Ask Leo! #653 – Supercookies and Evercookies: Resistance is Futile

Supercookies and Evercookies: Resistance is Futile


I just read an article talking about so-called "supercookies" and "evercookies" — cookies which are supposedly impossible to delete, and left without the computer user's permission or even knowledge. What are "supercookies"? What are "evercookies"? And how can I protect my computer from them?

I'll start out by saying that options to protect yourself from supercookies and evercookies are relatively limited, if effective at all.

Supercookies and evercookies are the result of a website owner's desire (or more often, the desire of the advertising networks used by websites) to accumulate data about computer users and the sites that they visit, even those users that disable or clear cookies in their browser regularly.

Bottom line: clearing cookies isn't enough — not nearly enough. There may be nothing that is.

Cookies

Cookies are part of the http protocol your web browser uses to request web pages, and web servers use to deliver them.

When you visit a site — say https://askleo.com — the web server may include, with the web page you see, a small text file containing some data you don't see. In a sense, your browser says, "Please give me https://askleo.com", and the server replies, "Here's the page you requested, and here's some other data I'd like you to hold on to for me".

The data is called a "cookie". It can be any piece of information, and is stored somewhere on your computer by your web browser.

The next time your browser requests a page from that same site, it automatically sends the contents of that text file along with the request. To continue the analogy above, your browser might say, "I'd like to see https://askleo.com, and here's that bit of data you asked me to keep last time."

That's all a normal cookie is.

As I said, a cookie can be anything. The most obvious example is a unique number. The server makes up a completely new, unique number the first time it sends a cookie back to your computer. When your computer sends that number back on subsequent requests, the server knows the new request is coming from the same machine.

Cookies are most commonly used to remember you're logged into a site as you move from page to page. They're also used, as they are here on Ask Leo!, to remember you've been shown things like newsletter subscription offers, so you're not shown them again and again1.

Cookies also allow ad services to see what pages that machine has been visiting.

Supercookies

It's somewhat ironic, but what are being called "supercookies" aren't really cookies in the traditional sense, because they don't work in that browser-supported behind-the-scenes way.

A supercookie is just any other way of storing something unique from a website on your computer so it can be given back to the website the next time you visit.

The problem is, a supercookie is often difficult or impossible to clear.

Let's say the goal is, as in the example above, to assign your computer a unique number that can be "read" somehow during subsequent website visits to track that it's the same machine visiting each time.

There are perhaps a dozen or more different ways to do this that don't involve traditional cookies at all.

Here are just two examples:

  • Flash Cookies: Many sites (still) use Adobe's Flash player, and as a result, it's (still) on most people's machines. So-called "Flash cookies" are data managed by the Flash player in a way very similar to regular cookies. Unfortunately, your web browser has no way to clear Flash cookies, though some tools, like CCleaner, can.
  • Image hack: I call this a hack because it uses techniques never intended to achieve this goal. There are many possible variations, but as one example, let's say the web page you're visiting includes a small image hidden behind something. The color values assigned to some pixels in the image, when combined, are the unique ID the web server uses. A small amount of JavaScript or HTML5 coding elsewhere on the page then reads the pixel "colors" and reports back to the server the number found. On subsequent pages, the image — containing your unique number — comes from your browser's cache, rather than being downloaded anew.

These are just two examples; one is an intentional feature, and the other is an unintentional side effect of some clever programming. There are other approaches, and perhaps even more that haven't been discovered or devised yet.

Evercookies

Let's assume a website uses all three of the techniques I've discussed so far: http cookies, Flash cookies, and the image hack.

It only takes one of them to work for your computer to be uniquely identified.

In fact, if any one of them works, the website can immediately reset the other two.

That's the concept behind what some have termed the "evercookie" – a technique that uses something more like ten different approaches to identify your computer. If any one of those techniques works, the other nine can be reset, no matter how aggressively you clear them.

Clear your browser's http cookies? Evercookie techniques cause the http cookie to be immediately reset on your next visit, because perhaps a Flash cookie wasn't cleared. Cleared the Flash cookie? The cookie can be immediately reset on your next visit, because the image cache wasn't cleared. And so on for any number of techniques that could be used.

You get the idea. Evercookies turn this all into a game of whack-a-mole to keep your computer from being uniquely identified.

What I do

What do I do about all this?

Absolutely nothing.

I just don't believe that browser-based tracking represents as huge of a threat as some seem to feel. Even supercookies and evercookies don't really worry me.

