
So-called "super cookies" are techniques that track the websites that you visit, even if you regularly disable or flush normal cookies.

I just read an article where Congress is asking the FCC to look into sites that use “super cookies” without the computer user's permission or even knowledge. What are “super cookies”? And how can I protect my computer from them?

I'll start out by saying that protection options are currently relatively limited, if even possible.

Super cookies are the result of website owners' desire (or more often, that of the advertising networks) to accumulate data about computer users and the sites that they visit - even those users who disable or clear cookies in their browser regularly.

And then, there are "ever-cookies".

Cookies

Cookies are part of the http protocol that your computer (more specifically, your web browser) uses to request web pages and that web servers use to deliver them.

When you visit a site, say http://ask-leo.com, the web server may return, along with the page, a small text file that contains some data. In a sense, your computer says, "Please give me http://ask-leo.com/some_page.html", and the server replies, "Here's the page that you requested and here's some data that I'd like you to hold on to for me."


The data can be anything and is stored somewhere on your computer by your web browser.

The next time that the computer requests a page from that same domain - ask-leo.com, in this example - it automatically sends the contents of that text file along with the request. To continue the analogy above, your computer might say, "I'd like http://ask-leo.com/whatever.html, and here's that bit of data that you asked me to keep before."

That's it. That's a cookie.

As I said, a cookie can be anything, but perhaps the most obvious example might be something as simple as a unique number.

The server would make up a completely new and unique number the first time that it sends back a cookie to your computer. When your computer sends that back on subsequent requests, the server knows that it came from the same machine, and thus, can track what pages that machine has been visiting.

Pretty simple.
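To make that exchange concrete, here is an added simulation (not code from the article) of the request and response described above: a "server" hands out a unique number with a Set-Cookie header, and a "browser" stores it per domain and sends it back in a Cookie header on later requests to that same domain. The class and function names are my own.

```python
import uuid

class Server:
    """Simulated web server: remembers which pages each cookie-bearing visitor asked for."""

    def __init__(self):
        self.visits = {}  # visitor id -> list of paths requested with that id

    def handle(self, request: dict) -> tuple:
        """request is a dict of header fields. Returns (visitor_id, response headers)."""
        visitor_id = None
        for part in request.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "id" and value in self.visits:
                visitor_id = value          # the browser sent back a number we issued
        response = {}
        if visitor_id is None:
            visitor_id = uuid.uuid4().hex   # first visit: make up a brand-new unique number
            self.visits[visitor_id] = []
            response["Set-Cookie"] = f"id={visitor_id}; Path=/"
        self.visits[visitor_id].append(request["Path"])
        return visitor_id, response

class Browser:
    """Simulated browser: keeps a cookie jar keyed by domain, as real browsers do."""

    def __init__(self):
        self.jar = {}  # domain -> {cookie name: value}

    def get(self, server: Server, domain: str, path: str) -> str:
        request = {"Host": domain, "Path": path}
        if self.jar.get(domain):            # only cookies for this domain are sent
            request["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.jar[domain].items())
        visitor_id, response = server.handle(request)
        if "Set-Cookie" in response:        # "hold on to this for me"
            name, _, rest = response["Set-Cookie"].partition("=")
            self.jar.setdefault(domain, {})[name] = rest.split(";")[0]
        return visitor_id

    def clear_cookies(self) -> None:
        self.jar.clear()

def demo() -> tuple:
    """Two visits share one id; after clearing cookies the server sees a new visitor."""
    server, browser = Server(), Browser()
    first = browser.get(server, "ask-leo.com", "/some_page.html")
    second = browser.get(server, "ask-leo.com", "/whatever.html")
    browser.clear_cookies()
    third = browser.get(server, "ask-leo.com", "/some_page.html")
    return first == second, first == third, server.visits[first]
```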

Super cookies

It's somewhat ironic, but what's commonly being discussed as "super cookies" aren't really cookies at all. By that I mean that they're not using http cookies.

A super cookie is simply some means of storing something unique from a website on your computer that can be retrieved the next time that you visit and that a) doesn't use http cookies and b) is often difficult or impossible to clear.

Let's say that the goal is, as in the example above, to simply assign your computer a number that can then be "read" somehow by subsequent website visits to track that it's the same machine visiting each time.

There are perhaps a dozen or more different approaches to do this that don't involve http cookies at all.

Here are just two examples:

  • Flash Cookies: Many sites use Adobe's Flash player, not just for video but for animation, slide shows, and even just plain old static images. As a result, the Flash player is on most people's machines.

    As it turns out, Flash has a separate mechanism that works pretty much like http cookies. These so-called "Flash cookies" aren't http cookies at all, but are simply data managed by the Flash player in a very similar way. The "problem" is that your web browser can't clear Flash cookies because Flash cookies aren't http cookies.

    The important take-away here is that Flash cookies are a cookie-like mechanism explicitly implemented in Flash by design.

  • Pixel hack: At the other end of the spectrum, I call this a hack because it uses techniques that were never intended to achieve this goal.

    Using this technique, the web page that you're visiting includes an image that includes a pixel or two where the color values have nothing to do with visual appearance. The color values assigned to those pixels, when combined, are the unique ID that the web server is attempting to assign to your computer.

    Each time a new computer comes along, the server creates a completely new image with new unique values for these pixels, so once again, every computer gets a unique number.

    A small amount of JavaScript elsewhere on the page can then read the pixel "colors" and report the number found back to the server.

    This technique relies on web browsers caching images on your hard drive for speed. The first time your computer needs the image, it's downloaded from the server with the uniquely assigned pixel values. Thereafter, the image is retrieved from your web browser's cache, where the pixel values are unchanged from what was originally assigned.

As I said, these are just two examples; one is an intentional feature, and the other is an unintentional side effect of some clever programming. There are other approaches, and perhaps more that haven't yet been discovered or devised.

Ever-Cookies

Let's assume that a website uses all three techniques that I've discussed so far: http cookies, Flash cookies, and the pixel hack.

It only takes one of them to work for your computer to be uniquely identified.

In fact, if any one of them works, then the website can immediately reset the other two.

That's the concept behind what some have termed the "ever-cookie" - a technique that uses more like ten different approaches to identifying your computer. As soon as any one of those techniques works, the other nine can be reset no matter how aggressively you clear them.

Clear your browser's http cookies? The cookie can be immediately reset on your next visit because perhaps a Flash cookie wasn't cleared. Cleared the Flash cookie? Then the cookie can be immediately reset on your next visit because the image cache wasn't cleared. And so on for any number of techniques that could be used.

You get the idea. It turns into a game of whack-a-mole to keep your computer from being uniquely identified.
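Here is an added simulation of that whack-a-mole (not code from the article, nor from any real tracker): three illustrative stores stand in for the http cookie, the Flash cookie and the cached image, and a site that finds its number in any one of them re-plants it in all of them. The store names and function names are assumptions made for the illustration.

```python
import uuid

# Stand-ins for the three hiding places the article names; illustrative, not real APIs.
STORES = ["http_cookie", "flash_cookie", "image_cache"]

class TrackingSite:
    """A site that re-establishes its identifier from whichever store survived."""

    def visit(self, machine: dict) -> str:
        surviving = [machine[s] for s in STORES if machine.get(s)]
        if surviving:
            ident = surviving[0]          # any single survivor is enough
        else:
            ident = uuid.uuid4().hex      # nothing left: this looks like a new machine
        for s in STORES:                  # (re)plant the number everywhere, cleared or not
            machine[s] = ident
        return ident

def clear(machine: dict, *stores: str) -> None:
    """Simulate a cleaning tool that only knows how to wipe the given stores."""
    for s in stores:
        machine.pop(s, None)

def partial_vs_full_clear() -> tuple:
    """Return (still recognised after clearing two stores, still recognised after clearing all)."""
    site, machine = TrackingSite(), {}
    original = site.visit(machine)
    clear(machine, "http_cookie", "flash_cookie")   # the image cache is left alone
    partial = site.visit(machine) == original
    clear(machine, *STORES)                         # what "a fresh computer" amounts to
    full = site.visit(machine) == original
    return partial, full

def one_store_per_visit() -> bool:
    """Clear a different store before each visit: every store gets wiped at some
    point, yet the identifier survives because each visit re-plants it."""
    site, machine = TrackingSite(), {}
    original = site.visit(machine)
    for s in STORES:
        clear(machine, s)
        if site.visit(machine) != original:
            return False
    return True

if __name__ == "__main__":
    print(partial_vs_full_clear(), one_store_per_visit())  # (True, False) True
```

Only the case where every store is emptied between visits yields a new number, which is the article's argument for a virtual machine or live CD rather than a cookie cleaner.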

What I do

What do I do about all this?

Absolutely nothing.

I just don't believe that browser-based tracking represents as huge of a threat as some seem to feel.

Most tracking isn't done at the individual level. No one cares that Leo Notenboom visited this site and then that site and then that site. What they do care about is that 100 people did, and that perhaps those 100 people should now see ads related to that site.

As I said, I don't care. At worst, it's an annoyance when I see the same ad everywhere I go on the internet.

Oh well.

If you want to do something...

I'll admit, though, that as unlikely as I think it is, the technology certainly could be used to track me as an individual.

And some people simply don't appreciate their movements being used even in the relatively benign, anonymous aggregate way.

So how can you avoid it?

It's not easy. In fact, it's darned near impossible if the websites that you visit are determined to track you.

The only way is to be certain that nothing has been saved from a prior visit, and thus, there's nothing trackable being sent on subsequent visits.

And the only guaranteed way to do that is to start with a completely fresh computer each time that you browse.

Harsh. I know.

The problem is that with the various techniques that can be used to create super-cookie like behavior, we simply have no real confidence that we can clear them all. Yes, browser extensions will come along and clear more of them, but as the ever-cookie example illustrates, a determined site need only have one technique that slips through to be able to continue to track.

As I said, it's whack-a-mole and the moles are winning.

There are two approaches to making the "start with a clean machine every time" approach slightly more palatable:

  • Do your browsing within a virtual machine that you reset each time.

  • Use a live CD, such as the Ubuntu Live CD, that includes a web browser and saves nothing to your disk when it exits.

It's unclear, but I expect that "private browsing" will not cover all of the possible tracking techniques, although sandboxing - similar in many ways to virtual machines - might, depending on the specific technology being used.

The future

The investigation that you refer to, and any legislation that might result, is interesting, but it can go only so far. Even if so-called super cookies were completely outlawed, that law would be in effect only in those countries that have it, and even there, those that choose to flout the law will carry on.

In other words, legislation won't make the technology go away. If super cookies are outlawed, only outlaws will have super cookies.

I expect that the arms race will continue - browser features and add-ons will be developed that increase your privacy, and new tracking techniques will be developed that bypass them.

The good news is that I do believe that most major sites and advertising networks will be monitored by various privacy watchdog groups - and perhaps law enforcement as well, should legislation become a reality - and as a result, any that blatantly violate our privacy will be taken to task.

I hope.

Note: I've intentionally glossed over some of the specifics as this can get incredibly complex very quickly. What's most important here are the general concepts.

Article C4943 - October 1, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


23 Comments

There are some programmes that remove cookies. I have used Maxa Cookie Manager for some time and it removes all the usual cookies and flash, silverlight, IE UserData DOM and FirefoxDOM cookies. It also marks all persistent cookies so you can remove them.

But to be clear, super cookies aren't technically cookies at all, and use techniques that cookie-clearing utilities cannot detect and thus do not currently clear.
Leo
13-Oct-2011
Posted by: Leif Lagerstedt at October 13, 2011 12:50 PM

Re: Stephen at October 4, 2011 9:34 AM

“You should have mentioned that the vast majority of cookies are benign and actually add to the browsing experience. “

I agree completely with the comments made by Carol Putman at October 11, 2011 12:45 PM-

“I don’t care if someone wants to track me… …What really steams me is that they are storing stuff on MY computer…”

But I would like to add my own comments. If these cookies are so benign, why then are online companies and websites finding frankly devious ways to do the same thing with pseudo-cookies (LSO’s); why are they so determined to track us, supposedly anonymously?

Why don’t more websites give us the choice of enabling or disabling cookies? Surely if it is for our convenience as opposed to theirs, cookies should be disabled by default with an option to enable them?

As for the ‘anonymity’ of cookies-

https://secure.wikimedia.org/wikipedia/en/wiki/Data_mining

“Data mining requires data preparation which can uncover information or patterns which may compromise confidentiality and privacy obligations. A common way for this to occur is through data aggregation. Data aggregation is when the data are accrued, possibly from various sources, and put together so that they can be analyzed. This is not data mining per se, but a result of the preparation of data before and for the purposes of the analysis. The threat to an individual's privacy comes into play when the data, once compiled, cause the data miner, or anyone who has access to the newly compiled data set, to be able to identify specific individuals, especially when originally the data were anonymous.”

“One may additionally modify the data so that they are anonymous, so that individuals may not be readily identified. However, even de-identified data sets can contain enough information to identify individuals, as occurred when journalists were able to find several individuals based on a set of search histories that were inadvertently released by AOL.”

So much for anonymity; though I suspect the response will be ‘they just aren’t that interested in you’…. for now; call it paranoia, but being paranoid doesn’t mean they aren’t after you!

Posted by: Smiling Carcass at October 29, 2011 4:58 AM

Will these “Super Cookies” be able to collect signing in passwords to the likes of eBay or PayPal? And more important can they retrieve your credit card details, and anyone doing online banking “which I never do” how safe are their details?

Cookies don't retrieve anything. They simply allow advertising networks to track what sites you visit.
Leo
03-Nov-2011

Posted by: Paul R Firth at November 3, 2011 10:14 AM

Interesting article, Leo. Thanks for the insight... very enlightening.

Posted by: Ian G at November 3, 2011 1:05 PM

As a computer geeky person I have found a malware program which protects against not only the 'normal' intrusions, but allows you to double protect your computer against the major of all 'cookies'. A combination of Firefox and Panda Security limit or eliminate most unwanted intrusions. Once you have set permissions for allowing cookies, these two programs work quite seamlessly in tandem. This DOES include a good portion of JavaScript and Flash cookies. It allows you to determine which cookies you want and which ones you DON'T. ANYTHING with analytics, ad..., track..., et al. will follow every move on the internet you make.
One way to protect yourself is to be aware of what cookies are being stored on your computer!!

Posted by: Jean MC at November 3, 2011 3:04 PM