Supercookies, also known as evercookies or zombie cookies, are like browser cookies in that they can be used to track you, but are much harder to remove.
What is a supercookie?
The way I first heard supercookies described was as a cookie that you can appear to delete, but as soon as you do, software rewrites the cookie. Like the Hydra from Greek mythology, cutting off a head does no good because it grows back [1].
This explanation is oversimplified. It doesn’t quite work that way.
A supercookie is not a cookie per se. It’s anything that can be used to uniquely identify your browser: font fingerprinting, flash cache, cached images, browser plugins and preferences, etc. Deleting your cookies has no effect because a supercookie is not a cookie.
However, a supercookie can work with other code to recreate deleted cookies, and so the simplified description is not entirely wrong. A supercookie could alert websites that a cookie has been deleted, and allow those sites to replace that cookie, or update the cookie if some browser data has changed.
What about ‘Do Not Track’?
You can ask sites to not track you, but this works on an honor system and is ignored with impunity, even (especially?) by the best known companies.
Apple has announced that it is removing Do Not Track from its Safari browser because the feature is worse than useless. Servers don’t honor it, and it gives a false sense of privacy. Not only that, the DNT setting is one more bit that servers could use to identify you! Because only about 9% of users turn on DNT, knowing that someone has it turned on gives about 3.5 bits of information toward identifying that person.
How to remove supercookies
How do you remove supercookies? You can’t. As explained above, a supercookie isn’t a file that can be removed. It’s a procedure for exploiting a combination of data.
You could remove specific ways that sites try to identify you. You could, for example, remove Flash to thwart attempts to exploit Flash’s data, cutting off one head of the Hydra. This might block the way some companies track you, but there are others.
It’s an arms race. As fingerprinting techniques become well known, browser developers and users try to block them, and those intent on identifying you come up with more creative approaches.
The economics of identification
Given the efforts companies use to identify individuals (or at least their devices), it seems it must be worth it. At least companies believe it’s worth it, and for some it probably is. But there are reasons to believe that tracking isn’t as valuable as it seems. For example, this article argues that the most valuable targeting information is freely given. For example, you know who is interested in buying weighted blankets? People who search on weighted blankets!
There have been numerous anecdotal stories recently of companies that have changed their marketing methods in order to comply with GDPR and have increased their sales. These are only anecdotes, but they suggest that at least for some companies, there are profitable alternatives to identifying customers who don’t wish to be identified.
More privacy posts
[1] In the Greek myth, cutting off one head of the Hydra caused two heads to grow back. Does deleting a supercookie cause it to come back stronger? Maybe. Clearing your cookies is another user behavior that can be used to fingerprint you.
As a follower of this blog for several years, I found the style of this post a bit unusual. Its use of exclamation points and bold feels uncharacteristic for you, and almost makes it seem like someone else wrote (or edited) this post. Which is an interesting impression to get from a post about subtle ways by which people can be fingerprinted.
Interesting. Nobody else wrote or edited this. I suppose two exclamation points in one article is a lot for me, but both were to denote irony.
How much of a help is a script blocker, e.g. NoScript, at least on desktops?
I have a question related to fighting supercookies. MS Windows 10 has a feature called Application Guard. It allows running the Edge browser in its own virtual environment. See https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.
It appears that this would provide strong protection against supercookies. Do you agree? Does it also provide significant protection against fingerprinting?
Chuck
I’m aware this comment by Chuck is a year old but that’s interesting. I’ve been incredibly interested in evercookies and know that a virtual machine is pretty much the only way to ensure you’re not infected (for lack of a better term) by this. I’m not sure how this would work on a network or through a browser though. windows 10 and edge are not highly regarded in terms of security and privacy. It’s kind of crazy how little amount of research has been put into this