Open Source BleachBit 0.9.3 – Deletes HTML5 Cookies

I considered just giving up – but, I’ll be damned if I will. I take every precaution I can to guard against the invasive parasitic practices of data collectors who are persistent in their attempts to collect “anonymous” data on my personal browsing habits. But, it’s never enough.

Despite my precautions – despite the tools I use in an attempt to respond to the insidious nature of web tracking – I find myself fighting a constant rear guard action. No sooner do I reach a plateau from which I can exert a functional level of control over the “behind closed doors nature” of Internet tracking – than I’m forced to deal with an even more insidious method of personal data collection.

Let’s spin back for a moment, to the time when the so called LSO (Flash Cookie) was introduced as a response to users gaining control over standard HTTP cookies. Control which allowed for the acceptance, the rejection, and the wiping of private data – including wiping cookies.

The Flash Cookie changed all that. By design, a Flash Cookie (Super Cookie) remains active on a system even after the user has cleared cookies and privacy settings. BetterPrivacy – a free Firefox add-on – stepped into the battle to address this issue, and gave users an opportunity to identify, and delete, Super Cookies.

When a Tracking Cookie is not obvious to a casual Internet user and, when that cookie cannot be deleted without the aid of a specialty cleaner, then Internet tracking has been taken to a level that borders on deception. Hell, let’s call it what it really is – crooked, immoral, fraudulent, illegal, ……..

When I first wrote on Super Cookies in September 2009, I made the following comment –

“……….with little resistance being offered by the “sheeple”, and a failure by regulatory authorities to enact appropriate consumer protection laws, we can expect privacy intrusions, like this, to accelerate.”

It’s hardly surprising then, that we are now faced with the Evercookie (HTML5 Cookies).

From Wikipedia:

An Evercookie is not merely difficult to delete. It actively “resists” deletion by copying itself in different forms on the user’s machine and resurrecting itself if it notices that some of the copies are missing or expired. Specifically, when creating a new cookie, Evercookie uses the following storage mechanisms when available:

  • Standard HTTP cookies
  • Local Shared Objects (Flash cookies)
  • Silverlight Isolated Storage
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Storing cookies in Web history
  • Storing cookies in HTTP ETags
  • Storing cookies in Web cache
  • caching
  • Internet Explorer userData storage
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite

Hold on – there’s more:

The developer is looking to add the following features:

  • Caching in HTTP Authentication
  • Using Java to produce a unique key based on NIC information.

We’re not quite finished.

With this tool it is possible to have persistent identification of a specific computer, and since it is specific to an account on that computer, it links the data to an individual. It is conceivable this tool could be used to track a user and the different cookies associated with that user’s identifying data without the user’s consent. The tool has a great deal of potential to undermine browsing privacy.
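Several of the stores in the list above are ordinary files on disk, so a cleanup can be checked by inventorying them before and after it runs. The following is an added example, not part of the original post and not BleachBit code: it assumes the legacy Firefox file names `cookies.sqlite` and `webappsstore.sqlite` (with a `webappsstore2` table and reversed-host `scope` values) and the `.sol` extension for Flash LSOs; the function names and the sample tree are constructed for illustration.

```python
import os
import sqlite3
from pathlib import Path

# Assumed legacy on-disk names for three of the stores in the list above.
KINDS = {"cookies.sqlite": "http-cookies", "webappsstore.sqlite": "html5-local-storage"}

def classify(path):
    """Map a file to the storage mechanism it backs, or None (.sol = Flash LSO)."""
    return "flash-lso" if path.suffix.lower() == ".sol" else KINDS.get(path.name.lower())

def scope_to_origin(scope):
    """Decode a legacy scope such as 'moc.elpmaxe.:http:80' (reversed host)."""
    parts = scope.split(":")
    if len(parts) != 3:
        return scope  # unknown format: report unchanged
    return f"{parts[1]}://{parts[0][::-1].lstrip('.')}:{parts[2]}"

def dom_storage_origins(db_path):
    """Count stored keys per origin; the database is opened read-only."""
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT scope, COUNT(*) FROM webappsstore2 GROUP BY scope").fetchall()
    except sqlite3.DatabaseError:  # missing table or unreadable file
        rows = []
    finally:
        con.close()
    return {scope_to_origin(s): n for s, n in rows}

def audit(roots):
    """Walk directories; return sorted (kind, path, detail) tuples."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for p in (Path(dirpath) / name for name in files):
                kind = classify(p)
                if kind:
                    detail = dom_storage_origins(p) if kind == "html5-local-storage" else {}
                    found.append((kind, str(p), detail))
    return sorted(found, key=lambda f: f[:2])

def build_sample(base):
    """Create a constructed tree (no real tracking data) for a dry run."""
    prof = base / "firefox" / "sample.default"
    lso = base / "Flash_Player" / "#SharedObjects" / "SAMPLE" / "tracker.example"
    prof.mkdir(parents=True)
    lso.mkdir(parents=True)
    (prof / "cookies.sqlite").write_bytes(b"")
    (lso / "uid.sol").write_bytes(b"constructed")
    con = sqlite3.connect(prof / "webappsstore.sqlite", isolation_level=None)  # autocommit
    con.execute("CREATE TABLE webappsstore2 (scope TEXT, key TEXT, value TEXT)")
    rows = [("elpmaxe.rekcart.:http:80", k, "x") for k in ("uid", "seen")]
    con.executemany("INSERT INTO webappsstore2 VALUES (?, ?, ?)", rows)
    con.close()
```

Run `audit()` against a copy of the browser profile and the Flash `#SharedObjects` directory before and after cleaning; any origin that still appears afterwards was missed by the cleaner.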

I don’t know what your definition of hacking, or illegal access encompasses – but, in my view, the placement of an Evercookie steps over the line into the realm of cybercrime. I suggest to you, that if a government were to penetrate a user system to plant an Evercookie as a matter of course – the outrage would be immediate. But, private enterprise does it – and the “sheeple” happily bow to what they consider the inevitable.

The tracking industry (a multi-Billion dollar industry), has gone too far on this one. I predict the litigation lawyers, and privacy advocates, will run out the big guns in a justifiable attempt to eradicate this spyware.

Personally, I believe that criminal charges should be laid against the executives of those organizations currently using Evercookie. I see no difference between these yahoos, and Russian cybercriminals.

Additional statistics on which web sites are currently using Evercookies can be had by reading an eye opening article by one of my favorite Tech writers Ed Bott – here.

In the meantime, you might consider installing BleachBit – an open source application which will delete Evercookies from your system.

In the following screen capture I have focused on a Firefox cleanup – including wiping HTML5 cookies.


In this screen capture the focus is on deleting Flash cookies (Super Cookies).


Let’s take a look at a preview of what’s going to be deleted –


Choosing the same parameters using CCleaner (a Flash and Firefox cleanup), leads to a considerable difference.


Fast facts:

BleachBit quickly frees disk space and tirelessly guards your privacy.

Free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn’t know was there.

Designed for Linux and Windows systems, it wipes clean 90 applications including Firefox, Internet Explorer, Adobe Flash, Google Chrome, Opera, Safari, and more.

Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster.

Better than free, BleachBit is open source.

System requirements: Windows, Linux.

Languages: This application is available in 56 languages.

Download at: SourceForge

BleachBit is a powerful application; I recommend that you spend some time becoming familiar with its operation and capacity before using it for the first time.

You should consider viewing a tutorial video available here.



30 responses to “Open Source BleachBit 0.9.3 – Deletes HTML5 Cookies”

  1. Don

    Wow, once again Bill YOU DELIVER! Just installed and ran it for the first time. It works very well, along with being partnered with CC Cleaner. A most welcome addition to my never ending fight against personal privacy and invasion from the Private Sector. Thanks for doing the research on this.

    • Hi Don,

      So glad to hear you found this app useful.

      It’s a cliche to say the enterprise has no conscience – still, if there was ever a situation that lends some truth to the cliche, the use of Evercookies qualifies, I think. It’s simply malware in disguise.



  2. Bill, thanks, your energy and candor on this subject is refreshing and motivating. And, I might add, you’re spot on when you state that these evercookies are a form of cyber crime. Sheeples…I love it!

    • Hi Paul,

      Thanks for the support. I thought I might be striking the anvil a little hard by calling these morons cyber criminals – but, agreement from an IT Pro such as you, confirms my perspective on this.



  3. Hi Bill,
    I think these people sit up at night thinking of new ways to be evil. Thanks to guys like you, we might be able to stay just far enough in front of them that we don’t get taken in by it all. My dad always says, You want to know about something, “Follow The Money”

    The sad part is, there are a lot of sheeple that don’t care enough to do anything about it for their own protection, but that’s a story for another rant.

    Thanks for bringing up bleachbit, I actually have it installed through portable apps because the less programs I have installed on C drive, the better.

    Thanks for a great article


    • Hey TeX,

      Your Dad knows his stuff, alright. It’s all about the money. Your privacy; my privacy; means nothing to these money grubbing fools.

      Good to hear that you’re already on the go with this one. Very Smart. But, I expect that from you. 🙂



  4. Chris A.

    Hi Bill,

    This is a fantastic recommendation once again! I’ve never stuck to using a single cleaning program and have installed several products along with a heavily modified hosts file. They don’t always remove all of the junk and I regularly find myself having to add custom files to wipe to Ccleaner’s custom settings and have had to resort to manual registry cleaning at times.

    I’ve just run Bleachbit and removed 235Mb of files!

    Most people don’t seem too concerned about cookies for some strange reason. Currently I’ve been attempting to get my CEO to make our three company websites compliant with the European Cookie Law but non compliance is not seen as an important issue either by the CEO or other staff members. I will be sending them a link to your post!



    • Hi Chris,

      We don’t often talk about host files – we should do that a little more here, I think.

      Nice clean up BTW – 235Mb is a very worthwhile recovery.

      I’m not surprised to hear that you’re facing an uphill battle in attempting to gain compliance. Out of sight – out of mind – seems to be the status quo. Sad.

      Good to hear from you.



  5. Mal

    Hey Bill,
    Recently I noticed that when I visited Youtube in Firefox, with NoScript enabled and the Flash plugin disabled, that videos still played. The reason: HTML5 cookies.
    I was wondering what the ramifications of all this were. Now I know, thanks to you. Another fantastic find by you. Thank you, I appreciate it.

    • Hey Mal,

      I’m very glad to get your comment. The scenario you describe is what one would expect following a malware infection. In other words, you have lost control of your machine due to the placement of an object, or series of objects, that you didn’t ask for – are/were unaware of the placement – and, have no easy method to locate and delete.

      The tracking industry can sex it up by calling it whatever they like – Evercookie – the road to Nirvana – whatever. In my book, if it walks like a Duck and quacks like a Duck – it’s a goddamn Duck. And, this Duck is spyware.

      As you and I both know, one of the saving graces of technology is – someone will always find a way to beat the bastards (government or enterprise) at their own game. At least for the moment, BleachBit seems to be a solution to this latest attack on our personal privacy.



  6. Mal

    Hey Bill,
    Yep, it certainly had me concerned til I found the reason for it, and it pissed me off too. Just when I think I am on top of things, we have a new threat to deal with.
    A quick question: I notice that HTML5 cookies are only cleaned through Firefox. What are we to do with other browsers that we use? For instance, I use Comodo Dragon to play an online game I am addicted to. Just a thought I had when running BleachBit.

    • Hey Mal,

      We had a sort of “round table” discussion on this last night, over a few jars of course 🙂 – and the consensus was that we all have a lot to learn on this issue. In fact, some members had never heard of this problem.

      I think the best advice I can give you is this – when playing your game run Comodo in a sandbox application. Hopefully (and, I do mean hopefully), this will take care of the problem. I’m going to spend a few days on this so I may have a better solution soon.



  7. Mal

    Ok Bill, I look forward to what you come up with.
    Internet Security: reminds me of a movie, the Never Ending Story lol.

  8. Fred

    Bill is like a Knight with his sword taking on the dragon.
    The Dragon has all the power, all the unscrupulousness, yet, to date, the Knight finds ways to defeat the dragon, even if just for a time.
    Thanks Bill…

  9. Pingback: Bleachbit – Bill Mullins’ review « TTC Shelbyville – Technical Blog

  10. Excellent stuff Bill! I have never heard of the ever cookie, and think that you are spot on in your assessment. Evil little buggers.

    On the same thought I have been trying to force myself to use DuckDuckgo instead of Google for searches. I love their no tracking policy. But can’t quite shake the google habit. Lol!

    • Hey Dan,

      I have the same problem when using alternative search engines – I always think I’m missing something. Of course I’m not, since many alternative SEs rely on Google to begin with – but still….

      It’s interesting, that all of the readers who have commented on this article are either high level users, or IT Pros. I suppose that one needs the background to understand the kind of evil we’re dealing with here.



  11. John Bent

    Hi Bill,

    Another of your recommendations that I’ve downloaded without hesitation. Will give it a go as soon as I’ve finished checking out the tutorials.

    Thanks to your tireless efforts we can all sleep a little sounder knowing we have a champion in the battle against evil.

    As for the cyber criminals, let’s hope their next crap’s a hedgehog.

    Kind regards,

    • Hi John,

      It’s not often that I worry about the neighbours having to put up with my laughter. I’m sure though, that I could be heard down the street and around the corner this morning. A hedgehog crap, indeed. lol



  12. Chris A.

    Hello again Bill,

    I now feel fully educated about evercookies thanks to you. I use a few other browsers other than the ones that BleachBit is capable of cleaning so I decided to check for evercookies. SlimBoat (portable version) had evercookies present in a couple of locations and I confirmed this by running the test here using SlimBoat and several different user agents:

    It will show if DOM Storage is enabled in the browser.

    I simply added the location of the folders/ subfolders containing the evercookies to be cleaned by other software.

    I would never have known of their existence, let alone how to clean them up if I hadn’t read this article – so thanks!

    Chris A.

    • Hi Chris,

      A very interesting link. Had to chuckle though – the only LSO set was at this site. 🙂 That was expected though.

      I’ll write this up in the coming week.

      Thanks for this.



  13. RedNightHawk

    Hi Bill,

    I usually check the Options/Settings/Preferences of my browser after an upgrade to make sure I haven’t lost any settings and to see what’s new. I remember when I saw an option to allow HTML5 to use local storage (and a sub-option to delete any files on close) I refused to allow any local storage. I did that for the same reason I used to have my flash storage set to zero – I didn’t know what all the storage would be used for, and if it’s optional then it’s clearly not needed for the technology to work. I eventually wound up enabling local flash storage (some sites wouldn’t work without it enabled) once I got the NirSoft program that deleted LSO’s, and I used a program that sat in the tray and let me turn the flash bit on and off so I wouldn’t get cookies when I was just surfing, only when I actually wanted to see some particular flash content. My current most-used browser allows me to click on specific flash objects if I want to allow them. What a pain this all is (how inconvenient!), and here’s the kicker – just a few days ago, thanks to a link in your Tech Thoughts, I was reading about a tracking company trade group CEO telling Senators he thought the industry was doing a good job of policing itself and legislation wasn’t needed to control tracking, or protect privacy.

    When mechanical gadgets first started being made it was for convenience – to benefit us by freeing up time for other things. Now, in the information age, the CON part of convenience seems to be prevalent. Corporations know we’ll make poor decisions and put convenience above things like privacy, nutrition, financial well-being, etc. Too often a gadget or technological breakthrough is a mere piece of cheese, luring the consumer into a trap – the worst kind of trap: one which they never realize they’re in. Are we mice now, destined to live our lives running around the mazes they create for us?

    I’m reminded more and more of the opening of the TV series The Prisoner where Patrick McGoohan yells out, “I am not a number, I am a free man!” More and more there’s times when I feel like grabbing a CEO’s lapels and yelling, “I am not a consumer, I am a free man!” Think the message would get through?

    – RedNightHawk

    Dan Tapscott has an interesting series about privacy in the digital age on The Star’s website that you and your readers might be interested in:

    • Hey RedNightHawk,

      I could not have said that any better. Well thought out and convincing.

      Occasionally, a reader’s comment strikes such a note with me that I’ll take that comment and post it as a stand alone article. Your comment is a perfect example. I’m just now in the process of posting this as an article.

      BTW, I am a voracious Star reader but, I missed the linked article somehow. Thanks for that.



  14. delenn13

    I loved the TV series The Prisoner and Patrick McGoohan. Used to watch it on PBS.

    Hopefully they will run out of superlative nicknames the same time they stop inventing new privacy invaders/trackers. Ya think?

    No, I hadn’t heard of this one. I am still playing catch up so I downloaded it and deskcutted this page for reference.

    • Hey Delenn13,

      Same here – The Prisoner was a beauty.

      Nope, these airheads will continue to develop even more intrusive methods to grab personal data. The best we can hope for is the continuous development of countermeasures.

      A word of caution with this one – choose which files to clean very carefully. After the first time I ran it (not really paying attention), I had to run MozBackup to get Firefox back in shape.



  15. Bill,

    I am a senior that read about zombie cookies being used by web companies like a couple years back and of course forgot. If I was to use Bleach, how do I securely use it as to not destroy my win32 etc.?

    • Hi Reaper,

      It’s unlikely that an application like this would “destroy” an OS. However, should a user not carefully choose the items to be cleaned, it’s possible that user set application configurations can be changed. For example, when I first tested this app, I inadvertently wiped out my Firefox configuration and had to reinstall a backup. As well, since I wasn’t paying full attention, I wiped out Word’s recently opened Docs. Not a big deal, but annoying nevertheless.

      Two things to keep in mind:

      Use the developer’s help files to familiarize yourself with the settings you feel comfortable with.

      Prior to running the app create a restore point so that you have a fallback in the event the cleaning process has been too ambitious.