Congressmen blast ‘supercookies’ as privacy menace
How does Amazon know what you were searching for yesterday when you hit their site?
So what’s a supercookie? Ars asked Ashkan Soltani, an independent privacy researcher who has assisted the Wall Street Journal with its privacy reporting. He told us that the term doesn’t have a precise definition. Rather, it’s “more of a marketing term” for cookie-like strategies for tracking users across browser sessions. Supercookies are typically difficult for users to delete, and Soltani said that’s precisely why some less-scrupulous advertisers use them.
In July Soltani was part of a team that uncovered a tracking method using ETags that worked even when the user was in private browsing mode. One of the sites using the technology, Hulu, quickly dropped it and severed ties with KISSmetrics, the company that provided it. KISSmetrics, along with clients such as Spotify and AOL, is now embroiled in a lawsuit arguing that the technology violates privacy laws.
Soltani pointed to Evercookie, a research prototype that demonstrates just how powerful supercookies can be. It stores information about itself in up to a dozen places in the user’s browser. And any time information stored in one place disappears (for example, when a user clears his cookies), it is “respawned” using information stored elsewhere. Such “zombie cookies” are extraordinarily difficult for ordinary users to delete.
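The respawning described above can be audited from the user's side by comparing what the browser holds before clearing cookies, right after clearing, and after revisiting the site. The following is an added example, not code from the article or from Evercookie; the snapshot shape, the store names and all sample values are assumptions constructed for illustration.

```javascript
// Flags "zombie" cookies: cookies the user cleared that return with the SAME
// identifier value, and lists the stores that still held that value.
// Snapshot format { storeName: { key: value } } is an assumption of this example.
function findRespawned(before, afterClear, afterRevisit) {
  const findings = [];
  for (const [name, value] of Object.entries(before.cookies || {})) {
    const cleared = !(name in (afterClear.cookies || {}));
    const back = (afterRevisit.cookies || {})[name];
    // A cookie re-issued with a fresh value is normal; the same value is a respawn.
    if (!cleared || back !== value) continue;
    const sources = [];
    for (const [store, entries] of Object.entries(afterClear)) {
      if (store === "cookies") continue;
      for (const [key, v] of Object.entries(entries)) {
        if (v === value) sources.push(`${store}:${key}`);
      }
    }
    // An empty sources list means the value came back from somewhere not snapshotted.
    findings.push({ cookie: name, value, sources: sources.sort() });
  }
  return findings;
}

// Constructed sample data (not taken from any real site).
const before = {
  cookies: { uid: "a81f3c", session: "s-111", theme: "dark" },
  localStorage: { _uid_bak: "a81f3c" },
  flashLSO: { "tracker.sol/uid": "a81f3c" },
  etag: { "/pixel.gif": "a81f3c" },
};
// The user cleared cookies and localStorage; Flash storage and the cache survived.
const afterClear = {
  cookies: {},
  localStorage: {},
  flashLSO: { "tracker.sol/uid": "a81f3c" },
  etag: { "/pixel.gif": "a81f3c" },
};
const afterRevisit = {
  cookies: { uid: "a81f3c", session: "s-222" },
  localStorage: { _uid_bak: "a81f3c" },
  flashLSO: { "tracker.sol/uid": "a81f3c" },
  etag: { "/pixel.gif": "a81f3c" },
};

const report = findRespawned(before, afterClear, afterRevisit);
console.log(JSON.stringify(report, null, 2));
```
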
Browser vendors have tried to keep up with these increasingly aggressive tracking schemes by adding user controls. Earlier this year, Google added the capability to delete Flash cookies using the same interface as traditional cookies. And an add-on called BetterPrivacy helps users manage Flash cookies on Firefox.
But Soltani thinks this is a losing battle. “It’s this constant game of whac-a-mole,” he said. “If there’s anywhere to store persistent data, companies are incentivized to do so.”
He said that as soon as browsers started creating user preferences to control Flash cookies, ad networks started moving to other mechanisms that were harder for users to control. Indeed, he said that some vendors explicitly advertise the fact that their user-tracking technologies are impervious to user cookie deletions.