Web Privacy Wiki

Cookies are usually small text files, given ID tags, that are stored in your computer's browser directory or program data subfolders. Cookies are created when you use your browser to visit a website that uses cookies to keep track of your movements within the site, help you resume where you left off, and remember your registered login, theme selection, preferences, and other customization functions. The website stores a file corresponding to the one it set in your browser (with the same ID tag), and in this file it can track and keep information on your movements within the site and any information you may have voluntarily given while visiting the website, such as your email address.[1]

HTTP Cookies

HTTP cookies provide the server with a mechanism to store and retrieve state information on the client application's system. This mechanism gives web-based applications the ability to store information about selected items, user preferences, registration information, and other information that can be retrieved later.[2]

Session cookies

These are temporary cookie files, which are erased when you close your browser. When you restart your browser and go back to the site that created the cookie, the website will not recognize you. You will have to log back in (if login is required) or select your preferences/themes again if the site uses these features. A new session cookie will be generated, which will store your browsing information and will be active until you leave the site and close your browser.[1]

Persistent cookies

These files stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period contained within the persistent cookie's file.[1]

Flash Cookies

Flash cookies are a new way of tracking your movements on the Internet and storing lots of information about you. Their official name is Local Shared Objects (LSOs), and their primary purpose is not to track you but to give Flash applications a way to save data to the local system.

This can be useful when you play games, as it is one way to save your progress. But since there is no distinction between good and bad uses, many companies have started to use Flash to save persistent information on the user system as an alternative to third-party HTTP cookies.

One major disadvantage of Flash cookies is that you can't easily locate them in your browser. They are not shown in the list of cookies you can access through the browser's cookie manager, nor do they appear in databases or other browser-specific storage locations.

Normal HTTP cookies can't save more than 4 kilobytes of data, while Flash cookies can save up to 100 kilobytes by default.[3]

Flash Cookies and Privacy

Although the primary purpose of a Flash cookie is unrelated to tracking users, more than half of the internet’s top websites use a little-known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash cookies in their privacy policies, UC Berkeley (http://www.berkeley.edu/) researchers reported.

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

Furthermore, several services even use the surreptitious data storage to reinstate traditional cookies that a user deleted, which is called ‘re-spawning’ in homage to video games where zombies come back to life even after being “killed,” the report found. So even if a user gets rid of a website’s tracking cookie, that cookie’s unique ID will be assigned back to a new cookie again using the Flash data as the “backup.”

Even Whitehouse.gov showed up in the report, with researchers reporting they found a Flash cookie with the name “userId.” The site does say in its privacy policy that it uses tracking technology, but it does not mention Flash or tell users how to get rid of the Flash cookie.[4]

Evercookies

Evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Evercookies and Privacy

The first persistent cookies used Adobe's Flash to store their data. Flash cookies aren't deleted when you delete the browser's normal cookie cache, and they can persist for much longer. With the right bit of code, it turned out to be possible to use Flash cookies to resurrect normal cookies that were deleted or expired in the browser's collection. Other companies then used a similar technique to store cookies in HTML5's local databases, which worked well when Flash wasn't installed. When a site detects that a user-tracking cookie is missing, it can simply pull the ID out of HTML5 storage, and recreate the cookie with it.
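The re-spawning described here and in the Flash section can be detected by comparing storage snapshots taken before clearing cookies, right after clearing, and after revisiting the site. The following is an added example, not code from evercookie or from the cited reports; the snapshot shape, the store names and all sample values are constructed assumptions.

```javascript
// Added example: detect cookie "re-spawning" from three storage snapshots.
// Snapshot shape (hypothetical): { cookies: {name: value}, stores: {store: {key: value}} }

const MIN_ID_LENGTH = 8; // skip short values ("en", "1") that would match by chance

function findRespawnedCookies(before, afterClear, afterRevisit) {
  const findings = [];
  for (const [name, value] of Object.entries(before.cookies)) {
    if (typeof value !== "string" || value.length < MIN_ID_LENGTH) continue;
    const cleared = !(name in afterClear.cookies);
    const sameIdBack = afterRevisit.cookies[name] === value;
    if (!cleared || !sameIdBack) continue;
    // Stores that still held the ID while the cookie itself was gone.
    const backups = [];
    for (const [store, entries] of Object.entries(afterClear.stores)) {
      for (const [key, stored] of Object.entries(entries)) {
        if (String(stored).includes(value)) backups.push(`${store}:${key}`);
      }
    }
    findings.push({ cookie: name, id: value, backups });
  }
  return findings;
}

// Constructed sample data, not captured from any real site.
const leftoverStores = {
  flashLSO: { userId: "a1b2c3d4e5f6" },
  localStorage: { uid_backup: "a1b2c3d4e5f6", lang: "en" },
};
const before = {
  cookies: { uid: "a1b2c3d4e5f6", sid: "sess-0001-temp", theme: "dark" },
  stores: leftoverStores,
};
const afterClear = { cookies: {}, stores: leftoverStores };
const afterRevisit = {
  cookies: { uid: "a1b2c3d4e5f6", sid: "sess-0002-temp", theme: "dark" },
  stores: leftoverStores,
};

const report = findRespawnedCookies(before, afterClear, afterRevisit);
console.log(JSON.stringify(report, null, 2));
```

A finding with an empty `backups` list means the same ID returned without any matching value in the stores that were inspected, so the backup lives somewhere the snapshot did not cover.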

How can I delete evercookies?

Dominic White, a security consultant in South Africa, apparently started the efforts by figuring out how to purge evercookie from Safari (http://singe.za.net/blog/archives/1014-Killing-the-Evercookie.html#extended). A reset and restart of Safari was enough to get rid of the standard cookies and the PNG, but that left HTML5 local stores and a Flash cookie behind. White wrote a script to kill these files—Safari puts its local storage in a user's /Library/Safari/ folder, in the "Databases" and "LocalStorage" directories.

It turns out to be not entirely necessary to hunt down Flash's local storage and kill the entire file. As the subsequent instructions for Chrome and Firefox (http://www.monirulislam.com/general-web-desktop-application-security-news/how-to-remove-evercookie-from-firefox-3/) point out, Adobe hosts a webpage (http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html) that provides access to all of Flash's cookies, and lets you delete them individually or en masse. You can right-click on any Silverlight app to do the same. Both of these browsers appear to clear local storage when reset.[5]

Privacy & Cookies

Cookies, some feel, can invade the privacy of users. They store information about users, their preferences, their location, and more, which can invade a user's privacy and make users uncomfortable. That said, tech companies today are trying more than ever to convey to users that their information is safe, and to remain transparent about what is being done with users' data.

"We and our partners use various technologies to collect and store information when you visit a Google service, and this may include sending one or more cookies or anonymous identifiers to your device. We also use cookies and anonymous identifiers when you interact with services we offer to our partners, such as advertising services or Google features that may appear on other sites. Our Google Analytics product helps businesses and site owners analyze the traffic to their websites and apps. When used in conjunction with our advertising services, such as those using the Double Click cookie, Google Analytics information is linked, using Google technology, with information about visits to multiple sites."[6]

  1. Are All Cookies The Same? (n.d.). Retrieved March 24, 2015, from http://www.allaboutcookies.org/cookies/cookies-the-same.html
  2. HTTP Cookies. (n.d.). Retrieved March 24, 2015, from https://msdn.microsoft.com/en-us/library/windows/desktop/aa384321(v=vs.85).aspx
  3. Flash Cookies Explained. (n.d.). Retrieved March 24, 2015, from http://www.ghacks.net/2007/05/04/flash-cookies-explained/
  4. Mohamed, N. (2009, August 10). You Deleted Your Cookies? Think Again | WIRED. Retrieved March 26, 2015, from http://www.wired.com/2009/08/you-deleted-your-cookies-think-again/
  5. Timmer, J. (2010, October 27). It is possible to kill the evercookie. Retrieved March 26, 2015, from http://arstechnica.com/security/2010/10/it-is-possible-to-kill-the-evercookie/
  6. Privacy Policy. (n.d.). Retrieved March 26, 2015, from http://www.google.com/policies/privacy/