Super Cookies, A Threat to Security?

What if the cookie could be in the computer or cell phone and not be detectable, therefore not removable, or it could re-spawn itself after deletion?

Gary Audin

November 5, 2010


We know what cookies are. They may be annoying, useful or ignorable. What if the cookie could be in the computer or cell phone and not be detectable, therefore not removable, or it could re-spawn itself after deletion?

So far, six class action lawsuits have been filed in the U.S. District Court for the Central District of California claiming that this new kind of cookie is really hacking the computer or cell phone without the users' knowledge or permission. Think about the consequences for the ICT staff and user if this is allowed to continue. With more devices supporting more functions of UC, what data could be gathered from the users' devices? Could this prove harmful to the employee and employer? If not stopped, what else could be deemed legal that future cookies may accomplish?

According to Wikipedia:

A cookie is a piece of text stored by a user's web browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data.

A cookie consists of one or more name-value pairs containing bits of information, which may be encrypted for information privacy and data security purposes. Cookies can be cleared to restore file storage space. If not manually deleted by the user, cookies [should] usually have an expiration date associated with them.

Once that date has passed, the cookies stored by the client will automatically be deleted. Due to the browser mechanism to set and read cookies, they can be used as spyware.

A Wall Street Journal article of September 27, 2010, "Cookies Cause Bitter Backlash" stimulated this blog. The article points out that court decisions in 2001 and 2003 made inserting small text files (cookies) in a computer-based device legal.

The tracking industry is now a $23 billion business. So there are many interested parties that do not want these new cookie types banned. Adobe has a technology called "Flash cookies". Flash is a common way to show video online. Marketers can use the Flash cookie to track users online. Flash cookies can be used to re-spawn deleted cookies, a practice that Adobe condemns.

Mobile tracking is another case where the cookie can be used to help the user but could also be used to track the user's movements. One of the lawsuits contends that it is difficult to block the cookie. One company, Ringleader Digital Inc., assigns a unique ID number for iPhones, like a cookie. The ID number is re-spawned moments after the user deletes it. You can't get rid of the ID number, which can be used for mobile tracking purposes.

Congress and regulators are considering what to do about this issue. Is this new cookie legal? So far, yes. Can regulations be created to stop this cookie distribution? The House of Representatives has two bills pending on this issue that would limit the use of these cookies. This assumes that, given the contentious political climate, something will be done in Congress.

New privacy guidelines are expected from the Federal Trade Commission by the end of 2010. A do-not-track registry may be one of the FTC solutions. Considering how often I receive calls that I don't want, even though I am on the do-not-call list, I hope this no-tracking idea is better enforced. The do-not-call list applies to consumer phone numbers, not business numbers. Does this mean the new cookies would be legal on business devices? I hope not.

Two other Wall Street Journal articles of interest on this subject are "Sites Feed Personal Details to the New Tracking Industry" and "The Web's Gold Mine: Your Secrets". Both articles were published July 30, 2010 and provide additional information on this issue.

About the Author

Gary Audin

Gary Audin is the President of Delphi, Inc. He has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia, Asia and Caribbean. He has advised domestic and international venture capital and investment bankers in communications, VoIP, and microprocessor technologies.

For 30+ years, Gary has been an independent communications and security consultant. Beginning his career in the USAF as an R&D officer in military intelligence and data communications, Gary was decorated for his accomplishments in these areas.

Mr. Audin has been published extensively in the Business Communications Review, ACUTA Journal, Computer Weekly, Telecom Reseller, Data Communications Magazine, Infosystems, Computerworld, Computer Business News, Auerbach Publications and other magazines. He has been Keynote speaker at many user conferences and delivered many webcasts on VoIP and IP communications technologies from 2004 through 2009. He is a founder of the ANSI X.9 committee, a senior member of the IEEE, and is on the steering committee for the VoiceCon conference. Most of his articles can be found on www.webtorials.com and www.acuta.org. In addition to www.nojitter.com, he publishes technical tips at www.Searchvoip.com.