Zombie cookie
A zombie cookie is any HTTP cookie that is recreated after deletion from backups stored outside the web browser's dedicated cookie storage. This makes them very difficult to remove. These cookies may be installed on a web browser that has opted to not receive cookies since they do not completely rely on traditional cookies.

Purpose

Web analytics collecting companies use cookies to track Internet usage and pages visited for marketing research. Sites that want to collect user statistics will install a cookie from a traffic tracking site that will collect data on the user. As that user surfs around the web, the cookie will add more information for each site that uses the traffic tracking cookie and send it back to the main tracking server.

Zombie cookies allow the web traffic tracking companies to retrieve information such as previous unique user ID and continue tracking personal browsing habits. Zombie cookies work across browsers on the same machine since the data is kept in folders that are common to all browsers.

Zombie cookies are also used to remember unique IDs used for logging in to websites. This means that for a user that deletes all his cookies regularly, a site using this would still be able to personalize to that specific user. This helps the site appear more consistent and professional to its users. For a site that wishes to ban a certain user, a zombie cookie may be installed. This prevents the user from being able to simply delete the cookie and create a new login.

Implications

A user that doesn't want to be tracked may choose to decline third-party cookies or delete cookies after each browsing session. Deleting all cookies will prevent some sites from tracking a user, but it may also interfere with sites that users want to remember them. Removing tracking cookies is not the same as declining cookies. If cookies are deleted, this causes the data collected by tracking companies to become fragmented. For example, counting the same person as two separate unique users would falsely increase this particular site's unique user statistic. This is why some tracking companies use a type of zombie cookie.

Implementation

According to TRUSTe: “You can get valuable marketing insight by tracking individual users’ movements on your site. But you must disclose your use of all personally identifiable information in order to comply with the Fair Information Practices guidelines.” The following storage mechanisms are available:
  • Standard HTTP cookies
  • Storing cookies in and reading out web history
  • Storing cookies in HTTP ETags
  • Internet Explorer userData storage (starting with IE9, userData is no longer supported)
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Local Shared Objects (Flash cookies)
  • Silverlight Isolated Storage
  • Cookie syncing scripts that function as a cache cookie and respawn the MUID cookie


If a user is not able to remove the cookie from every one of these data stores, then the cookie will be recreated in all of these stores on the next visit to the site that uses that particular cookie. Every company has its own implementation of zombie cookies and those are kept proprietary. An open-source implementation of zombie cookies, called Evercookie, is available. This is an educational example that is intended to show the numerous possible places for zombie cookies to be hidden.
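Respawning can be confirmed from the user's side by comparing storage snapshots taken before clearing cookies, after clearing them, and after revisiting the site. The following is an added example, not code from this article or from Evercookie; the snapshot shape, store names and sample values are constructed assumptions.

```javascript
'use strict';
// Snapshot shape (assumed): { storeName: { key: value, ... }, ... }
// Short values such as "en" or "1" are ignored so flags are not mistaken for IDs.
const MIN_ID_LENGTH = 8;

// List the non-cookie stores in a snapshot that hold `value` under any key.
function storesHolding(snapshot, value) {
  const hits = [];
  for (const [store, entries] of Object.entries(snapshot)) {
    if (store === 'cookies') continue;
    for (const [key, v] of Object.entries(entries)) {
      if (v === value) hits.push(`${store}:${key}`);
    }
  }
  return hits.sort();
}

// A cookie is "respawned" when the exact value the user deleted comes back.
// A fresh random ID after deletion is ordinary behaviour and is not flagged.
function findRespawnedCookies(before, afterClear, afterRevisit) {
  const findings = [];
  for (const [name, value] of Object.entries(before.cookies || {})) {
    if (String(value).length < MIN_ID_LENGTH) continue;
    const deleted = !(name in (afterClear.cookies || {}));
    const returned = (afterRevisit.cookies || {})[name] === value;
    if (deleted && returned) {
      // Stores that still held the value after clearing are the likely backups.
      findings.push({ cookie: name, value, backups: storesHolding(afterClear, value) });
    }
  }
  return findings;
}

// Constructed sample data: the user cleared only the browser's cookie jar.
const ID = 'a91f3c07d2e44b18';
const otherStores = {
  localStorage: { _u: ID },
  etag: { '/pixel.png': ID },
  flashLSO: { 'tracker.sol': ID },
};
const before = { cookies: { uid: ID, lang: 'en', sid: 'sess-000111222' }, ...otherStores };
const afterClear = { cookies: {}, ...otherStores };
const afterRevisit = { cookies: { uid: ID, lang: 'en', sid: 'sess-999888777' }, ...otherStores };

const report = findRespawnedCookies(before, afterClear, afterRevisit);
console.log(JSON.stringify(report, null, 2));
```

An empty `backups` list for a respawned cookie means the identifier was restored from a store the snapshot did not cover.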

Controversy

Zombie cookies were first documented at UC Berkeley, where it was noticed that cookies kept coming back after they were deleted over and over again. This was cited as a serious privacy breach. If you delete a cookie, it should remain deleted. Since most users are barely aware of these storage methods, it's unlikely that users will ever delete all of them. From the Berkeley report, “few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe”.

Ringleader Digital made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases. The only way to opt out of the tracking was to use the company's opt-out link which gives no confirmation. This resulted in a lawsuit against Ringleader Digital filed by Fears | Nachawati Law Firm and Wilson Trosclair & Lovins.

A lawsuit was filed in the United States District Court for the Central District of California against Clearspring and affiliated sites owned by Walt Disney Internet Group, Warner Bros and others. It said that Adobe Flash cookies are planted to "track Plaintiffs and Class Members that visited non-Clearspring Flash Cookie Affiliates websites by having their online transmissions intercepted, without notice or consent".

Two "supercookie" mechanisms were found on Microsoft websites in 2011, including cookie syncing that respawned MUID cookies. Due to media attention, Microsoft later disabled this code.
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.