How to protect your computer from supercookies

October 3, 2011

You probably didn’t know it while it was happening, but until this summer popular websites including Hulu and MSN were tracking their users’ travels through the internet with the use of so-called “supercookies” — a much more invasive type of behavior-tracking program than traditional cookies that is also harder to circumvent. When privacy advocates turned up the heat, both sites said they stopped the practice.

Facebook was recently accused of using supercookies, too, but pronounced that it does not track its users beyond their actions on the Facebook site.

It’s clear that established sites want to distance themselves from supercookies and what they represent. But what’s not clear is which firms are still using them and what they can do once installed on your computer. The difficulty with monitoring is that the bit of code dropped into your web browser for the “super” version of cookies is difficult to delete and can actually reappear elsewhere on your computer if you do delete it — and it tracks your use of other sites. The cookies most of us are used to dealing with simply tell sites you’ve been there before so they can remember your preferences and deliver behavioral advertising.

The fear of what could happen if a site does drop one of these little tracking devices into your browser prompted a request last week from members of Congress for a Federal Trade Commission investigation into whether they are deceptive and invade your privacy. Representatives Edward Markey and Joe Barton, co-chairs of the Congressional Bi-Partisan Privacy Caucus, asked the agency to look at the implications of supercookies. Meanwhile, a number of prestigious privacy groups want to see an investigation of Facebook’s use of them.

Tracking software raises concerns
Having your every move on the web tracked can be worrisome. If a company doesn’t like your web profile, could it drop you from qualifying for their best offers? Would your bank use them? Could your personal and financial information fall into the wrong hands? There’s precious little information about the repercussions of this tracking software.

“Supercookies are the latest attempt from companies to conquer the last frontier of privacy,” says Martin Lindstrom, author of Brandwashed: Tricks Companies Use to Manipulate Our Minds and Persuade Us to Buy. “Where cookies store a small but essential set of insights about our surfing patterns, supercookies can store up to (25 times as much) and are stored in disguised file formats in folders different from the spots where you typically would find cookies.”

Supercookies can even go back in time to report on your behavior, he says. Even when companies say they aren’t using supercookies, Lindstrom says the answer can be misleading, since they are often dispensed by third parties through advertising networks.

Security experts say there is little to fear since the cookies are marketing focused and don’t collect details of your accounts, your passwords or other specifics about your finances.

“Supercookies cannot harm your computer or steal data from your hard drive,” says Raj Dandage, security engineer and CTO of mobile application development firm Appguppy Mobile. As persistent as supercookies might be, ultimately they’re not doing anything other than tracking what you view online and can’t acquire personal information.

“These cookies do not provide any authentication or proof to the bank… (that) you are who you say you are,” says Michael A. Davis, CEO of the IT consulting firm Savid Technologies. “They merely are used to help track you and provide better advertising while you browse.”

Typically, only the site that created the cookies can access them, says research engineer Akhil Menon of the internet security firm Total Defense. Menon says it would probably be of no benefit to use a separate browser to perform financial transactions to avoid a hypothetical malicious supercookie since information they collect would likely be stored in the same place on your computer regardless of the browser.

However, he says for the most cautious of users, there is the ability to use software such as VMware Player, “which presents an entire virtual operating system that can be used to present an isolated and sanitary environment for online banking.”

But consumer privacy groups aren’t reassured. “The bottom line with supercookies is that companies need to respect the wishes of consumers,” says Amber Yoo, spokeswoman for the advocacy group Privacy Rights Clearinghouse. “If a consumer effectively ‘opts out’ of being tracked by deleting cookies, companies should respect that opt-out and not re-spawn previously deleted cookies. When will companies learn that the best way to gain customer loyalty is to be transparent and let users make decisions about how their data is collected and shared?”

Circumventing consumer will?
“The fact that major sites are using supercookies shows that they are deliberately trying to circumvent the user’s will in protecting his or her privacy,” Dandage says. “That, to me, is a major concern, because we don’t really know what other tactics they may be using — or what they may be planning to deploy in the future.”

Dandage suggests the following steps to avoid supercookies:

  • Turn off Flash and its plugins (even though that will disable visual elements on many sites). Supercookies are also often known as Flash cookies since they may be created by the program Adobe Flash, which delivers visual elements on many sites.
  • Clear your browser cache — in addition to your cookies — regularly.
  • If you use Firefox, download plugins such as NoScript, which allow you to tune your privacy settings.
  • Use the “privacy mode” on browsers that offer it.

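Clearing browser cookies leaves Flash cookies (Local Shared Objects, `.sol` files) in place, which is what lets a site re-create a deleted cookie. The Python check below is an added example, not part of the original article: it lists those files by the site that set them and deletes the ones not on a keep list. The storage paths, the header test and the sample tree with its `.example` domains are assumptions constructed here.

```python
import os
from pathlib import Path

# Usual Flash Player storage roots (assumed defaults, not named in the article).
DEFAULT_ROOTS = [
    Path.home() / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
    Path.home() / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
]
if os.environ.get("APPDATA"):                                                    # Windows
    DEFAULT_ROOTS.append(Path(os.environ["APPDATA"]) / "Macromedia/Flash Player/#SharedObjects")

def is_lso(path):
    """True if the file starts with the LSO header: 00 BF, 4-byte length, 'TCSO'."""
    with open(path, "rb") as fh:
        head = fh.read(10)
    return head[:2] == b"\x00\xbf" and head[6:10] == b"TCSO"

def find_lsos(roots):
    """Map each origin domain to the sorted .sol files stored for it."""
    found = {}
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for sol in root.rglob("*.sol"):
            parts = sol.relative_to(root).parts
            # Layout: <random profile dir>/<domain>/[subdirs/]<name>.sol
            if len(parts) >= 3 and is_lso(sol):
                found.setdefault(parts[1], []).append(sol)
    return {domain: sorted(paths) for domain, paths in found.items()}

def purge(found, keep=()):
    """Delete the LSOs of every domain not in `keep`; return how many were removed."""
    removed = 0
    for domain, paths in found.items():
        if domain not in keep:
            for path in paths:
                path.unlink()
                removed += 1
    return removed

def make_sample_tree(base):
    """Build a constructed sample store (hypothetical domains) under `base`."""
    root = Path(base) / "#SharedObjects"
    lso = b"\x00\xbf" + (20).to_bytes(4, "big") + b"TCSO" + b"\x00\x04" + bytes(4)
    for rel, data in [("ABCD1234/tracker.example/uid.sol", lso),
                      ("ABCD1234/video.example/player/volume.sol", lso),
                      ("ABCD1234/tracker.example/notes.sol", b"not an LSO")]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root

if __name__ == "__main__":
    for domain, paths in find_lsos(DEFAULT_ROOTS).items():
        print(f"{domain}: {len(paths)} Flash cookie file(s)")
```

Run as a script it only lists what is stored; deletion happens only when `purge` is called, with `keep` naming the sites whose Flash settings should survive.
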
One comment


Unfortunately the well-meaning author got many basics wrong. The only known true way to avoid super Flash cookies is to run the Add-ons “Better Privacy” and “Ghostery.” Deleting all cookies and your cache are also both only partially correct and ineffective. The only real solution to managing conventional cookies is to run “Cookie Whitelist With Buttons.” This app blocks ALL conventional cookies until the user green lights them. This way the user can log into trusted sites and block all other cookies. The conventional system allows all cookies- good, bad and lots of clutter, allows them to build up to system clogging levels, the users then only delete them on a whim and delete the good with the bad…

Turning off Flash is a partial solution (and there are apps to manage Flash as well) and another benefit to toggling Flash is it is one of the leading causes of browser crashes.

NoScript is perhaps the single best security add-on EVER!- but it has next to nothing to do with blocking Flash cookies.

Privacy mode on all browsers is oversold and irrelevant. Privacy mode (aka porn mode) only PARTIALLY hides browsing tracks on the user’s computer itself- and the browsing tracks are easily found out by others- outsiders or any savvy user can easily find the results.

I run one of the leading web app collections that puts all of these concepts together and it is 100% free. You can get it here: http://is.gd/xXyQd8

Please note that the only browser truly capable of complete privacy and security is Firefox 3.6- NO other browser comes even close- including the newer versions of Firefox. Firefox 4,5,6…. cannot run more than a few add-ons without having a meltdown and therefore are completely unsafe. All other browsers only pay lip-service to add-ons and really are nothing more than ad-delivery devices and are designed to inhibit- not enhance privacy.
Most browsers these days also include features such as advertising opt-outs which are only marginally effective. Despite their makers’ claims of privacy ALL browsers without massive modifications leave users totally to the wolves. Firefox is the only browser based upon an open sourced model making it the only browser with an effective selection of add-ons. With all other browsers being proprietary their add-on catalogs will remain minuscule and pathetically small.
You can get the good (currently 3.6.23) version of Firefox here: http://www.oldapps.com/firefox.php After downloading and installing FF it is critical to go to tools, options, advanced, update and “Ask me what I want to do.” NEVER allow any program to automatically update without your permission and refuse all updates of Firefox beyond the 3.6 series as all versions of 4,5,6… are built on badly flawed platforms that render security impossible. They badly attempt to mimic Google’s Chrome browser by achieving raw speed by making security and running add-ons virtually impossible.

Posted by Apollo702