There’s a new internet threat in town and browser makers are rushing to keep it from invading their users’ privacy. The latest to join the fray: Mozilla, which recently rolled out an update for its Firefox browser for combating the rise of what’s today colloquially referred to as supercookies.
So what’s a supercookie?
We’re all familiar with web cookies. They’re tiny little pieces of information that websites deposit in your browser to know it’s you the next time you visit them. You can opt out of them, block them, and wipe them off your computer. But what if you had no control over them and advertisers could track you across the web despite your browser’s built-in protections? That’s a supercookie.
As consumers have caught on to cookies’ role in online tracking, advertisers have scrambled for alternate technologies to circumvent safeguards and sneak trackers into your browsers. They’ve found that in a variety of technologies collectively referred to as supercookies. A supercookie, as Bennett Cyphers, a technologist at the Electronic Frontier Foundation, puts it, is “anything that isn’t a traditional cookie but acts like one.”
Supercookies are engineered to pull off a traditional cookie’s job without ringing the browser’s privacy alarms. They allow third parties to identify and follow you when you’re surfing the internet, irrespective of which site you’re on. Unlike regular cookies, you can’t shut them off or delete the piles of supercookies that already exist on your machine. Advertisers often pair such supercookie data with other forms of tracking methods to accurately build a profile of your interests, maintain a record of the sites you frequent, and more.
Advertisers actively experiment with new types of supercookies—additional ways to keep tabs on people, in case their existing methods get taken down. Four years ago, Verizon was hit by a $1.3 million fine for injecting supercookies that modified the traffic flowing through its customers’ routers.
“Over the years, there has been a cat-and-mouse game between browsers and trackers, where browsers will shut down one method of tracking, and researchers or inventive advertising companies come up with another one to take its place,” says Cyphers.
The breed of supercookie that has especially caught tech companies’ attention of late has to do with your browser’s cache space.
All browsers come equipped with a set of caches for housing web resources you frequently need. This can be an image file on a website you regularly visit or a collection of fonts. It’s a simple feature that has existed in browsers (and many other apps) for years, and it’s easy to see why: local caches save trips to online servers, which in turn preserves bandwidth and helps the browser load web pages quicker. Each server trip might only take a few seconds, but add them all up and you’re looking at days’ worth of time savings.
Unfortunately, in the last couple of years, caches have been abused to embed supercookies. In particular: cross-site shared cache partitions.
Say you visit a web page that includes Image A. Your browser saves a copy of that image file in case you soon revisit the page. Later, you go to a different web address that requests the same Image A. Instead of calling the server, your browser would simply fetch it from the cache.
The issue is that trackers can encode an identifier in that cached data. This allows malicious actors to scan your history of shared resources and check if any of them are specific to particular sites. In the case of the aforementioned example, a tracker can tell that you have visited both addresses by tracing Image A’s sources. Subsequently, advertisers can break down the websites’ purpose to gauge your interests. If both the websites with Image A are about parenting, the advertiser can predict that you might soon shop for baby clothes, for instance.
Browsers fight back
The rise of the supercookie epitomizes the lengths advertisers will go to in order to bypass browser security and snoop on users. But its wide and rapid adoption may be short-lived.
Apple updated its browsers to prevent the use of supercookies in 2019. Google rolled out a similar fix late last year with the Chrome 86 release, an update that also rolled over into Microsoft’s Chromium-based Edge browser. In January, Mozilla launched Firefox 85, which cracks down on supercookie-based tracking methods.
To make sure advertisers can no longer abuse those shared resources, all these browsers have begun to maintain a separate cache for each website. That means the cached copy of Image A will only be retrieved if you revisit the first website.
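The difference between a shared cache and a per-site cache, as an added example that is not from the article or from any browser's source code: a toy JavaScript model that replays the Image A scenario under both keying schemes. The class, the site names and the URL are constructed, and keying on the top-level site is a simplifying assumption.

```javascript
// Toy model of a browser HTTP cache. Constructed for illustration:
// not a real browser API, and all site names and URLs are made up.
class ToyCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
    this.networkFetches = 0;
  }

  // Shared cache: keyed by resource URL only.
  // Partitioned cache: keyed by (top-level site, resource URL).
  cacheKey(topLevelSite, resourceUrl) {
    return this.partitioned
      ? JSON.stringify([topLevelSite, resourceUrl])
      : resourceUrl;
  }

  // Returns "hit" when served locally, "miss" when the network was needed.
  load(topLevelSite, resourceUrl) {
    const key = this.cacheKey(topLevelSite, resourceUrl);
    if (this.entries.has(key)) return "hit";
    this.entries.add(key);
    this.networkFetches += 1;
    return "miss";
  }
}

// Replays the article's Image A scenario and reports what each page load saw.
function replayImageA(partitioned) {
  const cache = new ToyCache(partitioned);
  const imageA = "https://cdn.example/image-a.png";
  const firstSite = cache.load("site-one.example", imageA);
  const secondSite = cache.load("site-two.example", imageA);
  const firstSiteAgain = cache.load("site-one.example", imageA);
  return {
    firstSite,
    secondSite,
    firstSiteAgain,
    // A hit on the second site means state set on the first site is visible there.
    crossSiteStateVisible: secondSite === "hit",
    networkFetches: cache.networkFetches,
  };
}

console.log("shared:     ", replayImageA(false));
console.log("partitioned:", replayImageA(true));
```

With the shared cache the second site gets a hit on a resource it never loaded itself; with the partitioned cache it gets a miss, at the cost of one extra network fetch.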
The threat isn’t neutralized, however. Since supercookies come in all shapes and sizes, defending user privacy will always remain an ever-shifting goalpost for browsers. On top of that, tech companies such as Google and Apple are phasing out or blocking several technologies including cross-site trackers, third-party cookies, and more that have long held a reputation of being abused by advertisers and trackers.
Estelle Massé, a senior analyst at Access Now, a global human rights organization, believes the web needs a fundamental overhaul that’s centered around a privacy-first infrastructure.
“We need to have a conversation about tracking and the delivery of online ads that goes beyond cookies as companies keep developing new techniques to follow users online,” she says. “We need to remember that the internet was not built on a ‘creepy ad’ business model and take steps to restore privacy.”
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Digital Trends, HuffPost, and more. You can reach out to him on Twitter.