In March 2016, Verizon was hit with a $1.35 million fine for tracking customers with a unique identifier header (UIDH), also known as a “supercookie.” It was big news when Verizon was forced to make this tracking known and allow customers to opt out of it. But what is a supercookie? And why is it so much worse than a regular cookie? Here’s what you need to know.
Cookies and Supercookies
To understand supercookies, it’s important that you know what regular cookies are. An HTTP cookie, usually just known as a cookie, is a small piece of data that’s downloaded to a user’s browser when they visit a website. The cookie stores small pieces of information that might be useful to the website, the user, and interactions between the two.
For example, when you put some items in your shopping cart at Amazon, those items are stored in a cookie, so you can leave Amazon and come back without emptying your cart. The cookie sends that information back to Amazon when you return to the site.
Cookies can serve other functions too, like telling a website that you’re already logged in so you don’t have to log in again when you return. More controversially, third-party tracking cookies follow users around the Internet and report back to marketing and other companies telling them where you’ve been online.
A supercookie is a kind of tracking cookie, but it’s much more pernicious.
If you don’t want cookies tracking you around the Web, you can always just clear your browsing data. This gets rid of all the cookies that are stored on your computer, which means you’ll need to put your items back in your cart and log in to your websites again. But it also means those tracking cookies won’t be doing any more tracking.
A supercookie is different — clearing your browsing data won’t help. This is because a supercookie isn’t really a cookie; it’s not stored in your browser.
Instead, a piece of information that’s unique to a user’s connection is inserted into the HTTP header by an Internet service provider (ISP). This information uniquely identifies a device or, in the case of Verizon, a data plan, to the website being visited.
Because this information is injected between the device and the server that it’s connecting to, there’s nothing that a user can do about it. It can’t be deleted, because it’s not stored on the device. Ad-blocking software can’t do anything about it, because it happens after the request leaves the device.
The Dangers of Supercookies
The potential for privacy violation here should be obvious — in most cases, cookies are tied to a single website, and can’t be shared with other sites. The UIDH can be revealed to any website and contains a potentially vast amount of information on a user’s habits and history. And we know that Verizon was advertising this capability to their partners, so it’s likely that this specific use of supercookies was intended to collect a lot of data for the purposes of selling it.
The Electronic Frontier Foundation (EFF) also notes that a supercookie can be used by advertisers to essentially resurrect deleted cookies from a user’s device and link them to new ones, circumventing the strategies that users might take to prevent tracking:
[S]uppose an ad network assigned you a cookie with the unique value “cookie1,” and Verizon assigned you the X-UIDH header “old_uid.” When Verizon changes your X-UIDH header to a new value, say “new_uid,” the ad network can connect “new_uid” and “old_uid” to the same cookie value “cookie1” and see that all three values represent the same person. Similarly, if you subsequently clear cookies, the ad network will assign a new cookie value “cookie2.” Since your X-UIDH value is the same (say, “new_uid”) before and after clearing cookies, the ad network can connect “cookie1” and “cookie2” to the same X-UIDH value “new_uid.” The back-and-forth bootstrapping of identity makes it impossible to truly clear your tracking history while the X-UIDH header is enabled.
In the same blog post, the EFF noted that a UIDH can also be applied to data sent from apps, which isn’t easy to track otherwise, and so provides an even more finely detailed picture of a user’s Internet usage. Verizon also bypasses the “Limit ad tracking” settings on iOS and Android, compounding the potential privacy violations that supercookies perpetrate in a browser.
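The EFF scenario quoted above can be modelled as a small graph problem, which shows why clearing cookies does not reset identity while the header is present. This is an added example, not code from the EFF or Verizon; the function name and the observation format are assumptions, and the identifier values are the ones used in the quote.

```python
# Added example: model the identifier linking described in the EFF quote.
# Each observation is (cookie_value, x_uidh_value_or_None) for one request.
def link_identities(observations):
    """Group identifiers that were ever seen together, using union-find."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for cookie, uidh in observations:
        c = ("cookie", cookie)
        find(c)                             # register the cookie on its own
        if uidh is not None:                # header present: link the two
            parent[find(c)] = find(("uidh", uidh))

    clusters = {}
    for node in parent:
        clusters.setdefault(find(node), set()).add(node[1])
    return sorted(sorted(c) for c in clusters.values())

# The three requests from the quote, in order.
WITH_HEADER = [
    ("cookie1", "old_uid"),   # first visit
    ("cookie1", "new_uid"),   # carrier rotates the header value
    ("cookie2", "new_uid"),   # user clears cookies, gets a new one
]
# Same browsing, but the header never reaches the site.
WITHOUT_HEADER = [(cookie, None) for cookie, _ in WITH_HEADER]

if __name__ == "__main__":
    print(link_identities(WITH_HEADER))
    print(link_identities(WITHOUT_HEADER))
```

With the header, all four identifiers collapse into one profile; without it, "cookie1" and "cookie2" stay separate, which is what clearing cookies is supposed to achieve.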
A supercookie includes information on the request made by a user, like the website that they’re trying to visit and the time that the request was made. This is known as metadata (and is very similar to the metadata collected by the NSA from cell phone records). But supercookies can include other types of data as well.
Regardless of exactly what type of data they contain, however, if Verizon were to suffer a data breach and these cookies were tied back to specific users, that would be a huge privacy debacle, as the EFF stated that hashed phone numbers (which really aren’t very secure) were being used to identify users. Hackers, other companies, or government organizations would be very happy to get hold of this information.
The fact that Verizon was one of the companies taking part in the NSA’s PRISM program only makes this more worrying.
What Can You Do about Supercookies?
So supercookies store a lot of information about you, resurrect deleted normal cookies, and aren’t stored on your device. What can you do about them?
Unfortunately, the answer is “not very much.” Verizon now allows subscribers to opt out of their UIDH tracking, which is a big improvement over the secrecy that they kept around this type of tracking in the past. To opt out of this program, go to www.vzw.com/myprivacy, log into your account, and go to the Relevant Mobile Advertising section. Select “No, I don’t want to participate in Relevant Mobile Advertising.”
If you’re not a Verizon customer, you’re pretty much out of luck. If someone else is tracking you with a supercookie and you don’t know about it, your best bet is to use an encrypted connection over HTTPS or a virtual private network (VPN) to mask your traffic. These two methods aren’t susceptible to supercookie tracking.
Beyond that, you just have to hope that the names of other companies using this technology come to light sooner rather than later. Though with Verizon getting hit by a fine (albeit a very small one), that doesn’t seem likely to happen anytime soon.
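One way to check whether something on the network path is adding headers is to compare the request your client sent with the request an echo server reports receiving. This is an added example, not a tool from the original article; the host name, header values and function names are constructed, and it assumes you control an endpoint that returns the raw request head it received.

```python
# Added example: find headers inserted between the client and the server.
TRACKING_HEADERS = {"x-uidh"}   # the header named in this article

def parse_request_head(raw):
    """Return {lowercased-name: [values]} from a raw HTTP/1.x request head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:              # skip the request line
        if not line:                    # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue                    # not a header line
        # Header names are case-insensitive and may repeat.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def diff_headers(sent_raw, received_raw):
    """Report headers the server saw that the client never sent or that changed."""
    sent = parse_request_head(sent_raw)
    received = parse_request_head(received_raw)
    added = {n: v for n, v in received.items() if n not in sent}
    changed = {n: (sent[n], v) for n, v in received.items()
               if n in sent and sent[n] != v}
    tracking = sorted(n for n in added if n in TRACKING_HEADERS)
    return {"added": added, "changed": changed, "tracking": tracking}

# Constructed sample: what the client sent.
SENT = ("GET /echo HTTP/1.1\r\nHost: echo.example\r\n"
        "User-Agent: demo-client/1.0\r\nAccept: */*\r\n\r\n")
# Constructed sample: what the echo server saw over plain HTTP.
RECEIVED_HTTP = ("GET /echo HTTP/1.1\r\nhost: echo.example\r\n"
                 "User-Agent: demo-client/1.0\r\nAccept: */*\r\n"
                 "X-UIDH: CONSTRUCTED-SAMPLE-VALUE\r\n\r\n")
# Over HTTPS the request is encrypted in transit, so it arrives as sent.
RECEIVED_HTTPS = SENT

if __name__ == "__main__":
    print(diff_headers(SENT, RECEIVED_HTTP))
    print(diff_headers(SENT, RECEIVED_HTTPS))
```

Run the comparison once over plain HTTP and once over HTTPS or a VPN from the same connection; a header that shows up only in the plain HTTP result was added in transit.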
The Next Generation of Online Tracking
Because they’re not stored on your computer, can uniquely identify your web traffic, and are extremely difficult to detect, UIDHs are a serious threat to privacy across the web. Using HTTPS and a VPN helps a lot, but what we really need is legislation that requires ISPs to allow us to opt out from these programs (and enforces these opt-outs). We’ll keep an eye on this very interesting threat to online anonymity and keep you posted!
What do you think about Verizon’s supercookie program? Do you think other providers are using it as well? Does this signal the end of online privacy? Share your thoughts below!