Wednesday, June 2, 2010

Flash Cookies and Supercookies

Additional link:
History sniffing by reading the 'visited' link style and via cache timing


Several browsers give you the option to select a privacy option that supposedly lets you surf the Web without leaving fingerprints. Don't believe it.
That option generally stops the browser from storing the URLs of pages you've visited in a pull down under the browser bar or recently visited tab. But it does nothing to conceal the pages and images you've viewed from advertisers who want to serve tailored ads to you, or even worse, from assorted snoops including private detectives and law enforcement agents.
The old solution, simply deleting cookies or clicking a setting that keeps your browser from accepting them, is much less effective than it used to be. That's because many Web sites are now using something called a "Flash cookie," which is maintained by the Adobe Flash plug-in on behalf of Flash applications embedded in Web pages, says Peter Eckersley, a researcher with the Electronic Frontier Foundation.
Unlike standard cookies, Flash cookies and a variation known as a supercookie are stored outside of the browser's control; users cannot view or directly delete them, and they never expire. Flash cookies can track users in all the ways traditional HTTP cookies do, and can be stored or retrieved whenever a user accesses a page containing a Flash application, says Eckersley.
In the not-so-old days, the worst that could happen is that you'd be tracked and served ads based on your browsing habits, or maybe you'd be unlucky enough to have someone else open your browser when you were away from the computer and get an ad that tips them off to what you've been doing online.
Now though, it appears that the information users voluntarily give to social networking sites, plus the data collected by the new breed of cookies, can be put together to actually identify an individual. "Social networking sites like Facebook, LinkedIn and MySpace are giving the hungry cloud of tracking companies an easy way to add your name, lists of friends, and other profile information to the records they already keep on you," says Eckersley.

Tip 1: If you use Firefox, an add-on called BetterPrivacy can bust flash cookies. It's free, and you can find it here.
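
To see which sites have left Flash cookies on a machine, the following sketch (an added example, not part of the original article and not BetterPrivacy's code) walks the Flash Player shared-object directory and totals the .sol files per site. The default directory locations and the `#SharedObjects/<random id>/<site>/` layout are assumptions about a standard Flash Player install, and `build_sample_tree` creates a constructed tree with made-up sites.

```python
import os
import sys
from collections import defaultdict
from pathlib import Path


def default_lso_roots():
    """Flash Player's default shared-object directories (assumed install paths)."""
    home = Path.home()
    roots = [home / ".macromedia/Flash_Player/#SharedObjects",  # Linux
             home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects"]  # macOS
    if os.environ.get("APPDATA"):  # Windows
        roots.append(Path(os.environ["APPDATA"]) / "Macromedia/Flash Player/#SharedObjects")
    return roots


def audit_lsos(root):
    """Return {site: (file_count, total_bytes)} for the .sol files under root."""
    report = defaultdict(lambda: [0, 0])
    root = Path(root)
    if not root.is_dir():
        return {}
    for sol in root.rglob("*.sol"):
        # Assumed layout: <root>/<random id>/<site>/.../<name>.sol
        parts = sol.relative_to(root).parts
        if len(parts) < 3:  # no site directory, so not a per-site object
            continue
        entry = report[parts[1].lower()]
        entry[0] += 1
        entry[1] += sol.stat().st_size
    return {site: tuple(v) for site, v in report.items()}


def build_sample_tree(base):
    """Create a constructed tree with made-up sites so the demo runs offline."""
    root = Path(base) / "#SharedObjects"
    for rel, size in [("ABCD1234/ads.example/track.sol", 120),
                      ("ABCD1234/ads.example/player/settings.sol", 40),
                      ("ABCD1234/video.example/prefs.sol", 64)]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00" * size)
    return root


if __name__ == "__main__":
    for root in [Path(p) for p in sys.argv[1:]] or default_lso_roots():
        for site, (count, size) in sorted(audit_lsos(root).items()):
            print(f"{site}: {count} file(s), {size} bytes")
```

Run with no arguments it checks the default locations; pass a directory to audit a different profile or a copied tree.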

Tip 2: Pick a good cookie policy for your browser, like "only keep cookies until I close my browser", or manual approval of all cookies.

Tip 3: Use the Firefox extensions RequestPolicy and NoScript to control when 3rd party sites can include content in your pages or run code in your browser, respectively. These tools are very effective, but be aware, says Eckersley, that they're hard to use: lots of sites that depend on JavaScript will need to be whitelisted before they work correctly.

Tip 4: Use the Targeted Advertising Cookie Opt-Out plugin. This will automatically opt you out of any 3rd party trackers who have an opt out somewhere that requires you to accept a cookie. Be aware that not all 3rd parties will offer opt outs, or that some of them may interpret "opt out" to mean "do not show me targeted ads", rather than "do not track my behavior online".

Facebook Privacy Traps

A clever, and very patient, reporter for the New York Times recently found that Facebook has more than 50 privacy-related buttons leading to approximately 170 choices. I can't guide you through that labyrinth but there are a number of commonsense steps you can take to minimize the damage if you don't push the right button.
[For step-by-step instructions to securing Facebook in light of the company's recent privacy flap, see CIO.com's Facebook Privacy Changes: 5 Can't Miss Facts.]
Tip 5: Never accept an app invitation from someone you don't know. And if the app looks suspicious, check it out using the Facebook app search.
Tip 7: Remember that once someone has your full date of birth (day, month, year), they are only a few steps away from having enough information to do some serious damage, such as hacking your bank account. So, be smart. Don't include it in your profile.

Tip 8: For the same reason, remove your ground address and phone number from your profile.
Tip 9: It may seem mean, but categorize people according to how well you know and trust them. Put them in groups; the better you know them, the more access they can have to your page.
