to “accept, reject or manage” what data a website can collect about a device and user. However, when you – like many individuals – are in a rush to find information about a product, place, how to do-it-yourself or a recipe, etc., you are probably using a phone. When you find the information – without even blinking – you likely hit “Accept” on the cookie prompt without a second thought or further investigation.
It’s likely that nothing will happen straight away. Some actions may be covert or unnoticeable; you won’t see anything obvious at all. However, don’t be surprised if your social media account, smart TV or other device starts to show more adverts relating to what you were just searching for. Other examples are more overt and clear: you may find yourself receiving spam or even fraudulent phone calls, along with spam or phishing emails.
Consider this scenario:
A user always accepts cookies, never managing or rejecting them. Their digital footprint is large and the user is active on social media platforms, expressing opinions and views, some not resonating with those of others. The user never searched for a bank online or used online banking services.
Imagine, now, that this person searches online for a bank and applies to open an account. Thanks to cookies, the following two extremes are both equally imaginable in today’s AI-powered world.
At one extreme, the user’s application to open an account may be refused by the bank due to their online profile without any reason given. Under this outcome, the user can, of course, be psychologically or physically impacted.
At the other extreme, the user’s application is not only welcomed but, instead of a person, the user is greeted and dealt with by a generative AI that appears to know the user's tastes and preferences very well due to having access to that cookie data. But could the revelation that the user’s entire online life is available to organizations ‘on demand’ be just as psychologically disruptive?
The Intersection of Cookies and AI
This exemplifies how both government and corporate-led events impact the future use of AI and end-users.
Generative AI and LLMs are already being put to good use. Personally, I’m resistant to some AI-based developments, but I also recognize that I’m probably already benefiting from them without even knowing. The point is that both generative AI and LLMs rely on access to massive amounts of data, which cookies help to generate.
In this respect, the humble cookie is a very powerful tool which, like any tool, can be used to build or to dismantle. Accepting cookies by default is a behavior that is unlikely to end any time soon. Being aware of the impact of cookie data can help users make more informed decisions.
Regardless of one’s views, cookies and AI are here to stay. To quote the author Frank Herbert: “A process cannot be understood by stopping it. Understanding must move with the flow of the process, must join it and flow with it.”
Sergiu Rezmives, CC, has 13 years of experience in the security industry, with a focus on physical security implementation, design, and operations. He has held management and technical roles with the Romanian Army, ICTS UK and Amazon.