What Is Evercookie and Why You Should Avoid It for Privacy’s Sake
Author: Karolina Matuszewska
Browser cookies are nothing new in the digital world. In fact, they’re omnipresent, but nevertheless we can get
more than a bit confused when discussing Evercookie, super cookies or cookie forever, persistent
cookies, and so on. Are these things you really need to grasp thoroughly? Well, if customer data privacy is one
of your priorities, then the answer is definitely yes.
The bits of the digital ecosystem we’re talking about have earned a bad reputation for disrespecting users’ rights
to their data. They’re used for some shady practices and they threaten user privacy. If you’re getting lost in all
this cookie business, don’t worry. We’ll explain in this post exactly what Evercookie is and provide you with key
aspects of its use so you can keep your tracking safe.
What are cookies and why do we need them?
Before we go into the details of Evercookie, let’s start with some basics. Traditional HTTP cookies were invented
out of necessity, so browsers could read pages at the web server and maintain a current session. These are small
text files created by an Internet browser and then saved on the user’s computer. Cookies are a very convenient
and efficient tracking solution.
First of all, they’re used to identify you (the user). When you finish visiting a website and then close the
browser, after you return to that site it recognizes you because of the info stored in cookies. They’re a
mechanism for recording and using information and settings about a user’s browsing behaviors. Whether you
leave items in your shopping cart, log in to social media, or set browser preferences, cookies impact your user
experience by making it faster and more personalized.
Besides cookies that save preferences and information about login sessions, there are also tracking cookies,
referred to as third-party cookies, that track users as a marketing tool.
Are cookies safe?
Cookies aren’t inherently bad or harmful. They’re not like malware or viruses that interfere with your
computer’s proper functioning. Typically, they contain a string of text with information about the browser.
While they can store more personal data about users, this data has to be provided by those users themselves.
Cookies can also retain information already on the web server. What can make cookies a threat is when they’re
employed for questionable purposes.
The legal framework for using cookies
If a user provides you with personal information, that’s one thing. But matters get complicated when this data
becomes available to third-party websites. Also keep in mind that the user needs to be made aware of tracking
and storing mechanisms being used. Here’s where the trouble comes in. Although many browsers have
mechanisms for deleting or even refusing to accept cookies, many websites still don’t honor Do Not Track
options. There are also technologies like Evercookie that recreate cookies after they’ve been deleted. We’ll go
into detail later in this post.
These concerns have led to a lot of debate about how to protect users’ privacy and keep data safe. The result is
legislation and regulations to guard users’ data and their confidentiality. The most prominent ones in the
European Union are GDPR and the Privacy and Electronic Communications Regulation, also called the ePrivacy
Directive.
GDPR requires that users consent to cookies being placed on their computer. That also applies to other similar
technologies that store and access data on a user’s device. What’s more, such storage is only legal if users are
informed about what happens with their data, and they should have the option to refuse storage of their data.
If you would like to know more about consent to process user data, have a look at our blog posts:
How Consent Manager Can Help You Obtain GDPR-Compliant Consents From Your Users
What is Evercookie and how does it work?
To recap, both of the regulations discussed above allow for the use of cookies, but the user must have the choice
to opt out or remove cookies at any time. Seems fair and logical. But in reality things aren’t so rosy. There
are shady mechanisms for tracking. To be precise, there are tools that circumvent the user’s privacy choices and
install permanent cookies that can be recovered after deletion.
But how is that possible? This is what Evercookie does. Don’t get misled by the name, it’s not an actual cookie. It’s
a JavaScript programming library that produces cookies allowing you to identify users even after they’ve deleted
their standard cookies, Flash cookies (Local Shared Objects or LSOs), and other ones. Even when a user erases
cookies, those files are recreated and continue to perform their task.
According to the creator of Evercookie, programmer Samy Kamkar, Evercookie is designed to make persistent
data just that – persistent. The process isn’t complicated. He explains that since the same data is stored in
different locations accessed by a given user, if any of the data is lost it can simply be recovered and stored for re-
use. Evercookie is producing those super cookies – persistent cookies – you’ve probably heard about.
They rely on tricky techniques and are really hard to delete.
The API we’ve mentioned just stores cookie data in different places in the local browser. If Evercookie learns
that the user has removed some cookies hiding in a dark corner of the browser, it creates them again. It uses
JavaScript to re-spawn cookies. And it does so without the user’s knowledge, never mind consent.
To be precise, when Evercookie creates a new cookie, it applies storage mechanisms such as:
standard HTTP Cookies
HTTP Strict Transport Security (HSTS) Pinning
Local Shared Objects (Flash Cookies)
Silverlight Isolated Storage
storing cookies in Web History
storing cookies in HTTP ETags
storing cookies in Web cache
Internet Explorer userData storage
HTML5 Session, Local and Global Storage
HTML5 Database Storage via SQLite
Java JNLP PersistenceService
Kamkar developed Evercookie to spread awareness of privacy risks and bring to light how easily companies can
track users while disrespecting their preferences.
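The redundancy described above is also what makes re-spawning detectable: an identifier that returns to a cleared store usually still sits in another one. The following is an added example, not part of the original post and not Evercookie's code, that compares two storage snapshots taken before and after a user clears cookies; the snapshot shape, store names and sample values are assumptions made for illustration.

```javascript
// Added example: flag identifiers that come back after the user clears a store.
// Snapshot shape (assumed here): { storeName: { key: value } }.

// Map each candidate identifier value to the set of stores that hold it.
function indexValues(snapshot) {
  const index = new Map();
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      // Short strings are usually flags or preferences, not identifiers.
      if (typeof value !== "string" || value.length < 8) continue;
      if (!index.has(value)) index.set(value, new Set());
      index.get(value).add(store);
    }
  }
  return index;
}

// before: taken just before the user clears `clearedStore`.
// after:  taken after the clear and one page reload.
function findRespawned(before, after, clearedStore = "cookie") {
  const beforeIdx = indexValues(before);
  const afterIdx = indexValues(after);
  const findings = [];
  for (const [value, stores] of beforeIdx) {
    if (!stores.has(clearedStore)) continue; // was never in the cleared store
    const now = afterIdx.get(value);
    if (!now || !now.has(clearedStore)) continue; // deletion was respected
    // Stores that kept a copy across the clear are the likely respawn source.
    const likelySources = [...stores]
      .filter((s) => s !== clearedStore && now.has(s))
      .sort();
    findings.push({ value, respawnedIn: clearedStore, likelySources });
  }
  return findings;
}

// Constructed sample data; the identifier value is made up.
const ID = "a3f9c27e51b84d06";
const before = {
  cookie: { uid: ID, theme: "dark" },
  localStorage: { uid: ID, cart: "sku-1234,sku-9876" },
  windowName: { name: ID },
};
const respawnedAfter = { ...before, cookie: { uid: ID } };
const cleanAfter = { ...before, cookie: {} };

console.log(JSON.stringify(findRespawned(before, respawnedAfter)));
console.log(JSON.stringify(findRespawned(before, cleanAfter)));
```

In a browser audit the snapshots would be built from `document.cookie`, `localStorage`, `sessionStorage` and `window.name`; an empty `likelySources` list on a finding points to a store the snapshot did not cover, such as the cache or ETags.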
Evercookie and compromises to user privacy
It’s no surprise that the process of re-spawning cookies has been widely condemned. It definitely violates users’
privacy rights. It tramples on users’ explicit wishes. When a user erases a cookie, this is a deliberate action that
needs to be respected. What’s more, Evercookie can exploit a user’s browser history or hidden properties of
browser windows (the window’s label, invisible to the user, which is transmitted during every transaction).
Furthermore, dealing with persistent cookies is a futile undertaking. Routinely deleting caches can be helpful,
but users may not be able to remove all elements. Using private mode browsing can be a good solution in certain
circumstances. However, it’s not always convenient as you often need to rely on persistent logins. And one last
tip: keep your browser up-to-date.
Users are becoming increasingly aware of and concerned with shady tracking practices. One way they take care
of online privacy is by adjusting browser settings. The trouble is that each browser can have different settings,
and not all of them offer clear settings allowing users to remove data created by new Web languages. This
means that deleting data like permanent cookies is getting tougher and tougher, involving a lot more steps.
What’s more, the increasing number of ways to store this data is making it even harder for browser
manufacturers to keep up and provide better pro-privacy solutions.
Evercookie – Final thoughts
Digital technology is a rapidly evolving field which brings both benefits and perils. As to the perils, knowledge
and awareness are your best defense. There are diverse legal frameworks, like GDPR and ePrivacy, that help
protect users’ privacy and respect their choices in the digital landscape. Bear in mind that Evercookie is just one
technology out there, but there are others that play fair and steer clear of questionable and shady practices like
re-spawning cookies. It’s crucial to choose a reliable partner with an ethical compass that supports your
marketing endeavors and helps you remain legally compliant.
We hope that this post has answered some of your burning questions about Evercookie. But this is a complex
issue and you may have some more questions, so reach out to our Piwik PRO team for fast answers.