Ask the Expert: What Are Supercookies? Do They Affect My Online Privacy?

Q: I know this is something I should know, but what exactly are cookies? I’ve heard about supercookies too — how do they affect my online privacy?

A: First, don’t be embarrassed. This monthly “Ask the Expert” forum is to tackle any computer privacy issue you can think of — no question is too big or too small. And while we hear lots about “cookies” online, I’d venture to guess the majority of us can’t fully explain what they are. You’re not alone!

The easy answer is that a cookie (at least the kind found on the web) is a short line of text that a website puts on your computer’s hard drive when you visit it.

The longer explanation goes like this: when you visit a website, the website’s server automatically collects information about you, including your IP address, web browser, type of operating system, webpage visited, referring page, and the visit time. A cookie is used to keep track of you as you visit various pages on a website.

When you revisit the site, the site “remembers” you according to the information stored in the cookie.

How Websites Use Your Information

If you are like most Internet users, you probably believe that if a website has a privacy policy, it means that the site cannot share your personal information with others. Originally, website privacy policies were an attempt to create transparency so that users could make informed decisions about which sites they use based on the site’s data collection practices.

Most users believe they do not have to read privacy policies, because the mere presence of them implies a level of (often false) privacy protection.

A report released by the Annenberg Public Policy Center showed that most consumers are completely unaware of how their personal information is used by businesses, and incorrectly assume that laws prevent companies from selling their personal information.

Websites use the information they compile about you via cookies (and other means) for various purposes, such as customizing their site to your individual tastes.

However, they also sell this personal data about you to third parties. It is estimated that nearly 80% of Internet ads are based on tracking data companies compile about you. Websites share this data with marketing partners or corporate affiliates, which means that your behavior may be profiled not only by sites you have visited, but also by other entities with which these sites share this information.

HTML5 and Supercookies

Recently, Microsoft and Mozilla released new versions of their web browsers, both of which integrate HTML5 features, the fifth generation of HTML, which is used to build websites. HTML5 streamlines the process for embedding video and provides a better graphical experience for multimedia and online games.

However, some privacy advocates are concerned that HTML5 can also be used to track user information via “supercookies” or “evercookies.”

These supercookie files can store more information than a normal cookie and can sometimes be stored in different places than regular cookies, such as a file used by a plugin (such as Flash), which makes them harder to identify and remove. In addition, some supercookies have the capability of regenerating regular cookies to prevent their removal.

Supercookies track things differently from ordinary cookies. A normal cookie can be written, read and ultimately removed by the website that created it. However, the supercookie operates much more stealthily by tracking and recording user behavior across multiple sites. It’s ethically questionable that a website should be able to record a user’s actions beyond its borders. Websites that have been found to use supercookies include MSN.com, Hulu.com, and Flixster.com.

Samy Kamkar, the first person to draw attention to the hazard of supercookies, writes this about them:

“[Supercookies are] designed to make persistent data just that, persistent. By storing the same data in several locations that a client can access, if any of the data is ever lost (for example, by clearing cookies), the data can be recovered and then reset and reused.” If a “user gets cookied on one browser and switches to another” the cookie is capable of reproducing in both.

The widespread use of mobile devices makes this data collection even easier, because many apps track your physical location, with or without your knowledge.

“The cookie might, for example, be getting information on where you were when you sent a particular text message,” Kamkar writes. “When you first get your iPhone or Android phone, a lot of these apps say, ‘Do you mind if we record anonymous information about you, yes or no?’ You hit ‘yes’ and who knows the kind of information they are gathering.”

It’s much more difficult to remove cookies from your mobile device, even if you are well-versed in knowing how to remove cookies from your desktop computer.

Regaining Control Over Your Privacy

The new version of Internet Explorer offers a “do-not-track” tool that allows you to opt out of external tracking tools, such as supercookies. Firefox will also offer a similar tool.

For now, supercookies are legal. However, the Obama administration is pushing for Federal Trade Commission-mandated and enforced codes of conduct for advertisers and data companies. Future legislation might force advertisers to reveal what information they are collecting and how it’s being used. Just consider how far ahead things are in Europe already.

For now, though, it’s best to assume that most websites you visit are tracking you via cookies and supercookies, and selling this information to other advertisers. One thing you can do to protect your online privacy is to disable third-party cookies, which limits the types of information advertisers can collect.

If you want to block all third-party content, you can also install the Ghostery plug-in. SlimCleaner and CCleaner also clear out any supercookies hiding in your computer. SlimCleaner incorporates a feature that allows you to save cookies from trusted sites like your bank while deleting anything else. Both utilities have Mac-compatible versions available.

Hopefully that answers all your questions about cookies. If you want even more information on what you can do to disable cookies, check out these how-to posts on managing browser security.

If you have any other questions you want me to consider for upcoming “Ask the Expert” columns, leave a comment below or talk to me on Twitter.