This content originally appeared on Bits and Pieces - Medium and was authored by Mahdhi Rezvi
Supercookies and Privacy
The internet has become a part and parcel of our daily lives. According to Hootsuite, we spend around 7 hours each day surfing the web. With all this time spent online, there is a very high chance that you have heard the term “cookies”. You would have even noticed that some websites have put up banners recently, asking for permission to use cookies.
What are Cookies?
Cookies are a mechanism used by websites to keep track of you. In the early days of the web, websites had a problem where they were unable to identify who you were, even if you visited that same site a moment ago. Imagine if you had gone to a store and selected a few items, but had forgotten your wallet in your car. And when you return to the store, your items are missing and you have to start all over again. To solve this problem, cookies were introduced. Cookies are files with small pieces of data that can uniquely identify you. This helps the website remember you and your identity to make things convenient for you.
Although cookies are not troublesome in general, certain types of cookies are dangerous. These types of cookies are known as tracking cookies. They track your behavior online and build a comprehensive profile of yours. This was mainly used by advertisers. This became a big threat to user privacy. But web browsers and security researchers came up with solutions to minimize the risk concerning cookies.
With these new implementations, advertisers and marketers were unable to collect data about users. Without online user behavioral data, they were unable to achieve their business targets. With this hurdle in place, they started developing cookies that are far more dangerous than ordinary cookies — Supercookies. It has been a cat and mouse game all along.
What are Supercookies?
According to security researcher Bennett Cyphers, a supercookie is “anything that isn’t a traditional cookie but acts like one”. Supercookies are developed in such a way that they act like traditional cookies but without causing an alarm. Even though browsers were equipped with tools to control cookies, they were unable to control this new variant of cookies. This was mainly because these types of cookies were hard to detect.
Supercookies allow third parties to track you across websites. This was not the case with ordinary cookies as you were only able to track users within your domain website. Moreover, you cannot delete or clear the supercookies that already exist on your computer. This is because supercookies do not exist on your computer. Instead, it is a part of your network. The culprit here is not a hacker or a hardcore criminal, it is your ISP. Your ISP adds a unique identifier in your HTTP header called Unique Identifier Header(UIDH). This happens after the request leaves your browser. Since it is not within your reach, you are helpless against these kinds of supercookies. Even ad blockers are ineffective against supercookies as it happens outside your device.
A few years back, Verizon was fined $1.3 million for injecting supercookies that modified the traffic flowing through its customers’ routers. Similar implementations were also found in networks like Bell Canada, Bharti Airtel, Cricket, Telefonica de España, Viettel Peru S.a.c., and Vodafone in the Netherlands and Spain.
Zombie Cookies
Zombie cookies are a variant of supercookies. These types of cookies are hard to kill — making them zombies. Even if you had thought you’d killed them, they can respawn back to life.
What makes zombie cookies different from other types of cookies is that they do not reside in the browser’s usual cookie storage. Instead, they target your browser’s local storage, HTML5 storage, RGB color code values, Silverlight storage, etc. Only one of the cookies stored in these different storage options is needed to respawn the rest. For you to clear out zombie cookies, you must make sure that you have deleted each and every instance where these cookies are stored in. Even if one remains, you are back to square one.
Why Are They Dangerous?
Supercookies
The reason why supercookies are dangerous is that you have almost no control over them. Your ISP is able to track each and every HTTP request you make. This includes pretty much everything from webpages, audio and video streams, etc.
Unlike traditional cookies, you cannot clear or delete supercookies. You will have to gain access to your ISP’s server and delete your unique data from that. That being legally impossible, you are left helpless. But it is suggested that you can use a connection anonymization tool such as a VPN. But you will have to make sure that your VPN is reliable as there have been several controversies surrounding VPNs.
After the UIDH controversy, Verizon allowed users to opt-out of this program. That being said, there is nothing stopping ISPs from using UIDH to collect our data. If they do so, we might not even be aware that an online profile is being created for us, based on our daily browsing.
Zombie cookies
When it comes to Zombie cookies, it is their variation that makes them dangerous. Since they target and reside in so many locations, it is very difficult for you to totally remove them. Especially with their ability to resurrect themselves with any leftovers, it is quite scary.
The issue with detecting these kinds of cookies is that they hide in plain sight. Since they use caches and other commonly used storage mechanisms, you might think it is easy to spot these out. But these cookies cleverly encode identifiers in the cached data making them very difficult to spot.
How to Stay Safe?
Cookies come in different sizes and shapes and protecting user privacy will always be a daunting task. But you can take some precautionary measures to keep yourself safe from supercookies.
Several leading browsers such as Safari, Chrome, and Firefox have released updates that rigorously crackdown supercookies. You can also use VPNs to maintain your anonymity online. Ad blockers and script blocker extensions can help you as well.
You can also visit AmIUnique or Panopticlick to check your browser fingerprint status.
“A child born today will grow up with no conception of privacy at all. They’ll never know what it means to have a private moment to themselves, an unrecorded unanalyzed thought. And that’s a problem because privacy matters. Privacy is what allows us to determine who we are and who we want to be.” –Edward Snowden.
Collaborate on independent components with Bit
Bit is an ultra-extensible tool that lets you author, version, and share independent components.
Use it to build modular design systems, author and deliver micro frontends or simply share components between applications.
Check out Bit’s latest beta version →
Thank you for reading!
Resources
FastCompany
EFF
MakeUseOf
Have We Lost The Privacy Battle To Supercookies? was originally published in Bits and Pieces on Medium, where people are continuing the conversation by highlighting and responding to this story.
This content originally appeared on Bits and Pieces - Medium and was authored by Mahdhi Rezvi
Mahdhi Rezvi | Sciencx (2021-03-22T22:06:24+00:00) Have We Lost The Privacy Battle To Supercookies?. Retrieved from https://www.scien.cx/2021/03/22/have-we-lost-the-privacy-battle-to-supercookies/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.