What is a supercookie? Why are supercookies worse than regular cookies?
Here’s what you need to know about supercookies and how to properly delete them.
What are Cookies?
To understand supercookies, you need to understand what regular cookies are. An HTTP cookie, commonly known simply as a cookie, is a small piece of code that is downloaded to a user’s browser when they visit a website. Cookies store small amounts of information that are useful to websites, to users, and to the interactions between them.
For example, when you place items in your Amazon shopping cart, those items are stored in cookies. If you leave Amazon, when you return, your items will still be in your cart. Cookies send that information back to Amazon when you return to the site.
Regular cookies also serve other functions, such as notifying websites that you are logged in, so you don’t have to log in again when you return. More controversially, third-party tracking cookies follow you across the internet, reporting back to marketing and other companies about what you do online.
And What are Supercookies?
Supercookies are tracking cookies, but with a more sinister use. They also function differently from regular cookies.
With regular cookies, if you don’t want them to follow you around the internet, you can delete your browsing data, cookies and more. You can block cookies and third-party cookies in your browser, and have cookies deleted automatically when your browser session ends. You will have to sign in to each site again, and your shopping cart items won’t be saved, but it also means tracking cookies are no longer tracking you.
Supercookies are different. Clearing your browsing data doesn’t help. This is because supercookies are not really cookies; they are not saved in your browser.
Instead, the ISP inserts information unique to the user’s connection into the HTTP header. This information uniquely identifies any device. In Verizon’s case, this allows tracking of every website visited.
Since the ISP injects the supercookie between the connected device and the server, there is nothing the user can do about it. You can’t delete it, because it’s not saved on your device. Ad-blocking software and scripts can’t stop it, because it happens after the request leaves the device.
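To see why nothing on the device helps, compare the request as it leaves the client with the request as the server receives it. The following is an added example, not code from the original article; the host name, the header value and the carrier_inject() simulation are constructed for illustration.

```python
# Added example: diff the headers a client sent against what the server received.
# All requests below are constructed samples; the X-UIDH value is a placeholder.

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased name: value} from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def changed_in_transit(sent: bytes, received: bytes) -> dict:
    """Headers the server saw that the client never sent, or sent differently."""
    s, r = parse_headers(sent), parse_headers(received)
    return {name: value for name, value in r.items() if s.get(name) != value}

def build_request(cookie=None) -> bytes:
    """Constructed client request, with or without a Cookie header."""
    lines = ["GET /echo HTTP/1.1", "Host: echo.example", "User-Agent: demo"]
    if cookie:
        lines.append("Cookie: " + cookie)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def carrier_inject(request: bytes) -> bytes:
    """Simulates the in-path rewrite of a plaintext request (constructed)."""
    return request[:-2] + b"X-UIDH: PLACEHOLDER-ID\r\n\r\n"

if __name__ == "__main__":
    for label, sent in (("with cookie", build_request("id=cookie1")),
                        ("cookies cleared/blocked", build_request())):
        print(label, "over HTTP :", changed_in_transit(sent, carrier_inject(sent)))
        # Over HTTPS the intermediary cannot edit the request, so it arrives as sent.
        print(label, "over HTTPS:", changed_in_transit(sent, sent))
```

The same diff works against a real capture: log the raw request on a server you control and compare it with what the client sent over plain HTTP on the mobile connection.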
Danger of Supercookies
The potential breach of privacy here should be clear – in most cases, cookies are bound to one website, and cannot be shared with other sites. The UIDH (Verizon’s Unique Identifier Header, sent as X-UIDH) can be disclosed to any website and contains a potentially large amount of information about a user’s habits and history. Verizon also advertises this capability to its partners. It is quite possible that this particular use of supercookies is meant to capture a lot of data in order to sell it.
[S]uppose an ad network assigned you a cookie with the unique value “cookie1,” and Verizon assigned you the X-UIDH header “old_uid.” When Verizon changes your X-UIDH header to a new value, say “new_uid,” the ad network can connect “new_uid” and “old_uid” to the same cookie value “cookie1” and see that all three values represent the same person. Similarly, if you then clear cookies, the ad network will assign a new cookie value “cookie2.” Since your X-UIDH value is the same (say, “new_uid”) before and after clearing cookies, the ad network can connect “cookie1” and “cookie2” to the same X-UIDH value “new_uid.” The back-and-forth bootstrapping of identity makes it impossible to truly clear your tracking history while the X-UIDH header is enabled.
In the same blog post, the EFF also notes that the UIDH can apply to data sent from apps, which isn’t easy to track otherwise. This combination allows the creation of a fine-grained picture of the user’s internet usage. Verizon has also bypassed the “Limit ad tracking” setting on iOS and Android. Bypassing this limit increases the potential for privacy violations by supercookies.
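The identity bootstrapping in the EFF quote above can be modelled as a connected-components problem: any two identifiers seen in the same request are linked, and links chain. The following added example (not from the article or the EFF post) uses the quote's own sample values plus two constructed comparison cases to show when the chain holds and when it breaks.

```python
from collections import defaultdict

def link_identities(observations):
    """Group identifiers that can be tied to one person.

    observations: (cookie, uidh) pairs as one party would log them per request;
    None means that identifier was absent from the request.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for cookie, uidh in observations:
        # Tag each value with its kind so a cookie and a header never collide.
        ids = [i for i in (("cookie", cookie), ("uidh", uidh)) if i[1] is not None]
        for i in ids:
            find(i)
        if len(ids) == 2:
            parent[find(ids[0])] = find(ids[1])  # seen together: same person

    groups = defaultdict(set)
    for x in list(parent):
        groups[find(x)].add(x[1])
    return sorted(sorted(g) for g in groups.values())

# The sequence from the quote: the header rotates, then cookies are cleared.
EFF_SEQUENCE = [("cookie1", "old_uid"), ("cookie1", "new_uid"), ("cookie2", "new_uid")]
# Constructed comparison: no header reaches the site (e.g. HTTPS or a VPN).
NO_HEADER = [("cookie1", None), ("cookie2", None)]
# Constructed comparison: cookie and header happen to change at the same moment.
BOTH_CHANGE = [("cookie1", "old_uid"), ("cookie2", "new_uid")]

if __name__ == "__main__":
    for name, obs in (("quote", EFF_SEQUENCE), ("no header", NO_HEADER),
                      ("both change", BOTH_CHANGE)):
        print(name, link_identities(obs))
```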
What Data Do Supercookies Send?
Supercookies include information about requests made by users, such as the website they were trying to visit and when the request was made. This is known as metadata (and is very similar to the metadata the NSA collects from cell phone records). But supercookies can include other data types as well.
Regardless of the exact type of data, if Verizon had a data breach and these cookies were tied to specific users, it would be a privacy nightmare. The EFF has already discovered that hashed phone numbers are used as user identifiers, which is a worrying sign. Hackers, other companies, or government organizations would love to get this type of information.
What are Zombie Cookies?
Zombie cookies are another type of supercookie. As the name suggests, you can’t kill zombie cookies. And just when you think you’ve got rid of them, zombie cookies can come back to life.
Zombie cookies remain intact because they hide outside your browser’s regular cookie storage. Zombie cookies target local storage, HTML5 storage, RGB color code values, Silverlight storage and more. The advertiser only has to find a cookie present in one of these locations to regenerate the rest. If the user fails to delete a zombie cookie from any one of the storage locations, they are back where they started. That’s why they are known as zombie cookies.
How to Delete Supercookies
Supercookies store a lot of information about you. Some can revive regular cookies that have been deleted, and some are not stored on your device at all. So, what can you do about them?
Unfortunately, the answer for some types of supercookies is “not much.”
Verizon allows customers to opt out of UIDH tracking. If you are a Verizon user, go to www.vzw.com/myprivacy, log in to your account, and go to the Relevant Mobile Advertising section. Select “No, I don’t want to participate in Relevant Mobile Ads.” Please note that opting out doesn’t actually disable the header. It simply tells Verizon not to share detailed demographic information with advertisers seeking UIDH values. In addition, if you participate in the Verizon Selects program, the UIDH will remain active even after opting out.
If your ISP decides to use a UIDH-grade supercookie to track you, you’re basically out of luck. If someone is tracking you with a supercookie, your best bet is to use a VPN to establish an encrypted connection between you and the rest of the internet. HTTPS, which is almost the de facto standard for internet browsing, also protects your internet traffic from prying eyes. Whenever possible, use HTTPS rather than a basic HTTP connection.
Thanks For Visit