This article is more than 1 year old
The Register Guide on how to stay anonymous (part 2)
The Evercookie: Like trying to kill Steven Seagal
In part one of this series, I explored the privacy threats presented by targeted advertising, and asked why we should care. Browser referral, social media buttons and cookies were examined as examples of basic methods used to track our movements across the internet.
I also explored why advertisers track us, and examined browser plugins that allow us to prevent it. Those plugins come in a few flavours, depending on the threat they are countering and whether or not they trust advertisers to play ball and honour our polite requests not to be tracked.
Not all advertisers play by the rules. Some legitimate websites belong to organisations that gather your personal information not for their corporate advertising use, but to sell it at a profit. These companies rarely play nice, and they certainly don’t limit themselves to the basic tracking methods discussed in part one.
This then is an examination of the internet privacy arms race: where do we stand, how bad is it, and what threats are on the horizon?
Locally Stored Objects
Locally Stored Objects (LSOs) have been around since March 2002, debuting with Adobe Flash Player 6. They have been considered a privacy concern for quite some time and their use has embroiled companies in lawsuits.
For all intents and purposes, they are cookies that are created by applications rather than the browser. While LSOs began with Flash, nearly all major multimedia browser plugins are capable of creating their own, and all require special care and configuration to manage.
These “super cookies" are often cross-browser – create an LSO while browsing in Internet Explorer and a website you browse in Firefox or Chrome could read it – and merge your browse history to obtain a more complete picture.
Java, JavaScript, Flash, Silverlight, as well as the HTML5 DOM, and more all have separate methods of creating files on your computer that they can fill with anything they like. While cookies in a browser are limited by well-defined web standards, the size and contents of LSOs is defined by the application vendor.
The existence of these LSOs leads inevitably to the existence of zombie cookies and inevitably to the frightening evercookie. Zombie cookies are cookies that come back from the dead. They do this by storing themselves in more than one location. Clear your browser cookies, but forget to clear your Flash LSO storage, and the browser cookie can be rebuilt from the Flash LSO.
I say we take off and nuke the site from orbit. It's the only way to be sure
The evercookie takes this to an extreme. In addition to browser cookies, the evercookie makes use of Flash and Silverlight LSOs, your web history, HTTP ETags, your web cache contents, window.name caching, IE user data storage, the HTML 5 session, and local, global and database storage.
The evercookie also stores a cookie hidden in the RGB values of an auto-generated force-cached PNG file. The PNG file then uses the HTML5 Canvas tag to read the pixels (thus the stored cookie information) back out.
If you miss clearing any one of these storage locations, and when you next visit a website run by the organisation that stored one of these digital horrors on your computer, the evercookie will automatically repopulate the information to all of the other storage locations.
Clearing cookies on your browser won’t clear LSOs. The standard plugins you rely on to manage your browser cookies won’t deal with LSOs. These little scumbags require special attention.
KISSmetrics – used by Hulu until just recently – is one example of a company that built a tracking network based on this nearly impossible to kill technology. They eventually climbed down from that position.