A zombie cookie is an HTTP cookie that is recreated after deletion. Cookies are recreated from backups stored outside the web browser's dedicated cookie storage. It may be stored online or directly onto the visitor's computer, in a breach of browser security. This makes them very difficult to remove. These cookies may be installed on a web browser that has opted to not receive cookies since they do not completely rely on traditional cookies.
Zombie cookies allow the web traffic tracking companies to retrieve information such as previous unique user ID and continue tracking personal browsing habits. When the user ID is stored outside of a single browser's cookie storage, such as in a header injected by the network into HTTP requests, zombie cookies can track users across browsers on the same machine.
Zombie cookies are also used to remember unique IDs used for logging in to websites. This means that for a user that deletes all his cookies regularly, a site using this would still be able to personalize to that specific user. This helps the site appear more consistent and professional to its users. For a site that wishes to ban a certain user a zombie cookie may be installed. This prevents the user from being able to simply delete the cookie and create a new login.
A user that doesn't want to be tracked may choose to decline 3rd party cookies or delete cookies after each browsing session. Deleting all cookies will prevent some sites from tracking a user but it may also interfere with sites that users want to remember them. Removing tracking cookies is not the same as declining cookies. If cookies are deleted this causes the data collected by tracking companies to become fragmented. For example, counting the same person as two separate unique users would falsely increase this particular site's unique user statistic. This is why some tracking companies use a type of zombie cookie.
According to TRUSTe: "You can get valuable marketing insight by tracking individual users' movements on your site. But you must disclose your use of all personally identifiable information in order to comply with the Fair Information Practices guidelines".
The following is a list, presented for the informational purpose of showing readers the numerous possible places in which zombie cookies may be hidden, of available storage mechanisms:
- Standard HTTP cookies
- Storing cookies in and reading out web history
- Storing cookies in HTTP ETags
- Internet Explorer userData storage (starting IE9, userData is no longer supported)
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Local Shared Objects (Flash cookies)
- Silverlight Isolated Storage
- Cookie syncing scripts that function as a cache cookie and respawn the MUID cookie
If a user is not able to remove the cookie from every one of these data stores then the cookie will be recreated to all of these stores on the next visit to the site that uses that particular cookie. Every company has their own implementation of zombie cookies and those are kept proprietary. An open-source implementation of zombie cookies, called Evercookie, is available.
An academic study of zombie cookies was completed in 2009, by a team of researchers at UC Berkeley, where they noticed that cookies which had been deleted, kept coming back, over and over again. They cited this as a serious privacy breach. Since most users are barely aware of the storage methods used, it's unlikely that users will ever delete them all. From the Berkeley report; “few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe”.
Ringleader Digital made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases. The only way to opt-out of the tracking, was to use the company's opt-out link, which gives no confirmation. This resulted in a lawsuit against Ringleader Digital, filed by Fears & Nachawati Law Firm, and Attorneys Joseph H. Malley, Scott Kamber, and David Parisi.
Attorneys Kamber, Parisi, and Malley, also filed suit in the United States District Court for the Central District of California against Quantcast, Clearspring, VideoEgg, and affiliated sites owned by Walt Disney Internet Group, Warner Bros. and others. According to the charges, Adobe Flash cookies are planted to "track Plaintiffs and Class Members that visited non-Clearspring Flash Cookie Affiliates websites by having their online transmissions intercepted, without notice or consent".
The term "zombie cookie" was first used by Attorney Joseph H. Malley who initiated the Super-Cookie Class Actions. The etiology of the phrase was derived from his prior research into Apple's third-party iPhone applications, some of which had been criticized as being "zombie-like" applications, in 2008, and a report in 2009, about "super-cookies" which "re-spawned" when deleted. Attorney Malley envisioned a cookie that seemed to come back from the "dead". Blending the two ideas, he first coined the phrase Zombie Cookies within his filed Class Actions, as a means to enable the court, jury, and public understand the basis of the litigation.
Consumer outrage related to Flash cookies and violation of consumer's privacy caused U.S. Congressional Hearings, led by Senators Al Franken and John Rockefeller. Reportedly, the "Zombie Cookie", aka Flash Cookie filings, forced Adobe Systems Inc. to stop processing flash cookies on 98% of all consumers' computing devices.
Turn implemented zombie cookies on Verizon mobile phones, using a hidden, unremovable number by which Verizon could track customers. After an article by ProPublica which revealed this fact in January 2015, Turn claimed it suspended usage of their zombie cookies
- "Google Analytics Cookie Usage on Websites - Google Analytics - Google Developers". code.google.com. Retrieved 2014-03-29.
- Mayer, Jonathan. "The Turn-Verizon Zombie Cookie". WebPolicy.org. Retrieved 22 April 2015.
- http://www.worldprivacyforum.org/cookieoptout.html[dead link]
- "Online Privacy Best Practices from TRUSTe". truste.com. Retrieved 2014-03-29.
- Mayer, Jonathan. "Tracking the Trackers: Microsoft Advertising". The Center for Internet and Society. Retrieved 28 September 2011.
- "evercookie - virtually irrevocable persistent cookies". samy.pl. Retrieved 2014-03-29.
- "Zombie Cookie: The Tracking Cookie That You Can’t Kill"
- "Company Bypasses Cookie-Deleting Consumers - InformationWeek". informationweek.com. Retrieved 2014-03-29.
- "EPIC Flash Cookie Page". epic.org. Retrieved 2014-03-29.
- Soltani, Ashkan, Canty, Shannon, Mayo, Quentin, Thomas, Lauren and Hoofnagle, Chris Jay, Flash Cookies and Privacy (August 10, 2009). Available at SSRN: http://ssrn.com/abstract=1446862
- "Zombie cookie wars: evil tracking API meant to “raise awareness” | Ars Technica". arstechnica.com. Retrieved 2014-03-29.
- "Web users sue companies claiming use of Flash cookies is a hack". out-law.com. Retrieved 2014-03-29.
- Burt, David. "Update on the issue of 'supercookies' used on MSN". Retrieved 28 September 2011.
- Device Fingerprint - Site that demonstrates the way zombie cookies are restored