Do you know what an “EverCookie” is? If you are in the affiliate market, as an affiliate, merchant or network, you should really know about EverCookie! An EverCookie is, simply put, a cookie that can’t be deleted – a true permanent cookie. I am sure you can see the problem.
On September 20, 2010 Samy Kamkar released a document on his website that describes this new invention: the EverCookie, as he named it. It’s actually a very good name because this cookie, or rather these cookies, are virtually impossible to delete.
This is how the EverCookie works
Normally, if you set a “permanent” cookie it can be deleted relatively easily. Most browsers have a function for this, or you can just go to your cookie folder and erase it manually.
But as you probably know, there are many places where you can store user data today – not just regular cookies. This is what is (ab)used by the EverCookie system.
With EverCookie, multiple cookies are set. Currently Samy’s EverCookie supports 10 different types of cookies! And he even has a few more he wants to add. Not all of these cookies are as easy to remove as standard cookies. Some of them are close to impossible.
These are the cookie types EverCookie currently supports:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Storing cookies in RGB values
- Storing cookies in and reading out Web History
- Storing cookies in HTTP ETags
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
How many of them did you know? And do you know how and where to delete them all? Even if you do, I bet you that the vast majority of average web users don’t!
The really smart thing about EverCookie is not just that it sets 10 cookies. Theoretically you could go through each of them, if you know how, and delete them. But that won’t work with the EverCookie, because as long as just one cookie is left, it is used to set the other 9 cookies again. All 10 cookies can do that. So you would have to delete every single one of the 10 cookies at the same time to get out of the EverCookie trap. That is virtually impossible or at least very, very difficult – even for geeks like us.
If you are working in the affiliate space you can probably see the problem with this type of cookie. Basically, if I, as an affiliate of your company, can set an EverCookie on users, no other affiliate will ever be able to overwrite it. The EverCookie essentially overrides the standard that most merchants and affiliate networks use, where the last affiliate partner prior to a sale gets the commission on that sale.
Of course this will really upset all your other affiliates – their earnings will drop like a stone in water. It could potentially kill your entire affiliate program – or affiliate network. At least if you don’t deal with it – fast and efficiently!
I have not personally tested Samy’s EverCookie but the software is open source so you are free to get it – if you want to and dare. There are still a few technical details in the use of this EverCookie system that I am not sure how they work, but a qualified programmer will of course be able to see that in the supplied source files.
What can you do about the EverCookie?
Well, I am sorry to say but at this point I really don’t see any way you can automatically protect your network or affiliate program against this.
If you are a merchant or running a network, what you can do is make sure your terms of agreement are updated with rules about this – and other similar tricks. Next you need to monitor whether your affiliates follow the rules and then take legal and financial action against the ones that don’t follow them. However, this may not always be that easy – not if the affiliate is really smart. And most likely he or she is, if using EverCookie.
If you are an affiliate, watch out for sudden dramatic changes in your conversions. This could be a sign of EverCookie being used by another affiliate on the same program. In that case you need to have a serious chat with the network or merchant. I am sure they will want to stop this too.
As a user who wants to get rid of EverCookie, I am not really sure what you can do – besides using Safari in Private Browsing mode, but who wants to do that on a daily basis? I don’t have a simple way to guide you. If you have one, please post a comment below.
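One way to do the monitoring described above, as an added example that is not part of the original post: compare the affiliate credited on each sale with the most recent click the network logged for that visitor, and flag affiliates that repeatedly collect commissions on other partners' last clicks. It assumes the network keeps a server-side click log and can tie clicks and sales to the same visitor; the log format, the names and the 30-day window are hypothetical, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Assumed format:
# clicks: (time, visitor, affiliate) recorded server-side by the network's redirect
# sales:  (time, visitor, credited affiliate) as read from the tracking cookie at checkout
CLICKS = [
    ("2010-10-01T09:00", "v1", "aff_A"),
    ("2010-10-03T12:00", "v1", "aff_B"),
    ("2010-10-02T08:00", "v2", "aff_A"),
    ("2010-10-04T10:00", "v2", "aff_C"),
    ("2010-10-05T11:00", "v3", "aff_B"),
    ("2010-10-01T07:00", "v4", "aff_A"),
    ("2010-10-06T15:00", "v4", "aff_C"),
]
SALES = [
    ("2010-10-03T13:00", "v1", "aff_A"),  # last logged click was aff_B
    ("2010-10-04T11:00", "v2", "aff_A"),  # last logged click was aff_C
    ("2010-10-05T12:00", "v3", "aff_B"),  # consistent with last click
    ("2010-10-06T16:00", "v4", "aff_C"),  # consistent with last click
]
WINDOW = timedelta(days=30)  # assumed cookie lifetime from the program terms


def last_click_mismatches(clicks, sales, window=WINDOW):
    """Return (visitor, credited, expected) for sales not credited to the last click."""
    by_visitor = defaultdict(list)
    for ts, visitor, aff in clicks:
        by_visitor[visitor].append((datetime.fromisoformat(ts), aff))
    mismatches = []
    for ts, visitor, credited in sales:
        sold = datetime.fromisoformat(ts)
        prior = [(t, a) for t, a in by_visitor[visitor] if sold - window <= t <= sold]
        if not prior:
            continue  # no logged click in the window to compare against
        expected = max(prior)[1]  # affiliate of the most recent click before the sale
        if expected != credited:
            mismatches.append((visitor, credited, expected))
    return mismatches


def flag_affiliates(clicks, sales, min_overrides=2):
    """Affiliates credited over another partner's last click at least min_overrides times."""
    gained = Counter(credited for _, credited, _ in last_click_mismatches(clicks, sales))
    return {aff: n for aff, n in gained.items() if n >= min_overrides}


if __name__ == "__main__":
    print(last_click_mismatches(CLICKS, SALES))
    print(flag_affiliates(CLICKS, SALES))
```

A flagged affiliate is a starting point for a manual review against the program terms, not proof that EverCookie is in use.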
Is the EverCookie evil?
No, I don’t think code can be evil in itself but some people and actions definitely can be.
From a technical point of view my first reaction to this was: WOW … this is way cool! It is. But when you look closely at the problems this may create for the whole affiliate market I don’t think it’s so cool. I don’t like the damage it may create if used as described above.
However, there might be more legitimate uses for this too. For example, if you want to keep specific people out of a forum, such as stalkers and child molesters. There may also be other good uses of the EverCookie. If you have some good ideas please make a comment below.