Already Afraid to Open Your Web Browser? Meet the "Evercookie"

As security guru Bruce Schneier writes, “the arms race continues.” I do wonder if, when, or how there will be a computer users’ revolt against tracking tools like this one:

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Or maybe the revolt will occur from on high. As one of Schneier’s commenters writes:

At what point does it become criminal computer trespass for a website to take great steps to contaminate my machine when I am, by my actions, making it abundantly clear that I don’t want those things on my computer?

If I did to the server what these guys are doing to my client, I’d have the FBI at the door.

Be sure to read Schneier’s warning at the end of his post.


Sardonimous

Turn off javascript?

David

Javascript is too useful for modern web apps (required actually) to be turned off for this reason.

I agree that the law needs to step in because any attempt by the server to get around the user sounds like a hack attempt to me.

Eileen Wyatt

So if I understand the note at the bottom of the blogger's page correctly, I now have an especially persistent cookie on my work computer because I clicked on a link provided by a reputable (indeed, a quasi-scholarly) blog on a reputable newspaper site (one appropriate for me to read over lunch) -- which chose not to warn me in advance even though Dubner had clearly read the note.

It must be lovely to have such a waggish sense of humor.

Drill-Baby-Drill Drill Team

Cookies are too innocent a term for leaving nonerasable eFingerprints.

How about calling them Everlasting Electronstoppers after Willy Wonka?

Tim

Why should it be criminal for a site to do exactly what it says it will do in the privacy policy or user agreement? By the fact that you use the site, you agree to abide by their terms of use. Don't like sales tax? Don't live in a state with sales tax!

E. David Zotter

This story is 3 years old now....move along.

EverCookie is just an improved version of PersistJS.

http://pablotron.org/software/persist-js/

Clark

According to my Chrome Ghostery plugin, this blog tried to put 7 trackers of various sorts on my machine, including DoubleClick, Tacoda, WebTrends and others.

Economist, heal thyself.

assumo

@ Drill Baby Drill

I agree, the term "cookies" is too innocent, and actually makes me want some right now...

What about "disk mites"?

ndspinelli

Maybe charges should be filed under anti-stalking statutes. Evercookie seems to be akin to the Glenn Close character in Fatal Attraction.

wbfarr

Commenter #3 -- I think that update was referring to what would happen if you clicked on the link Bruce Schneier provided, not to what would happen by reading his article/post. He wasn't clear, but the latter makes no sense -- he wouldn't do what he was warning folks against. One hopes.

Laura

Can someone please rename cookies? I really hate having bad feelings towards cookies.

How about cockroaches? Or something benign, like pennies. Anything but cookies!

myron

@#5 Tim,

Clearly, there needs to be a more explicit opt-in for this kind of tracking. Really, how many people do you think would actually opt-in to having uncontrolable tracking software on their machine?

If you have to open the website to review the privacy policy, how can that me sufficient notice that doing so will infect your machine with unwanted software?

--Walter Rhett

The freakonomics blog on by Stephen J. Dubner on cookies recommends "be sure to read the warning at the end." Which underlined links to a referenced blog on a new type of super-cookie, almost impossible to eliminate.

THAT LINK takes you to a site where the cookie discussed is then apparently embedded in your computer! The suggested warning is issued as a notice after the fact rather than before!

I deliberately reject all cookies, do not visit sites that use them, and expect the New York Times with the highest standards of journalism to protect me, as a valued reader, from having cookies foisted upon my computer without consent or permission, when the author, writing for the Times, knew in advance, provides no forewarning, and intentionally entices me to click through by pointing to an "sure" warning.

The violation I feel is similar to theft or rape; I have been violated in my person / property deliberately, without forethought, with writing techniques intended to lead to that violation.

I am angry to the point of seeing red. I am deeply deeply upset. I feel totally and utterly betrayed. I have been victimized for no apparent reason than reading the Times online and trusting the posted links to other sites.

I am offended beyond measure and see such a violation as not only unethical, but possibly a criminal or civil violation of fraud or privacy.

How did such a egregious means pass editorial muster? Is this a sick joke? Other comments on the site also express the deep anger I feel. If this is not the case, Mr. Dubner should make this clear and not leave such an important matter in doubt.

Please respond directly to me in 24 hours. This has the potential to be one of the most embarassing incidents in Times history.

Read more...

Dimitris Andrakakis

@ #13 Walter Rhett :

"The violation I feel is similar to theft or rape"

No offence, but cool down and REALLY read what's written.

The whole point of evercookie is to generate thoughtful discussion, and judging from this and Bruce's blog it's quite succesful.

Read the comments in Bruce's blog; these are things everybody who is really (read : commercially) interested has known for years. Did it make the news all this time ? NO.

It's a serious problem and we need to act on it. But don't shoot the messanger.

Jango

Cookies make me insane. I have a blocker on for most sites yet I still have a lot of spyware, according to my scan. It's such an invasion of privacy. Why are these sites allowed to have my personal information?

I agree that cookies should be renamed. Those that are saved intentionally (like information for online banking) should be different from those that are slipped on to your computer when you are ägreeing to terms".

frankenduf

yeah- "cookie" here is the same usage as "apple" was to snow white

David

Was that a joke? The site you direct us to about evercookies places an evercookie? If it's a joke to make a point, it stinks. If it's not a joke, it's one of the worst violations of trust I've ever experienced online at a site I previously trusted.

Canceling my subscription isn't enough. Will be sure to pass along my offline version of an evercookie -- it's called Negative-Word-of-Mouth. It too is persistent and can't be removed by normal means.

Liz

Really, #13 Walter Rhett? Really? Having a cookie placed on your computer is just like being robbed or raped?

I'm sure victims of those crimes feel great to hear that their physical violations are now on the level of cookies. Way to keep it classy.

Jeff Daze

The evercookie javascript api is a *proof of concept* for what advertisers and other nefarious agents *might* be able to do to track information using methods provided by your web browser.

there is nothing malicious about the methods used.

the web browser clients that support the methods the api uses allow the data to be stored. many of the methods provide functionality for web based applications (such as local storage).

be glad that the use of these methods for data tracking has become public; most people don't even know that flash (a common web plug-in) creates cookies (which are actually somewhat tricky to eliminate).

this evercookie api brings to light new methods that could be used. rather than selling the technique to advertisers, we should be thanking mr. Schneier for his efforts to examine possible security issues on the web presented by new technologies.

mike

Cookies are like Free Trade.

No one who really understands it, is against it.