I logged into a website on two separate instances with a different ID and a different IP. I rebooted my router so the IP changed each time, but from the same machine – trying to create a second account for my brother. I also had all cookies deleted and forbid the specific site from downloading more into my machine. The website actually was able to find out that this was me logging in with different IDs. My question is: how can the website (even after taking all these measures) know that it’s still me?
In this excerpt from Answercast #33, I look at the many methods that websites can use to remember who you are; leaving any one of them in place could result in them remembering you.
Website knows it’s me
It’s surprising that a website would go to these lengths, but it’s certainly possible.
Now, there are a couple of things that I would immediately jump on.
One is are you really sure you got a different IP?
Typically, rebooting a router will not necessarily assign you a new IP address. It depends on your ISP. Sometimes, they do; sometimes, they don’t.
In my case, my experience has been that when you reboot your router, nine times out of ten you get the same IP address you had five minutes ago. So that may or may not have been part of what’s leading into this.
Flash cookies
The other thing that immediately comes to mind is something called Flash cookies.
You’ve cleared your cookies, and I know that you know how to go into the browser and clear the cookies. But in fact, using Flash, there is a different kind of persistent storage that web pages can use Flash to access.
- They can use Flash to drop the equivalent of a cookie.
In fact, we tend to refer to them as “Flash cookies” because they are data left by Adobe Flash technology. It’s possible that the website could be using Flash cookies. You simply didn’t clear them because you didn’t know – most people don’t. So that’s something else to try.
I believe CCleaner will clear Flash cookies for you. If you don’t want to use that, there are other approaches to clearing Flash cookies, even by using some applications available at the Adobe website.
Google “clear Flash cookies”, and you’ll come up with a bunch of ways to do that.
Super cookies
Finally (and this is a little bit more on the slightly paranoid spectrum), if you look into a technology that I think was called “Super Cookies,” they use about ten different technologies to save a piece of information on your computer.
- Now I just mentioned Flash cookies, so obviously, if a site uses Flash cookies, that means that if you erase your regular cookies, the information is still there.
- Conversely, if you know about Flash cookies and erase those, but don’t erase your regular cookies, the information is still there.
- Multiply that by 10. In other words, have 10 different technologies that this Super Cookie technology can use, and there are several different ways to leave something on your machine that can readily identify it as being you.
I’m not aware of any websites that use this. This is really, pretty arcane stuff. A lot of it was done as ‘proof of concept’ as to how easy it is to do. But in reality, I don’t see anybody actually doing it.
More information
I think that to get a little deeper into your problem would probably require understanding what website it is you’re trying to access as well.
But that’s what comes to mind.
End of Answercast #33 Back to – Audio Segment
Using Firefox, flash cookies can very easily be cleared with the add-on Better Privacy. The first time I fired up Better Privacy I was shocked at how many flash cookies (LSO’s) were on my machine, and also at which websites had placed them there. There are different settings that will clear them at a variety of options, e.g. opening or exiting the browser, and you can exclude ones you want to keep from deletion. It is my understanding that LSO’s / flash cookies are not harmless.
10-Jul-2012
Interesting and a bit ironic. vid.askleomedia.com has a LSO on my system. It’s only a little one and I think I’ll let it stay.
10-Jul-2012
I just had this issue whilst using Tor Browser, which is specifically supposed to prevent that.
Crazy how some sites are such control freaks that they will track you. It doesn’t effing translate into sales, because someone into privacy won’t be into getting nudged or manipulated into buying ANYTHING! They buy what they want, a retailer’s or service provider’s site’s job is to get the customer to the service and vice versa, NOT anything else. Unfortunately this industry of mass surveillance capitalism is a beast – maybe the one in the Bible, who knows – it is powerful enough to tally with that kind of prophecy… or is it AI? Anyway, good luck people, I want to go back to pre-9/11/2001 or just pre-pandemic so I can prepare for the damned apocalypse of honest retailers, and death of the human right to privacy at the hands of idiots who think curbs on their inability to handle so much power, are something insane. Got it backwards, they have. Peace.