Zombie cookie

A zombie cookie is a piece of data, usually used for tracking users, that is created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser, similar to regular HTTP cookies but with mechanisms in place to prevent the user from deleting the data. Zombie cookies may be stored in multiple locations; because any surviving copy can be used to undo the deletion, removing all copies of a zombie cookie can be difficult. [1] Since they do not rely entirely on normal cookie protocols, the visitor's web browser may continue to recreate deleted cookies even though the user has opted not to receive cookies.

The term was used by Attorney Joseph H. Malley, who initiated the super-cookie class actions in 2010.

Purpose

Web analytics companies use cookies to track Internet usage and pages visited for marketing research. [2] Sites that want to collect user statistics install a cookie from a traffic tracking site that collects data on the user. As that user surfs around the web, the cookie accumulates more information for each site that uses the traffic tracking cookie and sends it back to the main tracking server.

Zombie cookies allow the web traffic tracking companies to retrieve information such as previous unique user ID and continue tracking personal browsing habits. When the user ID is stored outside of a single browser's cookie storage, such as in a header injected by the network into HTTP requests, zombie cookies can track users across browsers on the same machine. [3]

Zombie cookies are also used to remember unique IDs used for logging into websites. This means that for a user who deletes all their cookies regularly, a site using this would still be able to personalize to that specific user.

Implications

A user who does not want to be tracked may choose to decline or block third party cookies or delete cookies after each browsing session. [4] Deleting all cookies will prevent some sites from tracking a user but it may also interfere with sites that users want to remember them. Removing tracking cookies is not the same as declining cookies. If cookies are deleted, the data collected by tracking companies becomes fragmented. For example, counting the same person as two separate unique users would falsely increase this particular site's unique user statistic. This is why some tracking companies use a type of zombie cookie.

Implementation

According to TRUSTe: "You can get valuable marketing insight by tracking individual users' movements on your site. But you must disclose your use of all personally identifiable information in order to comply with the Fair Information Practices guidelines". [5]

Possible places in which zombie cookies may be hidden include:

If a user is not able to remove the cookie from every one of these data stores, then the cookie will be recreated in all of these stores on the next visit to the site that uses that particular cookie. Every company has its own implementation of zombie cookies, and those are kept proprietary. An open-source implementation of zombie cookies, called Evercookie, [7] is available.
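One way a defender can check a browser for the respawning behaviour described above is to snapshot its client-side stores before and after clearing them and look for identifiers that are either replicated across stores or present again after a clear. The following is an added example, not code from the article or from Evercookie; the store names, keys and identifier values are constructed sample data.

```javascript
// Added example, not code from the article or from Evercookie: audit
// snapshots of a browser's client-side stores for the two symptoms of
// respawning described above, one identifier replicated across stores and
// an identifier that comes back in a store the user cleared.
// Store names and values below are constructed sample data.

// Opaque identifier-looking value: 16 or more URL-safe characters.
const ID_PATTERN = /^[A-Za-z0-9_-]{16,}$/;

// snapshot = { storeName: { key: value } }; in a browser these would be read
// from document.cookie, localStorage, IndexedDB and so on.
function findReplicatedIds(snapshot) {
  const where = new Map(); // value -> Set of store names holding it
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      if (!ID_PATTERN.test(value)) continue;
      if (!where.has(value)) where.set(value, new Set());
      where.get(value).add(store);
    }
  }
  const hits = [];
  for (const [value, stores] of where) {
    if (stores.size > 1) hits.push({ value, stores: [...stores].sort() });
  }
  return hits;
}

// Identifiers that were in `clearedStores` before the user cleared them and
// are present there again afterwards: a copy survived and was written back.
function findRespawnedIds(before, after, clearedStores) {
  const seen = new Set();
  for (const store of clearedStores) {
    for (const v of Object.values(before[store] || {})) {
      if (ID_PATTERN.test(v)) seen.add(v);
    }
  }
  const hits = [];
  for (const store of clearedStores) {
    for (const [key, value] of Object.entries(after[store] || {})) {
      if (seen.has(value)) hits.push({ store, key, value });
    }
  }
  return hits;
}

// Constructed sample: one id in three stores; the user clears cookies and
// localStorage but not the Flash LSO, and the next visit restores the id.
const ID = "a3f9c2e17b4d8e60f1a2b3c4";
const SAMPLE_BEFORE = { cookies: { uid: ID, sess: "abc" },
  localStorage: { "tracker.uid": ID, theme: "dark" }, flashLSO: { uid: ID } };
const SAMPLE_AFTER_REVISIT = { cookies: { uid: ID },
  localStorage: { "tracker.uid": ID }, flashLSO: { uid: ID } };
```

A hit from either function does not prove intent, but it tells the user which store still holds the identifier and so which store must also be cleared.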

Controversies

In 2015, TURN, an online advertising clearinghouse, [8] introduced zombie cookies based on Flash Local Shared Objects. [9] Privacy advocates quickly denounced the technology. [10]

An academic study of zombie cookies was completed in 2009 by a team of researchers at UC Berkeley, [11] who observed that cookies which had been deleted kept coming back, over and over again. They cited this as a serious privacy breach. Since most users are barely aware of the storage methods used, it is unlikely that users will ever delete them all. From the Berkeley report: "few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe." [11]

Ringleader Digital made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases. The only way to opt out of the tracking was to use the company's opt-out link, which gives no confirmation. [12] This resulted in a lawsuit against Ringleader Digital.

The term "zombie cookie" was created by Attorney Joseph H. Malley, who initiated the Super-cookie Class Actions in 2010. The etymology of the phrase derives from his prior research into Apple's third-party iPhone applications, some of which had been criticized as "zombie-like" applications, such as the "super-cookies" which "re-spawned" when deleted. Attorney Malley envisioned a cookie that seemed to come back from the "dead". Blending the two ideas, he first coined the phrase Zombie Cookies within his filed Class Actions, as a means to enable the court, jury, and public to understand the basis of the litigation.

The Zombie Cookie lawsuits were filed in the United States District Court for the Central District of California against Quantcast, Clearspring, VideoEgg, and affiliated sites owned by Walt Disney Internet Group, Warner Bros. and others. According to the charges, Adobe Flash cookies are planted to "track Plaintiffs and Class Members that visited non-Clearspring Flash Cookie Affiliates websites by having their online transmissions intercepted, without notice or consent". [13]

Two "supercookie" mechanisms were found on Microsoft websites in 2011, including cookie syncing that respawned MUID cookies. [6] Due to media attention, Microsoft later disabled this code. [14]

Consumer outrage related to Flash cookies and the violation of consumers' privacy caused U.S. Congressional hearings, led by Senators Al Franken and John Rockefeller. Reportedly, the "Zombie Cookie" (aka Flash Cookie) filings forced Adobe Systems Inc. to stop processing Flash cookies on 98% of all consumers' computing devices. [15]

The online advertising clearinghouse TURN implemented zombie cookies on Verizon mobile phones, using a hidden, unremovable number by which Verizon could track customers. After an article by ProPublica revealed this fact in January 2015, TURN claimed it had suspended usage of their zombie cookies. [8]

References

  1. Sorensen, Ove (2013). "Zombie-cookies: Case studies and mitigation". 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013). London: IEEE. pp. 321–326. doi:10.1109/ICITST.2013.6750214. ISBN 978-1-908320-20-9.
  2. "Google Analytics Cookie Usage on Websites - Google Analytics - Google Developers". Retrieved 2014-03-29.
  3. Mayer, Jonathan (14 January 2015). "The Turn-Verizon Zombie Cookie". WebPolicy.org. Retrieved 22 April 2015.
  4. Dixon, Pam. "Consumer Tips: How to Opt-Out of Cookies That Track You". World Privacy Forum. Archived from the original on 2013-01-13. Retrieved 2010-11-10.
  5. "Online Privacy Best Practices from TRUSTe". truste.com. Retrieved 2014-03-29.
  6. Mayer, Jonathan. "Tracking the Trackers: Microsoft Advertising". The Center for Internet and Society. Retrieved 2011-09-28.
  7. "evercookie - virtually irrevocable persistent cookies". samy.pl. Retrieved 2014-03-29.
  8. "Zombie Cookie: The Tracking Cookie That You Can't Kill".
  9. "Company Bypasses Cookie-Deleting Consumers - InformationWeek". informationweek.com. 31 March 2005. Archived from the original on 2014-04-30. Retrieved 2017-04-10.
  10. "EPIC Flash Cookie Page". epic.org. Retrieved 2014-03-29.
  11. Soltani, Ashkan; Canty, Shannon; Mayo, Quentin; Thomas, Lauren; Hoofnagle, Chris Jay (11 August 2009). "Flash Cookies and Privacy". SSRN Electronic Journal. doi:10.2139/ssrn.1446862. S2CID 6414306.
  12. Cheng, Jacqui (September 22, 2010). "Zombie cookie wars: evil tracking API meant to "raise awareness"". Ars Technica. Retrieved 2014-03-29.
  13. "Web users sue companies claiming use of Flash cookies is a hack". out-law.com. Retrieved 2014-03-29.
  14. Burt, David. "Update on the issue of 'supercookies' used on MSN". Retrieved 28 September 2011.
  15. Malley, Joseph H. "(LinkedIn profile)". LinkedIn. Retrieved 10 April 2017. My Flash Cookie filings forced Adobe to stop processing flash cookies on 98% of devices + complaint first "coined" phrase: "ZOMBIE COOKIES".