Of all the privacy-violating tracking methods on the web, two are particularly bad: the first is called ‘evercookies’, for being particularly hard to get rid of; the other is called browser fingerprinting and is impossible to detect.
Evercookies are to regular browser cookies just as superglue is to cellotape. Evercookies work by storing cookies on your computer using a large number of different techniques and, upon refresh, re-creating all of the cookies if you have tried to delete them. An evercookie sent to your browser has a very high likelihood of remaining on your system until you re-install it from scratch.
On a hunch, while doing the 1,000,000 homepage crawl, I decided to see if anybody actually uses evercookies for their tracking rather than just appreciating them as a neat proof-of-concept. The trigger for the evercookie detector is particularly naive: it simply checks for the presence of the word ‘evercookie’ in the URL, since that’s the name of the script as originally distributed. I expected to see some activity, particularly in the lower regions of the toplist, where lesser-known websites, unconcerned with damage to their public image and brand name when found out, might engage in this practice.
Indeed, I found a bunch of those. But that’s not all I found: I also found them on a couple of sites with high visibility and big brand names!
There are two main groups of evercookie-using sites: those that have the evercookies on their main domain, and those that have them indirectly by choosing the wrong partners to trust with their users’ browsers. Such rogue inclusions by service providers were exactly the kind of abuse I had in mind when I started the 1,000,000 homepage project in the first place, and evercookies are a particularly good example of the kind of nastiness website users can be exposed to when external resources are included in an otherwise innocent-looking webpage from a party that they trust.
It is quite possible that the companies mentioned here that include the evercookies only indirectly are simply not aware of the fact that they have opened up their visitors to this danger.
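The URL check and the direct/indirect split described above can be sketched as follows. This is an added example, not the crawler's own code: the hosts are constructed, and the "last two DNS labels" rule for deciding what counts as the same site is an assumption.

```python
from urllib.parse import urljoin, urlsplit

MARKER = "evercookie"  # name of the script as originally distributed


def site_of(host):
    # Assumption: the last two DNS labels identify the site. A production
    # crawler should use the Public Suffix List instead (think "co.uk").
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_evercookies(page_url, resource_urls):
    """Return (kind, host, url) for every resource URL containing MARKER.

    kind is "direct" when the resource is served from the page's own site
    and "indirect" when it comes from a third party the page includes.
    """
    page_site = site_of(urlsplit(page_url).hostname or "")
    hits = []
    for raw in resource_urls:
        url = urljoin(page_url, raw)  # resolve relative and //host/ forms
        if MARKER not in url.lower():  # case-insensitive substring match
            continue
        host = urlsplit(url).hostname or ""
        kind = "direct" if site_of(host) == page_site else "indirect"
        hits.append((kind, host, url))
    return hits


# Constructed crawl record (hypothetical hosts under the reserved .test TLD).
PAGE = "http://www.paper.test/"
RESOURCES = [
    "/js/evercookie.js",                               # relative, same site
    "http://static.paper.test/lib/Evercookie/ec.swf",  # same site, mixed case
    "//front.partner.test/evercookie/evercookie.js",   # third party
    "http://front.partner.test/t/ec.min.js",           # renamed copy: missed
    "http://cdn.other.test/jquery.js",                 # unrelated
]

if __name__ == "__main__":
    for kind, host, url in find_evercookies(PAGE, RESOURCES):
        print(f"{kind:8} {host:20} {url}")
```

The renamed `ec.min.js` entry is not reported, which is the blind spot of a name-based trigger: the counts it produces are a lower bound.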
Besides the expected marketeers, porn sites, scammers and advertisers (who ever expected those to have something in common?) there are also some more surprising entries.
Particularly disturbing is that I found hard evidence of indirect evercookies on the sites of many Polish newspapers, including gazetawroclawska.pl and dzinniklodzki.pl (indirectly, through a site called ‘Gratka.pl’), and finally evercookies served up directly from the websites of the German newspapers allgemeine-zeitung.de and www.echo-online.de.
What reason newspapers have to attempt to track their visitors for ever is beyond me, and especially in the case of the German newspapers this is quite possibly illegal. Contrary to EU law, no warning was given and no agreement was asked before these practically un-deletable cookies were placed on my computer. They, unlike the car brands and the Polish newspapers, don’t have any fig leaf to hide behind, because the evercookies were served directly from their main domains.
One would expect newspapers to be at the forefront of the protection of the privacy of their users, not working as hard as possible to erode that privacy.
Finally, I think I’ve found evidence that moneyplatform.biz and all the associated domains are a filesharing honeypot. I can’t think of any other reason for having evercookies on a filesharing site unless the goal is to build up a case against uploaders/downloaders of pirated content.
The topmost offending domains that use evercookies (that I detected; there could very well be more, for instance because the script could be renamed) are here:
Domains using evercookies directly:
|Domain|Evercookie URL|Type of site|Remarks|
|paidviewpoint.com|paidviewpoint.com...|Marketeers|You really have to love the 'about' page on this one; they pretend to be really hot on privacy.|
|k2s.cc|k2s.cc/ext/ev...|filesharing|I guess they want you to share just a little bit more about you|
|fboom.me|static2.fboom.me...|filesharing|safe, secure and 4ever|
|profittask.com|profittask.com...|Russian scam mturk clone||
|deccoria.pl|deccoria.pl/j...|Polish online pinboard||
|nbamania.com|nbamania.com/...|Chinese sports site||
|moneyplatform.biz|static1.moneyplatform.biz...|Parent of keep2s.cc, k2s.cc, keep2share.cc and fileboom.me|404s, but still there on other sites. Filesharing sites with evercookies; seems like they're either a filesharing honeypot or an accident waiting to happen|
|uduba.com|uduba.com/lib...|Russian meme site||
|grabo.bg|grabo.bg/ever...|Bulgarian groupon clone||
|existenz.se|existenz.se/e...|Swedish link sharing page||
|pornme.pm|www.pornme.pm...|German porn site|Porn sites careless with users' privacy, what could possibly go wrong|
|ptrack1.com|www.ptrack1.com...|Survey fill-out farm||
|keep2s.cc|keep2s.cc/ext...|another keep2share url||
|person.com|person.com/ec...|adult chat site||
Domains using evercookies indirectly:
|Domain|Evercookie served from|Type of site|
|urbangroup.ru|front.exebid.ru…|Russian real estate site|
|trial-sport.ru|front.facetz.net…|Russian sports site|
The code for the crawler and analysis is up at github.com/jacquesmattheij/remoteresources.