C Is for Cookie, and Cookie Is Forever


ADOTAS – The New York Times doesn’t ask developer Samy Kamkar if a million MySpace friends was worth three years of probation, the sentence he received after he unleashed the infamous Samy Worm, which infected and crashed MySpace in 2005. That’s ’cause his latest little toy, the evercookie, is far more interesting — and creepy (but of course — isn’t all Internet technology?).

Except this one is pretty creepy: the evercookie is a JavaScript API that produces cookies that resist deletion by storing data in several places in a browser. Kamkar has found the only way to avoid the evercookie is to use Private Browsing in Safari.

It’s a supercookie, something equivalent to one of those monstrosities with a 10-foot circumference that some press-hungry bakery cooks up to get coverage on the local news. Hearing about either may make you vomit a bit in your mouth.

Although it’s freely available, Kamkar swears he doesn’t want to use it for evil, only to show how much tracking tools could permeate browsers. He tells NYTimes that the cookie should be used as “a litmus test for preventing tracking.”

It’s sort of like the “Please Rob Me” site — the media got up in arms because nobody enjoys looking like a fool, but sometimes it’s hard to see how stupid we can be without getting smacked in the face. Technology facilitates many things in life, including ignorance.

Kamkar is the star of NYTimes’ latest technology scarefest — this time about HTML5 and this time… Well, maybe there are some legitimate concerns here. While improving the web surfing experience, the upgraded code will make data mining easier as some major browsers don’t currently offer obvious settings for deleting data delivered in HTML5. Opting out appears to be a difficult option.

If it wasn’t already — while many sites are proactive in informing users what data is being tracked and how to opt out, several lawsuits have been filed this year against big names (media companies like Disney, Fox Entertainment Group and NBC Universal, as well as tech firms like Quantcast and Clearspring Technologies) for misleading browsers by using Flash cookies. These cookies are not deleted when a user cleans out the HTML oven because… they’re not HTML. You have to go through a few more hoops to lose them. Specific Media is actually charged with secretly recreating cookies deleted by users.
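One way to check for the cookie recreation described above is to compare snapshots of browser storage taken before a cookie clear, right after it, and after revisiting the site. This is an added example, not code from evercookie or from this article; the snapshot layout, the store names and the sample values are constructed for illustration.

```javascript
// Constructed sample snapshots: each maps a storage mechanism to its key/value pairs.
const before = {
  cookies: { uid: "a1b2c3", theme: "dark" },
  localStorage: { uid_backup: "a1b2c3" },
  flashLSO: { "site.sol/uid": "a1b2c3" }, // Flash cookie store (hypothetical key)
};
const afterClear = { // the user deleted cookies only
  cookies: {},
  localStorage: { uid_backup: "a1b2c3" },
  flashLSO: { "site.sol/uid": "a1b2c3" },
};
const afterRevisit = { // same site loaded again
  cookies: { uid: "a1b2c3", theme: "light" },
  localStorage: { uid_backup: "a1b2c3" },
  flashLSO: { "site.sol/uid": "a1b2c3" },
};

// Names of the non-cookie stores in which `value` is still present.
function storesHolding(snapshot, value) {
  return Object.entries(snapshot)
    .filter(([store, kv]) =>
      store !== "cookies" && Object.values(kv).includes(value))
    .map(([store]) => store)
    .sort();
}

// A cookie counts as recreated when the user deleted it and the same
// value is back after the revisit. A cookie that returns with a new
// value (like `theme` here) is an ordinary fresh cookie.
function findRespawnedCookies(before, afterClear, afterRevisit) {
  const findings = [];
  for (const [name, value] of Object.entries(afterRevisit.cookies || {})) {
    const hadBefore = (before.cookies || {})[name] === value;
    const wasDeleted = !(name in (afterClear.cookies || {}));
    if (!hadBefore || !wasDeleted) continue;
    const sources = storesHolding(afterClear, value);
    // No surviving copy means the value came back some other way.
    const kind = sources.length
      ? "respawned-from-storage"
      : "restored-unknown-source";
    findings.push({ name, value, sources, kind });
  }
  return findings;
}

console.log(findRespawnedCookies(before, afterClear, afterRevisit));
```

The `sources` list names the stores that also have to be cleared before the identifier is actually gone.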

However, Quantcast and Clearspring both argued that they use Flash cookies for analytics and not targeting ads. If you agree with that defense (both companies are merely accused — innocent until proven otherwise), isn’t it still a violation of privacy? The companies were secretly tracking information. Or is it just Internet business as usual?

Use of such cookies for secret targeting, however, disrespects the consumer, no-no no. 1 in marketing, and gives all tracking a bad name. Privacy advocates are yelling at browsers to create a universal system for deleting all tracking capabilities, especially as HTML5 takes over the web. But the Electronic Frontier Foundation recently noted that browsers themselves are unique and trackable, suggesting that trackers could sidestep cookie deletion and follow users regardless of consent.

It kinda makes you wonder — at what point is industry self-regulation not enough? During its privacy roundtable in January, the Federal Trade Commission discussed the trouble of Flash cookies with privacy advocates and interactive ad industry reps, with Consumer Protection Chief David Vladeck famously commenting that the agency is “currently examining practices that undermine the tools that consumers can use to opt out of behavioral advertising.”

He added: “We hope to announce law enforcement actions later this year.” Thanks for being vague, Dave. As the lawsuits poured in, Christopher Olsen, FTC assistant director in the division of privacy and identity protection, said that several companies were under investigation — who, what, when, why and how were not included in his commentary.

We’ll just have to wait for the FTC’s report on its privacy roundtables, which is due to government printing presses sometime in the coming months. Joy.


  1. One thing that I think could be useful is to use the “evercookie” as the opt-out for these networks. Probably a heck of a lot easier to get adoption than some browser plugin that few people would ever actually install…

  2. Kyle’s comment is surely valid but it’s better that the browser itself has the ability to genuinely clear its profile.

    The problem is that the browsers are made by companies that have their own networks and that would be like shooting themselves in the foot.

    Specific Media and all the rest knew what they were doing and knew it was ‘wrong’ in terms of protecting user privacy. Money talks and when it comes to protection of privacy on the net then be prepared for anything.

    And to all those who’ve put all their details into Facebook – wait till the revenues start to fall and watch how they trample on your privacy then…

  3. I can see a time coming when all forms of tracking will be banned under the ‘Data Protection Act’ because of abuse by some people. That will inevitably be the death of affiliate marketing.

