A zombie cookie is a piece of data, usually used for tracking users, which is created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser, similar to regular HTTP cookies, but with mechanisms in place to prevent the deletion of the data by the user. Zombie cookies can be stored in multiple locations; because failing to remove every copy makes the removal reversible, they can be difficult to remove. Since they do not rely entirely on normal cookie protocols, the visitor's web browser may continue to recreate deleted cookies even though the user has opted not to receive cookies.
Purpose
Web analytics collecting companies use cookies to track Internet usage and pages visited for marketing research.
Sites that want to collect user statistics will install a cookie from a traffic tracking site that will collect data on the user. As that user surfs around the web, the cookie will add more information for each site that uses the traffic tracking cookie and send it back to the main tracking server.
Zombie cookies allow web traffic tracking companies to retrieve information such as a previous unique user ID and continue tracking personal browsing habits. When the user ID is stored outside of a single browser's cookie storage, such as in a header injected by the network into HTTP requests, zombie cookies can track users across browsers on the same machine.
Zombie cookies are also used to remember unique IDs used for logging into websites. This means that for a user who deletes all their cookies regularly, a site using this would still be able to personalize to that specific user.
Implications
A user who does not want to be tracked may choose to decline or block third party cookies or delete cookies after each browsing session. Deleting all cookies will prevent some sites from tracking a user but it may also interfere with sites that users want to remember them. Removing tracking cookies is not the same as declining cookies. If cookies are deleted, the data collected by tracking companies becomes fragmented. For example, counting the same person as two separate unique users would falsely increase this particular site's unique user statistic. This is why some tracking companies use a type of zombie cookie.
Implementation
According to TRUSTe: "You can get valuable marketing insight by tracking individual users' movements on your site. But you must disclose your use of all personally identifiable information in order to comply with the Fair Information Practices guidelines".
Possible places in which zombie cookies may be hidden include:
* Standard HTTP cookies
* Storing cookies in and reading out web history
* Storing cookies in HTTP ETags
* Internet Explorer userData storage (starting IE9, userData is no longer supported)
* HTML5 Session Storage
* HTML5 Local Storage
* HTML5 Global Storage
* HTML5 Database Storage via SQLite
* Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
* Local shared objects (Flash cookies)
* Silverlight Isolated Storage
* Cookie syncing scripts that function as a cache cookie and respawn the MUID cookie
* TCP Fast Open
* TLS's Session ID
If a user is not able to remove the cookie from every one of these data stores, then the cookie will be recreated in all of these stores on the next visit to the site that uses that particular cookie. Each company has its own implementation of zombie cookies, and these are kept proprietary. An open-source implementation of zombie cookies, called Evercookie, is available.
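The respawning described above can be detected the way a privacy audit would: snapshot the browser's stores before clearing cookies, after clearing, and after revisiting the site, then look for cookies that return with the same value while a copy survived elsewhere. The JavaScript below is an added example, not code from Evercookie or any tracking vendor; the snapshot shape, store names and sample values are constructed for illustration.

```javascript
// Snapshot shape (an assumption of this example): { storeName: { key: value } },
// with "cookies" as the store the user clears.
const MIN_ID_LENGTH = 8; // skip short values ("1", "en") that match by chance

function findRespawnedCookies(before, afterClear, afterRevisit) {
  const has = (obj, k) => Object.prototype.hasOwnProperty.call(obj || {}, k);
  const findings = [];
  for (const [name, value] of Object.entries(before.cookies || {})) {
    const wasCleared = !has(afterClear.cookies, name);
    const cameBack = has(afterRevisit.cookies, name) &&
                     afterRevisit.cookies[name] === value;
    if (!wasCleared || !cameBack || value.length < MIN_ID_LENGTH) continue;

    // Which non-cookie stores still held the identifier after the clear?
    const sources = [];
    for (const [store, entries] of Object.entries(afterClear)) {
      if (store === "cookies") continue;
      for (const [key, stored] of Object.entries(entries || {})) {
        // Substring match: the ID may be wrapped, e.g. quoted inside an ETag.
        if (String(stored).includes(value)) sources.push(`${store}:${key}`);
      }
    }
    // Same value with no surviving copy is more likely a site default.
    if (sources.length > 0) findings.push({ cookie: name, value, sources });
  }
  return findings;
}

// Constructed sample: "uid" is mirrored in localStorage and an ETag cache entry.
function demo() {
  const ID = "u-7f3a9c21d4"; // constructed identifier
  const survivors = {
    localStorage: { uid_backup: ID },
    etag: { "/pixel.png": `"${ID}"` },
    sessionStorage: {},
  };
  const before = { cookies: { uid: ID, lang: "en", theme: "dark-mode" }, ...survivors };
  const afterClear = { cookies: {}, ...survivors };
  const afterRevisit = { cookies: { uid: ID, theme: "dark-mode" }, ...survivors };
  return findRespawnedCookies(before, afterClear, afterRevisit);
}

console.log(JSON.stringify(demo(), null, 2));
```

Only `uid` is reported: `theme` also returns with the same value, but no surviving store holds it, so it is treated as a re-set default rather than a respawn.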
Controversies
In 2015, TURN, an online advertising clearinghouse, introduced zombie cookies based on Flash Local Shared objects ("Zombie Cookie: The Tracking Cookie That You Can't Kill"). Privacy advocates quickly denounced the technology.
An academic study of zombie cookies was completed in 2009 by a team of researchers at UC Berkeley, where they noticed that cookies which had been deleted kept coming back, over and over again. They cited this as a serious privacy breach. Since most users are barely aware of the storage methods used, it is unlikely that users will ever delete them all. From the Berkeley report: "few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe."
Ringleader Digital made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases. The only way to opt out of the tracking was to use the company's opt-out link, which gives no confirmation. This resulted in a lawsuit against Ringleader Digital.
The Zombie Cookie lawsuits were filed against Quantcast, Clearspring, VideoEgg, and affiliated sites owned by Walt Disney Internet Group, Warner Bros. and others. According to the charges, Adobe Flash cookies are planted to "track Plaintiffs and Class Members that visited non-Clearspring Flash Cookie Affiliates websites by having their online transmissions intercepted, without notice or consent".
Two "supercookie" mechanisms were found on Microsoft websites in 2011, including cookie syncing that respawned MUID cookies. Due to media attention, Microsoft later disabled this code.
Consumer outrage related to Flash cookies and violation of consumers' privacy caused U.S. Congressional Hearings, led by Senators Al Franken and John Rockefeller. Reportedly, the "Zombie Cookie", aka Flash Cookie filings, forced Adobe Systems Inc. to stop processing Flash cookies on 98% of all consumers' computing devices.
The online advertising clearinghouse TURN implemented zombie cookies on Verizon mobile phones, using a hidden, unremovable number by which Verizon could track customers. After an article by ProPublica revealed this fact in January 2015, TURN claimed it had suspended usage of their zombie cookies.
External links
Device Fingerprint - Site that demonstrates the way zombie cookies are restored