What Are Supercookies? The Web's Latest Tracking Device
Did you delete your cookies? Think again, as new research has discovered that major websites have been using supercookies to track you online.
What is a Cookie?
A cookie is a small text file stored on your hard drive and used by sites to tailor your viewing experience. Cookies typically contain information such as the last time you visited the site, a session ID, or any preferences you have set for how the website is customised (font size, colour scheme, and so on). A cookie can only be read by the website that set it, and accepting cookies is entirely optional.
Over the years, cookies have been repurposed to provide tracking information and targeted advertising, and alongside this, our browsing habits have changed. We now access the Internet via multiple devices (desktops, laptops, tablets and smartphones, to name a few). The traditional cookie cannot be used to track a person across multiple devices, so whoever is doing the tracking can only follow what you do on each device, not across all of them. With the recent advent of the "Do Not Track" movement and some browsers turning off cookies by default or via extensions, the age of cookies is quickly drawing to a close.
What Are Super Cookies?
Researchers from Stanford University and the University of California at Berkeley have discovered new "supercookies" lurking on some major websites which can identify and track users across multiple devices and multiple websites, with some even being able to access your internet browsing history. The browser does not control these cookies, making them difficult for users to block or identify. There are no controls on what information they capture and what they do with it.
The exact details of their implementations have not been released, but it has been rumoured that these supercookies will probably gain access to the unique identifiers or serial numbers of your devices and link them to a global account, such as your Microsoft or Google account. Once the unique IDs of your smartphone, laptop, TV and game console have been linked to a central point, it becomes very easy to track your behaviour. Microsoft, Google, Apple or Facebook will know what time of day you wake up from the first time you check email or browse the web, the route you take to work and where you work (via GPS), what job you do (via your searches), as well as pretty much anything else you do online. Even if supercookies are not linked to your Microsoft, Google or Facebook accounts, they could allow skilled hackers to gain access and swipe your information.
Supercookies are stored in different places than regular cookies, such as within the web browser's cache of previously visited websites, which is where the Microsoft ones were located. Privacy-conscious users who know how to find and delete regular cookies might have trouble locating supercookies. Supercookies have also been found in Microsoft's advertising network, which places ads for other companies across the Internet. As a result, people could have had the supercookie installed on their machines without visiting Microsoft websites directly, and even if they had deleted their regular cookies, Microsoft could have retained information about their web browsing.
There is another word for software that installs itself onto a computer without permission, is difficult to get rid of, replicates to many locations, and restores deleted versions. That word is computer virus, and I treat supercookies with the same contempt.
Why do these companies want to know which sites you visit?
Gathering information about your browsing history can offer valuable clues about your interests, concerns or household finances. For example, if you were to start researching a disease online, they can identify you as having, or knowing someone who has, that disease, then target advertisements for prevention or cures at you wherever you go. The data collected about you may be stored remotely without you knowing about it or where it is, and it will more than likely be sold to the highest bidder for large sums of money. And let's not forget that most of these companies also have our credit card, contact and address details.
Let's say you are on Amazon browsing for a few products. You then look at the same products on eBay or another retail site. Both sites feature advertisements served by the same provider (nine times out of ten, the DoubleClick network). Then, while reading a forum or looking at the news, you see adverts for those same products. How did these adverts get there?
This is called targeted advertising. These ad networks use third-party cookies, that is, cookies set by sites other than the one you are looking at. The more sites you visit, the more complete the picture of your browsing habits and interests becomes. When they serve adverts, they know what sites you've been on, what you've looked at and what products you like.
A Real Example
I keep my work and personal data separate. I have a work laptop and a personal laptop. They are separate: I don't do personal stuff, surf personal sites or sign into personal accounts on my work laptop. Likewise, I don't do anything work-related on my personal laptop. There is no way to connect the two.
That is, until I urgently needed to access my personal Gmail on my work computer. Having entered my username, password and authentication code, I opened the email and printed the part I needed. I then signed out and closed the browser. Imagine my surprise when I turned on my personal laptop, was browsing one of the car forums, and saw adverts for the products we use at work. By signing into my Google account, they had linked my work browsing habits to my personal account.
Supercookies in the Wild
So far, supercookies have been found to infect the following storage areas on computers:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in the RGB values of auto-generated, force-cached PNGs, using the HTML5 Canvas tag to read the pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
- Probably more yet to be found...
One particular pest is called evercookie, which is a method for tracking people. It has been around since the start, and a WordPress plugin for it even exists. In their own words:
evercookie is a javascript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.
Evercookie accomplishes this by storing the cookie data using several storage mechanisms available in the local browser. Additionally, if Evercookie finds that the user has removed any of the cookie types in question, it recreates them using each mechanism available.
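The replication just described is also what gives evercookie-style tracking away: the same opaque identifier turns up in several storage areas at once. The script below is an added example (not code from the article or from the evercookie project) that takes a snapshot of storage areas in the form `{ storeName: { key: value } }` and reports any token present in three or more of them; the snapshot and the identifier in it are constructed.

```javascript
// Added example, not from the article or the evercookie project: flag an
// identifier that has been replicated across several browser storage areas.
// Input shape: { storeName: { key: value } }. In a browser you would fill it
// from document.cookie, localStorage, sessionStorage, window.name and the
// ETags of cached resources; here the snapshot is constructed by hand.

// Opaque identifiers are long runs of URL-safe characters.
const ID_TOKEN = /[A-Za-z0-9_-]{16,}/g;

// Base64 decode that works in both a browser (atob) and Node (Buffer).
const fromBase64 = (s) =>
  typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('binary');

// Collect candidate identifiers from one stored value, both as stored and
// after base64 decoding, since some slots (e.g. window.name) hold it encoded.
function candidateTokens(value) {
  const text = String(value);
  const tokens = new Set(text.match(ID_TOKEN) || []);
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(text) && text.length % 4 === 0) {
    for (const tok of fromBase64(text).match(ID_TOKEN) || []) tokens.add(tok);
  }
  return tokens;
}

// Return every token present in at least minStores distinct storage areas.
function findReplicatedIds(snapshot, minStores = 3) {
  const seenIn = new Map(); // token -> Set of store names
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      for (const tok of candidateTokens(value)) {
        if (!seenIn.has(tok)) seenIn.set(tok, new Set());
        seenIn.get(tok).add(store);
      }
    }
  }
  return [...seenIn]
    .filter(([, stores]) => stores.size >= minStores)
    .map(([id, stores]) => ({ id, stores: [...stores].sort() }));
}

// Constructed snapshot: one tracking ID mirrored into five stores, plus
// ordinary single-store values that must not be reported.
const TRACKING_ID = '7f3c9b2e4d1a8f60';
const toBase64 = (s) =>
  typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64');
const SAMPLE_SNAPSHOT = {
  cookie: { evercookie_uid: TRACKING_ID, session: 'k1k2k3k4k5k6k7k8k9' },
  localStorage: { evercookie_uid: TRACKING_ID, theme: 'dark' },
  sessionStorage: { evercookie_uid: TRACKING_ID },
  windowName: { value: toBase64(TRACKING_ID) },
  etag: { '/img/pixel.png': `"${TRACKING_ID}"` },
};

console.log(findReplicatedIds(SAMPLE_SNAPSHOT));
```

A real audit would be run from the browser console (or a devtools snapshot) against the live stores; a hit across three or more areas is the signature worth investigating, since legitimate preferences live in one place.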
How to Block evercookie and supercookies
Currently, there is no practical way to block supercookies. Using Incognito or Safe Browsing modes will help, but they are not guaranteed to block supercookies.
The only surefire method is to disable JavaScript and block regular cookies as well, but, as I found out, most websites will no longer function.
Disabling JavaScript will not remove existing supercookies, but they will remain inactive for as long as JavaScript support is disabled.
Another option, although hardly feasible, is to use a virtual machine. When you're finished browsing the web, delete the virtual machine and clone a copy from the master. Next time, you start from a clean copy, and when you're done, delete it again.
My current techniques for blocking supercookies consist of using the FlashBlock plugin, which disables all Flash unless I specifically allow an applet to run.
I also use AdBlockPro, which blocks most ads and trackers; this speeds up browsing and also blocks cookies set by advertisers.
I have also disabled JavaScript by default, allowing only specific sites to run it, and the same goes for cookies.
Unfortunately, applications such as CCleaner cannot remove all Evercookie records, so I cannot recommend their use now.
What can be done about Supercookies
Simply clearing out your internet history, temporary files, and cookies isn't going to cut it in today's information age, nor are cookie blockers and history erasers.
Do Not Track (DNT) is a technology and policy proposed in 2009 that enables you to opt out of tracking. However, it is not widely implemented and is only voluntary.
Unfortunately, supercookie technology is in its infancy, and a proper defence has yet to be established. For the time being, this is what I do:
- Use Google Chrome
- Set cookies to delete when I close my browser
- Block all third-party cookies
- Set temporary files to be deleted when I close my browser
- Install uBlock Origin rather than AdBlockPlus: I can no longer in good conscience recommend AdBlockPlus, as the developers now provide a means for ad publishers to bypass ad blocking through an "acceptable ads" policy
- Install HTTPS Everywhere
- Install FlashBlock
- Do not use a web service to help resolve navigation errors
- Do not log into my Google account unless I have to
- Make sure that "Automatically send usage statistics and crash reports to Google" is UNTICKED.
- Running Windows 10? Geez, you'd better read this: Windows 10 Privacy Settings