In general, the ability to track users with cookies has been a good thing for the web. Tracking within sites allows us to maintain state, tie together a user’s page loads and data into a coherent session — without that eCommerce as we know it and most other web services would be impossible. Tracking across sites powers the targeted advertising that drives much of the online economy.
Tracking with cookies, however distasteful it may seem to some privacy advocates, gives the user a large measure of control. They can delete cookies, choose not to tracked (with varying levels of compliance from sites and browsers), and they can use an Incognito or Privacy mode that cuts sites off from cookies altogether.
As we’ve discussed on this site before, there are methods of tracking, including using the HTML5 Canvas element and ETags that do not rely on cookies, and which have caused worry for privacy campaigners because they don’t easily allow a user to opt-out, but the king of the unavoidable tracking method is the super cookie.
Super cookies are not cookies in the traditional sense, and nor does the term denote a specific tracking method. Rather, super cookies are the name given to a variety of tracking strategies that are persistent in spite of user efforts to evade them. They have the potential to allow advertisers and site owners to track users regardless of the user’s thoughts on the matter.
An example of super cookies being used for tracking was recently covered in the New York Times. The article specifically addresses Verizon, but it’s a method that can be used by any ISP, and is often used by mobile ISPs. In this case, Verizon adds a unique tracking code to HTTP headers. That unique number, much like a traditional cookie, can be used to track users. But it can also be used to overcome the traditional methods that users have to avoid being tracked. As the article details, a company that was engaged in user tracking with cookies was able to sync its normal cookies with the Verizon ID number. When users deleted the cookies, the company was able to “resurrect” them because they could tie the header IDs to their records of the user.
Another example of the super cookie depends on a technology known as HSTS (HTTP Strict Transport Security), which is used to force browsers to connect to a site with the secure HTTPS protocol. HSTS works by setting a bit in HTTP headers, and, with some fairly complex manipulation, researcher Sam Greenhalgh was able to chain together a string of sites to produce a unique identifying number. HSTS super cookies work regardless of whether the user has a browser privacy mode engaged.
No doubt, as time goes by, web service providers and marketing companies who want to track users and care little about whether those users approve will develop other super cookie methods. The “ignore the user” approach has the potential to be damaging to web service providers, as Verizon has discovered — no one wants a New York Times article discussing how you make it easy to spy on your users.
Tracking with cookies has been crucial in building the web we know today, but companies should take care not to override their user’s preferences where tracking and privacy are concerned.