The war against persistent zombie cookies—cookies that never seem to lose your data, even when you delete them—rages on, as users learn more about the technology. While awareness is rising thanks to widespread coverage of Flash cookies and, more recently, HTML5's storage capabilities, we have a long way to go before Internet users can avoid persistent tracking. Like all zombie wars, this one will take some time to win; and if you thought things were bad now, they're about to get worse.
Case in point: evercookie, an open source JavaScript API by developer Samy Kamkar. When implemented by a website, evercookie stores a user ID and cookie data in not two, not three, but eight different places—with more on the way. Among them are your standard HTTP cookies, Flash cookies, RGB values of force-cached PNGs, your Web history, and a smattering of HTML5 storage features. In addition, Silverlight Storage and Java are apparently on the way.
So, when you delete the cookie in one, three, or five places, evercookie can dip into one of its many other repositories to poll your user ID and restore the data tracking cookies. It works cross-browser, too—if the Local Shared Object cookie is intact, evercookie can spread to whatever other browsers you choose to use on the same machine. Since most users are barely aware of these storage methods, it's unlikely that users will ever delete all of them.
"Simply think of it as cookies that just won't go away," reads the evercookie FAQ.
Sound evil? It is. But Kamkar—whose motto is "think bad, do good"—doesn't seem all that evil. In fact, Kamkar told Ars that he wrote evercookie to raise user awareness about the ways in which companies can track them.
"I hope evercookie simply demonstrates to people what types of methods are being employed to track them and to decide whether or not they want to prevent those methods," he said. "evercookie took less than a day to create for me as a security hobbyist, so I can only imagine the technology that funded developers are producing."
Kamkar says he doesn't actually use evercookie to track people—it exists largely as a proof of concept, and he's not using technologies that are particularly bleeding edge in the developer world.
"None of these are new techniques," he told Ars, "but an API like this is awesome at raising awareness."
Of course, the mere fact that evercookie exists (and exists as an open source project that anyone can use) means that there will be some evil Web developers who make use of it, but that's almost the point. We're supposed to be scared.
Kamkar sees his project as a kind of litmus test to see whether people really are up to protecting themselves from being tracked by persistent cookies that anyone could implement, but he also understands that the "average" Internet user is hardly aware of traditional cookies, much less Flash cookies and beyond. Deleting the data from all eight (or more) storage mechanisms can be a pretty daunting task even for the relatively experienced surfer.
"I hope to produce software that allows deleting data from any and all of these storage mechanisms for the average user to make use of," Kamkar said. "I also hope evercookie stems others to develop similar software."
Kamkar's API comes just days after a lawsuit was filed against a company for making use of the HTML5 Web SQL database storage capabilities that come with Safari, Chrome, and Opera. First exposed by Ars Technica, this particular company (Ringleader Digital) made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases, telling Ars that the only way to opt out of the tracking was to use the company's opt-out link (which gives the user no confirmation that they are, in fact, opted out.)
Then there are a number of previous lawsuits over zombie Flash cookies, which have the same goal when it comes to user tracking. They don't want you to delete their info, so they work around it by storing the data in multiple places and restoring it once you delete.
While Internet users wait for software to protect against such extensive tracking, Kamkar did point out that the safe browsing mode in many browsers will probably help for now. "I found that using 'Private Browsing' in Safari stops all evercookie methods," he said.
Photo illustration uses elements from Shutterstock.
reader comments
52