51:, but with mechanisms in place to prevent the deletion of the data by the user. Zombie cookies could be stored in multiple locations—since failure to remove all copies of the zombie cookie will make the removal reversible, zombie cookies can be difficult to remove. Since they do not entirely rely on normal cookie protocols, the visitor's web browser may continue to recreate deleted cookies even though the user has opted not to receive cookies.
201:, where they noticed that cookies which had been deleted, kept coming back, over and over again. They cited this as a serious privacy breach. Since most users are barely aware of the storage methods used, it's unlikely that users will ever delete them all. From the Berkeley report: "few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe."
98:
is not the same as declining cookies. If cookies are deleted, the data collected by tracking companies becomes fragmented. For example, counting the same person as two separate unique users would falsely increase this particular site's unique user statistic. This is why some tracking companies use a type of zombie cookie.
73:. Sites that want to collect user statistics will install a cookie from a traffic tracking site that will collect data on the user. As that user surfs around the web the cookie will add more information for each site that uses the traffic tracking cookie and sends it back to the main tracking server.
97:
A user who does not want to be tracked may choose to decline or block third party cookies or delete cookies after each browsing session. Deleting all cookies will prevent some sites from tracking a user but it may also interfere with sites that users want to remember them. Removing tracking cookies
181:
If a user is not able to remove the cookie from every one of these data stores then the cookie will be recreated to all of these stores on the next visit to the site that uses that particular cookie. Every company has their own implementation of zombie cookies and those are kept proprietary. An
204:
Ringleader
Digital made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases. The only way to opt-out of the tracking, was to use the company's opt-out link, which gives no confirmation. This resulted in a lawsuit against Ringleader Digital.
84:
ID and continue tracking personal browsing habits. When the user ID is stored outside of a single browser's cookie storage, such as in a header injected by the network into HTTP requests, zombie cookies can track users across browsers on the same machine.
88:
Zombie cookies are also used to remember unique IDs used for logging into websites. This means that for a user who deletes all their cookies regularly, a site using this would still be able to personalize to that specific user.
236:
263:
are planted to "track
Plaintiffs and Class Members that visited non-Clearspring Flash Cookie Affiliates websites by having their online transmissions intercepted, without notice or consent".
232:. Blending the two ideas, he first coined the phrase Zombie Cookies within his filed Class Actions, as a means to enable the court, jury, and public understand the basis of the litigation.
506:
216:
Class
Actions in 2010. The etiology of the phrase was derived from his prior research into Apple's third-party iPhone applications. Some of these which had been criticized as being
270:" mechanisms were found on Microsoft websites in 2011, including cookie syncing that respawned MUID cookies. Due to media attention, Microsoft later disabled this code.
194:
In 2015, TURN, an online advertising clearinghouse, introduced zombie cookies based on Flash Local Shared objects. Privacy advocates quickly denounced the technology.
639:
591:
333:
677:
My Flash Cookie filings forced Adobe to stop processing flash cookies on 98% of devices + complaint first "coined" phrase: "ZOMBIE COOKIES".
111:
110:: "You can get valuable marketing insight by tracking individual users' movements on your site. But you must disclose your use of all
273:
Consumer outrage related to Flash cookies and violation of consumers' privacy caused U.S. Congressional
Hearings, led by Senators
510:
396:
155:
Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
494:
252:
707:
425:
175:
349:
292:
mobile phones, using a hidden, unremovable number by which
Verizon could track customers. After an article by
555:
Soltani, Ashkan; Canty, Shannon; Mayo, Quentin; Thomas, Lauren; Hoofnagle, Chris Jay (11 August 2009).
158:
572:
296:
revealed this fact in
January 2015, TURN claimed it had suspended usage of their zombie cookies.
70:
370:
329:
691:
564:
321:
32:
24:
318:
8th
International Conference for Internet Technology and Secured Transactions (ICITST-2013)
278:
197:
An academic study of zombie cookies was completed in 2009, by a team of researchers at
661:
404:
701:
260:
170:
66:
228:
when deleted. Attorney Malley envisioned a cookie that seemed to come back from the
596:
576:
256:
213:
55:
350:"Google Analytics Cookie Usage on Websites - Google Analytics - Google Developers"
167:
Cookie syncing scripts that function as a cache cookie and respawn the MUID cookie
325:
267:
244:
198:
81:
77:
48:
44:
313:
69:
collecting companies use cookies to track
Internet usage and pages visited for
531:
293:
282:
274:
183:
28:
285:
to stop processing flash cookies on 98% of all consumers' computing devices.
