Food doesn’t have laws — like physics or math — but if it did, “everyone loves cookies” would surely be an indisputable truth. In fact, it’s along that line of thought that “Internet cookies” got their name, because they are all about sharing information — and cookies were made for sharing.
For example, imagine that a website asked your web browser if it would like a cookie. “I would love a cookie!,” it would likely respond, because that’s pretty much what you say whenever someone offers you a tasty treat. On a diet? Just hit the gym — it’s only a cookie, and you can burn it off whenever you want.
But now imagine another website saying, “Have a cookie.” These cookies are not optional, and even worse, you’re not able to throw them out, ever. That, essentially, is a “supercookie,” a web-tracking technology that privacy advocates want eliminated from the Internet.
Supercookies, however, operate in a completely different way than standard web cookies. Instead of being a small file that gets saved by the web browser, a supercookie is a string of code injected into the data you’re downloading. Called a “unique identifier header,” this code cannot be deleted or wiped clean, because it is not a file.
“There’s no way for you to wipe that cookie away,” says Narang, “because it’s injected into your network traffic.”
Everyday web users wouldn’t know the difference between a cookie and a supercookie until they tried (and failed) to delete their browser-based cookies — and that is what has privacy advocates so alarmed. “Even if you wipe a cookie away, the fact that your ID header (or supercookie) still exists, they’re able to correlate those two separate instances of traffic,” says Narang. “They’ve already profiled not only the cookie, but that unique identifier header.”
Even if you’re browsing in private mode, websites can still monitor the websites you visited using supercookies. “The whole purpose of using private mode is because you want to just browse the website and not have anything saved,” says Narang. “You’re saying, ‘I don’t want you to save any information about me,’ and (with supercookies) that is not being respected.”
Supercookies were first revealed in 2011, when researchers at Stanford University and the University of California at Berkeley noted that sites like MSN and Hulu were using them. At the time, Congress began looking into the technology. In November 2014, The Washington Post revealed that Verizon and AT&T had been injecting supercookie code into their network traffic. AT&T stopped using the technology shortly thereafter, providing its subscribers with this opt-out link (click on the link with your AT&T smartphone, not your computer’s web browser). But it wasn’t until Monday — and more pressure from lawmakers — that Verizon agreed to let its subscribers opt-out of the online tracking. Its opt-out solution should be made available soon.
But keep in mind, however you have used these two mobile networks to access the web, whether it has been on a smartphone, through a tablet, or with a laptop connected to a hotspot, your online activities have been tracked, and will continue to be followed with supercookies until you opt out on each device. Talk about leaving a bad taste in your mouth.