Most tracking isn't done at the individual level. No one cares that Leo Notenboom visited this site, and then that site, and then that site. What they do care about is that 1000 people did, and that those 1000 people should now see ads related to that site.

As I said, I don't care. At worst, it's an annoyance when I see the same ad everywhere I go on the internet.

Oh well.

If you want to do something…

I'll admit, though, as unlikely as I think it is, the technology certainly could be used to track me as an individual.

Some people simply don't appreciate their movements being tracked, even in a relatively benign, anonymous aggregate way.

So how can you avoid it?

It's not easy. In fact, it's darned near impossible, if the websites you visit are determined to track you.

The only way is to be certain that nothing has been saved from a prior visit, and thus, there's nothing trackable being sent on subsequent visits.

The only guaranteed way to do that is to start with a completely fresh computer each time that you browse.

Harsh. I know.

The problem with the various techniques that create supercookies and evercookies is that we have no real confidence that we can clear them all. Yes, browser extensions will come along and clear more of them, but as the evercookie example illustrates, a determined site need only have one technique that slips through to continue to track.

As I said, it's whack-a-mole, and the moles are winning.

There are two approaches to making the "start with a clean machine every time" approach slightly more palatable:

  • Do your browsing within a virtual machine you reset each time.
  • Use a live CD, such as the Ubuntu Live CD, that includes a web browser and saves nothing to your disk when it exits.

I don't believe "private" or "incognito" browsing will ever cover all possible tracking techniques.

The future

Even if so-called supercookies were completely outlawed, that law would only be valid in those countries that passed it, and even there, those that choose to flout the law would carry on.

In other words, legislation won't make the technology go away. If supercookies are outlawed, only outlaws will have supercookies.

I expect that the arms race will continue: browser features and add-ons will be developed to increase your privacy, and new tracking techniques will be developed to bypass them.

The good news is, I do believe various privacy watchdog groups will monitor most major sites and advertising networks — and perhaps law enforcement too, should legislation become a reality — and as a result, blatant violations will be taken to task.

I hope.

Related Links & Comments: Supercookies and Evercookies: Resistance is Futile
https://askleo.com/4943

Become a Patron - Get The Ask Leo! Tip of the Day

What's a Screen Shot and How Do I Make One?

A screen shot, screenshot, or screen capture is a way to "take a picture" of your computer screen (or a portion thereof).

Why would you want to do that?

Well, let's say you're trying to explain a computer problem to a technical friend of yours, and you're trying to describe what you see on the screen — the dialogs, buttons, messages, whatever. You're not sure of the terms to use, and your friend is having a difficult time understanding your description.

And of course, your friend insists that the exact wording of everything you see is incredibly important (for the record, he's right.)

You know what they say: "A picture is worth a thousand words." And it can go a long way to eliminating miscommunication.

Let's take a picture of your screen you can email to your friend.

Continue Reading: What's a Screen Shot and How Do I Make One?
https://askleo.com/2080

Google Remembers More than You Realize

One of the least obvious and most ubiquitous collectors of information is the online services we choose to use.

None demonstrate this fact more clearly than Google.

As we go about our online activities, Google maintains a surprisingly detailed history of our activities. Most people don't realize just how detailed it is, or how long it's kept.

More interestingly, Google's one of the good players, as it actually exposes this history to us, and even allows us to clear it if we want.

Continue Reading: Google Remembers More than You Realize
https://askleo.com/27953

The Ask Leo! Tip of the Day

A feature exclusively available to Ask Leo! Patrons Bronze level & above.


Off-Topic

I misspoke last week: I was in Anchorage over the weekend, not Fairbanks. Not sure why I had Fairbanks in my mind.

Bike MS, Alaska, benefitting The National Multiple Sclerosis Society, was a success, and a lot of fun. A small window onto my adventures is posted on my personal blog, in the entry: Roadside Service.

Leo's Other Projects....

HeroicStories - Since 1999, HeroicStories brings diverse, international voices to the world, reminding us that people are good, that individuals and individual action matter. Stories - new and old - are published twice a week.

Not All News Is Bad - Each day I look for one story in the current news of the day with a positive bent. Just one. And I share it.

leo.notenboom.org - My personal blog. Part writing exercise, part ranting platform, it's where I write about anything and everything and nothing at all.

Help Ask Leo! Just forward this message, in its entirety (but without your unsubscribe link below) to your friends. Or, just point them at https://newsletter.askleo.com for their own FREE subscription!

Newsletter contents Copyright © 2017,
Leo A. Notenboom & Puget Sound Software, LLC.
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC