Inspiration & Genius – One and the Same

The Evercookie

In an ever more pervasive attempt to get ‘at you’ with tailored online ads and web surfing preferences, developers seem to be delving into the privacy area of browsing and finding ever more persistent ways of keeping tabs on your surfing habits.

Is this an invasion of privacy? An affront to the user’s right to anonymous browsing, so to speak? Here’s some information on what an evercookie is and does.

“An ‘evercookie’ is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies, and others.”

Samy Kamkar is the developer of the ‘evercookie’. He is also the guy who developed the first XSS worm, called the Samy Worm, which was used to ‘infect’ over a million MySpace users in 24 hrs. Here is Samy’s description of the evercookie:

QUOTE: “Evercookie is a Javascript API that allows storing cookie data in a number of different locations when a user visits a web page. Normal sites would typically just store data (such as a session identifier) in something like a cookie.

However, Evercookie not only uses the cookie, but a number of other locations such as Flash cookies, Silverlight isolated storage, and various locations of HTML5 storage. When a user deletes their standard cookies, the other locations remain and are able to rebuild the original cookie.

I built Evercookie as a proof of concept, wanting to show how web sites are able to track users even if they delete standard cookies and LSOs. Evercookie also sheds light on the fact that there are numerous methods for storing cookies locally. Finally, Evercookie acts as a litmus test for users who want to see if they’re protected from web sites that track like this.” UNQUOTE

TechRepublic has a write-up here that has more information about it, along with a conversation with Samy Kamkar.

One thing that can kill these cookies is disabling JavaScript or using a ‘NoScript’ application or browser extension, since this cookie is JavaScript-based. There are also a couple of websites that have instructions on killing the evercookie:

For Safari: Killing the Evercookie by Dominic White.

For Chrome and Firefox: Killing the Evercookie (Google Chrome w/o Restart) by Jeremiah Grossman. In the comments section of Jeremiah’s post are instructions for removing it from Firefox.
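After following removal steps like these, the respawn behaviour Samy describes can be checked for. The following is an added example (not from the original post and not Evercookie's own code) that compares storage snapshots taken before clearing cookies, right after clearing, and after a reload; the snapshot format, the store names and the sample values are assumptions constructed for illustration.

```javascript
// Added example: audit storage snapshots for evercookie-style respawning.
// A snapshot is { storeName: { key: value } }; store names here are assumed labels.

// Values copied into more than one storage mechanism (the replication pattern).
function findReplicatedValues(snapshot, minLength = 8) {
  const seen = new Map(); // value -> Set of store names holding it
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      if (typeof value !== "string" || value.length < minLength) continue;
      if (!seen.has(value)) seen.set(value, new Set());
      seen.get(value).add(store);
    }
  }
  return [...seen]
    .filter(([, stores]) => stores.size > 1)
    .map(([value, stores]) => ({ value, stores: [...stores].sort() }));
}

// Cookies that vanished when cookies were cleared, then came back with the
// same value after a reload, plus the stores that still held that value.
function findRespawnedCookies(before, afterClear, afterReload) {
  const respawned = [];
  for (const [name, value] of Object.entries(before.cookie || {})) {
    const cleared = !(name in (afterClear.cookie || {}));
    const restored = (afterReload.cookie || {})[name] === value;
    if (!cleared || !restored) continue;
    const survivedIn = Object.entries(afterClear)
      .filter(([store, e]) => store !== "cookie" && Object.values(e).includes(value))
      .map(([store]) => store)
      .sort();
    respawned.push({ name, value, survivedIn });
  }
  return respawned;
}

// Constructed sample data: three snapshots of one site's client-side storage.
const uid = "a1b2c3d4e5f6";
const otherStores = {
  localStorage: { uid, lastVisit: "2010-10-01" },
  flashLSO: { uid },
};
const before = { cookie: { uid, theme: "dark" }, ...otherStores };
const afterClear = { cookie: {}, ...otherStores };
const afterReload = { cookie: { uid }, ...otherStores };

console.log(findReplicatedValues(before));
console.log(findRespawnedCookies(before, afterClear, afterReload));
```

An empty result from `findRespawnedCookies` after a reload, together with no replicated values left in the post-clear snapshot, indicates every copy was removed.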

Shouldn’t we have the right to allow or deny how cookies are used on our systems, in our environment? I find it disturbing the lengths ‘advertisers’ will go to get to us, and doesn’t this add another possible attack vector? We need to bring this to ‘users’ attention so that they can have the choice. Better still, one of those talented developers out there needs to devise a script or app to block these cookies. Thoughts?
