Clearing cookies is not enough to save your privacy

Through a story on Slashdot I came across this article.

Apparently it is not enough to just clear cookies; your cache can also contain some nasty tracking features:

Your browser’s cache is a valuable store of information. A JavaScript .js file resource which is generated dynamically when requested can have embedded a unique tracking ID and can live permanently in your browser’s cache when sent with the right HTTP cache-control headers. This JavaScript file can then be called by pages. The script is never re-requested, and hence keeps the unique ID, and it can call resources on the server-side to track you. They just need to associate this unique ID once with your account (when you log in for the first time after the ID was created), and they can set cookies back again later and track you anyway. The result is that you can be tracked uniquely even past the point where you clear your cookies (i.e., as if you never cleared your cookies to generate fresh ones).

The article informs you that with Firefox you can clear the cache each time you close the browser. Their menu path is wrong; here is the correct one: “Tools -> Options -> Privacy -> Cache -> Settings”. There you can choose what you consider private data. At the bottom of the dialog, you can enable a check box to make Firefox clear this private data on exit.
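To see whether a script could serve as the cache-resident identifier the quoted passage describes, request it from two clean browser profiles and compare the results. The JavaScript below is an added example, not code from the article: the function names, the 30-day lifetime threshold, the 16-character token pattern and the sample responses are all assumptions made for illustration.

```javascript
// Added example: flag script responses that are both long-lived in the cache
// and different for each client. All sample data below is constructed.

// Parse "public, max-age=31536000" into { public: true, "max-age": "31536000" }.
function parseCacheControl(value) {
  const out = {};
  for (const part of (value || "").split(",")) {
    const [k, v] = part.trim().split("=");
    if (k) out[k.toLowerCase()] = v === undefined ? true : v.replace(/"/g, "");
  }
  return out;
}

// Candidate identifiers: runs of 16+ hex/base64url characters (assumed pattern).
function idTokens(body) {
  return new Set(body.match(/[A-Za-z0-9_-]{16,}/g) || []);
}

// fetchA and fetchB are the same URL fetched by two clean profiles
// (no cookies, empty cache). Header names are assumed to be lower-case.
function assess(fetchA, fetchB, minLifetime = 30 * 24 * 3600) {
  const cc = parseCacheControl(fetchA.headers["cache-control"]);
  // no-store keeps the script out of the cache; no-cache forces revalidation,
  // so in both cases the "never re-requested" property does not hold.
  const storable = !("no-store" in cc) && !("no-cache" in cc);
  const longLived = storable && Number(cc["max-age"] || 0) >= minLifetime;
  const other = idTokens(fetchB.body);
  // Tokens present for one client only; shared long names cancel out.
  const perClient = [...idTokens(fetchA.body)].filter((t) => !other.has(t));
  return { longLived, perClient, suspicious: longLived && perClient.length > 0 };
}

// Constructed responses: a per-client script pinned in the cache for ten years.
const pinned = (id) => ({
  headers: { "cache-control": "public, max-age=315360000" },
  body: `var visitorId = "${id}";`,
});
// Constructed responses: an ordinary static library, identical for everyone.
const staticLib = {
  headers: { "cache-control": "public, max-age=31536000" },
  body: "function documentReadyStateHandler(){return 1}",
};
// Constructed responses: a per-request value that is never stored.
const unstored = (n) => ({
  headers: { "cache-control": "no-store" },
  body: `var nonce = "${n}";`,
});

console.log(assess(pinned("9f2c4e7a1b3d5f60a8c2e4f6"), pinned("0b1d3f5a7c9e2a4c6e8f0a1b")));
```

Only the first case is flagged: a static library is long-lived but identical across clients, and a `no-store` response differs per client but never reaches the cache.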

The author also complains about passing on identity information from one site to another, even when their TOS (Terms of Service) forbids them to:

They say that in their TOS which you usually ignore. For example, I was contacted on August 4, 2006 by a script at Google about my project, which asked me if someone else should be allowed to create a project on Google’s project hosting service with the same name as the project. Let’s ignore the fact that this email was sent by a script and was unsolicited. How did they know my details?? They should have a database of all projects and the owner email addresses and other details. I was quite unhappy about it.

I am not sure if Sourceforge would sell project owner details to Google, a competitor for them. Google probably just used their crawling knowledge to harvest these details from the Sourceforge site.