The term super cookies has become a popular one in recent weeks, which have seen browsers adding updates in an attempt to stop super cookies from infringing on users’ privacy while also protecting themselves from potential regulatory fines. Robert Meyers, channel solutions architect and fellow of information privacy from One Identity, explains more about the issue.
What are super cookies and why are internet browsers keen to stop them?
Normal web cookies act as little pieces of information that websites can save to remember things about you. Crucially though, for privacy’s sake, users can opt out of them, block them or flat out delete them. Super cookies, however, respawn via scripts or maintain locations outside of the normal locations for normal web cookies.
Additionally, they may constantly track the browser and normally users would need a VPN to avoid them. Note that there is no specific single use for these (good or bad). At some points, super cookies have been part of malware, and at others they have been used by legitimate parties such as individual Internet Service Providers (ISPs) for tracking users.
Browsers are concerned about the potential security, privacy and legal challenges linked to them
Super cookies track whatever they are designed to track to enable other parties to gather a profile on you. They can be connected to other services; some that people will like and some they will not. In the end, however, they really should not exist. Since super cookies are designed to quietly track a user, they are a privacy violation if undisclosed in many geographical areas – think GDPR, LGPD, CCPA/CPRA, etc. This could land browsers in hot water if they don’t take action. In fact, several browsers such as Firefox, Chrome and Safari have released updates to help combat super cookies, though it’s a constantly moving target. And what makes them worse is that they are designed to be hard to get rid of, by way of being hidden or being able to respawn.
What can users do?
This is why, when it comes down to it, super cookies should be treated as malware. When possible, use a VPN, activate private browsing sessions, or when accessing privileged business accounts, use a privileged browsing session tool. You need to protect your privacy and your company’s data. Never believe that your browsing is 100% secure, sadly – unless you are always in private mode over a VPN. Even then… if it’s the ISP tracking you, it could be problematic at best.