An Internet cookie (also called a web cookie, browser cookie, HTTP cookie, or just plain cookie) is a small data file stored on a client computer by a website. This cookie stores information specific to that user, including website preferences, user interests, and login tokens. These cookies also often contain a unique identifier, so the website can track each person individually.
Cookies enable websites to offer a richer experience to users, since certain things can be customized for the user. Also, they enable users to log in to their account (if the have one) only once per visit, or even enable the user to return to the site at a later time without logging in again. From a webmaster's view, they not only enable all of this, but can be used to track down website problems, and also reduce cheating and fraud.
Since these cookies store user information and uniquely identify the users, the user's privacy is largely lost. All of the preferences and interests of a user can be recorded and exploited through targeted marketing. This becomes especially an issue when a website has script on many other websites. For example, Facebook and other social media share buttons are offered on many different websites. This enables these companies to track which sites a particular person likes to visit, even if they never use the buttons. This is also true for advertisements. Google's Ad Sense and Google Analytics collects a large amount of information on users. This enables them to determine interests and "follow" the user from website to website with advertisements for that product type.
Even worse, cookies are sometime used by identity thieves to gather extensive information about the computer user.
As users have become increasingly aware of cookies, developers have become increasingly creative. There are several kinds of "super cookies" which through various methods, enable a website to track its users even if the user regularly deletes cookies or has disabled them outright.
HSTS Super Cookies
Servers sometimes use HTTP Strict Transport Security (HSTS) to ensure that uses connect using an encrypted connection for security. If a user tries to connect using an unencrypted protocol (usually HTTP) then HSTS will instruct the browser to connect using a secure connection, instead (HTTPS). This website is then added to the web browser's director of secure websites, so it connects properly in the future. There is nothing specifically wrong with this system—it is a very useful and convenient feature. However, some developers have found a way to abuse this system. They send an HSTS message to the connecting browser, then allow the visitor to connect. The browser, meanwhile, automatically stores an entry for that website as specified by the site itself. From this point on, the browser can be identified by how it connects based on the HSTS entry. This is not a cookie in the strictest sense, but it offers the same functionality—to uniquely identify the user to the website. Removing these "super cookies" is not easy, but can be done. Many browsers offer the option to clear this record of secure websites, so this can be used. However, some other browsers such as Safari do not. There are also software solutions to help clear these cookies.
Researchers at the Berkeley Center for Law and Technology discovered more recently that webmasters were using Adobe Flash to store unique user information. These "cookies" are not seen as such by most browsers and addons, so they can remain undetected almost indefinitely. They can store the same basic information as a traditional cookie, and can also recreate traditional cookies once they are deleted. These can be removed, but not easily. Adobe does offer a Settings Manager through which flash cookies can be viewed and deleted. They can also be disabled using the Adobe Global Storage Settings Panel.
Super cookies are considered a risk by many since they are difficult to clear. This enables websites to track many users with impunity, even if they think they are remaining safe by clearing their traditional cookies. A great number of websites also use these without mentioning them, even in their extensive privacy policies. Even the U.S. federal government uses these in many of their websites, since the use of traditional cookies on their websites is banned. This not only violates the spirit of the law, but also gives the government another method by which violate citizens' Right to Privacy.