Cookies, Fingerprinting & Co.: Tracking Methods Clearly Explained

What is the difference between cookies, supercookies and evercookies? Which fingerprinting methods are used by trackers? We provide answers and tips on how you can protect yourself from being tracked online.


Björn Greif, Editor

You have probably heard of cookies and perhaps fingerprinting in connection with online tracking. But do you also know what is behind them and what different variants there are? We introduce the most common techniques that tracker operators use to track you across the web and monitor your browsing behavior. We also explain how you can protect yourself from the different tracking methods.

Tracking can be defined as collecting data points over multiple different web pages and sites, which can be linked to individual users via a unique user identifier. The generation of these identifiers can be stateful, where the browser saves an identifier locally on your device (cookies, supercookies, evercookies), or stateless, where information about your browser and/or network is used to create a unique fingerprint (canvas fingerprinting, audio fingerprinting, JavaScript tracking). In the following we explain these methods in detail.

A cookie is a small text file that is stored on your computer or mobile device for a certain period of time when you visit a website. It contains, for example, log-in data or the current content of your shopping cart. Browser cookies are used to “mark” a visitor of a website in order to recognize them and their settings later on.

Cookies are the most common method of tracking users across multiple websites. Third-party tracking cookies store data about visited websites to log the user’s browsing history over a long period of time. They land on your device via embedded image files (advertising banners or counting pixels). Fortunately, it is pretty easy to delete or block third-party cookies in your browser settings. More information below.

Supercookies contain a unique identifier which allows trackers to link records in their data to track your browsing history and browsing behavior (e.g., visited websites including the length of your stay). One example is Flash cookies (also known as Local Shared Objects or LSOs), which, in contrast to standard cookies, work independently of the browser and do not have an expiry date. They are stored locally and can be removed manually. To prevent them from being stored on your device at all, you should set the Flash plugin in your browser to not load Flash objects at all or only with your consent. To do this, select the options “Never activate” or “Ask to activate”.

Evercookies are extremely persistent and difficult to get rid of once they are on your device. Their purpose is to identify a user even after they have removed standard cookies, Flash cookies, and others. Evercookies use different storage mechanisms to store data in different formats in multiple locations on your device. If cookie data is removed, it is immediately recovered from an alternative storage location.
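The recovery behavior described above can be detected by comparing storage snapshots taken before deleting cookies, right after deleting them, and after the next page load. The following is an added example, not part of the original article; the snapshot format, key names and identifier value are constructed for illustration.

```javascript
// Constructed storage snapshots for one site (sample data, not real identifiers).
const before = {
  cookie: { uid: "a91f3c77e2d04b16", lang: "en" },
  localStorage: { _u: "a91f3c77e2d04b16", theme: "dark" },
  indexedDB: { backup: "a91f3c77e2d04b16" },
};
// Right after the user deleted cookies only.
const afterClear = { ...before, cookie: {} };
// After the next page load: both cookies are back.
const afterReload = { ...before };

// Report entries of `store` that were deleted, came back with the same value,
// and whose value survived the deletion in some other storage location.
function findRespawned(before, afterClear, afterReload, store) {
  const findings = [];
  for (const [key, value] of Object.entries(before[store] || {})) {
    const wasDeleted = !(key in (afterClear[store] || {}));
    const cameBack = (afterReload[store] || {})[key] === value;
    if (!wasDeleted || !cameBack) continue;
    const sources = [];
    for (const [other, entries] of Object.entries(afterClear)) {
      if (other === store) continue;
      for (const [k, v] of Object.entries(entries)) {
        if (v === value) sources.push(`${other}.${k}`);
      }
    }
    // A value that returns without a surviving copy (e.g. a default language
    // setting) is not evidence of respawning.
    if (sources.length > 0) findings.push({ key, value, sources });
  }
  return findings;
}

// Storage locations that must be wiped together to stop the respawn.
function storesToClear(findings, store) {
  const stores = new Set([store]);
  for (const f of findings) {
    for (const s of f.sources) stores.add(s.split(".")[0]);
  }
  return [...stores].sort();
}

const findings = findRespawned(before, afterClear, afterReload, "cookie");
console.log(findings, storesToClear(findings, "cookie"));
```

The `lang` cookie also reappears, but it is not reported because no copy of its value survived in another storage location.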

Fingerprinting can be used to identify individual devices or users and track them across multiple websites even when cookies are turned off. As the name implies, a “fingerprint” of the system is created, which serves as a unique identifier. For a long time, this tracking technology was only successful if the user did not use several browsers in parallel. Today fingerprinting also allows tracking of a user across multiple browsers on the same device.

The most common fingerprinting method is canvas fingerprinting. A tracking script generates a so-called canvas image, which is loaded in the background and contains a short text. The rendering of the image varies slightly depending on operating system, browser, graphics chip, graphics driver, and installed fonts. This minimal difference is sufficient to identify the device, and thus the user, and to recognize them with high probability when they visit another website that uses the same tracking method.
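A detection-side view of the canvas technique described above, as an added example that is not part of the original article: a simplified heuristic that flags scripts which draw text to a canvas and then read the pixels back. The call-log format, the threshold and all URLs are assumptions constructed for the illustration.

```javascript
// Constructed log of canvas API calls, as an instrumented browser or extension
// might record them (sample data; the field names are assumptions).
const calls = [
  { script: "https://tracker.example/fp.js", canvas: 1, method: "fillText",
    arg: "Cwm fjordbank glyphs vext quiz" },
  { script: "https://tracker.example/fp.js", canvas: 1, method: "toDataURL" },
  { script: "https://shop.example/chart.js", canvas: 2, method: "fillText",
    arg: "Revenue by quarter" },                       // drawn, never read back
  { script: "https://photo.example/edit.js", canvas: 3, method: "fillText",
    arg: "Holiday in the mountains" },
  { script: "https://photo.example/edit.js", canvas: 3, method: "toDataURL",
    arg: "image/jpeg" },                               // lossy export
  { script: "https://cdn.example/thumb.js", canvas: 4, method: "fillText", arg: "v1" },
  { script: "https://cdn.example/thumb.js", canvas: 4, method: "getImageData" },
];

const MIN_DISTINCT_CHARS = 10; // assumed threshold for this example

// Flag scripts that write varied text to a canvas and later extract its pixels
// in a lossless form, the pattern the rendering differences depend on.
function findCanvasFingerprinters(log) {
  const drawn = new Map(); // "script|canvas" -> set of characters drawn so far
  const flagged = new Set();
  for (const c of log) {
    const id = `${c.script}|${c.canvas}`;
    if (c.method === "fillText" || c.method === "strokeText") {
      const chars = drawn.get(id) || new Set();
      for (const ch of String(c.arg ?? "")) chars.add(ch);
      drawn.set(id, chars);
    } else if (c.method === "toDataURL" || c.method === "getImageData") {
      // Lossy formats blur the small rendering differences, so an export as
      // JPEG or WebP is treated as ordinary image handling.
      const lossy = c.method === "toDataURL" &&
                    /^image\/(jpeg|webp)$/i.test(c.arg || "");
      const chars = drawn.get(id);
      if (!lossy && chars && chars.size >= MIN_DISTINCT_CHARS) flagged.add(c.script);
    }
  }
  return [...flagged];
}

console.log(findCanvasFingerprinters(calls));
```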

Besides canvas fingerprinting, other widespread fingerprinting methods make use of browser APIs for sound, battery status or real-time communication (WebRTC). For example, audio fingerprinting calculates a sound sequence instead of a canvas image, which differs slightly depending on the browser version and system configuration. These differences are sufficient to uniquely identify a device or a user and to recognize them the next time they visit a website. For the same purpose, a lot of user data can also be obtained using common JavaScript functionality.

Using all these methods, tracking operators collect massive amounts of data from which they create detailed user profiles, which they use for marketing purposes or resell. They deliberately ignore the users’ desire to browse the Internet unobserved. The more the advertising industry knows about users, the more money it can earn. Highly personal information is stored in the databases of the tracking companies, from which conclusions can be drawn, not only about an individual’s financial situation, interests and shopping plans, but also about his or her sexual orientation, health, political views and religious beliefs.

How to Protect Yourself

Modern browsers provide basic protection against cookie tracking: In the settings you can specify that cookies are automatically removed when they expire or when you exit the browser. You may also block third-party cookies in your browser settings. Setting up a new user profile in your browser is also often helpful to get rid of cookies. With Cliqz you are always on the safe side: No matter what settings you have in your browser, our anti-tracking intelligently blocks third-party cookies so that they cannot be used for tracking purposes.

Cliqz’s AI-powered anti-tracking technology implemented in the Cliqz Browser and Ghostery’s anti-tracking tool reliably protects users from being identified by third-party cookies or fingerprinting. It detects when a third-party tracker tries to retrieve unique identifiers or values that could be used as such and replaces the requested data with random values. This ensures that your identity and privacy on the web are always protected. Another advantage of our smart anti-tracking technology is that it protects you from trackers without breaking website functionality.
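The idea of replacing identifier-like values in third-party requests with random values can be sketched as follows. This is an added example, not Cliqz's or Ghostery's code: the identifier heuristic, the two-label site comparison, the function names and all URLs are assumptions made for the illustration.

```javascript
// Web Crypto: a global in browsers and recent Node.js, otherwise from the Node module.
const webCrypto = globalThis.crypto ?? require("crypto").webcrypto;

// Simplification: treat the last two host labels as the site. Production code
// would consult the Public Suffix List instead.
const site = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// Assumed heuristic: long tokens mixing letters and digits look like user IDs.
function looksLikeIdentifier(value) {
  return value.length >= 10 && /^[\w-]+$/.test(value) &&
         /[0-9]/.test(value) && /[a-z]/i.test(value);
}

// Random hex string of the requested length (one hex digit per random byte).
function randomToken(length) {
  const bytes = webCrypto.getRandomValues(new Uint8Array(length));
  return Array.from(bytes, (b) => (b & 15).toString(16)).join("");
}

// Rewrite a request made from `pageUrl`: first-party requests pass unchanged,
// third-party requests get identifier-like query values replaced.
function sanitizeRequest(pageUrl, requestUrl) {
  const url = new URL(requestUrl);
  const replaced = [];
  if (site(pageUrl) !== site(requestUrl)) {
    for (const [key, value] of [...url.searchParams]) {
      if (looksLikeIdentifier(value)) {
        url.searchParams.set(key, randomToken(value.length));
        replaced.push(key);
      }
    }
  }
  return { url: url.toString(), replaced };
}

// Constructed sample requests (not real traffic).
const page = "https://news.example/article";
const thirdParty = "https://pixel.tracker.example/collect?uid=a91f3c77e2d04b16&page=sports&v=2";
const firstParty = "https://static.news.example/app.js?session=a91f3c77e2d04b16";
console.log(sanitizeRequest(page, thirdParty));
console.log(sanitizeRequest(page, firstParty));
```

Non-identifying parameters such as `page=sports` are left intact, which is what keeps the embedded content working while the identifier no longer links requests to one user.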