Zombiecookies, Evercookies and More

Posted by: Matt Kimmel

Cookies have become a pervasive and largely transparent element of the browsing experience. Unless your browser is set to ask before storing cookies, chances are you never have to deal with cookies, although you may deal with technical difficulties stemming from not storing them if that’s the behavior you’ve selected. Their functions range from the benign, like storing session data, to the less benign, such as allowing advertisers to track your browsing habits.

The next step in the evolution of cookies was the zombie cookie. A zombie cookie is any cookie which is able to reconstruct itself even after attempts to delete it. Obviously, if you think you’ve gotten rid of a cookie, only for an advertiser or other snooper to be able to find it at a later time, that’s a privacy risk. In September of 2010, the zombie cookie was spread far and wide when one implementation, called Evercookie, was released to the general public. Evercookie is little more than an exceptionally resilient zombie cookie, able to reproduce itself in up to 13 different locations. While cookies began as a method of remotely storing data, more and more malicious uses for them, from cookie poisoning to zombie cookies, were discovered. Now, according to this post, the only difference between some cookies and some viruses is the property of being executable.

The similarities to malicious software are so close, in fact, that lawsuits have been filed against the users of zombie cookies. One of the most interesting is against a company by the name of Ringleader Digital, which uses zombie cookies to track mobile devices, and a number of the companies which used their services. The six counts include causes of action under both civil and penal codes, the substance of which is based around Ringleader exceeding their authorized access, causing damage in excess of $5,000, and making money off it. The suit seeks class certification in order to aggregate the damages of the class.

A second lawsuit, Valdez v Quantcast et al., is a very similar suit launched against Quantcast, a more traditional online advertiser (as opposed to mobile), and uses similar causes of action. There has not been a final outcome in either case as of yet.

Similar lawsuits regarding tracking cookies in the early 2000s were unsuccessful, but because both the technology and the law have advanced in the intervening period, it may be possible for these suits to succeed where the others had failed. These cases are especially relevant during a time in which the FTC, according to some blogs, is mulling the creation of a Do-Not-Track list, akin to the Do-Not-Call list created to address the issues surrounding telemarketing.

