Samy Kamkar has always been prescient. He first gained notoriety by showing how nascent social networks like MySpace could be used to spread malware rapidly among a population of millions (now billions) of users. His worm for MySpace, dubbed the ‘Samy Worm’, earned him a visit from law enforcement. But Kamkar kept up his research. More recently, he has turned his attention and considerable skills to the problem of persistent user tracking. His Evercookie, released in October 2010, called attention to the myriad ways that advertisers, media firms and online merchants were finding to track their customers – often despite explicit efforts by those customers to prevent their online activities from being tracked. More recently, his research into suspicious geotagging was the foundation for a class action lawsuit against Microsoft.
With U.S. lawmakers pushing the Federal Trade Commission (FTC) to take a closer look at the issue of persistent cookies like Evercookie, Threatpost decided to give Kamkar a ring and ask him what he thought about Uncle Sam’s sudden interest in user tracking. His advice: tracking is bigger than cookies, and the FTC – which has taken an active role in promoting online privacy – risks missing the next big wave in online tracking by focusing on last year’s problem.
Threatpost: Remind us of the difference between a persistent cookie – an evercookie – and a typical Website tracking cookie?
Samy Kamkar: Sure. The generic web site cookie or HTTP cookie allows a web site to track information – some small amount of data. Typically that’s a unique identifier – so that when they return to that site, they won’t have to log back in again. An evercookie does the same thing, but it stores itself in other places than the typical browser cookie store. The problem is that when Web users want to remove cookies with their browser, they just go in and delete their cookie store and remove any data those Web sites track on them. But with a supercookie, we store that data in overt and covert places that the web browser doesn’t look and in places where a user wouldn’t know to look unless they were technically savvy.
Threatpost: For example, where might that data be stored?
Samy Kamkar: The most common example is Flash cookies. So the Flash plug-in has its own location on the system where you can store data. The problem is that most Web users don’t know how to delete Flash cookies. That became an issue about a year ago, but the practice has been around for at least five years. Once people started learning about it, they got upset. But it’s funny because there are so many other places where you can store this data. For example, a huge number of users have the Silverlight plugin from Microsoft and don’t even know it. Silverlight has its own local storage. So even if you’ve deleted all your Web cookies and your Flash cookies, someone can just store data in Silverlight. I found you can store info in your web cache, history, HTTP ETags. HTML5 by itself brought in five new methods for local storage: session storage, local storage, global storage, SQL storage, application cache and maybe one more.
Threatpost: Right. These are all features that are designed really to provide more offline application functionality for Web apps?
Samy Kamkar: Yes – the HTML5 stuff in part is geared toward offline use. They’re also geared towards giving more functionality to the browser. They were never necessarily meant to be used to uniquely identify a user. The bigger issue is that the browsers never made it easy to delete all this stuff at the same time. It was around the time of Evercookie that the browser makers started to pull all this functionality together. I think – just over time – they haven’t tended to do it correctly. Until recently, for example, in (Apple’s) Safari it wasn’t possible to delete an Evercookie. I haven’t checked the latest release, though.
I personally don’t see a problem with using other methods of storage. The problem is the surreptitious tracking by respawning (a cookie) after you delete your regular Web cookie. So you delete that cookie, but then it spawns a Silverlight cookie. Then, if you delete the Silverlight cookie, it will respawn an HTTP cookie. It can make it difficult to actually remove the cookie.
Threatpost: In your experience, are the advertising firms or e-commerce firms who are doing this taking a “shotgun” approach and putting cookies in a bunch of locations at once? Or are they hopscotching from one location to the next?
Samy Kamkar: At first you saw people using HTTP cookies and Flash cookies. In the case of (media streaming Web site) Hulu, I found HTML5 cookies in the wild – not an Evercookie, itself, which is free and open source. I made (Evercookie) to demonstrate all the methodologies that I could think of to use to track users. The idea wasn’t to use it, but to show people how this was done so they could go in and know how to stop the tracking. It immediately led to software like Nevercookie – not to stop Evercookie, but to stop all the different methods that advertisers could use to track you.
Threatpost: In your mind, is there anything for the FTC to find as it looks into persistent cookies? And, if they find practices they disapprove of, is there anything for the government to do about it?
Samy Kamkar: Today, there’s no easy way to get rid of supercookies or Evercookie. I’m not sure what the FTC investigation will find, except that ‘yeah, some number of companies are doing this.’ I don’t think it’s a huge number of companies, from my research. It’s bigger when an advertising company like KISSmetrics does it, because it will be like 40 different companies who are their customers deploying it, whether they know they are doing it or not. Hulu, by contrast, was using KISSmetrics but also had its own implementation, so they must have known they were doing this.
I think it’s good (the FTC) is focusing on respawning cookies and supercookies, but I worry that they’ll miss what I believe will be the next big tracking issue, which is fingerprinting devices. So the FTC may say ‘You can’t respawn a cookie or put data in these areas of the web browser.’ But if I were an advertiser, I’d go in and develop technology to fingerprint the device based on the unique properties of that computer, that user, that device. You can take a combination of where it’s located, the browser and operating system they’re using, screen resolution, browser plug-ins installed, etc. and create an algorithm to make the best possible guess about the user without ever installing anything on that user’s computer. BlueCava is a company that will do this. So I think this is something where they want to be ahead of the game, but respawning cookies seems very old. It’s nothing new. They’re very reactive.
Threatpost: If you were working for the FTC, what would your advice be? Is there a holistic way to address this without playing whack-a-mole with venture capital funded startups like BlueCava?
Samy Kamkar: I would ignore the technology aspect of it and look at the privacy issue. If they believe there should be a law wrapped around this, it should be a generic law that provides transparency and the ability to opt out of tracking regardless of technology. Today the problem is respawning. Tomorrow it’s fingerprinting, and who knows what it will be one day. Maybe it will be identifying you by measuring the latency of packet flows from your computer. That’s just one possibility of things to come. So (the FTC investigation) shouldn’t have anything to do with the technology. It should have to do with the users’ wishes and the users’ understanding of what has happened.
Threatpost: So the user’s consent is the most important thing?
Samy Kamkar: Yes, that’s important and, again, I think the big issue with respawning cookies is that the user believes they have removed the cookie when, in reality, it has been respawned elsewhere. That’s where the issue lies.
Samy Kamkar: I personally have no problem with user tracking and geolocation and things like this. But it all comes back to transparency for the user.
Threatpost: So you think the FTC should be looking much broader than just the cookie issue, which is a dated issue? You think they should, instead, be looking at the whole category of tracking behavior and aim at that rather than getting caught up in the specific technology?
Samy Kamkar: Yes. I think they should entirely ignore the technology and look at the actual issue to consumers: ‘what’s the privacy issue for consumers,’ and address that issue.
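The respawning pattern Kamkar describes leaves a detectable footprint: one identifier copied into several storage locations, and a value that comes back after the user cleared it. The following is an added example, not code from the interview, from Evercookie or from any vendor named above; the store names, the sample snapshot and the minimum-length heuristic are assumptions made for illustration.

```javascript
// Added example, not code from the interview or from Evercookie: audit the
// storage locations a page script can reach for one value replicated across
// several of them, and flag any such value that is back after a clear-and-reload.

// Parse a document.cookie string ("a=1; b=2") into a name->value object.
function parseCookieString(cookieStr) {
  const out = {};
  for (const part of cookieStr.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// `stores` maps a store name to a key->value object (a snapshot of document.cookie,
// localStorage, window.name, ...). Returns { value: [storeName, ...] } for every
// string value found in at least `minStores` stores: one id copied into several places.
function findReplicatedValues(stores, minStores = 2) {
  const seen = new Map();
  for (const [storeName, entries] of Object.entries(stores)) {
    for (const value of Object.values(entries)) {
      if (typeof value !== "string" || value.length < 8) continue; // skip short flags
      if (!seen.has(value)) seen.set(value, new Set());
      seen.get(value).add(storeName);
    }
  }
  const result = {};
  for (const [value, names] of seen) {
    if (names.size >= minStores) result[value] = [...names].sort();
  }
  return result;
}

// Any purged value present again in a post-reload snapshot was respawned
// from a location the clearing step missed.
function respawnedAfterPurge(purgedValues, afterStores) {
  const present = new Set();
  for (const entries of Object.values(afterStores)) {
    for (const v of Object.values(entries)) present.add(v);
  }
  return purgedValues.filter((v) => present.has(v));
}

// Constructed sample snapshot (assumed store names): the same id in three stores.
const SAMPLE_STORES = {
  cookie: { session: "abc", uid: "c0ffee1234deadbeef" },
  localStorage: { theme: "dark", evc_uid: "c0ffee1234deadbeef" },
  windowName: { name: "c0ffee1234deadbeef" },
};
```

In a page, build `stores` from `parseCookieString(document.cookie)`, the key/value pairs of `localStorage` and `sessionStorage`, and `window.name`, then take one snapshot before clearing and one after reload and pass them to the two functions above.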