248:
240:
128:
568:
450:
36:
288:
The online advertising clearinghouse TURN implemented zombie cookies on
289:
40:
107:
617:
556:
281:. Reportedly, the "Zombie Cookie", aka Flash Cookie filings, forced
114:
in order to comply with the Fair
Information Practices guidelines".
237:
United States
District Court for the Central District of California
592:"Zombie cookie wars: evil tracking API meant to "raise awareness""
140:
54:
The term was used by Attorney Joseph H. Malley, who initiated the
43:, and placed on the user's computer or other device by the user's
618:"Web users sue companies claiming use of Flash cookies is a hack"
117:
Possible places in which zombie cookies may be hidden include:
507:"Company Bypasses Cookie-Deleting Consumers - InformationWeek"
134:
471:
694:- Site that demonstrates the way zombie cookies are restored
80:
tracking companies to retrieve information such as previous
212:
was created by Attorney Joseph H. Malley who initiated the
397:"Consumer Tips: How to Opt-Out of Cookies That Track You"
495:"Zombie Cookie: The Tracking Cookie That You Can't Kill"
472:"evercookie - virtually irrevocable persistent cookies"
27:
usually used for tracking users, which is created by a
182:
open-source implementation of zombie cookies, called
509:. informationweek.com. 31 March 2005. Archived from
640:"Update on the issue of 'supercookies' used on MSN"
235:The Zombie Cookie lawsuits were filed suit in the
490:
488:
451:"Tracking the Trackers: Microsoft Advertising"
124:Storing cookies in and reading out web history
314:"Zombie-cookies: Case studies and mitigation"
133:Internet Explorer userData storage (starting
8:
259:and others. According to the charges, Adobe
426:"Online Privacy Best Practices from TRUSTe"
444:
442:
304:
16:Cookie that is recreated after deletion
550:
548:
453:. The Center for Internet and Society
7:
590:Cheng, Jacqui (September 22, 2010).
369:Mayer, Jonathan (14 January 2015).
112:personally identifiable information
320:. London: IEEE. pp. 321–326.
137:, userData is no longer supported)
14:
152:HTML5 Database Storage via SQLite
371:"The Turn-Verizon Zombie Cookie"
251:, and affiliated sites owned by
1:
164:Silverlight Isolated Storage
557:"Flash Cookies and Privacy"
326:10.1109/ICITST.2013.6750214
724:
253:Walt Disney Internet Group
220:applications such as the
76:Zombie cookies allow the
532:"EPIC Flash Cookie Page"
561:SSRN Electronic Journal
58:class actions in 2010.
312:Sorensen, Ove (2013).
121:Standard HTTP cookies
47:, similar to regular
662:"(LinkedIn profile)"
569:10.2139/ssrn.1446862
159:Local shared objects
149:HTML5 Global Storage
401:World Privacy Forum
146:HTML5 Local Storage
127:Storing cookies in
692:Device Fingerprint
660:Malley, Joseph H.
283:Adobe Systems Inc.
71:marketing research
449:Mayer, Jonathan.
335:978-1-908320-20-9
715:
708:Internet privacy
680:
679:
674:
672:
657:
651:
650:
648:
646:
635:
629:
628:
626:
625:
614:
608:
607:
605:
604:
587:
581:
580:
552:
543:
542:
540:
539:
528:
522:
521:
519:
518:
503:
497:
492:
483:
482:
480:
479:
468:
462:
461:
459:
458:
446:
437:
436:
434:
433:
422:
416:
415:
413:
412:
403:. Archived from
392:
386:
385:
383:
381:
366:
360:
359:
357:
356:
346:
340:
339:
309:
279:John Rockefeller
186:, is available.
