Supercookie Decoded: What Is It and How to Erase It
1. What is a Cookie?
2. What is a Supercookie?
3. The perils of supercookie
4. What data does supercookie transmit?
5. What is a Cookie Zombie?
6. How to eliminate a supercookie?
1. Understanding Cookies
To delve into the realm of supercookies, it's essential to grasp the concept of regular cookies. An HTTP cookie, commonly referred to as just a cookie, is a small piece of code downloaded to a user's browser when they visit a website. Cookies store small pieces of useful information for the web, users, and the interaction between the two.
For example, when you add items to your cart on Amazon, those items are stored in a cookie. If you leave Amazon's website and return later, your items will still be in the cart. The cookie sends that information back to Amazon when you revisit the website.
Regular cookies also serve other functions, such as storing passwords for websites you've logged into, saving you from the hassle of logging in again. However, there are controversies surrounding cookies, like third-party cookies tracking your internet activities and sending information to other companies about what you search for or share online.
2. Unveiling Supercookies
A supercookie is a tracking cookie that seems nearly impossible to remove.
Supercookies track users for specific purposes. With regular cookies, you can erase your browsing data, your cookies, and more to avoid being tracked online. Supercookies are a different story: even if you clear your web browsing data, you can't eliminate a supercookie, because it doesn't reside in your browser. Instead, it is added on the path between your device and the website's HTTP server. Before your network forwards the request to the server, it adds a unique identifier string to your request header.
Deleting supercookies is not as straightforward as deleting regular cookies. Their persistence poses a challenge to user privacy, because they survive the traditional measures taken to clear browsing data.
The unique identifier string allows websites to identify you as the same user every time you visit, even with a different device, even after clearing cookies. In the case of Verizon, their supercookie enables them to track all accessed websites.
Since the network embeds the supercookie between the device and the connecting server, users are powerless to prevent it. You can't delete it because it's not stored on your device. Ad-blockers and scripts can't stop it since it occurs after the request leaves the device.
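The injection described above can be observed from the receiving end: a header arrives that the client never sent, and it carries the same value on every request. The following is an added example, not code from the original article; it compares requests as sent with requests as received by an echo endpoint over plain HTTP, using the X-UIDH header name from the EFF quote further down this page. The hostnames, the identifier value and the X-Request-Id contrast header are constructed for illustration.

```python
# Added example: flag headers inserted in transit that act as a stable identifier.

def parse_headers(raw):
    """Return {lowercase header name: value} from a raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def persistent_injected_headers(observations):
    """observations: list of (request_as_sent, request_as_received) raw strings.

    Returns {header: value} for headers the client never sent that arrived on
    every request with one identical value. Needs at least two observations,
    otherwise "same value every time" means nothing.
    """
    if len(observations) < 2:
        return {}
    values = {}                                # header -> list of values seen
    for sent_raw, received_raw in observations:
        sent = parse_headers(sent_raw)
        for name, value in parse_headers(received_raw).items():
            if name not in sent:
                values.setdefault(name, []).append(value)
    return {name: seen[0] for name, seen in values.items()
            if len(seen) == len(observations) and len(set(seen)) == 1}


def _request(host, extra=""):
    """Build a raw request; `extra` holds header lines added after sending."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: demo\r\n{extra}\r\n"


# Constructed captures: two plain-HTTP requests to hypothetical echo hosts.
PLAIN_HTTP = [
    (_request("echo-a.example"),
     _request("echo-a.example", "X-UIDH: CONSTRUCTED-ID-0001\r\nX-Request-Id: 111\r\n")),
    (_request("echo-b.example"),
     _request("echo-b.example", "X-UIDH: CONSTRUCTED-ID-0001\r\nX-Request-Id: 222\r\n")),
]
# Over HTTPS or a VPN the intermediary cannot edit the request: it arrives as sent.
ENCRYPTED = [(_request(h), _request(h)) for h in ("echo-a.example", "echo-b.example")]

if __name__ == "__main__":
    print(persistent_injected_headers(PLAIN_HTTP))
    print(persistent_injected_headers(ENCRYPTED))
```

The per-request X-Request-Id is also added in transit but changes every time, so it is not reported; only the header whose value stays fixed across unrelated hosts is.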
3. The Perils of Supercookies
Supercookies blatantly violate privacy. In most cases, a regular cookie is tied to a single website, though it may be shared with another. The UIDH (the unique identifier header the network adds), by contrast, can be exposed to any website, exposing a potentially vast amount of user habits and history. Supercookies can be exploited to gather extensive data for resale.
Supercookies pose a significant threat by violating user privacy.
The Electronic Frontier Foundation (EFF) also highlights that advertisers can use supercookies to resurrect cookies deleted from user devices and link them to new ones, evading the measures users take to avoid tracking:
'Imagine an advertising network assigns you a cookie with the unique value cookie1; Verizon assigns you the X-UIDH header as old_uid. When the network changes the X-UIDH header to new_uid, the advertising network can connect the values new_uid and old_uid to the same cookie1 value, realizing that all three represent the same person. Similarly, if you later delete the cookie, the advertising network will only identify the new cookie as cookie2. Because your X-UIDH header is the same (e.g., new_uid) before and after cookie deletion, the advertising network can link cookie1 and cookie2 with an X-UIDH value of new_uid. The continuous reinvention of identifiers makes it nearly impossible to truly erase your tracking history while the X-UIDH header is active.'
Furthermore, EFF notes that UIDH can also be applied to data sent from applications. This combination allows for a detailed picture of users' internet usage habits.
4. What Data Does a Supercookie Transmit?
A supercookie comprises information about user requests, such as the website they are attempting to access and the duration of their stay. This is referred to as superdata. However, supercookies can also encompass other types of data.
Regardless of the precise data linked to specific users that supercookies record, it raises serious concerns about privacy infringement. In fact, the use of phone numbers for user identification is deemed worrisome by the EFF. Hackers, other companies, or government organizations may seek detailed information about users.
5. What is a Cookie Zombie?
A cookie zombie is another breed of supercookie. True to its name, you can't 'kill' a cookie zombie. Even when you think you've 'killed' it, the cookie zombie can still 'come back to life.'
A cookie zombie remains intact because it hides outside your browser's regular cookie storage. It uses other locally stored data instead: HTML5 storage, RGB color code values, Silverlight storage, etc. That's why they're called cookie zombies. Advertisers only need to locate an existing cookie in one of those locations to recover the rest.
6. How to Remove a Supercookie?
Supercookies store a wealth of information about users. Some can restore regular cookies you have deleted, while others are not stored on your device at all. What can you do to eliminate them?
Networks may allow subscribers to opt out of UIDH tracking, but remember that opting out doesn't truly disable the header. It simply requests that the network not share detailed demographic information with advertisers seeking the UIDH value.
If a network decides to use a UIDH supercookie to track you, you're essentially out of luck. If someone is tracking you with a supercookie, the best course of action is to use a VPN to establish an encrypted connection between you and the rest of the internet. HTTPS is practically the standard for internet browsers; it also safeguards your internet traffic from prying eyes. Whenever possible, prioritize using HTTPS over a basic HTTP connection.
Beyond that, use well-regarded browser security tools alongside reputable antivirus and security applications.
UIDH supercookies pose a serious threat to internet privacy. They aren't stored on your computer, can discern your web traffic, and are extremely difficult to detect. Using HTTPS and a VPN may be helpful choices, but what internet users need is legislation requiring networks to allow opt-outs from tracking programs.