by Bill Snyder

10 Tips for Safer Browsing: Supercookies and New Dangers

Feature
May 24, 2010

From what your old copier says about you to your not-so-secret web tracks, security traps just keep on coming. CIO.com's Bill Snyder guides you through the newest minefields.

Who would have thought that a digital copier wasn’t secure? And did you know that new technologies make it easier than ever to track your online trail? Keeping safe online used to be simple: Use anti-virus software. Not any more. There’s a whole new generation of threats to your online security and privacy. We’ll look at some of the newest tricks the bad guys have cooked up, and give you 10 tips to help foil them.

You wouldn’t (or at least I hope you wouldn’t) toss your bank statements or health records into the recycling bin without shredding them. But if you throw out higher-end multi-function printers without removing the hard drives, you’re asking for trouble, says Kevin Brown, a testing manager at ICSA Labs, which tests security products. That’s because some digital copiers and printers retain copies of everything they produce on a hard drive or flash storage module. If somebody finds that device, it’s no trick at all to read it.

Yes, that sounds far-fetched. But the Federal Communications Commission is concerned enough that it is investigating this issue, and some copier makers are giving away software that will help you wipe a drive clean. And remember, simply deleting files doesn’t make the information disappear. It just makes it harder to find.

There’s another copier-related threat as well. If you copy personal stuff at work (and who hasn’t) it’s no trick at all for an administrator to see what you’ve copied if the copier is networked. What’s more, default passwords for networked copiers can be found on the Internet, says Brown.

Tip 1: Be sure to remove and wipe printer/copier hard drives before they go to the recycle bin.

Tip 2: Don’t copy anything personal on a networked copier in your office that you don’t want the boss to see.

Defeat Flash Cookies and Supercookies

Several browsers give you the option to select a privacy option that supposedly lets you surf the Web without leaving fingerprints. Don’t believe it.

That option generally stops the browser from storing the URLs of pages you’ve visited in a pull down under the browser bar or recently visited tab. But it does nothing to conceal the pages and images you’ve viewed from advertisers who want to serve tailored ads to you, or even worse, from assorted snoops including private detectives and law enforcement agents.

The old solution, simply deleting cookies or clicking a setting that keeps your browser from accepting them, is much less effective than it used to be. That’s because many Web sites are now using something called a “Flash cookie,” which is maintained by the Adobe Flash plug-in on behalf of Flash applications embedded in Web pages, says Peter Eckersley, a researcher with the Electronic Frontier Foundation.

Unlike standard cookies, Flash cookies and a variation known as a supercookie are stored outside of the browser’s control; users cannot view or directly delete them, and they never expire. Flash cookies can track users in all the ways traditional HTTP cookies do, and can be stored or retrieved whenever a user accesses a page containing a Flash application, says Eckersley.
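To see what the Flash plug-in has stored on a machine, the following added example (not part of the original article) lists Flash cookie files, which Flash Player saves as `.sol` local shared objects, grouped by the site that set them. The directory locations and layout are the usual Flash Player defaults and are assumptions here, as are the function names; the sample tree is constructed.

```python
import os
import sys
import tempfile
from collections import defaultdict
from pathlib import Path

def default_lso_roots(home=None, platform=sys.platform):
    """Usual per-user Flash Player storage directories (not from the article)."""
    home = Path(home or Path.home())
    if platform.startswith("win"):
        appdata = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        return [appdata / "Macromedia" / "Flash Player" / "#SharedObjects"]
    if platform == "darwin":
        return [home / "Library" / "Preferences" / "Macromedia"
                / "Flash Player" / "#SharedObjects"]
    return [home / ".macromedia" / "Flash_Player" / "#SharedObjects"]

def find_flash_cookies(root):
    """Map each originating domain to the .sol files stored under root.

    Assumed layout: <root>/<random dir>/<domain>/[path/]<name>.sol
    """
    root = Path(root)
    found = defaultdict(list)
    if root.is_dir():
        for sol in root.rglob("*.sol"):
            parts = sol.relative_to(root).parts
            domain = parts[1] if len(parts) >= 3 else "(unknown)"
            found[domain].append(sol)
    return {domain: sorted(files) for domain, files in found.items()}

def build_constructed_sample(base):
    """Create a small fake #SharedObjects tree (constructed sample data)."""
    root = Path(base) / "#SharedObjects"
    for rel in ("QX7ABCDE/tracker.example/ads/player.swf/uid.sol",
                "QX7ABCDE/tracker.example/prefs.sol",
                "QX7ABCDE/video.example/settings.sol"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00\xbf constructed placeholder, not a real LSO")
    return root

if __name__ == "__main__":
    roots = [r for r in default_lso_roots() if r.is_dir()]
    if not roots:  # no Flash storage on this machine: show the constructed sample
        roots = [build_constructed_sample(tempfile.mkdtemp())]
    for root in roots:
        for domain, files in sorted(find_flash_cookies(root).items()):
            print(f"{domain}: {len(files)} Flash cookie(s)")
            for f in files:
                print(f"    {f} ({f.stat().st_size} bytes)")
```

The script only reads and reports; none of these files appear in the browser's own cookie manager, which is why clearing browser cookies leaves them in place.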

In the not-so-old days, the worst that could happen is that you’d be tracked and served ads based on your browsing habits, or maybe you’d be unlucky enough to have someone else open your browser when you were away from the computer and get an ad that tips them off to what you’ve been doing online.

Now, though, it appears that the information users voluntarily give to social networking sites, plus the data collected by the new breed of cookies, can be put together to actually identify an individual. “Social networking sites like Facebook, LinkedIn and MySpace are giving the hungry cloud of tracking companies an easy way to add your name, lists of friends, and other profile information to the records they already keep on you,” says Eckersley.

Tip 3: If you use Firefox, an add-on called BetterPrivacy can bust Flash cookies. It’s free, and you can find it here.

Tip 4: Pick a good cookie policy for your browser, like “only keep cookies until I close my browser”, or manual approval of all cookies.

Tip 5: Use the Firefox extensions RequestPolicy and NoScript to control when 3rd party sites can include content in your pages or run code in your browser, respectively. These tools are very effective, but be aware, says Eckersley, that they’re hard to use: lots of sites that depend on JavaScript will need to be whitelisted before they work correctly.

Tip 6: Use the Targeted Advertising Cookie Opt-Out plugin. This will automatically opt you out of any 3rd party trackers who have an opt out somewhere that requires you to accept a cookie. Be aware that not all 3rd parties will offer opt outs, or that some of them may interpret “opt out” to mean “do not show me targeted ads”, rather than “do not track my behavior online”.

Facebook Privacy Traps

A clever, and very patient, reporter for the New York Times recently found that Facebook has more than 50 privacy-related buttons leading to approximately 170 choices. I can’t guide you through that labyrinth but there are a number of commonsense steps you can take to minimize the damage if you don’t push the right button.

[For step-by-step instructions on securing Facebook in light of the company’s recent privacy flap, see CIO.com’s Facebook Privacy Changes: 5 Can’t Miss Facts.]

Tip 7: Never accept an app invitation from someone you don’t know. And if the app looks suspicious, check it out using the Facebook app search.

Tip 8: Remember that once someone has your full date of birth (day, month, year), they are only a few steps away from having enough information to do some serious damage, such as hacking your bank account. So, be smart. Don’t include it in your profile.

Tip 9: For the same reason, remove your ground address and phone number from your profile.

Tip 10: It may seem mean, but categorize people according to how well you know and trust them. Put them in groups; the better you know them, the more access they can have to your page.

San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at bill.snyder@sbcglobal.net.