Tim Trott: The time is always right to do what is right

Supercookies: What You Need to Know About the Web’s Latest Tracking Device

By Tim Trott, Sunday 18th September 2011 in Security & Privacy

You deleted your cookies? Think again: new research has discovered that major websites such as MSN.com have been using a new kind of supercookie to track your online activities.

What is a cookie

A cookie is a small text file that is stored on your hard drive and is used by sites to tailor your viewing experience. Cookies typically contain information such as the last time you visited the site, a session id or any preferences you have set about how you customise the website (font size, colour scheme and so on). These cookies can only be accessed by that one website, and they are entirely optional.

Over the years these cookies have been manipulated into providing tracking information and targeted advertising, and alongside this our browsing habits have changed. We now access the internet via multiple devices (desktops, laptops, tablets and smartphones to name a few). The traditional cookie cannot be used to track across multiple devices, so the person doing the tracking can only track what you do on each device, not across all devices. With the recent advent of the "Do Not Track" movement, and some browsers disabling cookies by default or via extensions, the age of cookies is quickly drawing to a close.

Super Cookies

Researchers from Stanford University and the University of California at Berkeley have discovered new "supercookies" lurking on some major websites which have the ability to identify and track users across multiple devices and multiple websites, with some even being able to access your internet browsing history. These cookies are not controlled by the browser, are difficult for users to block or identify, and there seem to be no controls over what information they capture and what is done with that information.

The exact details of their implementations have not been released, but it has been rumoured that these supercookies will probably gain access to the unique identifiers or serial numbers of your devices and link them to some kind of global account, such as your Microsoft or Google account. Once the unique ID of your smartphone, laptop, TV, and game console has been linked to a central point, it becomes very easy to track your behaviour. Microsoft, Google, Apple or Facebook will know what time of day you wake up from the first time you check email or browse the web, the route you take to work and where you work (via GPS), what job you do via searches, as well as pretty much anything else you do online. Even if supercookies are not to be linked to your Microsoft, Google or Facebook accounts, if it is technically possible, it could allow for skilled hackers to gain access and swipe your information.

Supercookies are stored in different places than regular cookies, such as within the Web browser's cache of previously visited websites, which is where the Microsoft ones were located. Privacy-conscious users who know how to find and delete regular cookies might have trouble locating supercookies. Supercookies have also been found in Microsoft's advertising network, which places ads for other companies across the Internet. As a result, people could have had the supercookie installed on their machines without visiting Microsoft websites directly. Even if they deleted regular cookies, information about their Web-browsing could have been retained by Microsoft.
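One way to check for an identifier that outlives cookie deletion, as described above, is to compare cookie-jar snapshots taken before clearing, after clearing, and in a brand-new profile. This is an added example, not code from the research or from this site; the snapshot format, the domains and values, and the assumption that the surviving identifier is copied back into an ordinary cookie are all constructed for illustration.

```javascript
// Cookie-jar snapshots as {domain, name, value}. All values are constructed.
const beforeClear = [
  { domain: "adnet.example", name: "uid", value: "7f3c9e21b4d0" },
  { domain: "adnet.example", name: "ver", value: "2011-09-18" },
  { domain: "news.example", name: "sid", value: "c41d88a0e7" },
];
// Same profile after deleting all cookies and revisiting the same pages.
const afterClear = [
  { domain: "adnet.example", name: "uid2", value: "7f3c9e21b4d0" },
  { domain: "adnet.example", name: "ver", value: "2011-09-18" },
  { domain: "news.example", name: "sid", value: "9b02fe6671" },
];
// A brand-new profile visiting the same pages (control).
const freshProfile = [
  { domain: "adnet.example", name: "uid", value: "e19a0047cc5d" },
  { domain: "adnet.example", name: "ver", value: "2011-09-18" },
  { domain: "news.example", name: "sid", value: "55aa10fe32" },
];

const MIN_ID_LENGTH = 8; // heuristic (assumption): shorter values are flags, not IDs

// Report values that came back after the clear and are unique to this profile.
// Matching is on domain + value, so a renamed cookie is still caught.
function findRespawned(before, after, control) {
  const key = (c) => `${c.domain}\u0000${c.value}`;
  const oldNames = new Map(before.map((c) => [key(c), c.name]));
  const staticValues = new Set(control.map(key));
  return after
    .filter((c) => c.value.length >= MIN_ID_LENGTH)
    .filter((c) => oldNames.has(key(c)))      // value survived the clear
    .filter((c) => !staticValues.has(key(c))) // not a constant every visitor gets
    .map((c) => ({
      domain: c.domain,
      value: c.value,
      nameBefore: oldNames.get(key(c)),
      nameAfter: c.name,
    }));
}

console.log(findRespawned(beforeClear, afterClear, freshProfile));
```

Without the control profile, the constant `ver` value would be reported as well, which is why the comparison needs three snapshots rather than two.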

Why do these companies want to know the sites you visit?

Gathering information about your browsing history can offer valuable clues about your interests, concerns or household finances. For example, if you were to start researching a disease online, they can identify you as having the disease, or knowing someone who has it, and then target advertisements for prevention or cures at you wherever you go. The data collected about you may be stored remotely without you knowing about it or where the data is, and will more than likely be sold to the highest bidder for large sums of money. And let's not forget that most of these companies also have our credit card, contact, and address details, too.

Let's say you are on Amazon browsing for a few products. You then look at the same products on eBay or another retail site. Both sites feature advertisements served from the same provider (9/10 times DoubleClick network). Then, while reading on a forum site, or looking at the news, you start to see adverts for those same products. How did these adverts get there?

This is called targeted advertising. These ad networks are using third-party cookies: cookies set by sites other than the ones you are looking at. The more sites you look at, the more complete the picture of your browsing habits and interests that is collected about you. When they serve adverts they know what sites you've been on, what you've looked at, and the products you like.
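The shop-to-shop-to-forum scenario above can be audited from a log of the requests a browser made. The following is an added example, not code from this site or from any ad network: the log format, host names and cookie values are constructed, and `siteOf` is a simplification of how browsers decide what counts as third-party.

```javascript
// Constructed request log: the page being viewed, the host each request went
// to, and the Cookie header the browser attached (null if none).
const requestLog = [
  { page: "www.shop-a.example", host: "www.shop-a.example", cookie: "session=a1" },
  { page: "www.shop-a.example", host: "ads.adnet.example", cookie: "uid=7f3c9e" },
  { page: "www.shop-a.example", host: "static.cdn.example", cookie: null },
  { page: "www.shop-b.example", host: "px.adnet.example", cookie: "uid=7f3c9e" },
  { page: "www.shop-b.example", host: "static.cdn.example", cookie: null },
  { page: "www.shop-b.example", host: "chat.widget.example", cookie: "v=99" },
  { page: "forum.example", host: "ads.adnet.example", cookie: "uid=7f3c9e" },
];

// Simplification (assumption): the last two labels of a host are its "site".
// Real browsers consult the Public Suffix List instead.
const siteOf = (host) => host.split(".").slice(-2).join(".");

// For every third-party cookie, collect the first-party sites on which it was
// sent. An entry covering two or more sites is a cross-site browsing profile.
function crossSiteProfiles(log) {
  const byId = new Map();
  for (const { page, host, cookie } of log) {
    // Skip first-party requests and third-party requests that carry no cookie.
    if (!cookie || siteOf(host) === siteOf(page)) continue;
    const key = `${siteOf(host)}\u0000${cookie}`;
    if (!byId.has(key)) {
      byId.set(key, { tracker: siteOf(host), cookie, sites: new Set() });
    }
    byId.get(key).sites.add(siteOf(page));
  }
  return [...byId.values()]
    .filter((p) => p.sites.size >= 2)
    .map((p) => ({ ...p, sites: [...p.sites].sort() }));
}

console.log(crossSiteProfiles(requestLog));
```

The cookieless CDN and the widget seen on only one site are not reported; only the ad network's identifier links all three sites. Blocking third-party cookies, as recommended later in this article, removes the `cookie` value from those requests.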

A Real Example

I keep my work and personal data separate. I have a work laptop and a personal laptop. They are entirely separate: I don't do personal stuff, surf personal sites or sign into any personal accounts on my work laptop. Likewise, I don't do anything work-related on my personal laptop. There are no ways to connect the two.

That is until I needed to urgently access my personal Gmail on my work computer. Having entered my username, password and authentication code, I opened the email and printed the part I needed to. I then signed out and closed the browser. Imagine my surprise when I turned on my personal laptop and was browsing one of the car forums and saw adverts for the products we use at work showing. Just by signing into my Google account, they have linked my work browsing habits to my personal account.

What can be done about Supercookies

Simply clearing out your internet history, temporary files and cookies just isn't going to cut it in today's information age, nor are cookie blockers and history erasers.

Do Not Track (DNT) is a technology and policy proposed in 2009 that enables you to opt out of tracking; however, it is not widely implemented and is only voluntary.

Unfortunately, the supercookie technology is at the moment in its infancy and a proper defence has yet to be established. For the time being, this is what I do:

  • Use Google Chrome
  • Set cookies to delete when I close my browser
  • Block all third-party cookies
  • Set temporary files to be deleted when I close my browser
  • Install AdBlockPlus addon (I can no longer in good conscience recommend AdBlockPlus, as the developers now provide a means for ad publishers to bypass ad blocking through an "acceptable ads" policy.)
  • Install uBlock Origin
  • Install HTTPS Everywhere
  • Install FlashBlock
  • Do not use a web service to resolve navigation errors
  • Do not log into Google account unless I have to
  • Make sure that "Automatically send usage statistics and crash reports to Google" is UNTICKED.
  • Running Windows 10? Geez, you'd better read this: Windows 10 Privacy Settings

Further Reading

  1. Tracking the Trackers: Microsoft Advertising
  2. How to optimise Google Chrome for Privacy
  3. Do Not Track


About the Author

Tim Trott

Tim is a professional software engineer, designer, photographer and astronomer from the United Kingdom. You can follow him on Twitter to get the latest updates.
