Supercookies (not too sweet…!!)

17 10 2011

“Too bored doing assignments... Let me stream and watch the latest episode of Dexter.” A thought which has probably crossed a million minds. Little do we know that a harmless visit to an online TV streaming site could lead to us being tracked by Spotify or MSN [1][2]. Anybody who has even a little experience with computers and web browsing knows about the concept of cookies. They know that cookies are an unavoidable woe, albeit helpful in certain cases. Disabling cookies or flushing them out altogether does not help us much with the tracking [1]. Most tracking techniques available in the market today are smarter than that. Sites like Hulu, MSN, Flixster and Spotify use (or used till some time back) a method called supercookies to track user behaviour and record data without the user’s knowledge [1][2].

Supercookies, also called Flash cookies or Zombie cookies [1], collected user data which exceeded the usual extent to which data was collected in the industry, thus giving rise to major privacy concerns. The challenge posed by supercookies is mainly due to the fact that these files are not stored in the usual cookie locations [1], which makes it extremely difficult for users to find and delete them. For example, these files are sometimes stored in a file used by Flash. The site then uses a little-known technique of Flash to save the unique ID numbers and later reuses them to spawn traditional HTML cookies after checking its secondary stash for matching user IDs. Another potential cause of harm is that supercookies are not detected by the browser’s cookie detection system. Researchers described another cache cookie method using ETags which can uniquely track users even when all cookies are disabled and ‘Private Browsing Mode’ is enabled [2].
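A defender-side check for the respawning behaviour described above, written as an added example that is not from the original post or its sources: it compares what a site stored before and after the user cleared HTTP cookies and reports any identifier that came back, along with the Flash file or ETag that still held it. The snapshot layout, file names and ID values are constructed for illustration.

```python
import re

# Constructed sample data: what an auditor records for one site.
# Session 1 is a fresh profile; HTTP cookies are then cleared; session 2 revisits.
SESSION_1 = {
    "cookies": {"uid": "a91f3c7e52d04b18", "lang": "en", "sess": "7731aa02c1"},
    "flash_lso": {"settings.sol": "vol=80;uid=a91f3c7e52d04b18"},
    "etags": {"/i.js": '"a91f3c7e52d04b18"', "/logo.png": '"5f2e-4ab1"'},
}
SESSION_2 = {
    "cookies": {"uid": "a91f3c7e52d04b18", "lang": "en", "sess": "09bd44e1f7"},
}

# Long opaque token: likely a per-user identifier rather than a preference.
ID_LIKE = re.compile(r"^[A-Za-z0-9_-]{10,}$")


def find_respawned(before, after_clear):
    """Return cookies whose identifier-like value survived a cookie clear,
    together with the non-cookie stores that held the same value."""
    findings = []
    for name, value in after_clear["cookies"].items():
        # A fresh value after clearing is normal; short values such as
        # "en" are not identifying, so both cases are skipped.
        if before["cookies"].get(name) != value or not ID_LIKE.match(value):
            continue
        sources = []
        for fname, content in before.get("flash_lso", {}).items():
            if value in content:
                sources.append(("flash_lso", fname))
        for url, etag in before.get("etags", {}).items():
            if value in etag:
                sources.append(("etag", url))
        findings.append({"cookie": name, "value": value, "sources": sources})
    return findings


if __name__ == "__main__":
    for finding in find_respawned(SESSION_1, SESSION_2):
        print(finding)
```

A finding with an empty `sources` list still means the ID survived the clear; it only says the backing store was not among those captured in the snapshot.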

Supercookies are usually the outcome of a site's fruitful relationship with an advertising firm which gives a lot of importance to user behaviour analysis [1]. Kissmetrics is one such data collection firm which uses the supercookie technique to gather data about the user’s website browsing preferences. For example, it tells if the user that just visited their site using a Google browser is the same one who visited Hulu by clicking on an ad on Facebook. It does this by storing a unique ID (associated with that user) and maintaining that trail even if the cookie history is flushed [3]. Because supercookies track users across multiple sites, whereas a cookie's domain was limited to the particular site which installed it, the inherent privacy concerns are large [1].

In today's competitive day and age it is understandable if a site desires to track its users and their choices while on its site, but keeping tabs on them even when they have navigated away from your page is ethically another ballgame altogether. The so-called ‘right to track’ is definitely worded in the terms of use or user agreement which the user is made to sign when he signs up for a particular site, but in all honesty, who ever bothers to go through the extremely lengthy, carefully documented ‘agreement’ scripts? For the users, tracking equates to a breach of trust, a brand betrayal of sorts. Many companies ‘unknowingly’ use this technique and stop using it when it is pointed out to them; others do not [1].

Once the data is collected, companies have an added responsibility to protect that data because the consequences of losing it can be bad. Consumers may no longer trust the brand. Protection of data becomes even more important to avoid legal liability [1]. The increasing concerns about user privacy led the Federal Trade Commission (FTC) to force changes and push for the formulation of regulatory policies regarding invasion of user privacy. The Internet and marketing industry responded by making certain self-regulatory policies which restrict them only from looking into medical records [1]. Apart from privacy, these hard-to-find files can also be a major security threat. If these files are infected with a trojan, detection and prevention can be tough [2]. Hence it becomes extremely important for users to become more aware of such practices and ensure that such techniques are not used extensively. It is entirely in our hands to not become mere guinea pigs in the world of advertising and marketing strategies.

Soltani aptly summarizes this race, saying, “This is yet another example of the continued arms race that consumers are engaged in when trying to protect their privacy online since advertisers are incentivized to come up with more pervasive tracking mechanisms unless there's policy restrictions to prevent it.” [3]


[1] Christian Olsen. “Supercookies: what you need to know about the web’s latest tracking device.” 2 September 2011.

[2] Michael Anderson. “Invasion of the supercookies.” 18 August 2011.

[3] Ryan Singel. “Undeletable cookie.” 29 July 2011.