Cookie Wars

Lately the press has been on a rampage about user behavior being traced with browser cookies. Most of this attention ignored Flash cookies, until now. Not yet mentioned in the press are the other ways to leave cookies on your machine, including plug-ins, HTML5 or even (gasp) browser history.

I myself am not a fan of being tracked, so I do my best to control cookies. But cookies are a wonderful thing, so you can’t just turn them off. They are what enable your browser to remember your login information and preferences when you revisit a web page. We love these cookies. They are also used by site owners to track your settings while you are engaging with their site. We love these cookies too, but we don’t mind if they are deleted when you’ve left the site. Then there are the cookies from 3rd parties that a site allows onto their web pages, which are for the tracking your behavior but not helping you use the site. These cookies we don’t need.

Controlling Cookies and Flash Local Shared Objects

How do we support yet control cookies at the same time? The default cookie management tools across all browsers are poor. They either allow everything, block everything, or ask you to approve every new cookie as it flys by. The later is a tedious exercise at best.

On Firefox the answer is a pair of add-ons called CookieCuller and BetterPrivacy. These two add-ons conspire to give you a system clean of tracking cookies and Flash Local Shared Objects (LSO) every time you shut down your browser.

CookieCuller allows free reign to browser cookies but then deletes all but those that you have protected. How does this work? I want my browser to remember my Posterous login, so I use CookieCuller to protect my Posterous cookie. The rest of the cookies are deleted when I shut down my browser. I repeat this by manually protected all the sites I care about and I am golden. Actually, I’m not quite golden because sites tend to mix it up with cookies and start using cookies with new signatures, so you end up having to go in and protect a new cookie once in awhile (but not too often).

BetterPrivacy does a similar trick for Flash cookies, called Local Shared Objects (or LSO). Except in the case of Flash cookies I find there aren’t many that are actually needed, so I just let them all be deleted on browser shutdown.

Unfortunately other browsers do not have these add-ons, and the cookie management tools they do provide are simply inadequate to protect your privacy. These add-ons are the primary reason I am still on Firefox, as Google Chrome would otherwise look tempting.

Update (May 2011): Google Chrome now has an extension called Vanilla Cookie Manager that is even better then CookieCuller.

Other Ways of Tracking Users

Unfortunately there are a number of other techniques, aside from cookies and Flash LSOs, to deposit tracking turds on your machine. To start, any browser plug-in on your system theoretically has hooks to persist data. For example, Microsoft’s me-too answer to Flash called SilverLight mirrors Flash’s LSOs. In addition HTML5 introduces several different ways to persist data, including several HTML5 storage techniques and a local SQLite database.

A more inventive technique to persist data is to use your browser history. A site can pump your history with URLs by attempting to access various sites, then later make queries on URLs to see if they are in the history stack. By setting a specific set of URLs, then brute force querying the history, data can be reconstituted.

If this isn’t enough, you can use PNGs stored in the local cache to persist data. The technique involves encoding data into a PNG, at the server, and sending this to the client where it it cached. On a subsequent attempt to access page, the site returns a forged 403 Not Modified response, thus causing your browser to access its local cache. The cached image is retrieved and then applied to an HTML5 Canvas tag. Here you can read each pixel of the Canvas tag and extract any data that is encoded in the PNG.

What next?

The newer tracking techniques have, to my knowledge, not seen widespread use. However that may be about to change as libraries become available that encapsulate all of the above tricks into one, easy to use package. That’s a bit scary, or an opportunity, depending on which side of the fence you sit.

I hope we will see more effort on the part of the invidual browser developers to plug the privacy gaps. My money is on Mozilla to lead the way in this regard. They have a few interesting initiatives, including the Account Manager Project. There are others efforts such as xAuth that give users more control of how social is managed across sites. More is still needed on this front.