Heidi Duran
Nov 30, 2011

Super cookies are NOT something we should consume

Most people know about cookies, the funny name for a very prevalent tool used by websites on a user’s computer.  More specifically, cookies are basically small files stored on a user’s computer that contain user data specific to that particular computer and website.


Cookies can be accessed by the website whenever the user logs onto the site at a future time.  Standard browser cookies are meant to be helpful to both the site and the user.  For the user, it is convenient because the website will have retained particular information and preferences so that the user does not have to re-enter everything. It also makes for faster loading times. For the website and/or advertising partners involved, cookies allow the site to gather user information and browsing histories to determine how to better cater to the user through the browsing experience or through the ads displayed. Standard browser cookies seem pretty harmless for the most part, especially if you delete them after your browsing experience. 


Yet, despite the usefulness of cookies, some websites have now gone overboard with the introduction of “super cookies”.  Super cookies, also known as Flash cookies, serve the same purpose as standard browser cookies but they are not stored like standard cookies and they collect information way beyond the scope of what most people would consider reasonable.


Usually, a user can clear their computer of website cookies by using the browser-enabled cookie deletion program if they decide they do not want these files stored on their computer.  The problem with super cookies is that they are stored in different places on your computer and are therefore very hard to detect.  In addition, some super cookies will regenerate regular cookies even when they have been removed previously by the browser.  The browser’s normal cookie removal settings simply cannot remove super cookies and most people are unaware of this.


Super cookies can be removed manually or by using a third party program.  Yet, super cookies are a relatively new development and most people do not even know if a website is using super cookies.
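As an added illustration (not part of the original post), the Python sketch below shows what "removing them manually" involves for Flash cookies: they live as `.sol` files outside the browser's cookie store, so they must be found and deleted there. The directory paths are Flash Player's usual per-user defaults, which the article does not name, and the function names are hypothetical.

```python
"""Inventory Flash cookies (Local Shared Objects, *.sol) grouped by site."""
import os
from collections import defaultdict
from pathlib import Path


def default_lso_roots():
    """Flash Player's usual per-user storage directories (assumed defaults)."""
    home = Path.home()
    roots = [
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    ]
    appdata = os.environ.get("APPDATA")                                       # Windows
    if appdata:
        roots.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")
    return roots


def find_flash_cookies(roots):
    """Return {site: [(path, size_bytes), ...]} for every .sol file found.

    Layout is <root>/<random profile id>/<site>/.../<name>.sol, so the site
    is the second path component below the root.
    """
    found = defaultdict(list)
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # Flash never ran for this user, or a different OS
        for sol in root.rglob("*.sol"):
            parts = sol.relative_to(root).parts
            site = parts[1] if len(parts) >= 3 else "(unknown)"
            found[site].append((sol, sol.stat().st_size))
    return dict(found)


def remove_flash_cookies(found, sites):
    """Delete the .sol files belonging to the given sites; return count removed."""
    removed = 0
    for site in sites:
        for path, _size in found.get(site, []):
            path.unlink()
            removed += 1
    return removed


if __name__ == "__main__":
    inventory = find_flash_cookies(default_lso_roots())
    for site, files in sorted(inventory.items()):
        print(f"{site}: {len(files)} file(s), {sum(s for _, s in files)} bytes")
```

Run as a script, it only lists what is stored per site; deletion happens only when `remove_flash_cookies` is called with an explicit list of sites.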


Super cookies definitely raise red flags about privacy concerns.  Some argue that most tracking is not done on an individual level and websites tend to collect and use the information of a large sampling of users. But the fact that these cookies remain on a user’s computer even though the user thinks he has deleted them is of huge concern.  In addition, super cookies are tracking users’ movements to various other websites way beyond the scope of what might be useful information for the original website that placed the super cookie.


Some websites have no idea that they are using super cookies because oftentimes the internet advertising or marketing agency is responsible for them.  However, when brought to the attention of the websites, some will immediately stop using them.  For example, a Facebook user recently caught the company using super cookies and brought the matter to the attention of the FTC.  Facebook was accused of making certain private information public.  In a settlement with the FTC, Facebook must now undergo privacy audits every 2 years, notify consumers and get consent before changing privacy settings. 


While this enforcement is a great step in the right direction, others continue to use super cookies intentionally and without consequence.  Though the FTC is aware of the potential threat of super cookies, the internet advertising and marketing industry is allowed to use “self-regulatory” practices, thereby creating a very broad leeway that is ripe for abuse.


The main uncertainty that needs to be addressed is what these companies are doing with the information they gather from super cookies and where they are storing this information.  A security breach would release a lot of personal web browsing habits that should be private information. Since most people are not aware of super cookies, even if a website discloses its tracking policies in a terms of use or user agreement shown prior to entering the site, usually the scope is not fully disclosed or people do not read the “fine print” as they mindlessly click through the pile of legalese.


What can users do to protect themselves from the websites that use super cookies and may be hiding this information? As mentioned above, the FTC could enforce some type of regulation such as privacy audits. Watchdog groups should definitely be active in bringing guilty websites to the attention of the FTC and a list of these offending sites should be made publicly available.  It would also be helpful to know what information these sites are actually collecting so a user could determine whether or not they still want to visit the site. 


Eventually, new browser features and add-ons will have to be developed in order to handle super cookies, as well as third party applications that can crack down on similar tracking devices.  Additionally, websites should offer full disclosure and grant users the ability to choose whether super cookies can be enabled or disabled.  In the end, it all boils down to user awareness and how much we want to protect our privacy. Like the treatment of any virus, software antibodies must evolve to match the increasingly sneaky and resistant strains of privacy-invading software bacteria.