In March 2016, the FCC hit Verizon with a $1.35 million fine for tracking customers with a unique identifier header (UIDH), also known as a “supercookie.” It was big news when the FCC forced Verizon to allow customers to opt out of the tracking. But what is a supercookie? Why is a supercookie worse than a regular cookie?
Here’s what you need to know about supercookies—and how to remove them.
What Is a Cookie?
To understand supercookies, you need to understand what regular cookies are. An HTTP cookie, usually just known as a cookie, is a small piece of code that’s downloaded to a user’s browser when they visit a website. The cookie stores small pieces of information useful to the website, the user, and interactions between the two.
For example, when you put items in your Amazon shopping cart, those items store in a cookie. If you leave Amazon, when you return, your items remain in your cart. The cookie sends that information back to Amazon when you return to the site.
Regular cookies serve other functions too, like telling a website you are already logged in, so you don’t have to log in again when you return. More controversially, third-party tracking cookies follow you around the internet, reporting back to marketing and other companies about what you’re up to online.
What Is a Supercookie?
A supercookie is a tracking cookie, but one with a more sinister use, and it also works differently from a regular cookie.
With a regular cookie, if you don’t want it to follow you around the internet, you can clear your browsing data, your cookies, and more. You can block cookies and third-party cookies in your browser, and auto-delete cookies after your browser session ends. You have to log into each site again, and your shopping cart items won’t be saved, but it also means tracking cookies aren’t tracking you anymore.
A supercookie is different. Clearing your browsing data doesn’t help. This is because a supercookie isn’t really a cookie; it is not stored in your browser.
Instead, an ISP inserts a piece of information unique to a user’s connection into the HTTP request headers. That information uniquely identifies the device. In the case of Verizon, it allowed the tracking of every website visited.
Because the ISP injects the supercookie between the device and the server it is connecting to, there’s nothing the user can do about it. You cannot delete it, because it isn’t stored on your device. Ad and script blocking software cannot stop it, because the injection happens after the request leaves the device.
The Dangers of Supercookies
The potential for privacy violation here should be obvious — in most cases, cookies are tied to a single website, and can’t be shared with another site. The UIDH can be revealed to any website and contains a potentially vast amount of information on a user’s habits and history. Verizon was advertising this capability to its partners, too. It is highly likely this specific use of a supercookie was intended to capture a lot of data in order to sell it.
The Electronic Frontier Foundation (EFF) also notes that a supercookie can be used by advertisers to essentially resurrect deleted cookies from a user’s device and link them to new ones, circumventing the strategies that users might take to prevent tracking:
[S]uppose an ad network assigned you a cookie with the unique value “cookie1,” and Verizon assigned you the X-UIDH header “old_uid.” When Verizon changes your X-UIDH header to a new value, say “new_uid,” the ad network can connect “new_uid” and “old_uid” to the same cookie value “cookie1” and see that all three values represent the same person. Similarly, if you subsequently clear cookies, the ad network will assign a new cookie value “cookie2.” Since your X-UIDH value is the same (say, “new_uid”) before and after clearing cookies, the ad network can connect “cookie1” and “cookie2” to the same X-UIDH value “new_uid.” The back-and-forth bootstrapping of identity makes it impossible to truly clear your tracking history while the X-UIDH header is enabled.
In the same blog post, the EFF notes that a UIDH also applies to data sent from apps, which isn’t otherwise as easy to track. The combination allows the creation of a fine-grained picture of a user’s internet usage. Verizon also bypasses the “Limit ad tracking” settings on iOS and Android. Skirting this limit compounds the potential privacy violations that supercookies perpetrate.
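To make the EFF’s bootstrapping scenario concrete, here is an added Python example (not code from this article, from the EFF, or from any ad network) that models the linking step: any two identifiers that arrive together in one request are merged into the same identity cluster. It replays the quote’s sequence with the quote’s own values, and then replays the same browsing with the header absent, which is what a site sees when the header never reaches it. The `IdentityGraph` class and its method names are assumptions of this example.

```python
"""Identity linking across cookie and UIDH rotations (constructed example).

Each request an ad network sees carries a cookie value and, when the ISP
injects it, an X-UIDH value. Identifiers seen together are merged with a
union-find structure, which is the simplest way to model the "bootstrapping"
described in the EFF quote.
"""
from collections import defaultdict


class IdentityGraph:
    """Union-find over identifiers such as ("cookie", "cookie1") or ("uidh", "old_uid")."""

    def __init__(self):
        self._parent = {}

    def _find(self, node):
        self._parent.setdefault(node, node)
        while self._parent[node] != node:
            # Path halving keeps lookups near-constant time.
            self._parent[node] = self._parent[self._parent[node]]
            node = self._parent[node]
        return node

    def link(self, a, b):
        """Merge the clusters containing a and b."""
        root_a, root_b = self._find(a), self._find(b)
        if root_a != root_b:
            self._parent[root_a] = root_b

    def observe(self, cookie, uidh=None):
        """Record one request: the cookie is always present; the header only when injected."""
        self._find(("cookie", cookie))
        if uidh is not None:
            self.link(("cookie", cookie), ("uidh", uidh))

    def same_person(self, a, b):
        return self._find(a) == self._find(b)

    def cluster_of(self, node):
        """Every identifier the network now attributes to the same person as node."""
        root = self._find(node)
        return frozenset(n for n in list(self._parent) if self._find(n) == root)


def linkage_with_header():
    """Replay the EFF scenario: the header rotates, then the user clears cookies."""
    g = IdentityGraph()
    g.observe("cookie1", "old_uid")   # initial state
    g.observe("cookie1", "new_uid")   # carrier rotates the header
    g.observe("cookie2", "new_uid")   # user clears cookies and is assigned cookie2
    return g.same_person(("cookie", "cookie1"), ("cookie", "cookie2"))


def linkage_without_header():
    """Same browsing, but the header never reaches the site (it was never injected,
    or the request travelled over HTTPS or a VPN). Clearing cookies now works."""
    g = IdentityGraph()
    g.observe("cookie1")
    g.observe("cookie1")
    g.observe("cookie2")
    return g.same_person(("cookie", "cookie1"), ("cookie", "cookie2"))


if __name__ == "__main__":
    print("linked with header:", linkage_with_header())       # True
    print("linked without header:", linkage_without_header())  # False
```

The point to take from the two functions is that cookie clearing is only defeated because the header survives it; remove the header from the picture and the two cookie values are never joined.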
What Data Does a Supercookie Send?
A supercookie includes information on the request made by a user, like the website that they’re trying to visit and the time that the request was made. This is known as metadata (and is very similar to the metadata collected by the NSA from cell phone records). But supercookies can include other types of data as well.
Regardless of the exact type of data, if Verizon were to suffer a data breach and these cookies were tied to specific users, it would become a privacy nightmare. The EFF already found that hashed phone numbers were in use as user identifiers, which is a worrying sign. Hackers, other companies, or government organizations would love to get their hands on this type of information.
The fact that Verizon was one of the companies taking part in the NSA’s PRISM program only makes this more worrying.
What Is a Zombie Cookie?
A zombie cookie is another type of supercookie. As the name suggests, you cannot kill the zombie cookie. And when you do think you’ve killed it off, the zombie cookie can come back to life.
A zombie cookie remains intact because it hides outside of your browser’s regular cookie storage. Zombie cookies target local storage, HTML5 storage, RGB color code values, Silverlight storage, and more. An advertiser need only find an existing copy in one of those locations to resurrect the rest, which is why they’re known as zombie cookies. If a user fails to delete a single zombie cookie from any of the storage locations, they’re back to square one.
How to Remove a Supercookie
Supercookies store a lot of information about you. Some can resurrect deleted normal cookies, and some aren’t stored on your device. What on earth can you do about them, then?
Unfortunately, the answer for some supercookie types is “not very much.”
Verizon allows subscribers to opt out of UIDH tracking. If you are a Verizon user, head to www.vzw.com/myprivacy, log into your account, and go to the Relevant Mobile Advertising section. Select “No, I don’t want to participate in Relevant Mobile Advertising.” Please note that opting out doesn’t actually disable the header. It only tells Verizon not to share detailed demographic information with advertisers searching for a UIDH value. Furthermore, if you participate in the Verizon Selects program, the UIDH will remain active even after opting out.
If an ISP decides to use a UIDH-level supercookie to track you, you’re basically plumb out of luck. If someone is tracking you with a supercookie, your best bet is to use a VPN to create an encrypted connection between yourself and the rest of the internet. HTTPS, now almost the de facto standard for web browsing, also protects your internet traffic from snoopers. Where possible, always use HTTPS rather than a basic HTTP connection.
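Two points on this page, that the header is added after the request leaves the device (so nothing running on the device can see or block it) and that HTTPS keeps the ISP from adding it, can be seen in this added Python simulation. It is not the article’s code and not a model of Verizon’s real equipment: the ISP hop is a function that stamps `X-UIDH` on any plaintext request it can parse and forwards anything it cannot parse, such as a TLS record, untouched. The UID value, the hostnames and the TLS record bytes are constructed for the example; the only header name taken from the page is `X-UIDH`.

```python
"""Simulated ISP header injection, seen from the device and from the server.

Constructed example: the device sends a plaintext HTTP/1.1 request, an ISP hop
rewrites it in transit, and the origin server is the first party able to see the
added header. Not Verizon's real equipment; the UID value and hosts are made up.
"""

# Header names are case-insensitive in HTTP; X-UIDH is the name from the article.
KNOWN_TRACKING_HEADERS = {"x-uidh"}


def parse_request(raw: bytes):
    """Parse a plaintext HTTP/1.x request into (request_line, headers, body).

    Header names are lowercased. Returns None when the bytes are not a
    well-formed plaintext request (for example, a TLS record).
    """
    try:
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def serialize_request(request_line: str, headers: dict, body: bytes) -> bytes:
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers.items()])
    return head.encode("ascii") + b"\r\n\r\n" + body


def device_request(host: str, path: str) -> bytes:
    """What leaves the device: no tracking header exists at this point."""
    return serialize_request(f"GET {path} HTTP/1.1",
                             {"Host": host, "User-Agent": "example-browser/1.0"}, b"")


def isp_hop(raw: bytes, uid: str) -> bytes:
    """Simulated middlebox: stamp X-UIDH on any request it can read; forward
    anything it cannot parse (encrypted traffic) unchanged."""
    parsed = parse_request(raw)
    if parsed is None:
        return raw
    request_line, headers, body = parsed
    headers["x-uidh"] = uid
    return serialize_request(request_line, headers, body)


def detect_tracking_headers(raw_as_received: bytes) -> dict:
    """Server-side check: which known injected headers arrived, with their values."""
    parsed = parse_request(raw_as_received)
    if parsed is None:
        return {}
    return {n: v for n, v in parsed[1].items() if n in KNOWN_TRACKING_HEADERS}


def plaintext_scenario():
    """Returns (what a device-side blocker sees, what the server sees)."""
    before = device_request("example.com", "/")
    after = isp_hop(before, "CONSTRUCTED_UID_123")
    return detect_tracking_headers(before), detect_tracking_headers(after)


def encrypted_scenario() -> bool:
    """With HTTPS the hop only sees TLS records, so the header cannot be added.

    The record below is a constructed stand-in for a TLS 1.2 application-data
    record (type 0x17, version 0x0303, 64-byte length) carrying opaque ciphertext.
    """
    record = b"\x17\x03\x03\x00\x40" + bytes(range(0x80, 0xC0))
    return isp_hop(record, "CONSTRUCTED_UID_123") == record


if __name__ == "__main__":
    print("plaintext:", plaintext_scenario())
    print("encrypted record passes unchanged:", encrypted_scenario())
```

The practical part is `detect_tracking_headers`: since the header is only visible once the request has crossed the ISP, the way to find out whether your own connection carries one is to fetch a plain-HTTP page from a server you control (or any service that echoes request headers) over the mobile connection and inspect the headers the server received. The same check run on `before`, which is all a device-side blocker ever sees, reports nothing.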
Otherwise, check out The Best Browser Security Tools section in the MakeUseOf guide to the best security and antivirus apps.
Online Tracking Is Dangerous
UIDHs are a serious threat to internet privacy. They’re not stored on your computer, can uniquely identify your web traffic, and are extremely difficult to detect. Using HTTPS and a VPN helps, but what internet users need is strong legislation requiring ISPs to allow us to opt out of such tracking programs, if not to stop dangerous, invasive tracking programs altogether. Lawmakers in the US state of Maine recently passed a bill preventing ISPs from selling private internet data to advertisers.
Worried about Facebook tracking? Here’s how you stop Facebook tracking your online movements.