Evercookie

{{Update|inaccurate=yes|date=October 2022|talk=Not so "difficult to delete" after all...|reason=methods used by Evercookie weren't working in modern browsers since 2016-2018}}

{{Short description|JavaScript application programming interface}}

[[File:Tor_Stinks.pdf|thumb|page=7|"Tor Stinks" presentation, page 7]]

Evercookie (also known as supercookie{{Cite journal|last1=Bujlow|first1=Tomasz|last2=Carela-Espanol|first2=Valentin|last3=Lee|first3=Beom-Ryeol|last4=Barlet-Ros|first4=Pere|date=2017|title=A Survey on Web Tracking: Mechanisms, Implications, and Defenses|url=http://dx.doi.org/10.1109/jproc.2016.2637878|journal=Proceedings of the IEEE|volume=105|issue=8|pages=1476–1510|doi=10.1109/jproc.2016.2637878|hdl=2117/108437|s2cid=2662250|issn=0018-9219|hdl-access=free}}) is an open-source JavaScript application programming interface (API) that identifies and recreates intentionally deleted cookies in the client's browser storage.{{Cite book|last1=Acar|first1=Gunes|last2=Eubank|first2=Christian|last3=Englehardt|first3=Steven|last4=Juarez|first4=Marc|last5=Narayanan|first5=Arvind|last6=Diaz|first6=Claudia|title=Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security |chapter=The Web Never Forgets |date=2014|chapter-url=http://dx.doi.org/10.1145/2660267.2660347|pages=674–689|location=New York, New York, USA|publisher=ACM Press|doi=10.1145/2660267.2660347|isbn=978-1-4503-2957-6|s2cid=8127620}} This behavior is known as a zombie cookie.
It was created by Samy Kamkar in 2010 to demonstrate how websites that use respawning can undermine users' privacy.{{Cite journal|last1=Bashir|first1=Muhammad Ahmad|last2=Wilson|first2=Christo|date=2018-10-01|title=Diffusion of User Tracking Data in the Online Advertising Ecosystem|journal=Proceedings on Privacy Enhancing Technologies|volume=2018|issue=4|pages=85–103|doi=10.1515/popets-2018-0033|s2cid=52088002|issn=2299-0984|doi-access=free}} Websites that have adopted this mechanism can identify users even if they attempt to delete the previously stored cookies.{{Cite journal|last1=Kramár|first1=Tomáš|last2=Barla|first2=Michal|last3=Bieliková|first3=Mária|date=2013-02-01|title=Personalizing search using socially enhanced interest model, built from the stream of user's activity|url=https://dl.acm.org/doi/abs/10.5555/2481562.2481565|journal=Journal of Web Engineering|volume=12|issue=1–2|pages=65–92|issn=1540-9589}}

In 2013, Edward Snowden leaked a top-secret NSA document that showed Evercookie can track users of Tor, the anonymity network.{{Cite journal|last1=Kobusińska|first1=Anna|last2=Pawluczuk|first2=Kamil|last3=Brzeziński|first3=Jerzy|date=2018|title=Big Data fingerprinting information analytics for sustainability|url=http://dx.doi.org/10.1016/j.future.2017.12.061|journal=Future Generation Computer Systems|volume=86|pages=1321–1337|doi=10.1016/j.future.2017.12.061|s2cid=49646910|issn=0167-739X|url-access=subscription}} Many popular companies use functionality similar to Evercookie to collect user information and track users.{{Cite journal|last1=Koop|first1=Martin|last2=Tews|first2=Erik|last3=Katzenbeisser|first3=Stefan|date=2020-10-01|title=In-Depth Evaluation of Redirect Tracking and Link Usage|journal=Proceedings on Privacy Enhancing Technologies|volume=2020|issue=4|pages=394–413|doi=10.2478/popets-2020-0079|issn=2299-0984|doi-access=free}} Further research on fingerprinting and search engines also draws inspiration from Evercookie's ability to track a user persistently.{{Cite journal|last1=Al-Fannah|first1=Nasser Mohammed|last2=Mitchell|first2=Chris|date=2020-01-07|title=Too little too late: can we control browser fingerprinting?|url=http://dx.doi.org/10.1108/jic-04-2019-0067|journal=Journal of Intellectual Capital|volume=21|issue=2|pages=165–180|doi=10.1108/jic-04-2019-0067|s2cid=212957853|issn=1469-1930|url-access=subscription}}

By the late 2010s, most modern browsers had implemented ways to remove evercookies with minimal effort, notably by closing the evercookie tab and then clearing website data in the browser.{{Cite journal |last=Schmidt |first=Jonathan |date=6 March 2020 |title=Does the dark side still have (ever)cookies? |url=https://faui1-files.cs.fau.de/public/publications/df/df-whitepaper-18.pdf |format=pdf |journal=Technischer Bericht |issue=18}}

Background

Three commonly used client-side data stores are HTTP cookies, Flash cookies and HTML5 storage; other mechanisms exist as well.{{Cite web|last1=Zhiju|first1=Yang|last2=Chuan|first2=Yue|date=2020-04-01|title=A Comparative Measurement Study of Web Tracking on Mobile and Desktop Environments|url=https://doaj.org/|access-date=2020-12-11|website=Proceedings on Privacy Enhancing Technologies|language=en}} When a user visits a website for the first time, the web server may generate a unique identifier and store it in the user's browser or local storage.{{Cite journal|last1=Yue|first1=Chuan|last2=Xie|first2=Mengjun|last3=Wang|first3=Haining|date=September 2010|title=An automatic HTTP cookie management system|url=http://dx.doi.org/10.1016/j.comnet.2010.03.006|journal=Computer Networks|volume=54|issue=13|pages=2182–2198|doi=10.1016/j.comnet.2010.03.006|issn=1389-1286|url-access=subscription}} On future visits the website can read the stored identifier to recognize the user, which lets it save the user's preferences and display targeted advertisements. Due to privacy concerns, all major browsers include mechanisms for deleting and/or refusing cookies from websites.{{Cite journal|last1=Fouad|first1=Imane|last2=Bielova|first2=Nataliia|last3=Legout|first3=Arnaud|last4=Sarafijanovic-Djukic|first4=Natasa|date=2020-04-01|title=Missed by Filter Lists: Detecting Unknown Third-Party Trackers with Invisible Pixels|journal=Proceedings on Privacy Enhancing Technologies|volume=2020|issue=2|pages=499–518|doi=10.2478/popets-2020-0038|issn=2299-0984|doi-access=free|arxiv=1812.01514}}

In response to users' increasing unwillingness to accept cookies, many websites employ methods to circumvent users' deletion of cookies.{{Cite journal|last1=Cook|first1=John|last2=Nithyanand|first2=Rishab|last3=Shafiq|first3=Zubair|date=2020-01-01|title=Inferring Tracker-Advertiser Relationships in the Online Advertising Ecosystem using Header Bidding|journal=Proceedings on Privacy Enhancing Technologies|volume=2020|issue=1|pages=65–82|doi=10.2478/popets-2020-0005|issn=2299-0984|doi-access=free|arxiv=1907.07275}} Starting in 2009, several research teams found that popular websites, including hulu.com, foxnews.com and spotify.com, used Flash cookies, ETags and various other data stores to rebuild cookies that users had deleted.{{Cite book|last1=Acar|first1=Gunes|last2=Eubank|first2=Christian|last3=Englehardt|first3=Steven|last4=Juarez|first4=Marc|last5=Narayanan|first5=Arvind|last6=Diaz|first6=Claudia|title=Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security |chapter=The Web Never Forgets |date=2014|chapter-url=http://dl.acm.org/citation.cfm?doid=2660267.2660347|language=en|location=Scottsdale, Arizona, USA|publisher=ACM Press|pages=674–689|doi=10.1145/2660267.2660347|isbn=978-1-4503-2957-6|s2cid=8127620}}{{Cite journal|last1=Soltani|first1=Ashkan|last2=Canty|first2=Shannon|last3=Mayo|first3=Quentin|last4=Thomas|first4=Lauren|last5=Hoofnagle|first5=Chris Jay|date=2009-08-10|title=Flash Cookies and Privacy|url=https://papers.ssrn.com/abstract=1446862|language=en|location=Rochester, NY|doi=10.2139/ssrn.1446862 |ssrn=1446862|s2cid=6414306 |url-access=subscription}}{{Cite journal|last1=Ayenson|first1=Mika D.|last2=Wambach|first2=Dietrich James|last3=Soltani|first3=Ashkan|last4=Good|first4=Nathan|last5=Hoofnagle|first5=Chris Jay|date=2011-07-29|title=Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning|url=https://papers.ssrn.com/abstract=1898390|language=en|location=Rochester, NY|doi=10.2139/ssrn.1898390 |ssrn=1898390|url-access=subscription}} In 2010, Samy Kamkar, a Californian programmer, built the Evercookie project to further illustrate the tracking mechanism by respawning identifiers across the various storage mechanisms available in browsers.

Description

Evercookie allows website authors to identify users even after those users have attempted to delete cookies.{{Cite journal|last=Andrés|first=José Angel González|date=2011-07-01|title=Identity Denial in Internet|url=http://dx.doi.org/10.5211/iys.10.article6|journal=Inteligencia y Seguridad|volume=2011|issue=10|pages=75–101|doi=10.5211/iys.10.article6|issn=1887-293X|url-access=subscription}} Samy Kamkar released v0.4 beta of Evercookie on September 13, 2010, as an open-source project.{{cite web|title=Samy Kamkar - Evercookie|url=http://www.samy.pl/evercookie}}{{cite web | title=Evercookie source code | website=GitHub| url=https://github.com/samyk/evercookie/commits/master| date=2010-10-13 | access-date=2010-10-28 }}{{cite web | title=Schneier on Security - Evercookies | url=http://www.schneier.com/blog/archives/2010/09/evercookies.html | date=2010-09-23 | access-date=2010-10-28 }} Evercookie is capable of respawning deleted HTTP cookies by storing the cookie value in multiple storage systems typically exposed by web browsers. When a browser visits a website that runs the Evercookie API on its server, the web server can generate an identifier and store it in each storage mechanism available in that browser. If the user removes some but not all of the stored copies and revisits the website, the web server retrieves the identifier from the storage areas the user failed to clear and then copies it back into the previously cleared storage areas.{{Citation|title=Tackling Cross-Site Scripting (XSS) Attacks in Cyberspace|date=2015-10-06|url=http://dx.doi.org/10.1201/b19311-18|work=Securing Cyber-Physical Systems|pages=350–367|publisher=CRC Press|doi=10.1201/b19311-18|isbn=978-0-429-09104-9|access-date=2020-12-11|url-access=subscription}}

By abusing the various available storage mechanisms, Evercookie creates persistent identifiers, because users are unlikely to clear every storage mechanism.{{cite web | title=It is possible to kill the evercookie | url=https://arstechnica.com/security/news/2010/10/it-is-possible-to-kill-the-evercookie.ars | date=2010-10-27}} The list provided by Samy Kamkar for the v0.4 beta names 17 storage mechanisms that Evercookie uses whenever the browser makes them available.
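The respawning loop described above, as an added example (not code from the Evercookie project): in-memory objects stand in for the browser's cookie jar, localStorage, IndexedDB and so on, a visit reads the identifier from any store that still has it and writes it back everywhere, and a before/after comparison of the kind a privacy crawler performs flags the stores in which a cleared identifier reappeared. Store names and identifiers are constructed for the demonstration; no browser APIs are used.

```javascript
// Each simulated store holds a single value, like one cookie slot.
function makeStore(name) {
  let value = null;
  return {
    name,
    get: () => value,
    set: (v) => { value = v; },
    clear: () => { value = null; },
  };
}

// Illustrative subset of the storage mechanisms the article lists.
function makeStores() {
  return ['cookie', 'localStorage', 'sessionStorage', 'indexedDB', 'cacheETag']
    .map(makeStore);
}

// One page visit: take the identifier from any store that still holds it
// (or mint a fresh one), then write it into every store. This is the
// respawning step: partially cleared stores are silently refilled.
function visit(stores, mintId) {
  const surviving = stores.map((s) => s.get()).filter((v) => v !== null);
  const id = surviving.length > 0 ? surviving[0] : mintId();
  stores.forEach((s) => s.set(id));
  return id;
}

// Snapshot of every store, keyed by name, for before/after comparison.
function snapshot(stores) {
  return Object.fromEntries(stores.map((s) => [s.name, s.get()]));
}

// Detection: a store that was empty before the visit and afterwards holds a
// value some other store already had is evidence of respawning.
function detectRespawn(before, after) {
  const known = new Set(Object.values(before).filter((v) => v !== null));
  return Object.keys(after).filter(
    (name) => before[name] === null && after[name] !== null && known.has(after[name]),
  );
}

// Runs two visits with a user-controlled clearing step in between and reports
// whether the site saw the same identifier and where it was respawned.
function runScenario(clearFn) {
  const stores = makeStores();
  let counter = 0;
  const mintId = () => `id-${++counter}`;
  const firstId = visit(stores, mintId);
  clearFn(stores);
  const before = snapshot(stores);
  const secondId = visit(stores, mintId);
  return { sameId: firstId === secondId, respawnedIn: detectRespawn(before, snapshot(stores)) };
}

// User clears cookies and localStorage only: the identifier comes back.
function partialClearScenario() {
  return runScenario((stores) => stores
    .filter((s) => s.name === 'cookie' || s.name === 'localStorage')
    .forEach((s) => s.clear()));
}

// User clears every store (what "clear website data" does): the site has
// nothing to respawn from and must mint a new identifier.
function fullClearScenario() {
  return runScenario((stores) => stores.forEach((s) => s.clear()));
}
```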

Samy Kamkar claims that he did not intend to use the Evercookie project to violate internet users' privacy or to sell it to any party for commercial use. However, it has served as an inspiration for commercial websites that later implemented similar mechanisms to restore user-deleted cookies.{{citation needed|date=July 2022}} The Evercookie project is open source, meaning anyone can access and examine the code, or use it for any purpose. The project incorporates HTML5 storage as one of its storage mechanisms; HTML5 had been released six months before the project and gained public attention due to the added persistence it offered. Kamkar wished his project to demonstrate how users' privacy can be infiltrated by contemporary tracking tools.{{Cite news|last=Vega|first=Tanzina|author-link=Tanzina Vega|date=2010-10-11|title=New Web Code Draws Concern Over Privacy Risks (Published 2010)|language=en-US|work=The New York Times|url=https://www.nytimes.com/2010/10/11/business/media/11privacy.html|access-date=2020-12-06|issn=0362-4331}} In 2010, one way to prevent Evercookie respawning was a Firefox browser plug-in named "Anonymizer Nevercookie™".{{ cite news |last=Lennon |first=Mike |date=2010-11-10 |title=Nevercookie Eats Evercookie With New Firefox Plugin |url=https://www.securityweek.com/nevercookie-eats-evercookie-new-firefox-plugin |access-date=2022-07-25 }}

The storage mechanisms incorporated in the Evercookie project are continually updated, adding to Evercookie's persistence. Because it bundles many existing tracking methods, Evercookie provides an advanced tracking tool that reduces the redundancy of the data collection methods used by many commercial websites.{{Cite journal|last=Nielsen|first=Janne|date=2019-10-02|title=Experimenting with computational methods for large-scale studies of tracking technologies in web archives|url=http://dx.doi.org/10.1080/24701475.2019.1671074|journal=Internet Histories|volume=3|issue=3–4|pages=293–315|doi=10.1080/24701475.2019.1671074|s2cid=208121899|issn=2470-1475|url-access=subscription}}{{Cite journal|last1=Samarasinghe|first1=Nayanamana|last2=Mannan|first2=Mohammad|date=November 2019|title=Towards a global perspective on web tracking|url=http://dx.doi.org/10.1016/j.cose.2019.101569|journal=Computers & Security|volume=87|pages=101569|doi=10.1016/j.cose.2019.101569|s2cid=199582679|issn=0167-4048|url-access=subscription}} An increasing number of commercial websites adopted the idea of Evercookie and built upon it by incorporating new storage vectors. In 2014, a research team at Princeton University conducted a large-scale study of three persistent tracking tools: Evercookie, canvas fingerprinting, and cookie syncing. The team crawled and analyzed the top 100,000 Alexa websites and detected a new storage vector, IndexedDB, incorporated into an Evercookie mechanism and used by weibo.com. The team claimed this was the first observed commercial use of IndexedDB. Moreover, the researchers discovered that cookie syncing is used in conjunction with Evercookie. Cookie syncing allows data sharing between different storage mechanisms, facilitating Evercookie's respawning process across storage locations in users' browsers. The team also discovered instances of Flash cookies respawning HTTP cookies, and of HTTP cookies respawning Flash cookies, on commercial websites. Those two mechanisms differ from the Evercookie project in the number of storage mechanisms employed, but they follow the same principle. Among the sites the research team crawled, 10 out of 200 websites used Flash cookies to rebuild HTTP cookies. Nine of the observed sites belonged to China (sina.com.cn, weibo.com, hao123.com, sohu.com, ifeng.com, youku.com, 56.com, letv.com, and tudo.com). The other website identified was yandex.ru, a top search engine in Russia.{{citation needed|date=July 2022}}

Applications

A research team from the Slovak University of Technology proposed a mechanism for search engines to infer Internet users' intended search terms and produce personalized search results. Queries from Internet users often carry multiple meanings and span different fields, so the search engine's results contain a large amount of information, much of it unrelated to what the searcher wanted. The authors proposed that a searcher's identity and preferences are strong indicators of a query's meaning and can greatly reduce the ambiguity of the search terms. The research team built a metadata-based model that extracts users' information with evercookie, and integrated this user interest model into the search engine to improve the personalization of the search results. The team was aware that traditional cookies can easily be deleted by experiment subjects, leading to incomplete experimental data, so it relied on evercookie's persistence instead.

Controversial applications

= KISSmetrics privacy lawsuit =

On Friday, July 29, 2011, a research team at the University of California, Berkeley crawled the top 100 U.S. websites as ranked by Quantcast. The team found that KISSmetrics, a third-party provider of marketing analytics tools, used HTTP cookies, Flash cookies, ETags, and some but not all of the storage mechanisms employed in Samy Kamkar's Evercookie project to respawn information that users had deleted. Other popular websites, such as hulu.com and spotify.com, employed KISSmetrics to respawn HTML5 storage and first-party HTTP cookies. The research team claimed this was the first time ETag respawning had been observed in a commercial setting.
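The ETag respawning reported above, as an added example (not KISSmetrics' or Evercookie's code): a simulated HTTP exchange in which the server's cache validator carries the identifier, the client's cache echoes it back in If-None-Match after the cookie is gone, and the Set-Cookie on the reply recreates the cookie. Header names are real HTTP; the server, client model and identifiers are constructed, and the client revalidates on every request for brevity.

```javascript
// Server side: a tracking-pixel endpoint that prefers the cookie, falls back
// to the identifier the browser echoes back in If-None-Match, and otherwise
// mints a new one. Every reply re-issues both the cookie and the ETag.
function makeServer() {
  let counter = 0;
  return function handle(req) {
    const cookieMatch = (req.headers.cookie || '').match(/uid=([^;]+)/);
    const fromETag = (req.headers['if-none-match'] || '').replace(/"/g, '');
    const id = cookieMatch ? cookieMatch[1] : (fromETag || `u${++counter}`);
    const recognised = Boolean(cookieMatch || fromETag);
    // 304 tells the client to keep its cached copy, so the ETag lives on.
    return {
      status: recognised && fromETag === id ? 304 : 200,
      headers: { etag: `"${id}"`, 'set-cookie': `uid=${id}` },
      id,
      recognised,
    };
  };
}

// Client side: a minimal browser model with separate cookie jar and HTTP
// cache, which is exactly why clearing only one of them is not enough.
function makeClient() {
  const state = { cookies: {}, cache: {} };
  return {
    state,
    request(url, server) {
      const headers = {};
      if (state.cookies.uid) headers.cookie = `uid=${state.cookies.uid}`;
      if (state.cache[url]) headers['if-none-match'] = state.cache[url].etag;
      const res = server({ url, headers });
      const [name, value] = res.headers['set-cookie'].split('=');
      state.cookies[name] = value;                    // cookie (re)created
      if (res.status === 200) state.cache[url] = { etag: res.headers.etag };
      return res;
    },
    clearCookies() { state.cookies = {}; },
    clearCache() { state.cache = {}; },
  };
}

// Two visits with a clearing step in between; reports whether the server
// linked them and whether the deleted cookie came back.
function runScenario(clear) {
  const server = makeServer();
  const client = makeClient();
  const first = client.request('/pixel.gif', server);
  clear(client);
  const second = client.request('/pixel.gif', server);
  return {
    sameId: first.id === second.id,
    recognised: second.recognised,
    status: second.status,
    cookieRespawned: client.state.cookies.uid === first.id,
  };
}

// Clearing cookies alone: the cached ETag restores the same identifier.
function cookiesOnlyCleared() {
  return runScenario((c) => c.clearCookies());
}

// Clearing cookies and cache: nothing survives, a fresh identifier is minted.
function cookiesAndCacheCleared() {
  return runScenario((c) => { c.clearCookies(); c.clearCache(); });
}
```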

On the day the report was published, Hulu and Spotify announced that they had suspended their use of KISSmetrics pending further investigation.{{Cite web|title=Researchers Call Out Websites for Tracking Users via Stealth Tactics|url=https://www.law.berkeley.edu/article/researchers-call-out-websites-for-tracking-users-via-stealth-tactics/|access-date=2020-12-06|website=Berkeley Law|date=10 August 2011 |language=en-US}} Two consumers sued KISSmetrics for violating user privacy.{{Cite web|title=KISSmetrics, Hulu Sued Over New Tracking Technology|url=https://www.mediapost.com/publications/article/155032/kissmetrics-hulu-sued-over-new-tracking-technolog.html|access-date=2020-12-06|website=www.mediapost.com|language=en}} KISSmetrics revised its privacy policy over the weekend, stating that the company fully respected customers' wishes if they chose not to be tracked. On August 4, 2011, KISSmetrics' CEO Hiten Shah denied that KISSmetrics had implemented Evercookie or the other tracking mechanisms mentioned in the report, and claimed the company only used legitimate first-party cookie tracking. On October 19, 2012, KISSmetrics agreed to pay over $500,000 to settle the accusations and promised to refrain from using Evercookie.{{Cite web|title=KISSmetrics Settles Supercookies Lawsuit|url=https://www.mediapost.com/publications/article/185581/kissmetrics-settles-supercookies-lawsuit.html|access-date=2020-12-06|website=www.mediapost.com|language=en}}{{Cite journal|last=Drury|first=Alexandra|date=2012|title=How Internet Users' Identities Are Being Tracked and Used|url=https://journals.tulane.edu/TIP/article/view/2613|journal=Tulane Journal of Technology & Intellectual Property|language=en|volume=15|issn=2169-4567}}

= NSA Tor tracking =

In 2013, an internal National Security Agency (NSA) presentation revealed by Edward Snowden suggested that Evercookie was used in government surveillance to track Tor users.{{Cite web|title=Tor stinks|url=https://www.aclu.org/sites/default/files/assets/tor_stinks.pdf|website=edwardsnowden.com}} The Tor Blog responded to the leaked document in a post assuring users that the Tor Browser Bundle and the Tails operating system provide strong protections against evercookie.{{Cite journal|date=August 2013|title=TOR attacked – possibly by the NSA|url=http://dx.doi.org/10.1016/s1353-4858(13)70086-2|journal=Network Security|volume=2013|issue=8|pages=1–2|doi=10.1016/s1353-4858(13)70086-2|issn=1353-4858|url-access=subscription}}{{Cite journal|last1=Vlajic|first1=Natalija|last2=Madani|first2=Pooria|last3=Nguyen|first3=Ethan|date=2018-04-03|title=Clickstream tracking of TOR users: may be easier than you think|url=http://dx.doi.org/10.1080/23742917.2018.1518060|journal=Journal of Cyber Security Technology|volume=2|issue=2|pages=92–108|doi=10.1080/23742917.2018.1518060|s2cid=169615236|issn=2374-2917|url-access=subscription}}

Public attitudes towards data tracking

Evercookie, like many other newly emerged persistent tracking technologies, is a response to internet users' tendency to delete cookies. In this system of information exchange, some consumers believe they are compensated with greater personalization, or sometimes even financially, by the companies involved.{{Cite journal|last1=Martin|first1=Kelly D.|last2=Murphy|first2=Patrick E.|date=2016-09-22|title=The role of data privacy in marketing|url=http://dx.doi.org/10.1007/s11747-016-0495-4|journal=Journal of the Academy of Marketing Science|volume=45|issue=2|pages=135–155|doi=10.1007/s11747-016-0495-4|s2cid=168554897|issn=0092-0703|url-access=subscription}} Recent related research, however, shows a gap between the expectations of consumers and those of marketers.{{Cite journal|last1=Chen|first1=G.|last2=Cox|first2=J. H.|last3=Uluagac|first3=A. S.|last4=Copeland|first4=J. A.|date=Third Quarter 2016|title=In-Depth Survey of Digital Advertising Technologies|url=https://ieeexplore.ieee.org/document/7390161|journal=IEEE Communications Surveys and Tutorials|volume=18|issue=3|pages=2124–2148|doi=10.1109/COMST.2016.2519912|s2cid=32263374|issn=1553-877X|url-access=subscription}} A Wall Street Journal survey found that 72% of respondents felt offended when they saw targeted advertisements while browsing the internet. Another survey found that 66% of Americans felt negatively about how marketers track their data to generate individualized content. In another survey, 52% of respondents said they would like to turn off behavioral advertising.{{Cite book|last=Korolova|first=A.|title=2010 IEEE International Conference on Data Mining Workshops |chapter=Privacy Violations Using Microtargeted Ads: A Case Study |date=December 2010|chapter-url=https://ieeexplore.ieee.org/document/5693335|pages=474–482|doi=10.1109/ICDMW.2010.137|isbn=978-1-4244-9244-2|s2cid=206785467|url=http://repository.cmu.edu/jpc/vol3/iss1/3 }} Data tracking persists, however.{{Cite journal|last1=Mellet|first1=Kevin|last2=Beauvisage|first2=Thomas|date=2019-09-02|title=Cookie monsters. Anatomy of a digital market infrastructure|url=http://dx.doi.org/10.1080/10253866.2019.1661246|journal=Consumption Markets & Culture|volume=23|issue=2|pages=110–129|doi=10.1080/10253866.2019.1661246|s2cid=203058303|issn=1025-3866|url-access=subscription}}{{Citation|title=Dataveillance and Countervailance|date=2013|url=https://escholarship.org/content/qt2b12683k/qt2b12683k.pdf?t=pv72tb|work="Raw Data" Is an Oxymoron|publisher=The MIT Press|doi=10.7551/mitpress/9302.003.0009|isbn=978-0-262-31232-5|s2cid=199828237 |access-date=2020-12-11 |last1=Raley |first1=Rita |pages=121–146 }}

See also

  • {{annotated link|Zombie cookie}}
  • {{annotated link|Device fingerprint}}
  • {{annotated link|Canvas fingerprinting}}
  • {{annotated link|HTTP cookie}}
  • {{annotated link|Local shared object|Flash cookie (Local shared object)}}
  • {{annotated link|Web storage}}
  • {{annotated link|Indexed Database API}}
  • {{annotated link|Web SQL Database}}
  • {{annotated link|Google Gears}}
  • {{annotated link|Web tracking}}
  • {{annotated link|Real-time bidding}}
  • {{annotated link|Web browser}}
  • {{annotated link|Internet privacy}}
  • {{annotated link|HTML5}}
  • {{annotated link|JavaScript}}
  • {{annotated link|API}}
  • {{annotated link|Cache (computing)}}
  • {{annotated link|Browser security}}
  • {{annotated link|Browser extension}}

References

{{reflist|30em}}

{{Hacking in the 2010s}}

Category:Internet privacy software

Category:Malware