I’ll start out by saying that options to protect yourself from supercookies and evercookies are relatively limited, if effective at all.
Supercookies and evercookies are the result of a website owner’s desire (or more often, the desire of the advertising networks used by websites) to accumulate data about computer users and the sites they visit — even those users who disable or clear cookies in their browser regularly.
Bottom line: clearing cookies isn’t enough — not nearly enough.
And there may be nothing that is.
Cookies are part of the http (and https) protocol your browser uses to request webpages and web servers use to deliver them.
When you visit a site — say https://askleo.com — the web server may deliver, along with the webpage you see, a small text file containing some data you don’t see. In a sense, your browser says, “Please give me https://askleo.com”, and the server replies, “Here’s the page you requested, and here’s some other data I’d like you to hold on to for me.”
The data is called a “cookie”. It can be anything — what a cookie looks like is not defined in any way. It’s just data provided by the website that your browser stores on your computer.
The next time your browser requests a page from that same site, it automatically sends that saved data along with the request. To continue the analogy above, your browser might say, “I’d like to see http://askleo.com, and here’s that data you asked me to keep last time.”
That’s all a cookie is.
As I said, a cookie can be anything. The most obvious example might be a unique number. The web server might make up a completely new, unique number the first time it sends a cookie back to your computer. When your computer sends that number back on subsequent requests, the server knows the new request is coming from the same machine.
Cookies are most commonly used to remember you’re logged into a site as you move from page to page. They’re also used, as they are here on Ask Leo!, to remember you’ve been shown things like newsletter subscription offers, so you don’t see them again and again.[1]
Cookies also allow ad services to see what pages that machine has been visiting.
It’s somewhat ironic, but what are called “supercookies” aren’t really cookies in the traditional sense, because they don’t work in that browser-supported, behind-the-scenes way.
A supercookie is just any other way of storing something unique from a website on your computer so it can be given back to or somehow detected by the website the next time you visit.
The problem is, a supercookie is often difficult or impossible to clear.
Let’s say the goal is, as in the example above, to assign your computer a unique number that can be “read” during subsequent website visits to track that it’s the same machine visiting each time.
There are perhaps a dozen or more different ways to do this that don’t involve traditional cookies at all.
Here are just two examples:
- Plugin cookies: Even though Adobe Flash is falling into disuse, it’s an example of plugin-provided cookies. “Flash cookies” are managed by the Flash player in a way very similar to regular cookies. Unfortunately, your web browser has no way to clear Flash cookies, though some tools, like CCleaner, can. Other plugins have the capability to maintain their own cookies or cookie-like data.
These are just two examples. One is an intentional feature and the other is an unintentional side effect of some clever programming. There are other approaches, and probably more that haven’t yet been discovered or devised.
Let’s assume a website uses all three of the techniques I’ve discussed so far: http cookies, Flash cookies, and the image hack.
It only takes one of them to work for your computer to be uniquely identified.
In fact, if any one of them works, the website can immediately re-create the other two.
That’s the concept behind what some have termed the “evercookie” — a technique that uses more like ten different approaches to identify your computer. If any one of those techniques works, the other nine can be reset, no matter how aggressively you clear them.
Clear your browser’s http cookies? Evercookie techniques cause it to be immediately reset on your next visit, because perhaps a Flash cookie wasn’t cleared. Cleared the Flash cookie? The cookie can be immediately reset on your next visit, because the image cache wasn’t cleared. And so on for any number of techniques that could be used.
Evercookies turn all this into a game of whack-a-mole to uniquely identify your computer, despite any attempts to the contrary.
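To see why partial cleaning fails, here is an added example (not code from this article or from any real tracker) that models the respawn logic with three in-memory stores. The store names, the site name `tracker.example` and the ID counter are assumptions made for the illustration; nothing here touches a real browser.

```javascript
// In-memory stand-ins for the three stores discussed above (assumed names).
const STORE_NAMES = ["httpCookie", "flashCookie", "imageCache"];

function newClient() {
  return Object.fromEntries(STORE_NAMES.map((n) => [n, new Map()]));
}

// Constructed counter standing in for the server's "unique number".
let nextId = 1000;

// One site visit: recover the ID from any store that still holds it,
// otherwise issue a fresh one, then write it back to every store.
function visit(client, site) {
  const survivors = STORE_NAMES.filter((n) => client[n].has(site));
  const id = survivors.length ? client[survivors[0]].get(site) : nextId++;
  for (const n of STORE_NAMES) client[n].set(site, id);
  return { id, recoveredFrom: survivors };
}

// What a cleaning tool does: wipe only the stores it knows about.
function clear(client, storeNames) {
  for (const n of storeNames) client[n].clear();
}

// True when the site sees the same ID again after the given stores are wiped.
function stillTracked(clearedStores) {
  const client = newClient();
  const before = visit(client, "tracker.example").id;
  clear(client, clearedStores);
  return visit(client, "tracker.example").id === before;
}

// Compare three levels of cleaning coverage.
function coverageReport() {
  return {
    cookiesOnly: stillTracked(["httpCookie"]),
    cookiesAndFlash: stillTracked(["httpCookie", "flashCookie"]),
    everything: stillTracked(STORE_NAMES),
  };
}

console.log(coverageReport());
```

Only the run that wipes every store the site writes to comes back with a new ID; a cleaner that misses a single store leaves the old ID recoverable, and the next visit rewrites it everywhere.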
No cookies at all
Visit the site amiunique.org (Am I Unique?), and click “View my browser fingerprint”. You may find that you are, indeed, unique, and thus trackable.
Whenever you visit a website, your browser provides that site a variety of information, including the version of the browser, your screen resolution, your operating system, and so on. Other information — like the plugins you have installed, whether there’s an adblocker present, or if Flash player is available — can also be determined by script included on any webpage you view. All of this information is made available so websites can use it in various ways to provide you features and functionality — in other words, for “good”.
But the combination of all these bits of information (amiunique.org examines 17 different items) can indeed be completely unique to you. As improbable as it might seem, yours might be the only computer connected to the internet with that specific combination of characteristics. That means when websites see that specific combination of characteristics, they know it’s your machine.[2]
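The following added example (not from the original article, and not how amiunique.org computes its results) measures how many browsers in a small population share each attribute on its own versus all of them together. The population rows and attribute values are constructed for the illustration.

```javascript
// Constructed sample population: one row per browser, made-up values.
const population = [
  { browser: "Firefox 115", os: "Windows 10", screen: "1920x1080", adblock: true,  flash: false },
  { browser: "Firefox 115", os: "Windows 10", screen: "1920x1080", adblock: false, flash: false },
  { browser: "Firefox 115", os: "Linux",      screen: "2560x1440", adblock: true,  flash: false },
  { browser: "Chrome 120",  os: "Windows 10", screen: "1920x1080", adblock: true,  flash: false },
  { browser: "Chrome 120",  os: "Windows 10", screen: "1366x768",  adblock: false, flash: false },
  { browser: "Chrome 120",  os: "macOS 14",   screen: "2560x1440", adblock: false, flash: false },
  { browser: "Safari 17",   os: "macOS 14",   screen: "2560x1440", adblock: false, flash: false },
  { browser: "Chrome 120",  os: "Windows 10", screen: "1920x1080", adblock: false, flash: true  },
];

// How many browsers share `me`'s values for the listed attributes.
function anonymitySet(pop, me, attrs) {
  return pop.filter((p) => attrs.every((a) => p[a] === me[a])).length;
}

// Identifying information in bits: log2(population size / anonymity set size).
function identifyingBits(pop, me, attrs) {
  return Math.log2(pop.length / anonymitySet(pop, me, attrs));
}

// Per-attribute set sizes next to the size for the full combination.
function fingerprintReport(pop, me) {
  const attrs = Object.keys(me);
  return {
    perAttribute: Object.fromEntries(
      attrs.map((a) => [a, anonymitySet(pop, me, [a])])
    ),
    combined: anonymitySet(pop, me, attrs),
    combinedBits: identifyingBits(pop, me, attrs),
  };
}

console.log(fingerprintReport(population, population[0]));
```

For the first row, every single attribute is shared with at least two other browsers, yet the combination matches that row alone. Dropping one attribute from the check widens the set to two, the "only a few" case from the footnote.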
What I do
What do I do about all this?
I just don’t believe that browser-based tracking represents as huge of a threat as some seem to feel. Even supercookies, evercookies, and browser fingerprints don’t really worry me that much.
Most tracking isn’t done at the individual level. No one cares that Leo Notenboom visited this site, and then that site, and then that site, or bought this or that. What they do care about is that 1,000 people did, and that those 1,000 people should now see ads related to that site. Anyone that bought X might be interested in Y, so we’ll show ads for that.
As I said, I don’t care. At worst, it’s an annoyance when I see the same ad everywhere I go on the internet.
If you want to do something…
I’ll admit, though, as unlikely as I think it is, the technology certainly could be used to track me as an individual.
Some people simply don’t appreciate their movements being tracked, even in a relatively benign, anonymous, aggregate way. And some are legitimate targets for some form of state-sponsored tracking at the individual level.
So how can you avoid it?
It’s not easy. In fact, it’s darned near impossible, if the websites you visit are determined to track you.
The only way is to be certain that nothing has been saved from a prior visit, and thus, nothing trackable is sent on subsequent visits.
The only guaranteed way to do that is to start with a completely fresh computer each time you browse.
Harsh, I know.
The problem with the various techniques that create supercookies and evercookies is that we have no real confidence that we can clear them all. Yes, browser extensions will come along and clear more of them, but as the evercookie example illustrates, a determined site need only have one technique that slips through to continue to track.
As I said, it’s whack-a-mole, and the moles are winning.
There are two approaches to making the “start with a clean machine every time” approach slightly more palatable:
- Do your browsing within a virtual machine you reset each time.
- Use a Live CD (or DVD or USB), containing a completely stand-alone operating system, including a web browser, that saves nothing to your disk when it exits.
“Private” or “incognito” browsing does not cover all possible tracking techniques; you need to take much more aggressive steps.
Even if so-called supercookies were completely outlawed, that law would only be valid in those countries that passed it, and even there, those that choose to flout the law would carry on. Legislation won’t make the technology go away. If supercookies are outlawed, only outlaws will have supercookies.
I expect that the arms race will continue: browser features and add-ons will be developed to increase your privacy, and new tracking techniques will be developed to bypass them.
The good news is, I do believe various privacy watchdog groups monitor most major sites and advertising networks — and perhaps law enforcement too, should legislation become a reality — and as a result, blatant violations will be taken to task.
Footnotes & References
1: Or at least for “a while”. The newsletter offer popup on Ask Leo! should appear only every month or six. Unless, of course, you clear cookies.
2: Even when it’s not truly unique, but say, limited to “only a few” that share the characteristics, that level of tracking can still be valuable.