What Are Supercookies, and Why Are They Dangerous?

In March 2016, Verizon was hit with a $1.35 million fine for tracking customers with a unique identifier header (UIDH), also known as a “supercookie.” It was big news when Verizon was forced to make this tracking known and allow customers to opt out of it. But what is a supercookie? And why is it so much worse than a regular cookie? Here’s what you need to know.

Cookies and Supercookies

To understand supercookies, it’s important that you know what regular cookies are. An HTTP cookie, usually just known as a cookie, is a small piece of code that’s downloaded to a user’s browser when they visit a website. The cookie stores small pieces of information that might be useful to the website, the user, and interactions between the two.

For example, when you put some items in your shopping cart at Amazon, those items are stored in a cookie, so you can leave Amazon and come back without emptying your cart. The cookie sends that information back to Amazon when you return to the site.


Cookies can serve other functions too, like telling a website that you’re already logged in so you don’t have to log in again when you return. More controversially, third-party tracking cookies follow users around the Internet and report back to marketing and other companies telling them where you’ve been online.

A supercookie is a kind of tracking cookie, but it’s much more pernicious.

Untrashable Cookies

If you don’t want cookies tracking you around the Web, you can always just clear your browsing data. This gets rid of all the cookies that are stored on your computer, which means you’ll need to put your items back in your cart and log in to your websites again. But it also means those tracking cookies won’t be doing any more tracking.

A supercookie is different — clearing your browsing data won’t help. This is because a supercookie isn’t really a cookie; it’s not stored in your browser.


Instead, a piece of information that’s unique to a user’s connection is inserted into the HTTP header by an Internet service provider (ISP). This information uniquely identifies a device or, in the case of Verizon, a data plan, to the website being visited.

Because this information is injected between the device and the server that it’s connecting to, there’s nothing that a user can do about it. It can’t be deleted, because it’s not stored on the device. Ad-blocking software can’t do anything about it, because it happens after the request leaves the device.
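
One way to check whether a connection adds such a header is to send a plain-HTTP request to a server you control and compare what left the device with what arrived. The sketch below is an added example, not code from this article or from Verizon; the host echo.example, the two sample requests and the placeholder X-UIDH value are constructed for illustration.

```python
# Added example: compare the request a client sent with the copy that
# arrived at a test server the same person controls (plain HTTP only).

# Header the article names as carrier-injected; extend as needed.
KNOWN_TRACKING_HEADERS = {"x-uidh"}

def parse_headers(raw_request: bytes) -> dict:
    """Return {lowercased header name: [values]} from a raw HTTP/1.x request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers

def diff_in_transit(sent: bytes, received: bytes) -> dict:
    """Report headers added, changed or removed between client and server."""
    s, r = parse_headers(sent), parse_headers(received)
    added = {n: v for n, v in r.items() if n not in s}
    return {
        "added": added,
        "changed": {n: (s[n], r[n]) for n in s if n in r and s[n] != r[n]},
        "removed": sorted(n for n in s if n not in r),
        "tracking": sorted(n for n in added if n in KNOWN_TRACKING_HEADERS),
    }

# Constructed sample data: what the device wrote to the socket ...
SENT = (b"GET /echo HTTP/1.1\r\n"
        b"Host: echo.example\r\n"
        b"User-Agent: header-check/1.0\r\n"
        b"Accept: */*\r\n\r\n")
# ... and what the server logged, with a placeholder identifier added en route.
RECEIVED = (b"GET /echo HTTP/1.1\r\n"
            b"Host: echo.example\r\n"
            b"User-Agent: header-check/1.0\r\n"
            b"Accept: */*\r\n"
            b"X-UIDH: CONSTRUCTED-PLACEHOLDER\r\n\r\n")

if __name__ == "__main__":
    report = diff_in_transit(SENT, RECEIVED)
    print("added in transit:", report["added"])
    print("known tracking headers:", report["tracking"])
```

A clean result only covers the network path the test request actually took, so the check needs repeating on each connection of interest.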

The Dangers of Supercookies

The potential for privacy violation here should be obvious — in most cases, cookies are tied to a single website, and can’t be shared with other sites. The UIDH can be revealed to any website and contains a potentially vast amount of information on a user’s habits and history. And we know that Verizon was advertising this capability to their partners, so it’s likely that this specific use of supercookies was intended to collect a lot of data for the purposes of selling it.

The Electronic Frontier Foundation (EFF) also notes that a supercookie can be used by advertisers to essentially resurrect deleted cookies from a user’s device and link them to new ones, circumventing the strategies that users might take to prevent tracking:

[S]uppose an ad network assigned you a cookie with the unique value “cookie1,” and Verizon assigned you the X-UIDH header “old_uid.” When Verizon changes your X-UIDH header to a new value, say “new_uid,” the ad network can connect “new_uid” and “old_uid” to the same cookie value “cookie1” and see that they all three values represent the same person. Similarly, if you subsequently clear cookies, the ad network will assign a new cookie value “cookie2.” Since your X-UIDH value is the same (say, “new_uid”) before and after clearing cookies, the ad network can connect “cookie1” and “cookie2” to the same X-UIDH value “new_uid.” The back-and-forth bootstrapping of identity makes it impossible to truly clear your tracking history while the X-UIDH header is enabled.

In the same blog post, the EFF noted that a UIDH can also be applied to data sent from apps, which isn’t easy to track otherwise, and so provides an even more finely detailed picture of a user’s Internet usage. Verizon also bypasses the “Limit ad tracking” settings on iOS and Android, compounding the potential privacy violations that supercookies perpetrate in a browser.

A supercookie includes information on the request made by a user, like the website that they’re trying to visit and the time that the request was made. This is known as metadata (and is very similar to the metadata collected by the NSA from cell phone records). But supercookies can include other types of data as well.

Regardless of exactly what type of data they contain, however, if Verizon were to suffer a data breach and these cookies were tied back to specific users, that would be a huge privacy debacle, as the EFF stated that hashed phone numbers (which really aren’t very secure) were being used to identify users. Hackers, other companies, or government organizations would be very happy to get hold of this information.

The fact that Verizon was one of the companies taking part in the NSA’s PRISM program only makes this more worrying.

What Can You Do about Supercookies?

So supercookies store a lot of information about you, resurrect deleted normal cookies, and aren’t stored on your device. What can you do about them?

Unfortunately, the answer is “not very much.” Verizon now allows subscribers to opt out of their UIDH tracking, which is a big improvement over the secrecy that they kept around this type of tracking in the past. To opt out of this program, go to www.vzw.com/myprivacy, log into your account, and go to the Relevant Mobile Advertising section. Select “No, I don’t want to participate in Relevant Mobile Advertising.”


If you’re not a Verizon customer, you’re pretty much out of luck. If someone else is tracking you with a supercookie and you don’t know about it, your best bet is to use an encrypted connection over HTTPS or a virtual private network (VPN) to mask your traffic. These two methods aren’t susceptible to supercookie tracking.

Beyond that, you just have to hope that the names of other companies using this technology come to light sooner rather than later. Though with Verizon getting hit by a fine (albeit a very small one), that doesn’t seem likely to happen anytime soon.

The Next Generation of Online Tracking

Because they’re not stored on your computer, can uniquely identify your web traffic, and are extremely difficult to detect, UIDHs are a serious threat to privacy across the web. Using HTTPS and a VPN helps a lot, but what we really need is legislation that requires ISPs to allow us to opt out from these programs (and enforces these opt-outs). We’ll keep an eye on this very interesting threat to online anonymity and keep you posted!

What do you think about Verizon’s supercookie program? Do you think other providers are using it as well? Does this signal the end of online privacy? Share your thoughts below!

Image credits: opening closed blinds by ptnphoto via Shutterstock, Tizio via Wikimedia Commons, Michael Courtney via Shutterstock, ktsdesign via Shutterstock.


  1. Travis
    April 20, 2016 at 3:42 am


    Long Term Binary Objects are exactly these "supercookies."

    Use Firefox, and an add-on called Better Privacy to eliminate them.

    • Dann Albright
      April 20, 2016 at 5:40 pm

      I looked at Better Privacy, but from what I understand, it gets rid of a different kind of cookie. It specifically mentions Flash cookies, which are stored on your computer. The kind of supercookie that we're talking about here isn't stored on your computer, and can't be subverted by an extension, because it's applied after the data leaves your computer.

  2. Anonymous
    March 28, 2016 at 7:50 am

    When I registered to use this website, I was not asked about my preferences-- perhaps because my own preferences as a visitor are not important to MakeUseOf.com.

    Now, I know why I was not asked. While I composed the last message, this site played a loud American Express video commercial without first asking my preferences about having video played.

    This is the same anti-consumer abuse which the web industry likes to call "customer experience" but which shows little, if any, concern about what customers actually experience.

    Consider this comment an early indication visitors will not frequent MakeUseOf.com until it adds an "Opt-Out" option, and/or stops the practice of barraging visitors with video commercials.

    • Bruce Epper
      March 28, 2016 at 6:24 pm

      We do block those types of ads from appearing on the site, but when an ad network slips one in, we need to have details about it in order to block it. A screenshot can help. So does knowing where it appeared on the page so we can isolate what ad network served it.

      Because the same ads are not served to everyone, MakeUseOf staff may never end up seeing them so if you don't want to see it again on the site, drop a line with details and we will set about removing it from the rotation.

      • Dann Albright
        March 29, 2016 at 5:10 pm

        Thanks for responding to this, Bruce. And yes, please provide screenshots or any more useful information that you can get so we can take care of this as soon as possible!

  3. Anonymous
    March 28, 2016 at 7:42 am

    Notice the UIDH tracking devices were fielded among consumers before anyone in our congress expressed the slightest concern about privacy violations.

    This is the same congress which pliantly grants NSA or CIA permission to download American consumer "metadata", and is even less interested in closely monitoring how they do it, or what they do with it.

    • Dann Albright
      March 29, 2016 at 5:09 pm

      Unfortunately, it doesn't seem like congress is overly concerned with this sort of thing. In fact, it wouldn't surprise me if intelligence services are currently looking for ways to use this tech to their advantage.

  4. Anonymous
    March 26, 2016 at 8:35 pm

    "what we really need is legislation that requires ISPs to allow us to opt out from these programs (and enforces these opt-outs)."
    What we REALLY need is punishment severe enough to make companies think twice about using supercookies, maybe $1 million per supercookie per user, or in case of an ISP the loss of access to the EM spectrum.

    • Onk
      March 29, 2016 at 3:28 am

      "What we really need is legislation that requires any provider "you are paying" to not track anything unless you opt-in"

      If they want to give me my service for free, and I accept that, then feel free to do what you will. If I am paying for a service they should not be doing anything.

      We need legislation that puts the control back into the population's hands.
      It should not be assumed it is ok!!
      By default it should be not ok unless explicit permission is given, and not in some huge ULA that no one reads.

      • Dann Albright
        March 29, 2016 at 5:08 pm

        The requirement for opt-in would be fantastic, and would probably help a whole lot when it comes to privacy. With the amount of legislative power that ISPs have, though, I can't see this becoming a reality. I sincerely hope that we come up with something that helps get rid of supercookies, but I'm not super confident at the moment.

  5. Anonymous
    March 25, 2016 at 6:37 pm

    Are super cookies common? Can't imagine it's just Verizon. How about a name & shame list? Or provide a link to a website listing somewhere?

    • Dann Albright
      March 29, 2016 at 5:06 pm

      You know, I'm not totally sure. I'm sure other companies are using it as well, but I haven't seen a list anywhere. I'll keep an eye out for one and post a link if I see anything, but I'm not sure how many companies are going to want to reveal their use of this tech, considering that Verizon's been slapped with a fine now.

      • Anonymous
        March 29, 2016 at 5:09 pm

        Thanks for the reply, Dann! Last question (I promise) - how do I know if I have super cookies lurking in my computer?

        • Dann Albright
          April 5, 2016 at 2:32 pm

          Haha - I'm always happy to answer questions. :-)

          The thing about supercookies is that they DON'T lurk on your computer. That's what makes them so insidious. It's information that's inserted into the data you send over a network, so it's never actually stored. Which means you can't get rid of them. Doesn't seem fair, does it?