Attack of the Unstoppable 'Zombie Cookie'

By Mark Wilson, Esq. on January 15, 2015 11:38 AM

In October, one of our "13 Legal Tech Stories Scarier Than Dracula or Wolfman" was the news that Verizon and AT&T were injecting a unique identifying number into the Internet traffic of subscribers who used Verizon Wireless cell data to surf the Web. This number could be used to tailor advertising to a particular device.

In a terrifying confluence of puns, that story has risen from the dead in the form of "zombie cookies" that can't be killed.

Must ... Eat ... Demographics

Marketing company Turn is among the first to exploit the unique ID, called a Unique Identifier Header (UIDH), ProPublica reported Wednesday. By linking the unique tracking number to a cookie, Turn can use the UIDH "to respawn tracking cookies that users have deleted," allowing advertisers to track individuals across multiple websites and advertise at them, whether they like it or not.

AT&T stopped using the tracking number after the public found out about it, but Verizon just kept on keeping on. "It is unlikely that sites and ad entities will attempt to build customer profiles for online advertising or any other purpose using the UIDH," Verizon assured customers. That assurance apparently lasted all of three months.

Incredibly, notes ProPublica, Turn thinks that people really do want to be advertised at: "Turn says that when users clear their cookies, it does not consider that a signal that users want to opt out from being tracked." Turn's logic? Users clearly all know that when a cookie is deleted, it's not really deleted; therefore, deleting a cookie is not an indication that a user doesn't want to be tracked.

Your Right to (Some) Privacy

Zombie cookies have been around since 2005, when they appeared in Flash objects. A 2009 study of so-called Flash cookies at UC Berkeley showed that more than half of the sites tested used Flash cookies "to store information about the user." In 2011, security researchers discovered Microsoft using a "supercookie" to track visitors to its websites. Microsoft dipped into the old PR playbook by claiming the cookies' behavior was the result of a glitch, reported InfoWorld, which described the mechanism by which the supercookie operated. The description doesn't leave one with a deep and powerful sense that the supercookie was an accident.

The tension between increasingly targeted advertising and online privacy is as high as it's ever been, as the promise of advertising tailored to each individual is about the only thing keeping websites like Facebook profitable. Websites can make nominal claims about respecting privacy, but at the end of the day, that privacy cuts into their bottom line. They make money only if users are tracked broadly enough that algorithms can generate accurate profiles that will advertise uniquely to individual users.
