Your IP: Unknown · Your Status: Unprotected Protected

Blog In Depth

Super cookies: definition and removal

May 17, 2018 · 3 min read

Super cookies: definition and removal

What makes a supercookie super? Are they more delicious than regular cookies? Nope, not at all. Well, at least not for Internet users that cherish their privacy.

What are cookies?

Cookies are small packets of information left in your browser when you access certain websites. The cookie places information on your device to later identify the returning user. If you want to keep your online activity to yourself, you’re not going to like them – some types of cookies can crawl and track you to the websites you visit next, identifying your behavior patterns and more.

What are super cookies?

The name is rather misleading because supercookies are not actually cookies. Why so? Supercookies aren’t stored locally in your browser after being downloaded from websites like regular cookies are. Instead, they are injected at the network level as Unique Identifier Headers (UIDH). Simply speaking, a UIDH is a piece of information that makes your Internet connection unique.

In March 2016, the Federal Communications Commission (FCC) fined Verizon $1.35 million for using UIDH-type supercookies that let websites track Internet users without their knowledge.

In response, Access Now – a non-profit organization dedicated to an open and free Internet – launched a tool called Amibeingtracked.com where people could test whether their mobile carriers were monitoring them by injecting supercookies to their web requests. According to the study results, 15.3% of website visitors were being tracked by UIDHs.

The study also reported at least nine telecommunications providers that were using supercookies to monitor their customers’ online behavior. This type of tracking is going global – mobile carriers in 10 countries around the world, including Canada, China, India, Mexico, Morocco, Peru, the Netherlands, Spain, the United States, and Venezuela, were found to have deployed tracking headers.

Are tracking cookies bad?

Tracking cookies aren’t harmful to your computer in the way that viruses and malware are. However, cookies threaten something more important than your device – your privacy.

Internet service providers can notoriously inject supercookies to improve their advertising business. Even if they’re not using the data themselves or selling it to other companies, third parties can independently identify tracking headers themselves and use the data to serve targeted ads for users across the web.

Supercookies gather data about your browsing habits, including which websites you visited and at what time. They can also access the data that regular cookies collect: login credentials, image and file caches, and plug-in data – even after your other cookies have been deleted.

The worst part is that Internet users have no control over this threat to their privacy. Supercookies could lead to the leaking of private data, government surveillance, and exploits by cybercriminals.

Supercookie removal and prevention

Supercookies are mysterious yet powerful creatures – detecting and deleting them is close to “mission: impossible.” Supercookies aren’t stored in a web browser, so the traditional cookie clean-up won’t make them go away.

Shielding yourself from supercookies is not that easy. Simply setting ‘Do not track’ in your browser preferences doesn’t block tracking headers. Nor does browsing in private mode. Supercookies depend on HTTP connections, so making an encrypted connection with a website stops tracking headers from functioning.

Theoretically, visiting only HTTPS websites (those that use Secure Socket Layer (SSL) or Transport Layer Security (TLS) certificates) should help you avoid catching supercookies.

Are there any other options?

Because a supercookie is a unique data packet that is injected into an HTTP request made through the ISP network, rerouting your Internet traffic through a different network can help. It may sound like rocket science, but it’s actually not – all you need is a VPN. A virtual private network, such as NordVPN, encrypts your Internet connection, making it impossible for the ISP to apply tracking headers.

If Verizon is your carrier, the most elegant way to avoid supercookies is to opt out. After the FCC’s investigation, Verizon was obliged to add the option to opt out from tracking and to ask for permission to share supercookies with third parties. Nevertheless, if you’re not 100% sure whether you should trust the carrier respecting your choice, it is wise to use the methods mentioned above to avoid supercookie-based tracking.


Elle Friberg
Elle Friberg successVerified author

Elle is a content writer at NordVPN. Being ever-curious, she always finds unexpected angles in the Internet privacy and security field to turn into gripping stories.


Subscribe to NordVPN blog