What Is Evercookie and Why You Should Avoid It for Privacy’s Sake

Published July 19, 2018 · Updated June 29, 2021

Browser cookies are nothing new in the digital world. In fact, they’re omnipresent, but nevertheless we can get more than a bit confused when discussing:

  • Evercookie
  • super cookies
  • cookie forever
  • persistent cookies
  • and so on…

Are these things you really need to grasp thoroughly? Well, if customer data privacy is one of your priorities, then the answer is definitely yes.

The bits of the digital ecosystem we’re talking about have earned a bad reputation for disrespecting users’ rights to their data. They’re used for some shady practices and they threaten user privacy. If you’re getting lost in all this cookie business, don’t worry.

We’ll explain in this post exactly what Evercookie is and provide you with key aspects of its use so you can keep your tracking safe.

What are cookies and why do we need them?

Before we go into the details of Evercookie, let’s start with some basics. Traditional HTTP cookies were invented out of necessity, so that a browser could request pages from a web server and keep its current session going.

These are small text files created by an Internet browser and then saved on the user’s computer. Cookies are a very convenient and efficient tracking solution.

First of all, they’re used to identify you (the user). When you finish visiting a website and close the browser, the site recognizes you on your next visit because of the information stored in cookies.

They’re a mechanism for recording and using information and settings about a user’s browsing behaviors. Whether you leave items in your shopping cart, log in to social media, or set browser preferences, cookies impact your user experience by making it faster and more personalized.

Besides cookies that save preferences and information about login sessions, there are also tracking cookies, referred to as third-party cookies, that track users as a marketing tool.

Are cookies safe?

Cookies aren’t inherently bad or harmful.

They’re not like malware or viruses that interfere with your computer’s proper functioning. Typically, they contain a string of text with information about the browser.

While they can store more personal data about users, this data has to be provided by those users themselves. Cookies can also retain information already on the web server. What can make cookies a threat is when they’re employed for questionable purposes.

If a user provides you with personal information, that’s one thing. But matters get complicated when this data becomes available to third-party websites. Also keep in mind that the user needs to be made aware of tracking and storing mechanisms being used.

Here’s where the trouble comes in. Although many browsers have mechanisms for deleting or even refusing to accept cookies, many websites still don’t honor Do Not Track options. There are also technologies like Evercookie that recreate cookies after they’ve been deleted. We’ll go into detail later in this post.

These concerns have led to a lot of debate about how to protect users’ privacy and keep data safe. The result is legislation and regulations to guard users’ data and their confidentiality. The most prominent ones in the European Union are GDPR and the Privacy and Electronic Communications Regulation, also called the ePrivacy Directive.

GDPR requires that users consent to cookies being placed on their computer. That also applies to other similar technologies that store and access data on a user’s device. What’s more, such storage is only legal if users are informed about what happens with their data, and they should have the option to refuse storage of their data.

If you would like to know more about consent to process user data, have a look at our blog post:
How Consent Manager Can Help You Obtain GDPR-Compliant Consents From Your Users

What is Evercookie and how does it work?

To recap, both of the regulations discussed above allow for the use of cookies, but the user must have the choice to opt out or remove cookies at any time. Seems fair and logical. But in reality things aren’t so rosy. There are shady mechanisms for tracking.

To be precise, there are tools that circumvent the user’s privacy choices and install permanent cookies that can be recovered after deletion.

But how is that possible? This is what Evercookie does. Don’t be misled by the name: it’s not an actual cookie. It’s a JavaScript programming library that produces cookies allowing you to identify users even after they’ve deleted their standard cookies, Flash cookies (Local Shared Objects or LSOs), and other ones. Even when a user erases cookies, those files are recreated and continue to perform their task.

According to the creator of Evercookie, programmer Samy Kamkar, Evercookie is designed to make persistent data just that – persistent. The process isn’t complicated. He explains that since the same data is stored in different browser storage locations, if any of the data is lost it can simply be recovered and stored for re-use.

Evercookie produces those super cookies – persistent cookies – you’ve probably heard about. They rely on tricky techniques and are really hard to delete.

The API we’ve mentioned just stores cookie data in different places in the local browser. If Evercookie learns that the user has removed some cookies hiding in a dark corner of the browser, it creates them again. It uses JavaScript to re-spawn cookies. And it does so without the user’s knowledge, never mind consent.

To be precise, when Evercookie creates a new cookie, it applies storage mechanisms such as:

  • standard HTTP Cookies
  • HTTP Strict Transport Security (HSTS) Pinning
  • Local Shared Objects (Flash Cookies)
  • Silverlight Isolated Storage
  • storing cookies in Web History
  • storing cookies in HTTP ETags
  • storing cookies in Web cache
  • Internet Explorer userData storage
  • HTML5 Session, Local and Global Storage
  • HTML5 Database Storage via SQLite
  • Java JNLP PersistenceService
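
One way to audit for the re-spawning behaviour described above, as an added example that is not part of the original article or of Evercookie itself: given snapshots of a browser's storage taken before clearing cookies, right after clearing, and after the next page load, it reports values copied across several stores and values that come back. The snapshot shape, the store names and the sample identifier are assumptions constructed for illustration.

```javascript
// Snapshot shape (an assumption of this example): { storeName: { key: value } }.
// Ignore short values (flags, locale codes) that repeat across stores innocently.
const MIN_ID_LENGTH = 8;

// Map each candidate value to the set of stores that hold it.
function indexValues(snapshot) {
  const index = new Map();
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      if (typeof value !== 'string' || value.length < MIN_ID_LENGTH) continue;
      if (!index.has(value)) index.set(value, new Set());
      index.get(value).add(store);
    }
  }
  return index;
}

// Values copied into at least minStores distinct storage mechanisms.
function findReplicatedValues(snapshot, minStores = 2) {
  return [...indexValues(snapshot)]
    .filter(([, stores]) => stores.size >= minStores)
    .map(([value, stores]) => ({ value, stores: [...stores].sort() }));
}

// A value was respawned in `store` if it was there before clearing, gone right
// after clearing, and back after reload. Stores that kept it are the likely source.
function detectRespawn(before, afterClear, afterReload, store = 'cookies') {
  const had = indexValues(before);
  const kept = indexValues(afterClear);
  const now = indexValues(afterReload);
  const findings = [];
  for (const [value, stores] of had) {
    const wasThere = stores.has(store);
    const cleared = !(kept.get(value) || new Set()).has(store);
    const isBack = (now.get(value) || new Set()).has(store);
    if (wasThere && cleared && isBack) {
      findings.push({ value, recoveredFrom: [...(kept.get(value) || [])].sort() });
    }
  }
  return findings;
}

// Constructed sample data (not captured from any real site).
const ID = 'a1b2c3d4e5f60718';
const before = { cookies: { uid: ID, lang: 'en' }, localStorage: { uid: ID }, etagCache: { '/pixel.png': ID } };
const afterClear = { cookies: {}, localStorage: { uid: ID }, etagCache: { '/pixel.png': ID } };
const afterReload = before;
console.log(findReplicatedValues(before), detectRespawn(before, afterClear, afterReload));
```

In a real audit the snapshots would be filled from what the browser exposes, such as `document.cookie`, `localStorage` and `sessionStorage`; stores the page cannot read directly (cache, ETags) have to come from a proxy or developer-tools capture.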

Kamkar developed Evercookie to spread awareness of privacy risks and bring to light how easily companies can track users while disrespecting their preferences.

Evercookie and compromises to user privacy

It’s no surprise that the process of re-spawning cookies has been widely condemned. It definitely violates users’ privacy rights. It tramples on users’ explicit wishes. When a user erases a cookie, this is a deliberate action that needs to be respected.

What’s more, Evercookie can exploit a user’s browser history or hidden properties of browser windows (the window’s label, invisible to the user, which is transmitted during every transaction).

Furthermore, dealing with persistent cookies is a futile undertaking. Routinely deleting caches can be helpful, but users may not be able to remove all elements. Using private mode browsing can be a good solution in certain circumstances. However, it’s not always convenient as you often need to rely on persistent logins. And one last tip: keep your browser up-to-date.

Users are becoming increasingly aware of and concerned with shady tracking practices. One way they take care of online privacy is by adjusting browser settings.

The trouble is that each browser can have different settings, and not all of them offer clear settings allowing users to remove all data stored by trackers. This means that deleting data like permanent cookies is getting tougher and tougher, involving a lot more steps.

What’s more, the increasing number of ways to store this data is making it even harder for browser manufacturers to keep up and provide better pro-privacy solutions.

Evercookie – Final thoughts

Digital technology is a rapidly evolving field which brings both benefits and perils. As to the perils, knowledge and awareness are your best defense. There are diverse legal frameworks, like GDPR and ePrivacy, that help protect users’ privacy and respect their choices in the digital landscape.

Bear in mind that Evercookie is just one technology out there, but there are others that play fair and steer clear of questionable and shady practices like re-spawning cookies. It’s crucial to choose a reliable partner with an ethical compass that supports your marketing endeavors and helps you remain legally compliant.

We hope that this post has answered some of your burning questions about Evercookie. But this is a complex issue and you may have some more questions, so reach out to our Piwik PRO team for fast answers.

Author

Karolina Matuszewska

Senior Content Marketer

Writer and content marketer. Transforms technical jargon into engaging and informative articles.
