Evercookie, Extremely Persistent Cookies
Websites and services can use several techniques to identify a specific user visiting their properties, or third-party properties they are affiliated with. The most common are standard HTTP cookies, followed by so-called Flash cookies, also known as Local Shared Objects. Evercookie goes much further and drops its identifier into all of the following locations:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached PNGs, using the HTML5 Canvas tag to read the pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
Why would someone want to drop data into that many locations? Easy: far superior user identification. When a site drops a cookie on the user's system, it can identify the user for as long as the cookie exists. Once the user deletes the cookie, the site can no longer identify the user. It may use heuristics to estimate probabilities, but it usually cannot be sure that this is indeed a user who visited the site in the past.
Evercookies introduce a whole new level of user tracking. The website can keep tracking the user, and recreate deleted cookies, as long as at least one of the cookies or storage locations has not been cleared by the user. And many users still have not even heard of Flash cookies, the second best-known way of storing cookies on a user's system. How will those users cope with the news that there are more than ten additional ways of storing data to track them?
Samy Kamkar has put up a demonstration page where users can set evercookies manually on their system. The same page contains options to rediscover the cookies. The suggested way of using the demonstration is to set the evercookie, delete cookies in all places known to the user, and finally revisit the site to see whether the evercookie still exists on the system. The first rediscover button restores all deleted cookies, the second button does not. Notably, this method can track a user even if the browser is switched, at least as long as the Flash cookie is not deleted.
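As an added example (not code from the original post or from the Evercookie project), the following Node.js script shows how a defender could audit storage snapshots for the two behaviours described above: one identifier replicated across many stores, and a deleted value respawning after a revisit. The storage location names and the identifier value are constructed for illustration.

```javascript
// Added example, not code from the original post or from the Evercookie project:
// audit storage snapshots for evercookie-style behaviour. A snapshot maps a
// storage location name to the key/value pairs found there; all location
// names and identifier values below are constructed for illustration.

// Flag any value that appears in two or more storage locations: the same
// identifier replicated across stores is the signature of this technique.
function findReplicatedIds(snapshot, minStores = 2) {
  const seen = new Map(); // value -> Set of stores containing it
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      if (typeof value !== "string" || value.length < 8) continue; // skip short flags
      if (!seen.has(value)) seen.set(value, new Set());
      seen.get(value).add(store);
    }
  }
  return [...seen]
    .filter(([, stores]) => stores.size >= minStores)
    .map(([value, stores]) => ({ value, stores: [...stores].sort() }));
}

// Compare three snapshots taken around the demo's set / delete / revisit
// steps. A value present before, missing from its store after the user's
// clean-up, and back in that store after the revisit has been respawned.
function findRespawned(before, cleared, after) {
  const respawned = [];
  for (const [store, entries] of Object.entries(before)) {
    for (const [key, value] of Object.entries(entries)) {
      const wasCleared = !(cleared[store] && cleared[store][key] === value);
      const isBack = Boolean(after[store] && after[store][key] === value);
      if (wasCleared && isBack) respawned.push({ store, key, value });
    }
  }
  return respawned;
}

// Constructed sample: the user clears cookies, localStorage and window.name
// but not the Flash LSO, which is enough for the site to restore the rest.
const ID = "c1f7e2a9-4b3d"; // constructed identifier, not a real value
const before  = { httpCookie: { uid: ID }, localStorage: { uid: ID }, windowName: { uid: ID }, flashLSO: { uid: ID } };
const cleared = { httpCookie: {},          localStorage: {},          windowName: {},          flashLSO: { uid: ID } };
const after   = { httpCookie: { uid: ID }, localStorage: { uid: ID }, windowName: { uid: ID }, flashLSO: { uid: ID } };

console.log(findReplicatedIds(before));            // one id found in 4 stores
console.log(findRespawned(before, cleared, after)); // 3 respawned entries
```

In a real audit the snapshots would be collected by a browser extension or a privacy tool before the clean-up, right after it, and after revisiting the site.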