
It’s a war all right

In a blog post announcing a security-focused release of the Firefox browser, Mozilla described how ingeniously-constructed ‘supercookies’ work:

[to reduce bandwidth and other overhead] if the same image is embedded on multiple websites, Firefox will load the image from the network during a visit to the first website and on subsequent websites would traditionally load the image from the browser’s local image cache…

Unfortunately, some trackers have found ways to abuse these shared resources to follow users around the web. In the case of Firefox’s image cache, a tracker can create a supercookie by “encoding” an identifier for the user in a cached image on one website, and then “retrieving” that identifier on a different website by embedding the same image.

Constructing trackers with this level of sophistication, and getting these shared images distributed across websites, is not a trivial effort.

For this effort to make monetary sense, advertising and tracking companies need to collect vast amounts of data on a vast number of people – including you and me – so that even when a tiny fraction of it is useful, it makes enough money to pay for all the engineering and distribution. That means you’re up against a machine that is as aggressive as it is technically sophisticated.

Likewise, Mozilla. How does Firefox disrupt supercookie tracking without fetching an image afresh every time, even if it’s the same image?

[Firefox] still load(s) cached images when a user revisits the same site, but we don’t share those caches across sites. We now partition network connections and caches by the website being visited. Trackers can abuse caches to create supercookies and can use connection identifiers to track users. But by isolating caches and network connections to the website they were created on, we make them useless for cross-site tracking.

Given the vast number of websites that the average person jumps through over any given week, this is not easy to pull off.
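
The difference between a shared and a partitioned cache comes down to the cache key. The toy model below is an added example, not Mozilla's code and not part of the quoted post; the class, the function names, the `.example` hosts and the assumption that the third party serves a distinct body on each network fetch are all constructed for illustration.

```javascript
// Toy model of a browser HTTP cache. Constructed for illustration; not Firefox code.
class ModelCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map();
  }
  // Shared cache: key is the resource URL alone.
  // Partitioned cache: key also includes the top-level site being visited.
  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite}|${url}` : url;
  }
  // Return the cached body, or fetch once from the "network" and cache it.
  load(topLevelSite, url, fetchFromNetwork) {
    const k = this.key(topLevelSite, url);
    if (!this.store.has(k)) this.store.set(k, fetchFromNetwork());
    return this.store.get(k);
  }
}

// Assumption: the third party returns a distinct body on every network fetch,
// which is what lets a cached copy act as an identifier.
function makeThirdParty() {
  let n = 0;
  return () => `body-${++n}`;
}

// Visit each site in order; every page embeds the same third-party image.
function browse(partitioned, sites) {
  const cache = new ModelCache(partitioned);
  const fetchImage = makeThirdParty();
  const url = "https://thirdparty.example/pixel.png"; // hypothetical URL
  return sites.map((site) => ({ site, body: cache.load(site, url, fetchImage) }));
}

// True if two different top-level sites were served the same cached body.
function linkableAcrossSites(visits) {
  const firstSite = new Map();
  for (const { site, body } of visits) {
    if (firstSite.has(body) && firstSite.get(body) !== site) return true;
    if (!firstSite.has(body)) firstSite.set(body, site);
  }
  return false;
}

const sites = ["news.example", "shop.example", "news.example"]; // constructed
for (const partitioned of [false, true]) {
  const visits = browse(partitioned, sites);
  console.log(partitioned ? "partitioned" : "shared", visits.map((v) => v.body),
    "linkable:", linkableAcrossSites(visits));
}
```

In the partitioned run the second visit to `news.example` still hits the cache, so the bandwidth saving on a revisit is kept while the copy seen on `shop.example` is a different one.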

I don’t use the term ‘war’ lightly. But this is absolutely a war on your privacy.

It doesn’t matter whether you value your data or not (you should); the point is that you don’t get to choose. Supercookies show that an immense amount of know-how and engineering is being deployed to strip you of your privacy. Firefox, in turn, has put in a similar amount of counter-engineering to neutralise that threat.

Make sure you move to Firefox, an open source project whose only incentive is to protect you. And keep it updated. And donate to Mozilla.