Cookies, evercookies, and supercookies: what’s going on in the bakery?
Chances are, you’ve heard that people use “cookies” to track you on the internet. But what are cookies? And what on Earth are evercookies and supercookies? Let’s take a look at these not very yummy data morsels, and see what we can and can’t do to keep them under control.
In the early days of the commercial Internet, websites ran into a problem: when you left a page, the site forgot everything it knew about you. Sure, it could ask you to register with your name and password, and then keep track of you each time you returned and logged in. But most visitors don’t log in: they just check out what they’re interested in, and wander away. If you left some merchandise in an online shopping cart, poof, it was gone. If you came back again later, the site had no way of knowing if they’d ever seen you before.
Cookies were the solution.
Tracking, not baking
In the early days, cookies were simply a small chunk of random numbers that uniquely identified your browser. Once a site placed a cookie on your device, even if they didn’t know your name, they could track things like which pages you visited, what you seemed to be interested in, and whether you came back. They could begin to personalize content based on any preferences you’d shown or expressed. They could put the right merchandise back in your shopping cart, so you’d be one big step closer to buying it.
Like bakers, web developers thought up many kinds of cookies. Session cookies stick around as long as you’re browsing a site, tracking what you’re doing but disappearing when you leave. Authentication cookies check whether you’re logged into that site, and how you identify yourself when you do log in. Tracking cookies, like those we described earlier, stay on your computer to gradually build a record of your interactions with a given site. First-party cookies are placed by the site itself, typically for its own use. In contrast, third-party cookies might be placed by an advertising network that can watch you on multiple sites and build a freakishly rich profile of you, whether they can figure out your name or not.
Intrusive, not tasty
It quickly became obvious that cookies were enabling some very intrusive tracking and personalization. In response, web browsers offered ways to clear your cookies. For example, to clear cookies in Chrome, you can click More at the top right; then More Tools [Windows] or History [Android, iOS]; then Clear Browsing Data, and follow the instructions there.
Advertisers, marketers, and some website proprietors didn’t like having their cookies crumbled. So they developed more persistent ways to stay with you. Hence, evercookies and supercookies.
Evercookies squirrelled away data on your device using multiple storage mechanisms – for example, Flash local shared objects, Silverlight isolated storage, browser histories, and various forms of HTML5 storage. A site would check to see if its cookie was still present: if not, it used the other remaining chunks of data to “respawn” it like a zombie in a videogame.
Most people don’t use Flash or Silverlight anymore, and browsers have locked down some of the locations that evercookies relied upon in the early 2010s, so you don’t hear much about them lately. But that certainly doesn’t mean ad trackers have given up – they’ve just moved on.
Another cookie variant you may encounter is the supercookie. These character strings aren’t stored on your device: they’re inserted at the network level by your service provider – most notoriously, Verizon Wireless.
Verizon calls theirs “Unique Identifier Headers,” and when you use a device on their wireless network, these UIDHs appear in the header data your web browser sends to other sites. After an extensive FCC investigation and a $1.35 million fine, Verizon agreed to let you switch them off – but to do it, you must log onto their site, opt out of their Relevant Mobile Advertising program, and make sure you aren’t opted in to their Verizon Selects marketing program, either.
AT&T also used tracking headlines, but announced in 2015 that it would drop them. Around the same time, a research project by the international digital rights organization Access found similar trackers from Bell Canada, Bharti Airtel, Cricket, Telefonica de España, Viettel Peru S.a.c., and Vodafone in the Netherlands and Spain.
Trail of crumbs
Don’t use one of these carriers? That doesn’t mean you’ve escaped tracking. The most powerful tracking method isn’t a cookie at all: it’s browser fingerprinting. A server identifies all it can about your system: what browser you’re using, its settings, fonts, plug-ins, language, screen resolution, and (increasingly) the kind of hardware you’re running it on. You may well be the only person with your unique set of characteristics – and that means every time you go online, you’re potentially identifiable. (To see if you’re truly one of a kind, you can run two online tests: Panopticlick and AmIUnique.)
Some financial institutions use browser fingerprinting to prevent fraud, but most other applications are pretty intrusive. What can you do about it?
Firefox now offers some fingerprinting protection: choose the Firefox menu, click Privacy & Security, and choose Strict in the Enhanced Tracking Protection section. Some of its new features have their roots in the Tor browser, so you could also try Tor itself. The version of Safari in Apple’s macOS 10.14 Mojave and iOS 12 has stronger anti-fingerprinting features, too. Microsoft says it’s building anti-fingerprinting features into Edge (as of November 2019, they’re still in beta). Finally, in Chrome, Canvas Defender and similar third-party extensions may help. And if you want to take the trouble, you might try running your browser in a virtual machine like VirtualBox. But none of this is foolproof: fingerprinting is powerful, and getting more so.
And regardless of which web browser you’re using, it’s always the best practice to maintain online security to keep your browsing safe. Sophos Home offers an unobtrusive means to make sure wherever you go on the internet, regardless of what digital baked goods you might come across, you’re protected against malware and other threats.