Samy Kamkar, an open source developer whose motto is “think bad, do good” has released an API called “evercookie.” Evercookie sets a nigh-undeletable tracking cookie in your browser, storing the information in eight separate ways; if you try to delete it but leave even one copy of the data around, it will repopulate itself using that last shred. Evercookies can even spread between browsers on the same system. The point of the project is to show that browsers are lagging behind privacy-invaders when it comes to cookie management, and to spur the organizations that publish browsers into creating better tools for privacy management.
“I hope evercookie simply demonstrates to people what types of methods are being employed to track them and to decide whether or not they want to prevent those methods,” he said. “evercookie took less than a day to create for me as a security hobbyist, so I can only imagine the technology that funded developers are producing.”Kamkar says he doesn’t actually use evercookie to track people–it exists largely as a proof of concept, and he’s not using technologies that are particularly bleeding edge in the developer world.
“None of these are new techniques,” he told Ars, “but an API like this is awesome at raising awareness.”
Of course, the mere fact that evercookie exists (and exists as an open source project that anyone can use) means that there will be some evil Web developers who make use of it, but that’s almost the point. We’re supposed to be scared.
Kamkar sees his project as a kind of litmus test to see whether people really are up to protecting themselves from being tracked by persistent cookies that anyone could implement, but he also understands that the “average” Internet user is hardly aware of traditional cookies, much less Flash cookies and beyond. Deleting the data from all eight (or more) storage mechanisms can be a pretty daunting task even for the relatively experienced surfer.