176:TLS's Session ID
723:
722:
718:
717:
716:
714:
713:
712:
698:
697:
688:
683:
670:
668:
659:
658:
654:
644:
642:
637:
636:
632:
623:
621:
616:
615:
611:
602:
600:
589:
588:
584:
554:
553:
546:
537:
535:
530:
529:
525:
516:
514:
505:
504:
500:
493:
486:
477:
475:
470:
469:
465:
456:
454:
448:
447:
440:
431:
429:
424:
423:
419:
410:
408:
394:
393:
389:
379:
377:
368:
367:
363:
354:
352:
348:
347:
343:
336:
311:
310:
306:
302:
222:"super-cookies"
210:"zombie cookie"
192:
161:(Flash cookies)
143:Session Storage
104:
95:
64:
17:
12:
11:
5:
721:
719:
711:
710:
700:
699:
696:
695:
687:
686:External links
684:
682:
681:
652:
630:
609:
582:
544:
523:
498:
484:
463:
438:
417:
387:
361:
341:
334:
303:
301:
298:
191:
188:
179:
178:
173:
168:
165:
162:
156:
153:
150:
147:
144:
138:
131:
125:
122:
103:
102:Implementation
100:
94:
91:
63:
60:
23:is a piece of
15:
13:
10:
9:
6:
4:
3:
2:
720:
709:
706:
705:
703:
693:
690:
689:
685:
678:
667:
663:
656:
653:
641:
638:Burt, David.
634:
631:
620:. out-law.com
619:
613:
610:
599:
598:
593:
586:
583:
578:
574:
570:
566:
562:
558:
551:
549:
545:
533:
527:
524:
513:on 2014-04-30
512:
508:
502:
499:
496:
491:
489:
485:
473:
467:
464:
452:
445:
443:
439:
427:
421:
418:
407:on 2013-01-13
406:
402:
398:
391:
388:
376:
375:WebPolicy.org
372:
365:
362:
351:
345:
342:
337:
331:
327:
323:
319:
315:
308:
305:
299:
297:
295:
291:
286:
284:
280:
276:
271:
269:
264:
262:
261:Flash cookies
258:
254:
250:
246:
242:
238:
233:
231:
227:
223:
219:
218:"zombie-like"
215:
211:
206:
202:
200:
195:
190:Controversies
189:
187:
185:
177:
174:
172:
171:TCP Fast Open
169:
166:
163:
160:
157:
154:
151:
148:
145:
142:
139:
136:
132:
130:
126:
123:
120:
119:
118:
115:
113:
109:
106:According to
101:
99:
92:
90:
86:
83:
79:
74:
72:
68:
67:Web analytics
61:
59:
57:
52:
50:
46:
42:
38:
34:
30:
26:
22:
21:zombie cookie
676:
669:. Retrieved
665:
655:
645:28 September
643:. Retrieved
633:
622:. Retrieved
612:
601:. Retrieved
597:Ars Technica
595:
585:
560:
536:. Retrieved
526:
515:. Retrieved
511:the original
501:
476:. Retrieved
466:
455:. Retrieved
430:. Retrieved
428:. truste.com
420:
409:. Retrieved
405:the original
400:
395:Dixon, Pam.
390:
378:. Retrieved
374:
364:
353:. Retrieved
344:
317:
307:
287:
272:
265:
257:Warner Bros.
234:
229:
226:"re-spawned"
225:
221:
217:
214:Super-cookie
209:
207:
203:
196:
193:
180:
116:
105:
96:
93:Implications
87:
75:
65:
56:super-cookie
53:
49:HTTP cookies
20:
18:
268:supercookie
245:Clearspring
199:UC Berkeley
82:unique user
78:web traffic
45:web browser
624:2014-03-29
603:2014-03-29
538:2014-03-29
534:. epic.org
517:2017-04-10
478:2014-03-29
457:2011-09-28
432:2014-03-29
411:2010-11-10
355:2014-03-29
300:References
294:ProPublica
275:Al Franken
184:Evercookie
129:HTTP ETags
29:web server
474:. samy.pl
241:Quantcast
208:The term
702:Category
671:10 April
666:LinkedIn
380:22 April
249:VideoEgg
239:against
37:browsing
31:while a
577:6414306
290:Verizon
62:Purpose
41:website
575:
332:
230:"dead"
224:which
108:TRUSTe
573:S2CID
266:Two "
141:HTML5
673:2017
647:2011
382:2015
330:ISBN
277:and
33:user
25:data
565:doi
322:doi
135:IE9
35:is
704::
675:.
664:.
594:.
571:.
563:.
559:.
547:^
487:^
441:^
399:.
373:.
328:.
316:.
255:,
247:,
243:,
39:a
19:A
649:.
627:.
606:.
579:.
567::
541:.
520:.
481:.
460:.
435:.
414:.
384:.
358:.
338:.
324::
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.