Nevercookie vs. Evercookie

Internet cookies are at the center of various privacy protection concerns for a number of reasons, including persistent tracking. The persistent tracking capabilities of new types of cookies have been met with various consumer protection and anonymity solutions. This article discusses a recent development, Nevercookie, a new tool from Anonymizer, Inc.

Cookies that never go away…
Evercookie is a JavaScript API that produces persistent browser cookies. It was developed by Samy Kamkar from already existing techniques, with the goal of raising user awareness about online tracking methods. It remains an open-source project for anyone to use. The objective of Evercookie is to identify users after their cookies have been removed. It does so by storing the user ID and cookie data in thirteen different places.

Evercookies remain even after standard cookies, Flash cookies, and other types of cookies have been removed. This is done by storing cookie data in various storage mechanisms on the local browser. Such storage mechanisms include:
• Standard HTTP Cookies
• Local Shared Objects (LSOs; Flash cookies)
• Silverlight Isolated Storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage via SQLite
• Storage of cookies in RGB values
• Storage of cookies in Web History
• Storage of cookies in HTTP ETags
• Storage of cookies in Web cache
• Window.name caching
• Internet Explorer userData storage

In addition, if the user should remove any of the types of cookies, Evercookie will recreate the cookie using available mechanisms. Even if only one cookie remains, the Evercookie can use it to restore the other cookies. For instance, if the user eliminates the standard HTTP cookies, LSO data and HTML5 storage, history cookies and the PNG cookies are still there. Once detected, the other cookies can be restored. As most users are unaware of the numerous storage methods of Evercookie, it is highly unlikely that all of them will be deleted.
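The respawning behaviour described above can be checked for from the defender's side by comparing what each storage mechanism holds before clearing, immediately after clearing, and after revisiting the site. The following is an added example, not code from Evercookie or Nevercookie; the snapshot shape, the mechanism labels and the sample values are assumptions constructed for illustration, and collecting the snapshots from a real browser profile is outside its scope.

```javascript
// Added example (not Evercookie or Nevercookie code): flag respawned identifiers.
// Assumed snapshot shape: { mechanismName: { key: value, ... }, ... }

// Map each stored value to the set of mechanisms that hold a copy of it.
function indexByValue(snapshot) {
  const index = new Map();
  for (const [mechanism, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      if (!index.has(value)) index.set(value, new Set());
      index.get(value).add(mechanism);
    }
  }
  return index;
}

// Compare snapshots taken before clearing, right after clearing, and after
// revisiting the site. A value that was mirrored across mechanisms, survived
// in at least one, and reappeared in a cleared one is reported as respawned.
function findRespawned(before, afterClear, afterRevisit) {
  const survived = indexByValue(afterClear);
  const current = indexByValue(afterRevisit);
  const findings = [];
  for (const [value, mechanisms] of indexByValue(before)) {
    if (mechanisms.size < 2) continue; // a single copy is ordinary site state
    const kept = survived.get(value) || new Set();
    const now = current.get(value) || new Set();
    const respawnedIn = [...mechanisms].filter((m) => !kept.has(m) && now.has(m));
    if (kept.size > 0 && respawnedIn.length > 0) {
      findings.push({ value, survivedIn: [...kept].sort(), respawnedIn: respawnedIn.sort() });
    }
  }
  return findings;
}

// Constructed sample data; mechanism names are labels chosen for this example.
const before = {
  httpCookie: { uid: "u-7f3a", theme: "dark" },
  localStorage: { uid: "u-7f3a" },
  flashLSO: { uid: "u-7f3a" },
  windowName: { uid: "u-7f3a" },
};
const afterClear = { httpCookie: {}, localStorage: {}, flashLSO: { uid: "u-7f3a" }, windowName: {} };
const afterRevisit = {
  httpCookie: { uid: "u-7f3a", theme: "dark" },
  localStorage: { uid: "u-7f3a" },
  flashLSO: { uid: "u-7f3a" },
  windowName: {},
};
console.log(JSON.stringify(findRespawned(before, afterClear, afterRevisit)));
```

In the sample, the Flash copy survives the clear and the same identifier reappears in the HTTP cookie and local storage, while the single-copy `theme` preference is not flagged.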

Private Browsing
According to Kamkar, users can avoid Evercookie tracking by using private browsing in Safari. Doing so will prevent all Evercookie methods after a browser restart.

However, within private browsing mode on Firefox, the Evercookie could not be eliminated. Although private browsing is not supposed to log data about the session, Flash stores data outside the scope of individual browsers. Private browsing mode does not prevent this from happening. Such storage takes place regardless of the web browser being used. For instance, if a user visits a web page that uses Flash storage in Internet Explorer, the user will be identified even when visiting this page in another web browser on the same computer.

Solution: The Nevercookie
On November 10, 2010, Anonymizer, Inc. announced the release of the Anonymizer Nevercookie, a free Firefox plugin designed to protect users against the Evercookie where private browsing mode fell short. The Nevercookie plugin extends Firefox’s private browsing mode by obstructing Evercookies from identifying and tracking users.

The Nevercookie removes the need for users to manually remove all Evercookies, while retaining the cookies necessary for web browsing. When users run the Nevercookie, any Evercookies are quarantined from the browser and any visited web pages. These are then removed after the browsing session has ended. Because this private browsing session operates in a sandboxed, single-use environment, many web tracking methods that involve locally stored data are prevented.

Summary
This article explores the extremely persistent browser cookie, Evercookie, which was developed to increase user awareness of online tracking methods. Unlike other cookies, the Evercookie stores user data in thirteen different places. As long as one type of cookie remains, the others can be recreated. In response, Anonymizer, Inc. developed the Nevercookie, which is meant to be used in conjunction with the private browsing mode in Firefox. This eliminates the need for users to manually remove Evercookies.

CIPP Exam Preparation
In preparation for the Certification Foundation exam (Foundations) and the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
• Online Privacy – Online Identification Mechanisms – Cookies (Foundations; III.B.g.i.)
• Privacy-Enhancing Technologies – Web Cookies (CIPP/IT; III.B.c.i.)
