Will EverCookie kill the affiliate market?

Do you know what an “EverCookie” is? If you are in the affiliate market, as an affiliate, merchant or network, you should really know about the EverCookie! Simply put, an EverCookie is a cookie that can’t be deleted, a truly permanent cookie. I am sure you can see the problem.

On September 20, 2010 Samy Kamkar released a document on his website that describes this new invention: the EverCookie, as he named it. It’s actually a very good name, because this cookie, or rather these cookies, are virtually impossible to delete.

This is how the EverCookie works

Normally, if you set a “permanent” cookie it can be deleted relatively easily. Most browsers have a function for this, or you can just go to your cookie folder and erase it manually.

But as you probably know, there are many places where you can store user data today, not just regular cookies. This is what is (ab)used by the EverCookie system.

With EverCookie, multiple cookies are set. Currently Samy’s EverCookie supports 10 different types of cookies, and he has a few more he wants to add. Not all of these cookies are as easy to remove as standard cookies; some of them are close to impossible.

These are the cookie types EverCookie currently supports:

- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Storing cookies in RGB values
- Storing cookies in and reading out Web History
- Storing cookies in HTTP ETags
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite

How many of them did you know? And do you know how and where to delete them all? Even if you do, I bet you that the vast majority of average web users don’t!

The really smart thing about EverCookie is not just that it sets 10 cookies. Theoretically you could go through each of them, if you know how, and delete them. But that won’t work with the EverCookie, because as long as just one cookie is left, it is used to set the other 9 cookies again. All 10 cookies can do that. So you would have to delete every single one of the 10 cookies at the same time to get out of the EverCookie trap. That is virtually impossible, or at least very, very difficult, even for geeks like us.

If you are working in the affiliate space you can probably see the problem with this type of cookie. Basically, if I, as an affiliate of your company, can set an EverCookie on users, no other affiliate will ever be able to overwrite it. The EverCookie essentially overrides the standard that most merchants and affiliate networks use, where the last affiliate partner prior to a sale gets the commission on that sale.

Of course this will really upset all your other affiliates; their earnings will drop like a stone in water. It could potentially kill your entire affiliate program, or affiliate network. At least if you don’t deal with it, fast and efficiently!

I have not personally tested Samy’s EverCookie, but the software is open source, so you are free to get it, if you want to and dare. There are still a few technical details in the use of this EverCookie system that I am not sure how work, but a qualified programmer will of course be able to see that in the supplied source files.

What can you do about the EverCookie?

Well, I am sorry to say, but at this point I really don’t see any way you can automatically protect your network or affiliate program against this.

If you are a merchant or running a network, what you can do is make sure your terms of agreement are updated with rules about this and other similar tricks. Next you need to monitor whether your affiliates follow the rules, and then take legal and financial action against the ones that don’t. However, this may not always be that easy, not if the affiliate is really smart. And most likely he or she is, if they are using EverCookie.

If you are an affiliate, watch out for sudden dramatic changes in your conversions. This could be a sign of EverCookie being used by another affiliate on the same program. In that case you need to have a serious chat with the network or merchant. I am sure they will want to stop this too.

As a user who wants to get rid of the EverCookie, I am not really sure what you can do, besides using Safari in Private Browsing mode, but who wants to do that on a daily basis? I don’t have a simple way to guide you. If you have one, please post a comment below.
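The regeneration behaviour described above and the user’s cleanup problem, as an added example that is not from the original post or from Samy Kamkar’s evercookie code: it flags one identifier mirrored across several stores, purges every copy in one pass, and models why deleting only some copies fails. The store names, the `evercookie_uid` key and the snapshot values are constructed assumptions.

```javascript
// Constructed snapshot (not real evercookie output), assuming a privacy tool has
// already decoded each store (Flash LSO, ETag, pixel RGB, ...) to plain strings.
const sampleStores = {
  httpCookie:   { evercookie_uid: "a1b2c3", session: "xyz" },
  flashLSO:     { evercookie_uid: "a1b2c3" },
  etag:         { "/evercookie_cache.php": "a1b2c3" },
  pngRGB:       { cache_pixel: "a1b2c3" },
  localStorage: { evercookie_uid: "a1b2c3", theme: "dark" },
};
// Flag any value that appears in at least minStores distinct stores: one
// identifier mirrored across unrelated mechanisms is the evercookie signature.
function findReplicatedValues(stores, minStores = 3) {
  const seen = new Map(); // value -> Set of store names holding it
  for (const [store, entries] of Object.entries(stores)) {
    for (const value of Object.values(entries)) {
      if (!seen.has(value)) seen.set(value, new Set());
      seen.get(value).add(store);
    }
  }
  return [...seen]
    .filter(([, where]) => where.size >= minStores)
    .map(([value, where]) => ({ value, stores: [...where].sort() }));
}
// Remove every copy of each suspect value from every store in a single pass,
// leaving unrelated entries (session id, theme preference) untouched.
function purgeReplicated(stores, minStores = 3) {
  const suspects = new Set(findReplicatedValues(stores, minStores).map(s => s.value));
  const cleaned = {};
  let removed = 0;
  for (const [store, entries] of Object.entries(stores)) {
    cleaned[store] = {};
    for (const [key, value] of Object.entries(entries)) {
      if (suspects.has(value)) removed++;
      else cleaned[store][key] = value;
    }
  }
  return { cleaned, removed };
}
// Model of the re-seeding the post describes: while any store still holds the
// id, every store that lost it gets it back (hypothetical key evercookie_uid).
function reseed(stores, id) {
  if (!Object.values(stores).some(e => Object.values(e).includes(id))) return stores;
  const out = {};
  for (const [store, entries] of Object.entries(stores)) {
    const has = Object.values(entries).includes(id);
    out[store] = has ? { ...entries } : { ...entries, evercookie_uid: id };
  }
  return out;
}
```

Clearing only the HTTP cookie and then running `reseed` brings the identifier straight back, whereas the output of `purgeReplicated` has no survivor left to re-seed from.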

Is the EverCookie evil?

No, I don’t think code can be evil in itself but some people and actions definitely can be.

From a technical point of view my first reaction to this was: WOW … this is way cool! It is. But when you look closely at the problems this may create for the whole affiliate market, I don’t think it’s so cool. I don’t like the damage it may create if used as described above.

However, there might be more legitimate uses for this too. For example, if you want to keep specific people out of a forum, such as stalkers and child molesters. There may also be other good uses of the EverCookie. If you have some good ideas, please leave a comment below.

Written by:

Mikkel deMib Svendsen is the founder and works day to day as creative director.

Comments (15)


  1. rishil says:

    Excellent Summary. There are probably some data protection issues around the use of the EverCookie, and I suspect that once widely abused, it will be pretty hard to handle…

  2. David Bullock says:

    I think there’s some misunderstanding. Evercookie isn’t a cookie, and it doesn’t regenerate itself or automatically overwrite other cookies in your system or prevent regular cookies from being overwritten or cleared.

    Evercookie is the program/code that sets the cookies, and recreates them if some are missing. It has to be run from a website.

    In order for the cookie to be regenerated, the evercookie script has to be run again, the same situation as if the visitor revisited Affiliate A’s site after getting a new cookie at Affiliate B and overwrote it with a regular cookie.

    The only way this would be an issue is if the MERCHANT (not a rogue affiliate) regenerated the dormant affiliate cookies and overwrote the last legitimate cookie with an old evercookie record. That would be very easy to spot since the merchant would have to be running the evercookie scripts on their site.

    What Evercookie DOES do, is make it much easier to spot a returning visitor who has cleared their regular cookies.

    - Dave

    • Mikkel deMib Svendsen says:

      There seem to be some disagreements around both positive and negative use of the EverCookie. As I mentioned in my post I did not play around with it yet, and I see just as many potential problems as I see good uses.

      The main problem, however, is that most average users won’t know how to remove it – even if you do :)

      This may be OK if you use it to protect a forum from stalkers and molesters, but not in many other cases. Which ones will end up being a real problem only time will tell. But in any case I am sure most people did not know about the EverCookie, so this is why I brought it up here.

      • David Bullock says:

        I would recommend that you play with it and understand what it actually does, and does not do before you start the thought experiments.

        Evercookie MAY have some useful application. For example I could see it being used to store non personal or non uniquely identifiable to track things like repeat visitors vs new visitors or to restore preferences.

        It can certainly be used abusively to defeat the user’s desire to anonymize their experience. It can also do things like make cookies from Browser A (say, Chrome) show up in Browser B (say, Firefox) by restoring from the shared LSO storage.

        But as far as affiliate marketing goes, the entire concern of this blog post is moot.

        • Mikkel deMib Svendsen says:

          I appreciate your opinion, but as I said there seem to be different views on the EverCookie.

          • Oscar says:

            Hi Mikkel,

            I bet you can’t give a practical example of how an affiliate could cheat a network or other affiliates by using the Evercookie.

            I’m sorry to say it, but except for the part about the privacy issues this article is just spreading FUD.

          • Mikkel deMib Svendsen says:

            > I’m sorry to say it, but except for the part about the privacy issues this article is just spreading FUD.

            That would be good. Note that the headline on this post is a question :)

            However, there are lots of other ways EverCookie can be used that may be a problem, from a usability, privacy or legal point of view. And I am sure most people are not aware that such a thing as EverCookie exists.

            There are also ways to use the EverCookie that seem like they may be good.

            The main point of this post was to inform about the EverCookie, as most people don’t even know it’s possible. And also to push for a debate on what the EverCookie can and should, or should not, be used for.

  3. Herve says:

    Don’t you think that the solution could come from antivirus software?

  4. David Bullock says:

    There are plenty of apps like CCleaner, and private browsing modes, that can be easily extended to cover the different places that evercookie caches backups in.

  5. Robin says:

    I agree with Bullock. I don’t think “cookie stuffing” can be done by an affiliate with evercookie. Why? Because you can only control 1st party cookies. Cookies from, let’s say, Amazon or Commission Junction would be 3rd party cookies. If they were to employ evercookie, then cookie stuffing could be accomplished.

    • Jojo says:

      As Bullock said, your example doesn’t make sense. The affiliate network decides which cookie it’s using. If the network uses just the “Standard HTTP Cookies”, you can store whatever you want in the others; it just doesn’t change anything.

      The “evercookie” is a big privacy problem for users. “Regulations” are needed, but should come from the industry. God forbid the German “privacy advocates” hear about the evercookie. They will probably demand strong restrictions for all cookies …

      • Mikkel deMib Svendsen says:

        The first impression I got of the EverCookie, from people much more technically skilled than me, was that the EverCookie COULD be a problem in the affiliate market. Whether they were wrong, or whether they included other techniques (such as DNS pinning or binding), or whether they just misjudged it, I don’t know.

        But even if the EverCookie is not a problem in the affiliate market, which I absolutely hope, I still think it can be a problem in many other areas. Not least general privacy, as you mention.

        • Kevin says:

          Mate, I agree with you. If you can run JavaScript using XSS and get control of the 3rd party domain (like CJ, Amazon, BestBuy or others), you could drop this evercookie, and what will happen? :D

  6. Peter says:

    I comment on this older article because the ignorance revolts me. Many misunderstandings here.

    For easier communication with pedants, I will call the group of 13 cookies an “evercookie”.

    At first, this sentence in the OP is factually wrong:
    “Basically, if I, as an affiliate of your company, can set an EverCookie on users no other affiliate will ever be able to overwrite it”
    This can’t be done by an affiliate, only by the merchant or affiliate network (i.e. Amazon, CJ, etc.)

    Then this is a critical misunderstanding:
    “Cookies from, lets say amazon or commission junction, would be 3rd party cookies. If they were to employ evercookie, then cookie stuffing could be accomplished.”
    It is exactly the opposite.

    I am an expert because I have been both an affiliate AND a cookie stuffer (in affiliate programs that allow it).

    “The … impression I got of the EverCookie … was that the EverCookie COULD be a problem in the affiliate market”
    This is true. Three effects in the affiliate market:
    1- It kills competition: once a client has been acquired, he remains with the original affiliate, and a click on your site brings zero.
    2- In a way this will nearly eradicate all cookie stuffing, since cookie stuffing is done by rogue affiliates by making the merchant cookie drop via technical means without click by the user. If that cookie doesn’t drop anymore, these affiliates cannot “steal” customers anymore.
    3- If the merchants changed their policy to only remunerate affiliates for new customers but in a limited timeframe, this would potentially kill the affiliate market – which is already very hard to get into, the golden years are in the past.

    The number one losers of merchants using evercookies would be cookie stuffers, small honest affiliates and new affiliates.
    Biggest winners would be sites with big traffic, it would consolidate their position.
    And I see the danger right there: these sites could pressure merchants to use evercookies (if you are a merchant, and the 3 biggest affiliates making up 50% of your sales want an evercookie, to “cement the fruitful cooperation”, what do you do?).

    Finally – there are very useful applications for the evercookie.

    For example, banning users and spammers from websites who come back after deleting their regular cookies, using different browsers, dynamic internet addresses, proxies, anonymization networks like TOR, etc.

    Another application is website security.
    If you detect suspicious things in HTTP requests, such as “wget” and other unix commands or known windows server exploits, you could just drop an evercookie and deny any request coming from the same computer, but maybe from another browser or IP address.

    The biggest danger on the side of privacy comes from the government, because it has the technical means and computing power to intercept private (meaning between website and user) evercookie traffic.
    Corporations might also spy on you, but just to sell stuff.

    “God forbid if the german “privacy advocates” here about the evercookie. They will probably demand strong restrictions for all cookies”
    A court in a German state has just made the use of Twitter and Facebook buttons on websites illegal if users don’t explicitly accept them.

    “Don’t you think that the solution could comes from the antivirus softwares ?”
    It could, but it would be a Herculean task. First, I don’t see how the antivirus can distinguish in some cases between legitimate data and tracking data (for example the RGB values of some pixels in cached images?).
    Then the software would have to monitor the code executed inside the browser and Flash on the fly … good luck with that.

    I think what most browsers will implement is a function to clear all data, with the user able to define exceptions based on domain.
