A supercookie’s impact on browsing and its prevention

Edward G. | July 02, 2020

A supercookie might sound delicious, but it is not a treat in terms of digital privacy. For online businesses, traditional cookies are instrumental in managing returning users and serving personalized ads. This help for digital marketers often unsettles netizens, because unknown parties can monitor their actions across multiple sites.

Luckily, users have the right to wipe out all cookies at any time. However, supercookies are more persistent and immune to the regular clearing of browsing data. Without further ado, let’s consider the nature and purpose of this unusual tracking practice.

What is a supercookie?

The name “supercookie” (or “super cookie”) is misleading because it is not the typical tracking cookie we know. Regular cookies end up on users’ devices, meaning that people can remove them whenever they want. The imposter cookie, however, does not use the traditional storage location. Instead, online services place a supercookie at the network layer, where it is labeled a Unique Identifier Header (UIDH). Hence, these cookies are immune to the built-in removal options in browsers.

However, the purpose of supercookies mirrors the objectives of a regular cookie. They are both tracking scripts, designed to build consumers’ digital profiles. By accumulating data about clients, websites can display personalized offers. While the law obliges online services to inform customers about the use of cookies, supercookies are rule-breaking rebels.

Users might not even be aware that such a script affects their browsing. Besides being more persistent and invisible, supercookies operate outside of established boundaries. They can follow users across multiple websites, which is a questionable practice for any digital entity.

While nearly all online services use traditional cookies, what is the distribution of supercookies in the global arena? In 2016, security experts noted that such tracking scripts were the most prevalent in the US, Spain, and the Netherlands. Furthermore, the report suggested that UIDHs can leak information and allow hackers to access users’ profiles. While there is no evidence indicating hacks related to these cookies, it is a concern.

Are supercookies malicious or illegal?

Supercookies do not have the best reputation. While they are not malicious, their presence can be a privacy violation, especially when used without clients’ consent. In one scandal, Verizon Wireless was blamed for injecting supercookies without consumers’ knowledge or consent. After a thorough investigation, the company faced a $1.35 million fine for implementing such stealthy tracking. Hence, ISPs are less likely to use this practice without informing their users about it.

In fact, there are no regulations that would prevent their application. The biggest violation was the users’ inability to control and refuse them. So, such intrusive and undetectable tracking scripts are legal as long as services follow a proper opt-in consent policy.

How to stop them from invading your privacy?

Detecting such cookies is problematic, and even technically fluent people struggle with it. Your chances of finding a supercookie or preventing it from accessing your browsing activities are slim. However, here are the options for people who do not want to have their browsing monitored by a supercookie:

  • Since a supercookie depends on HTTP connections, you might evade it by visiting HTTPS-only websites. However, sticking to an HTTPS-only routine is challenging, even though browsers warn users when they are about to enter an HTTP site.
  • The long-lasting cure for supercookies is the use of a VPN. Such a tool can prevent websites, ISPs, marketers, and other sources from tracking users online. The combo of encapsulation and encryption of web traffic makes it impossible for external parties to accumulate consumer data. Hence, a VPN will make you invisible and stop entities from using your digital identity for monetization.
  • Some ISPs that use supercookies allow customers to reject them. Navigate to the settings on your ISP’s website and refuse all offers related to advertising. However, your ISP can continue using them to an extent. The good news is that these cookies will no longer reach marketers scanning for the UIDH values.
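
One way to check whether a network adds such a header, as an added example that is not part of the original article: send a request over plain HTTP to an echo endpoint you control and compare the headers you sent with the headers that arrived. The echo endpoint, the sample values and the allow-list of benign proxy headers are assumptions; X-UIDH is the header name Verizon used for its UIDH.

```python
# Added example: spot headers injected between client and server over HTTP.
# Assumption: RECEIVED_* is what an echo endpoint you control reported back.

# X-UIDH carries the UIDH discussed above; extend the set as needed.
KNOWN_TRACKING_HEADERS = {"x-uidh"}

# Assumed allow-list: headers ordinary proxies add or rewrite in transit.
BENIGN_TRANSIT_HEADERS = {
    "via", "forwarded", "connection", "x-real-ip",
    "x-forwarded-for", "x-forwarded-proto", "x-forwarded-host",
}


def normalize(headers):
    """Lower-case names, because HTTP header names are case-insensitive."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def find_injected(sent, received):
    """Return (name, verdict, value) for headers the client never sent."""
    sent_n, recv_n = normalize(sent), normalize(received)
    findings = []
    for name, value in sorted(recv_n.items()):
        if name in sent_n:
            continue  # present in the original request, so not injected
        if name in KNOWN_TRACKING_HEADERS:
            findings.append((name, "tracking", value))
        elif name not in BENIGN_TRANSIT_HEADERS:
            findings.append((name, "unknown", value))
    return findings


# Constructed sample data, not captured traffic.
SENT = {"Host": "echo.example", "User-Agent": "probe/1.0", "Accept": "*/*"}
RECEIVED_HTTP = {
    "host": "echo.example", "user-agent": "probe/1.0", "accept": "*/*",
    "Via": "1.1 carrier-proxy", "X-UIDH": "CONSTRUCTED-PLACEHOLDER",
}
RECEIVED_HTTPS = {"host": "echo.example", "user-agent": "probe/1.0", "accept": "*/*"}

if __name__ == "__main__":
    for label, received in (("http", RECEIVED_HTTP), ("https", RECEIVED_HTTPS)):
        hits = find_injected(SENT, received)
        print(label, hits if hits else "no headers added in transit")
```

Run the comparison once over HTTP and once over HTTPS on the same connection: a header that shows up only in the HTTP result was added by the network, not by your browser.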

Edward G.

Cybersecurity Researcher and Publisher at Atlas VPN. My mission is to scan the ever-evolving cybercrime landscape to inform the public about the latest threats.


