
Evercookie

Article Id: WHEBN0029320801

Title: Evercookie  
Author: World Heritage Encyclopedia
Language: English
Subject: Internet privacy, Zombie cookie
Publisher: World Heritage Encyclopedia

Evercookie

Evercookie is a JavaScript-based application created by Samy Kamkar which produces zombie cookies in a web browser that are intentionally difficult to delete.[1][2] In 2013, a top-secret NSA document was leaked[3] citing Evercookie as a method of tracking Tor users.

Background

A traditional HTTP cookie is a relatively small amount of textual data that is stored by the user's browser. Cookies can be used to save preferences and login session information; however, they can also be employed to track users for marketing purposes. Due to concerns over privacy, all major browsers include mechanisms for deleting and/or refusing to accept cookies from websites.

The size restrictions, likelihood of eventual deletion, and simple textual nature of traditional cookies motivated Adobe Systems to add the Local Shared Object (LSO) mechanism to the Adobe Flash player.[4] While Adobe has published a mechanism for deleting LSO cookies (which can store 100KB of data per website, by default),[5] it has met with some criticism from security and privacy experts.[6] Since version 4, Firefox has treated LSO cookies the same way as traditional HTTP cookies, so they can be deleted together.[7][8]

Description

Samy Kamkar released v0.4 beta of the Evercookie on September 13, 2010, as open source.[9][10][11] According to the project's website:

Evercookie is designed to make persistent data just that, persistent. By storing the same data in several locations that a client can access, if any of the data is ever lost (for example, by clearing cookies), the data can be recovered and then reset and reused. Simply think of it as cookies that just won't go away. Evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if Evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

An Evercookie is not merely difficult to delete. It actively "resists" deletion by copying itself in different forms on the user's machine and resurrecting itself if it notices that some of the copies are missing or expired.[12] Specifically, when creating a new cookie, Evercookie uses the following storage mechanisms when available:

  • Standard HTTP cookies
  • Local Shared Objects (Flash cookies)
  • Silverlight Isolated Storage
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Storing cookies in Web history
  • Storing cookies in HTTP ETags
  • Storing cookies in Web cache
  • window.name caching
  • Internet Explorer userData storage
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite
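
The respawning behaviour described above can be detected from the user's side by comparing storage snapshots taken before clearing, after clearing, and after revisiting the site. The following is an added example, not code from Evercookie or from the original article; the snapshot format, key names and identifier value are constructed for illustration.

```javascript
// Constructed snapshots: store name -> { key: value }. Store names follow the
// list above; the keys and the identifier "a1b2c3" are made up.
const before = {
  httpCookie:   { uid: "a1b2c3", theme: "dark" },
  localStorage: { uid: "a1b2c3" },
  flashLSO:     { uid: "a1b2c3" },
  etag:         { uid: "a1b2c3" },
};
// The user clears HTTP cookies and HTML5 Local Storage only.
const afterClear = {
  httpCookie: {}, localStorage: {},
  flashLSO: { uid: "a1b2c3" }, etag: { uid: "a1b2c3" },
};
// On the next visit the cleared stores are populated again.
const afterRevisit = {
  httpCookie:   { uid: "a1b2c3", theme: "light" },
  localStorage: { uid: "a1b2c3" },
  flashLSO:     { uid: "a1b2c3" },
  etag:         { uid: "a1b2c3" },
};

// Names of the stores in a snapshot that hold `value` under any key.
function storesHolding(snapshot, value) {
  return Object.keys(snapshot)
    .filter((store) => Object.values(snapshot[store] || {}).includes(value))
    .sort();
}

// A value counts as respawned when it was present before clearing, absent
// after clearing, back unchanged after the revisit, and at least one other
// store kept a copy in between (the likely source of the restored copy).
function findRespawned(before, afterClear, afterRevisit) {
  const findings = [];
  for (const [store, entries] of Object.entries(afterRevisit)) {
    for (const [key, value] of Object.entries(entries)) {
      const hadIt = (before[store] || {})[key] === value;
      const wasCleared = !(key in (afterClear[store] || {}));
      if (!hadIt || !wasCleared) continue;
      const sources = storesHolding(afterClear, value).filter((s) => s !== store);
      if (sources.length > 0) findings.push({ store, key, value, sources });
    }
  }
  return findings;
}

console.log(findRespawned(before, afterClear, afterRevisit));
```

The `sources` field of each finding names the stores that have to be cleared in the same pass for the identifier to stay gone; the `theme` cookie is not reported because it came back with a different value and no other store held it.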

The developer is looking to add the following features:

Usage

Evercookie is ideal for use as a marketing tool that resides on a web server and persistently collects "anonymous" data about browsing habits on home computers. Although the tool could be used for various kinds of user browser data, its main advantage is the ability to reconstruct itself on a computer after the browser's cookies have been purged. For instance, the tool makes persistent identification of a specific computer possible, and because the identifier is specific to an account on that computer, it links the data to an individual. The tool could conceivably be used to track a user, and the different cookies associated with that user's identifying data, without the user's consent. It has a great deal of potential to undermine browsing privacy.

There are indications that many well-known websites, such as Hulu, AOL and Spotify, have begun using Evercookies[13] on their websites.

References

  1. ^ Vega, Tanzina (2010-10-10). "New Web Code Draws Concern Over Privacy Risks". The New York Times. 
  2. ^ "Samy Kamkar - Evercookie". 
  3. ^ "'Tor Stinks' presentation". The Guardian. 
  4. ^ "What are local shared objects?". 
  5. ^ "How to manage and disable Local Shared Objects". 
  6. ^ "Local Shared Objects -- 'Flash Cookies'". 
  7. ^ Mike Beltzner (2011-01-13). "Bugzilla entry 625495 - Clear Adobe Flash Cookies (LSOs) when Clear Cookies is selected in the Privacy > Custom > Clear History". Retrieved 2011-09-28. Change to the "on close" firefox behavior to use the new NPAPI ClearSiteData API. 
  8. ^ Mike Beltzner (2011-01-13). "Bugzilla entry 625496 - Clear Adobe Flash Cookies (LSOs) when Cookies is selected in Clear Recent History". Retrieved 2011-09-28. Change to the "clear recent history" firefox behavior to use the new NPAPI ClearSiteData API. 
  9. ^ "Samy Kamkar - Evercookie". 
  10. ^ "Evercookie source code". 2010-10-13. Retrieved 2010-10-28. 
  11. ^ "Schneier on Security - Evercookies". 2010-09-23. Retrieved 2010-10-28. 
  12. ^ "It is possible to kill the evercookie". 2010-10-27. 
  13. ^ "Super Cookies, Ever Cookies, Zombie Cookies, Oh My!". 
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply.