NEW YORK — Ironically, a trusty online privacy feature can now be reworked into a “super cookie” that tracks you like a bloodhound.
Any respectable Web browser has a “privacy mode,” a clean slate without the tiny bits of information (cookies) that identify you to websites. Google Chrome has “incognito.” Mozilla’s Firefox has “private window.”
But there’s a chink in privacy mode’s armor.
A software developer in London has discovered a string of code that can carry over from your regular session into private mode, rendering privacy mode somewhat useless.
For example, let’s say you use a regular browser to shop on Amazon and use Facebook. Then you launch privacy mode to visit a website that deserves more discretion, like a controversial blog.
If that blog uses the same ad network as Amazon or includes a Facebook “like” button, the advertisers and Facebook now know that “Joe the Amazon shopper” and “Joe the Facebook user” are also “Joe the controversial blog reader.”
There is a workaround, albeit annoying: You can either delete all your cookies before launching privacy mode, or you can dedicate a separate browser for privacy mode use only.
The problem, explained
The great irony is that the bug is caused by a feature designed to increase your privacy.
Some Web browsers remember if you used the prefix https:// in the address bar to secure your communication on a given website. The browser saves a super cookie that ensures the next time you connect, it defaults to the more secure https channel. It remembers that even if you launch private mode.
But that super cookie lets third-party Web programs — like advertisements or social media buttons — remember you too.
Sam Greenhalgh, the independent researcher who revealed this, said in a blog post that he hasn’t seen super cookies used by companies yet. But now that this method is public knowledge, there’s nothing stopping them.
Eugene Kuznetsov, co-founder of the online privacy software company Abine, sees super cookies as the next wave of intrusive trackers. It started with cookies and has grown more complex. Now, there are unique device IDs (on smartphones and tablets) and unique browser fingerprints, which are harder to shake off.
Super cookies just make it even trickier to stay anonymous online.
“What we have here is a privacy arms race,” Kuznetsov said. “This desire to track Internet users is like a parasite. Anything you put in a browser is constantly being examined by websites and advertisers to implement more tracking.”
Mozilla has issued a fix for the latest version of Firefox. But Google has opted to leave Chrome vulnerable. Google had known about the super cookie issue but kept Chrome’s https-remembering function alive, choosing security over privacy.
And Microsoft’s Internet Explorer isn’t vulnerable to this, because it doesn’t even have the https-remembering security feature built in.
You cannot escape “super cookies” on iOS devices, though, Greenhalgh said.