User privacy concerns emerge over supercookies

Difficult to remove new type of cookie which can track user history and preference, giving rise to privacy concerns, note experts, but add that supercookies aren't legal issue for now.
Written by Ellyne Phneah, Contributor

The difficulty in removing supercookies and their ability to track a user's browsing history and preferences have raised privacy issues, according to security experts, who add that supercookies are not severe security risks and have no legal implications for now.

User privacy is the biggest concern surrounding the use of supercookies which secretly collect user data beyond the limitations of common industry practice, noted Jason Pearce, security director of sales engineering at M86 Security Asia-Pacific. Elaborating in an e-mail, he told ZDNet Asia that many were still unaware of supercookies and browser cookies themselves provide an avenue for "identity thieves" to find people's personal information.

Pearce cited that a likely scenario would be for someone to install a supercookie which a malicious hacker had used to commit identity theft or for a reconnaissance before the launch of a larger scale advanced persistent threat attack. Organizations that also practised the use of supercookies to track usage on their Web sites risked legal liability, he added.

"Many Web marketing firms, advertisers and other suspicious Web sites refuse to follow industry's best practices, but [they] have to be aware of the risks associated with imminent data breach or losing control of the already-collected data," he warned. "A data breach would result in not only brand damage, but also legal ramifications."

Last month, major Web sites including MSN.com and Hulu.com were found to be tracking people's online activities using supercookies, which researchers at Stanford University and University of California said could be used to re-create users' profiles after people had deleted regular cookies.

Supercookies are "a new type of cookie" designed to evade deleting capabilities in common browser cookies, said Corey Nachreiner, CISSP senior network security strategist at WatchGuard Technologies. While normal Web cookies are stored in specific locations, supercookies are stored outside the Web browser directory and "in places where your browser cannot clean", Nachreiner explained in an e-mail. This makes it hard for users to get rid of supercookies, he added.

Also known as "Flash cookies" or "zombie cookies", Pearce noted, they can track a user's activity across many sites and Web browsers have no control over supercookies as they reside in different files or plug-ins.

In addition to fulfilling purposes similar to regular cookies, supercookies also have the ability to track a user's browsing history and preferences for a particular Web site through the browser's privacy control, he said.

However, the severity of cookies posed as a privacy breach remained the view of the user, Pearce noted, adding that "some people don't mind their purchasing habits being tracked". Product recommendations on Amazon, for example, would not be possible without the ability to track what users bought on the e-commerce site, he said, adding that some consumers like having cookies that can help advertisers push targeted ads to them.

Nachreiner noted that supercookies also do not pose any new security threat to organizations compared to normal Web cookies, other than the fact that they are harder for the average user to delete. They mostly pose concerns about user privacy but are not a "severe security risk", he added.

Lim Ren Jun, an associate at law firm Baker & McKenzie.Wong & Leow, told ZDNet Asia that unlike countries such as the United Kingdom, European Union and Hong Kong, Singapore currently does not have any specific data protection legislation. "As such, the use of supercookies generally will not raise any legal concerns," he said in an e-mail, but noted that the country's Ministry of Information, Communication and the Arts (MICA) is now looking to propose data protection legislation which may potentially impact the use of supercookies and privacy concerns.

Nachreiner, however, said the crux of the issue should be about making browser cookies easy for users to remove.

"Whether [one] perceive cookies as good or bad, one thing is sure--you should have the choice to easily remove them when you want," he said. "Until a user can clean a supercookie off their computer just as easily as a normal Web cookie, I will consider them evil."

Preventive measures
According to Nachreiner, there is "little" a user can do to know or prevent a site from using supercookies because tracking happens "behind the scenes". However, he advised that users can change settings in Adobe Flash to either delete existing flash cookies, or prevent flash from storing such files.

Pearce of M86 Security said: "The best security measure is to stop entering personal information into Flash forms. The only way a cookie can store your data is if you enter it into a form, then it is written and stored onto your computer for future references."

Nachreiner added that some privacy and file-cleaning programs such as CCLeaner that are designed to remove all cookies, including supercookies, can also help.

In addition, he noted, as the use of supercookies increases, browser makers may eventually modify their browser to have the ability to to remove supercookies.

Editorial standards