Your IP: Unknown · Your Status: Unprotected Protected

Blog In Depth

Super cookies: definition and removal

May 17, 2018 · 3 min read

Super cookies: definition and removal

What makes a supercookie super? Are they more delicious than regular cookies? Nope, not at all. Well, at least not for Internet users that cherish their privacy.

What are cookies?

Cookies are small packets of information left in your browser once you access certain websites. The cookie places information on your device to later identify the returning user. If you wish to keep your online activity to yourself, you’re not going to like them – some types of cookies can crawl and track you to websites you visit next, identifying your behavior patterns and more.

What are super cookies?

The name is rather misleading because supercookies are not actually cookies. Why so? Supercookies aren’t stored locally in your browser after being downloaded from websites, like regular cookies. Instead, they are injected at the network level as Unique Identifier Headers (UIDH). Simply speaking, a UIDH is a piece of information that makes your Internet connection unique.

In March 2016, the Federal Communications Commission (FCC) fined Verizon $1.35 million for using UIDH-type supercookies that let websites track Internet users without their knowledge.

As a response, Access Now – a non-profit organization dedicated to an open and free Internet – launched a tool Amibeingtracked.com where people could test whether their mobile carriers were monitoring them by injecting supercookies to their web requests. According to the study results, 15.3% of website visitors were being tracked by UIDHs.

Also, the study reported at least nine telecommunications providers that were using supercookies to monitor their customers’ online behavior. And this type of tracking is going global – mobile carriers in 10 countries around the world, including Canada, China, India, Mexico, Morocco, Peru, the Netherlands, Spain, the United States, and Venezuela, were found to have deployed tracking headers.

Are tracking cookies bad?

Tracking cookies aren’t harmful to your computer in a way that viruses and malware are. However, cookies threaten something more important than your device – your privacy.

Internet service providers can notoriously inject supercookies to improve their advertising business. Even if they’re not using the data themselves or selling it to other companies, third parties can independently identify tracking headers themselves and use the data to serve targeted ads for users across the web.

Supercookies gather data about your browsing habits, including which websites you visited and at what time. Also, they can access the data that regular cookies collect: login credentials, image and files cache and plug-ins data, even after cookies have been deleted.

What is worrying, Internet users have no control over supercookies, which threaten their privacy. Potential data leaks of private data collected, government surveillance, and exploits by cybercriminals are the key issues that may arise from the notorious use of supercookies.

Supercookie removal

Supercookies are mysterious yet powerful creatures – detecting and deleting them is close to a mission impossible. Supercookies aren’t stored in a web browser, so the traditional cookie clean-up won’t make them go away.

Supercookies might be sitting on your device without your knowledge, covertly tracking you when you browse from site to site. And here’s the worst part – you can’t delete them once they’re there.
What can be done to prevent supercookies being downloaded on your device?

Shielding yourself from supercookies is not that easy. Simply setting ‘Do not track’ in browser preferences doesn’t block tracking headers. Nor does browsing in private mode. Supercookies depend on HTTP connection, so encrypted connection to websites is what stops tracking headers from functioning.

Theoretically, visiting only HTTPS websites (the ones that use Secure Socket Layer (SSL) or Transport Layer Security (TLS) certificates) should help you avoid catching supercookies.

Are there any other options?

As a supercookie is a unique data packet that is injected into an HTTP request made through the ISP network, rerouting your Internet traffic through a different network can help. It may sound like rocket science, but it’s actually not – all you need is VPN. A virtual private network, such as NordVPN, encrypts your Internet connection all the way, making it impossible for the ISP to apply tracking headers.

If Verizon is your carrier, the most elegant way to avoid supercookies is to opt-out. After FCC’ investigation, Verizon was obliged to add an option for opting out from tracking and to ask for permission to share supercookies with third parties. Nevertheless, if you’re not 100% sure whether you should trust the carrier respecting your choice, it is wise to use the methods mentioned above to avoid supercookie-based tracking.


Elle Friberg
Elle Friberg successVerified author

Elle is a content writer at NordVPN. Being ever-curious, she always finds unexpected angles in the Internet privacy and security field to turn into gripping stories.


Subscribe to NordVPN blog