What Exactly Are Supercookies?

Most of us are aware of standard web cookies, which are small pieces of data that websites store in your browser to recognize you during future visits. Users have the option to manage these cookies by opting out or deleting them. However, supercookies operate differently, allowing advertisers to monitor your online activity without your consent, bypassing the privacy measures implemented by browsers.

As consumers become increasingly aware of how cookies facilitate online tracking, advertisers have resorted to innovative technologies to evade these protections. These technologies, collectively known as supercookies, are described by Bennett Cyphers from the Electronic Frontier Foundation as “anything that isn’t a traditional cookie but functions similarly.”

Supercookies are designed to perform the functions of traditional cookies while remaining undetected by browser privacy settings. They enable third parties to track users across various websites, regardless of where they are browsing. Unlike regular cookies, users cannot disable or delete supercookies that may already be present on their devices. Advertisers frequently combine supercookie data with other tracking methods to create comprehensive profiles of users’ interests and online behaviors.

The Advertising Arms Race

Advertisers continuously seek new supercookie methods to monitor users, especially as existing strategies face restrictions. For instance, Verizon faced a $1.3 million penalty for inserting supercookies that altered internet traffic for its customers.

“Over the years, there has been a cat-and-mouse game between browsers and trackers, where browsers will eliminate one tracking method, and researchers or inventive advertising companies will devise another to replace it,” Cyphers explains.

Cache Exploitation

One recent focus for tech companies is the misuse of browser cache spaces to create supercookies. Browsers typically store cached resources like images or fonts to enhance loading speeds and conserve bandwidth. While this feature is beneficial for users, it has also been exploited to embed supercookies, particularly in shared cache partitions.

For example, if you visit a webpage that displays Image A, your browser saves that image for future use. If you later visit a different site that also uses Image A, your browser retrieves it from the cache instead of downloading it again. Unfortunately, malicious trackers can embed identifiers within cached data, enabling them to trace your activity across various sites by recognizing shared resources.

This approach allows advertisers to infer your interests based on your browsing behavior. For instance, if both sites using Image A are related to parenting, advertisers might deduce that you're likely in the market for baby products.

Browser Countermeasures

The prevalence of supercookies highlights the lengths advertisers will go to invade user privacy. However, the rapid adoption of these techniques may soon face significant challenges.

In 2019, Apple updated its browsers to block supercookies, followed by Google’s Chrome 86 update late last year, which also affected Microsoft’s Chromium-based Edge browser. In January, Mozilla released Firefox 85, which aims to limit supercookie-based tracking methods.

These browsers are now implementing a distinct cache for each website, meaning that a cached version of Image A will only be retrieved when revisiting the original site. This adjustment won't noticeably slow down browsing speeds, as there will still be caches available—just more of them. Since browser caches are refreshed periodically, users need not worry about consuming excessive storage space.

Despite these advancements, the threat of supercookies remains. Given their various forms, maintaining user privacy will always be a dynamic challenge for browser developers. Furthermore, major tech companies like Google and Apple are actively working to eliminate or restrict numerous technologies, such as cross-site trackers and third-party cookies, that have historically been misused by advertisers.

Estelle Massé, a senior analyst at Access Now, a global human rights organization, emphasizes the need for a fundamental redesign of the web focused on privacy.

“We need to have a conversation about tracking and the delivery of online ads that goes beyond cookies as companies keep developing new techniques to follow users online,” she states. “It's crucial to remember that the internet was not created on a ‘creepy ad’ business model and to take steps toward restoring user privacy.”

In conclusion, as supercookies evolve, so too must the strategies employed by browsers and users to protect online privacy.

This video explores the hidden dangers of browser cookies and how they can compromise your online privacy.

This video illustrates how Google Chrome utilizes cookies to track users, with real-life scenarios demonstrating their impact.