Potential real-world consequences, while they do exist, are simply too subtle to realize. Some actual examples of cookies being used against people:

- CBP has admitted to buying location/advertising data from brokers to use in helping locate people to arrest

- Phishing and identity theft can be made easier due to cookies... security researchers have even demonstrated 2FA bypass techniques based on it

- Price discrimination - Consumer Reports found that flight prices can fluctuate based on your cookies. Sometimes they would even raise the price if you kept searching for routes, as an indication that you were in a hurry, thus likely willing to pay extra.

- Healthcare discrimination - Companies have been found to raise healthcare prices or deny coverage due to cookie data aggregated via brokers where external sites tracked a person's health conditions based on what pages they visited (examples: fertility, cancer and mental health support groups)

- AI models or automated systems using cookie data to predict housing stability, creditworthiness, and employment risk without ever seeing your resume or credit report directly

- ProPublica found that Facebook was allowing advertisers to target their housing ads based on specific age/race groups stored in cookies

- Some recruiting firms have used cookies to infer personality traits and political leanings. Your employment application could be rejected or deprioritized based on that

- Based on the previous examples, I think it is not a far-fetched idea that websites and services could deny you access altogether based on data revealed by a combination of things like your browser fingerprint + brokered cookie data, such as political affiliation, estimated income, race/gender, health situation, etc. Imagine, for example, not being able to order pizza because you badmouthed their favorite president online.

It's also harder to change your mind later and go delete a bunch of specific cookies to opt out when you could have just said no from the beginning.

I appreciate the list of potential harms. I'm curious about your last point though. Isn't it trivially easy to wipe cookies from your browser?

You should always configure your browser to automatically wipe all data on exit. The Arkenfox user.js user profile does this and more to mitigate fingerprinting.

I am logged into way too many sites to do that unfortunately. I do use a password manager with a browser plugin to make it easier, but it's still a lot of manual work to re-login to all the sites I use on a normal basis, for both work and home, every time I restart my browser.

Would be nice if there was some other solution, like maybe encrypting the browser profile and then requiring a pin/password/biometric/something to unlock it on each start.

It shouldn't take more than one second to log into a website using the Firefox password manager.

In my case it often can and does.

Many sites I use force email or SMS-based 2FA, sometimes in addition to "security questions" and/or have other multiple steps of authorization (like captchas) required; it's often not just a simple username/password for me.

Now multiply that by 25 different sites. Not happening.

One option for that is to use multiple Firefox profiles. The main general-purpose browsing profile would have a hardened configuration, while dedicated profiles are used for other websites that should remain logged in.

It's not just about cookies but also about fingerprinting, which is extremely hard to prevent.

No extensions that randomly change your fingerprint? I suppose that might trigger a lot of captchas.

There are, but I'm not aware of anything that can reliably fool creepjs.

https://abrahamjuliot.github.io/creepjs/

And yes it often results in endless captcha loops.

Fingerprinting can be extremely sophisticated. Have a look at this test: https://coveryourtracks.eff.org/

Only Tor Browser can reliably fight with it.

Tor Browser will not even hide the OS you're using from JavaScript... so if you're on Linux, you are automatically more identifiable than >97% of people.

Also, that EFF site only checks against other people who visited the same site, so the results are skewed IMO. The other comment that links to creepjs is what I consider the best available open source tool.

It can be, yes, although not everyone wants to do that because you will likely be logged out of all the websites you're using, shopping carts cleared out, etc.