I’ll start out by saying that options to protect yourself from supercookies and evercookies are relatively limited, if effective at all.
Supercookies and evercookies are the result of a website owner’s desire (or more often, the desire of the advertising networks used by websites) to accumulate data about computer users and the sites that they visit, even those users that disable or clear cookies in their browser regularly.
Bottom line: clearing cookies isn’t enough — not nearly enough. There may be nothing that is.
When you visit a site — say https://askleo.com — the web server may include, with the web page you see, a small text file containing some data you don’t see. In a sense, your browser says, “Please give me https://askleo.com“, and the server replies, “Here’s the page you requested, and here’s some other data I’d like you to hold on to for me”.
The data is called a “cookie”. It can be any piece of information, and is stored somewhere on your computer by your web browser.
The next time your browser requests a page from that same site, it automatically sends the contents of that text file along with the request. To continue the analogy above, your browser might say, “I’d like to see http://askleo.com, and here’s that bit of data you asked me to keep last time.”
That’s all a normal cookie is.
As I said, a cookie can be anything. The most obvious example is a unique number. The server makes up a completely new, unique number the first time it sends a cookie back to your computer. When your computer sends that number back on subsequent requests, the server knows the new request is coming from the same machine.
Cookies are most commonly used to remember you’re logged into a site as you move from page to page. They’re also used, as they are here on Ask Leo!, to remember you’ve been shown things like newsletter subscription offers, so you’re not shown them again and again1.
Cookies also allow ad services to see what pages that machine has been visiting.
It’s somewhat ironic, but what are being called “supercookies” aren’t really cookies in the traditional sense, because they don’t work in that browser-supported behind-the-scenes way.
A supercookie is just any other way of storing something unique from a website on your computer so it can be given back to the website the next time you visit.
The problem is, a supercookie is often difficult or impossible to clear.
Let’s say the goal is, as in the example above, to assign your computer a unique number that can be “read” somehow during subsequent website visits to track that it’s the same machine visiting each time.
There are perhaps a dozen or more different ways to do this that don’t involve traditional cookies at all.
Here are just two examples:
- Flash Cookies: Many sites (still) use Adobe’s Flash player, and as a result, it’s (still) on most people’s machines. So-called “Flash cookies” are data managed by the Flash player in a way very similar to regular cookies. Unfortunately, your web browser has no way to clear Flash cookies, though some tools, like CCleaner, can.
These are just two examples; one is an intentional feature, and the other is an unintentional side effect of some clever programming. There are other approaches, and perhaps even more that haven’t been discovered or devised yet.
Let’s assume a website uses all three of the techniques I’ve discussed so far: http cookies, Flash cookies, and the image hack.
It only takes one of them to work for your computer to be uniquely identified.
In fact, if any one of them work, the website can immediately reset the other two.
That’s the concept behind what some have termed the “evercookie” – a technique that uses more like ten different approaches to identify your computer. If any one of those techniques work, the other nine can be reset, no matter how aggressively you clear them.
Clear your browser’s http cookies? Evercookie techniques cause it to be immediately reset on your next visit, because perhaps a Flash cookie wasn’t cleared. Cleared the Flash cookie? The cookie can be immediately reset on your next visit, because the image cache wasn’t cleared. And so on for any number of techniques that could be used.
You get the idea. Evercookies turn this all into a game of whack-a-mole to keep your computer from being uniquely identified.
What I do
What do I do about all this?
I just don’t believe that browser-based tracking represents as huge of a threat as some seem to feel. Even supercookies and evercookies don’t really worry me.
Most tracking isn’t done at the individual level. No one cares that Leo Notenboom visited this site, and then that site, and then that site. What they do care about is that 1000 people did, and that those 1000 people should now see ads related to that site.
As I said, I don’t care. At worst, it’s an annoyance when I see the same ad everywhere I go on the internet.
If you want to do something…
I’ll admit, though, as unlikely as I think it is, the technology certainly could be used to track me as an individual.
Some people simply don’t appreciate their movements being tracked, even in a relatively benign, anonymous aggregate way.
So how can you avoid it?
It’s not easy. In fact, it’s darned near impossible, if the websites you visit are determined to track you.
The only way is to be certain that nothing has been saved from a prior visit, and thus, there’s nothing trackable being sent on subsequent visits.
The only guaranteed way to do that is to start with a completely fresh computer each time that you browse.
Harsh. I know.
The problem with the various techniques that create supercookies and evercookies is that we have no real confidence that we can clear them all. Yes, browser extensions will come along and clear more of them, but as the evercookie example illustrates, a determined site need only have one technique that slips through to continue to track.
As I said, it’s whack-a-mole, and the moles are winning.
There are two approaches to making the “start with a clean machine every time” approach slightly more palatable:
- Do your browsing within a virtual machine you reset each time.
- Use a live CD, such as the Ubuntu Live CD, that includes a web browser and saves nothing to your disk when it exits.
I don’t believe “private” or “incognito” browsing will ever cover all possible tracking techniques.
Even if so-called supercookies were completely outlawed, that law would only be valid in those countries that passed it, and even there, those that choose to flout the law would carry on.
In other words, legislation won’t make the technology go away. If supercookies are outlawed, only outlaws will have supercookies.
I expect that the arms race will continue: browser features and add-ons will be developed to increase your privacy, and new tracking techniques will be developed to bypass them.
The good news is, I do believe various privacy watchdog groups will monitor most major sites and advertising networks — and perhaps law enforcement too, should legislation become a reality — and as a result, blatant violations will be taken to task.