What Are Supercookies? Here’s How to Remove Them Properly

In March 2016, the FCC hit Verizon with a $1.35 million fine for tracking customers with a unique identifier header (UIDH), also known as a “supercookie.” It was big news when the FCC forced Verizon to allow customers to opt-out of the tracking. But what is a supercookie? Why is a supercookie worse than a regular cookie?

Here’s what you need to know about supercookies—and how to remove them.

What Is a Cookie?

To understand supercookies, you need to understand what regular cookies are. An HTTP cookie, usually just called a cookie, is a small piece of data that a website hands to a user's browser when they visit. The cookie stores small pieces of information useful to the website, the user, and the interactions between the two.

For example, when you put items in your Amazon shopping cart, those items are stored in a cookie. If you leave Amazon, your items remain in your cart when you return, because the browser sends the cookie back to Amazon with the next request.


Regular cookies serve other functions too, like telling a website you are already logged in, so you don’t have to log in again when you return. More controversially, third-party tracking cookies follow you around the internet, reporting back to marketing and other companies about what you’re up to online.

What Is a Supercookie?

A supercookie is a tracking cookie with a more sinister use, and it also works differently from a regular cookie.

With a regular cookie, if you don't want it to follow you around the internet, you can clear your browsing data, cookies included. You can block cookies and third-party cookies in your browser, and auto-delete cookies when your browser session ends. You have to log into each site again and your shopping cart items won't persist, but it also means tracking cookies aren't tracking you anymore.

A supercookie is different. Clearing your browsing data doesn’t help. This is because a supercookie isn’t really a cookie; it is not stored in your browser.

Instead, an ISP inserts a piece of information unique to a user's connection into the HTTP header. That information uniquely identifies the device. In the case of Verizon, it allowed the tracking of every website visited.

Because the ISP injects the supercookie between the device and the server it is connecting to, there's nothing the user can do about it. You cannot delete it, because it isn't stored on your device. Ad- and script-blocking software cannot stop it, because the header is added after the request leaves the device.
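The injection point described above, as an added example that is not from the article: a site operator who knows what the client sent can diff it against what arrived and see exactly which header was inserted in transit. The middlebox function and the sample request are constructed stand-ins; only the header name X-UIDH comes from the Verizon case.

```python
# Added example (not from the article): detect a header inserted between client
# and origin by comparing the request as sent with the request as received.
from typing import Dict, List, Tuple

def parse_head(raw: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP/1.1 request into {lower-cased name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def isp_middlebox(raw: str, uid: str) -> str:
    """Constructed stand-in for the ISP: appends X-UIDH to a plaintext request.
    On a TLS connection it sees only ciphertext, which is why HTTPS defeats it."""
    head, sep, body = raw.partition("\r\n\r\n")
    return f"{head}\r\nX-UIDH: {uid}{sep}{body}"

def added_in_transit(sent: str, received: str) -> List[Tuple[str, str]]:
    """Any header the client never emitted, or whose value changed on the way,
    was inserted somewhere along the path."""
    before, after = parse_head(sent), parse_head(received)
    return sorted((k, v) for k, v in after.items() if before.get(k) != v)

CLIENT_REQUEST = (  # constructed sample request, not captured traffic
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "Cookie: session=cookie1\r\n"
    "\r\n"
)

if __name__ == "__main__":
    on_the_wire = isp_middlebox(CLIENT_REQUEST, "EXAMPLE_UID_VALUE")
    for name, value in added_in_transit(CLIENT_REQUEST, on_the_wire):
        print(f"inserted in transit: {name}: {value}")
```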

The Dangers of Supercookies

The potential for privacy violation here should be obvious: in most cases, cookies are tied to a single website and can't be shared with another site. The UIDH can be revealed to any website and can be used to tie together a potentially vast amount of information on a user's habits and history. Verizon was advertising this capability to its partners, too. It is highly likely this specific use of a supercookie was intended to capture a lot of data in order to sell it.

The Electronic Frontier Foundation (EFF) also notes that a supercookie can be used by advertisers to essentially resurrect deleted cookies from a user’s device and link them to new ones, circumventing the strategies that users might take to prevent tracking:

[S]uppose an ad network assigned you a cookie with the unique value "cookie1," and Verizon assigned you the X-UIDH header "old_uid." When Verizon changes your X-UIDH header to a new value, say "new_uid," the ad network can connect "new_uid" and "old_uid" to the same cookie value "cookie1" and see that all three values represent the same person. Similarly, if you subsequently clear cookies, the ad network will assign a new cookie value "cookie2." Since your X-UIDH value is the same (say, "new_uid") before and after clearing cookies, the ad network can connect "cookie1" and "cookie2" to the same X-UIDH value "new_uid." The back-and-forth bootstrapping of identity makes it impossible to truly clear your tracking history while the X-UIDH header is enabled.

In the same blog post, the EFF notes that a UIDH also applies to data sent from apps, which is otherwise harder to track. The combination allows a fine-grained picture of a user's internet usage to be built. Verizon also bypasses the "Limit Ad Tracking" settings on iOS and Android, and skirting this limit compounds the privacy violations that supercookies perpetrate.
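The bootstrapping the EFF describes, as an added example that is neither the article's nor the EFF's code: a union-find over identifiers seen together in the same request. The observations are a constructed timeline following the quote, and the HTTPS variant (header absent) shows why the cookie clear only works when the ISP cannot add the header.

```python
# Added example (not from the article): model how identifiers seen together in one
# request become linked, and what is left to link when the header never arrives.
from typing import Dict, Iterable, List, Optional, Set, Tuple

Observation = Tuple[str, Optional[str]]  # (cookie value, X-UIDH value or None)

class IdentityGraph:
    """Union-find over identifiers: two identifiers seen in the same request are
    the same person, and that relation is transitive."""
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb

    def observe(self, cookie: str, uidh: Optional[str]) -> None:
        self.find("cookie:" + cookie)            # register the cookie on its own
        if uidh is not None:                     # header absent (HTTPS): nothing to link
            self.union("cookie:" + cookie, "uidh:" + uidh)

def linked_identities(observations: Iterable[Observation]) -> List[Set[str]]:
    """Group every identifier the ad network can tie to the same person."""
    g = IdentityGraph()
    for cookie, uidh in observations:
        g.observe(cookie, uidh)
    groups: Dict[str, Set[str]] = {}
    for ident in list(g.parent):
        groups.setdefault(g.find(ident), set()).add(ident)
    return sorted(groups.values(), key=lambda s: sorted(s))

# Constructed timeline from the EFF quote: the UIDH rotates, then the user clears cookies.
OVER_HTTP = [("cookie1", "old_uid"), ("cookie1", "new_uid"), ("cookie2", "new_uid")]
# Same timeline over HTTPS: the ISP cannot add the header, so the ad network never sees it.
OVER_HTTPS = [("cookie1", None), ("cookie1", None), ("cookie2", None)]

if __name__ == "__main__":
    print(linked_identities(OVER_HTTP))   # one group holding both cookies and both UIDs
    print(linked_identities(OVER_HTTPS))  # two separate groups: the cookie clear held
```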

What Data Does a Supercookie Send?

A supercookie includes information on the request made by a user, like the website that they’re trying to visit and the time that the request was made. This is known as metadata (and is very similar to the metadata collected by the NSA from cell phone records). But supercookies can include other types of data as well.

Regardless of the exact type of data, if Verizon were to suffer a data breach and these cookies were tied to specific users, it would become a privacy nightmare. The EFF already found that hashed phone numbers were in use as user identifiers, which is a worrying sign. Hackers, other companies, or government organizations would love to get their hands on this type of information.

The fact that Verizon was one of the companies taking part in the NSA’s PRISM program only makes this more worrying.

What Is a Zombie Cookie?

A zombie cookie is another type of supercookie. As the name suggests, you cannot kill a zombie cookie, and when you think you've killed it off, it can come back to life.

A zombie cookie remains intact as it hides outside of your browser’s regular cookie storage. Zombie cookies target local storage, HTML5 storage, RGB color code values, Silverlight storage, and more. That’s why they’re known as zombie cookies. An advertiser must only find an existing cookie in one of those locations to resurrect the rest. If a user fails to delete a single zombie cookie from any of the storage locations, they’re back to square one.

How to Remove a Supercookie

Supercookies store a lot of information about you. Some can resurrect deleted normal cookies, and some aren’t stored on your device. What on earth can you do about them, then?

Unfortunately, the answer for some supercookie types is “not very much.”

Verizon allows subscribers to opt-out of UIDH tracking. If you are a Verizon user, head to www.vzw.com/myprivacy, log into your account, and go to the Relevant Mobile Advertising section. Select “No, I don’t want to participate in Relevant Mobile Advertising.” Please note that opting out doesn’t actually disable the header. It only tells Verizon not to share detailed demographic information with advertisers searching for a UIDH value. Furthermore, if you participate in the Verizon Selects program, the UIDH will remain active even after opting out.

If an ISP decides to use a UIDH-level supercookie to track you, you're basically plumb out of luck. If someone is tracking you with a supercookie, your best bet is to use a VPN to create an encrypted connection between yourself and the rest of the internet: the ISP cannot insert a header into traffic it cannot read. HTTPS, now close to the de facto standard for web browsing, likewise protects your traffic from snoopers in the middle. Where possible, always use HTTPS over a basic HTTP connection.

Otherwise, check out the Best Browser Security Tools section in the MakeUseOf guide to the best security and antivirus apps.

Online Tracking Is Dangerous

UIDHs are a serious threat to internet privacy. They're not stored on your computer, they can uniquely identify your web traffic, and they are extremely difficult to detect. Using HTTPS and a VPN helps, but what internet users need is strong legislation requiring ISPs to allow us to opt out of such tracking programs, if not to stop dangerous, invasive tracking programs altogether. Lawmakers in the US state of Maine recently passed a bill preventing ISPs from selling private internet data to advertisers.

Worried about Facebook tracking? Here's how to stop Facebook tracking your online movements.


  1. Doug
    August 31, 2019 at 6:56 pm

    So the "Here's How To Remove Them Properly" part of the article's title boils down to - "Ask Your ISP Politely"?

  2. Travis
    April 20, 2016 at 3:42 am

    LBO's

    Long Term Binary Objects are exactly these "supercookies."

    Use firefox, and an ad on called Better Privacy to eliminate them.

    • Dann Albright
      April 20, 2016 at 5:40 pm

      I looked at Better Privacy, but from what I understand, it gets rid of a different kind of cookie. It specifically mentions Flash cookies, which are stored on your computer. The kind of supercookie that we're talking about here isn't stored on your computer, and can't be subverted by an extension, because it's applied after the data leaves your computer.

  3. Anonymous
    March 28, 2016 at 7:50 am

    When I registered to use this website, I was not asked about my preferences-- perhaps because my own preferences as a visitor are not important to MakeUseOf.com.

    Now, I know why I was not asked. While I composed the last message, this site played a loud American Express video commercial without first asking my preferences about having video played.

    This is the same anti-consumer abuse which the web industry likes to call "customer experience" but which shows little, if any, concern about what customers actually experience.

    Consider this comment an early indication visitors will not frequent MakeUseOf.com until it adds an "Opt-Out" option, and/or stops the practice of barraging visitors with video commercials.

    • Bruce Epper
      March 28, 2016 at 6:24 pm

      We do block those types of ads from appearing on the site, but when an ad network slips one in, we need to have details about it in order to block it. A screenshot can help. So does knowing where it appeared on the page so we can isolate what ad network served it.

      Because the same ads are not served to everyone, MakeUseOf staff may never end up seeing them so if you don't want to see it again on the site, drop a line with details and we will set about removing it from the rotation.

      • Dann Albright
        March 29, 2016 at 5:10 pm

        Thanks for responding to this, Bruce. And yes, please provide screenshots or any more useful information that you can get so we can take care of this as soon as possible!

  4. Anonymous
    March 28, 2016 at 7:42 am

    Notice the UIDH tracking devices were fielded among consumers before anyone in our congress expressed the slightest concern about privacy violations.

    This is the same congress which pliantly grants NSA or CIA permission to download American consumer "metadata", and is even less interested in closely monitoring how they do it, or what they do with it.

    • Dann Albright
      March 29, 2016 at 5:09 pm

      Unfortunately, it doesn't seem like congress is overly concerned with this sort of thing. In fact, it wouldn't surprise me if intelligence services are currently looking for ways to use this tech to their advantage.

  5. Anonymous
    March 26, 2016 at 8:35 pm

    "what we really need is legislation that requires ISPs to allow us to opt out from these programs (and enforces these opt-outs)."
    What we REALLY need is punishment severe enough to make companies think twice about using supercookies, maybe $1 million per supercookie per user, or in case of an ISP the loss of access to the EM spectrum.

    • Onk
      March 29, 2016 at 3:28 am

      "What we really need is legislation that requires any provider "you are paying" to not track anything unless you opt-in"

      If they want to give me my service for free, and I accept that then feel free to do what you will, If I am paying for a service they should not be doing anything.

      We need legislation that puts the control back into the population's hands.
      It should not be assumed it is ok!!
      By default it should be not ok unless explicit permission is given, and not in some huge ULA that no one reads.

      • Dann Albright
        March 29, 2016 at 5:08 pm

        The requirement for opt-in would be fantastic, and would probably help a whole lot when it comes to privacy. With the amount of legislative power that ISPs have, though, I can't see this becoming a reality. I sincerely hope that we come up with something that helps get rid of supercookies, but I'm not super confident at the moment.

  6. Anonymous
    March 25, 2016 at 6:37 pm

    Are super cookies common? Can't imagine it's just Verizon. How about a name & shame list? Or provide a link to a website listing somewhere?

    • Dann Albright
      March 29, 2016 at 5:06 pm

      You know, I'm not totally sure. I'm sure other companies are using it as well, but I haven't seen a list anywhere. I'll keep an eye out for one and post a link if I see anything, but I'm not sure how many companies are going to want to reveal their use of this tech, considering that Verizon's been slapped with a fine now.

      • Anonymous
        March 29, 2016 at 5:09 pm

        Thanks for the reply, Dann! Last question (I promise) - how do I know if I have super cookies lurking in my computer?

        • Dann Albright
          April 5, 2016 at 2:32 pm

          Haha - I'm always happy to answer questions. :-)

          The thing about supercookies is that they DON'T lurk on your computer. That's what makes them so insidious. It's information that inserted into the data you send over a network, so it's never actually stored. Which means you can't get rid of them. Doesn't seem fair, does it?