In the ever-evolving cat-and-mouse game of online privacy, a seemingly innocuous browser feature has emerged as a potent tracking tool. Favicons—those tiny icons that appear next to website names in browser tabs—are being exploited in a technique dubbed the ‘supercookie’ by researchers. This method, pioneered by German software designer Jonas Strehle, allows trackers to fingerprint users across sessions, even in incognito mode, raising alarm bells among privacy advocates.
Strehle’s proof-of-concept, detailed in his GitHub repository, demonstrates how favicons can be manipulated to store unique identifiers in a browser’s cache. Unlike traditional cookies, which browsers can easily delete or block, these favicon-based trackers persist because they leverage the browser’s favicon caching mechanism, which is separate from standard cookie storage.
The technique works by generating a unique set of favicons for each user, effectively creating a digital fingerprint. When a user visits a site, the server delivers custom favicons that are cached. On subsequent visits, the browser requests only missing favicons, revealing the user’s identifier without their knowledge.
The Mechanics of Favicon Fingerprinting
Delving deeper into the technology, Strehle’s repository on GitHub provides a step-by-step implementation. The system uses a cache-based approach where a 32-bit identifier is encoded into a series of favicon requests. For instance, it might involve 32 different favicons, each corresponding to a bit in the identifier.
According to a 2021 article in Gizmodo, this method circumvents privacy protections like Apple’s Intelligent Tracking Prevention. The article quotes researchers noting that favicons are fetched even in private browsing modes, making them ideal for persistent tracking.
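The bit-per-favicon readout described above can be modelled without any browser or network. The following is an added example, not code from Strehle's repository: the class, the function names, and the convention that a cached icon means bit 1 are assumptions made for illustration. It also shows why a favicon cache that is isolated per session breaks the link between a normal and a private session.

```javascript
// Simplified model of the cache side channel (constructed; no network, no real browser).
const BITS = 32; // one favicon slot per identifier bit, as in the article

class FaviconCache {
  constructor() { this.slots = new Set(); }
  has(slot) { return this.slots.has(slot); }
  store(slot) { this.slots.add(slot); }
}

// Write pass: the server answers the icon request only for slots whose bit is 1,
// so only those icons end up cached. (Bit convention is an assumption.)
function writePass(cache, id) {
  for (let slot = 0; slot < BITS; slot++) {
    if ((id >>> slot) & 1) cache.store(slot);
  }
}

// Read pass: the browser asks only for icons it does not already hold.
// The server serves nothing this time and records which slots were requested.
function readPass(cache) {
  const requested = [];
  for (let slot = 0; slot < BITS; slot++) {
    if (!cache.has(slot)) requested.push(slot);
  }
  return requested;
}

// Server-side reconstruction: a slot that was NOT requested was cached, so bit = 1.
function reconstruct(requested) {
  const asked = new Set(requested);
  let id = 0;
  for (let slot = 0; slot < BITS; slot++) {
    if (!asked.has(slot)) id |= 1 << slot;
  }
  return id >>> 0; // force unsigned 32-bit
}

// Compare a favicon cache shared across sessions with one isolated per session.
function simulate(id, isolatePerSession) {
  const normal = new FaviconCache();
  writePass(normal, id);
  const privateSession = isolatePerSession ? new FaviconCache() : normal;
  const seen = reconstruct(readPass(privateSession));
  return { seen, linked: seen === (id >>> 0) };
}
```

With a shared cache the private session yields the same identifier as the normal one; with an isolated cache every slot is requested, so the server sees only an all-zero value that looks like a first-time visitor.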
Historical Context of Supercookies
Supercookies aren’t new; the term dates back to at least 2011 when Verizon was criticized for using them to track mobile users. A ZDNET report from that year highlighted how these ‘zombie cookies’ respawn after deletion, embedding tracking data in HTTP headers.
By 2014, concerns escalated with reports in CNET about Verizon’s supercookies potentially aiding advertisers and hackers. These identifiers, injected into web traffic, allowed precise user profiling without consent.
The favicon variant represents a modern evolution. As detailed in a 2021 TechRadar piece, Strehle’s work showed how favicons could track users across different sites, even if cookies are blocked.
Privacy Implications and User Impact
The privacy risks are profound. Unlike cookies, which users can manage via browser settings, favicon caches are harder to clear. A post on Ars Technica from 2015 explained how supercookies bypass private browsing, allowing sites to link incognito sessions to regular ones.
Recent discussions on X (formerly Twitter) echo these concerns. Privacy expert Lukasz Olejnik tweeted in 2021 about persistent tracking without user consent, calling it a ‘#GDPR #ePrivacy’ issue. Similarly, Firefox’s official account highlighted their efforts to block such supercookies.
Browser Responses and Mitigations
Browsers have started fighting back. Mozilla Firefox implemented Enhanced Tracking Protection to mitigate favicon-based tracking, as noted in their 2021 X post. Apple’s Safari has also tightened favicon handling in updates following iOS anti-tracking launches.
However, a 2021 IT Pro article warns that not all browsers are equally vigilant. Chrome, for instance, has been slower to address cache-based tracking, leaving users vulnerable.
Strehle’s demo site, supercookie.me, allows users to test the vulnerability firsthand, showing how a unique ID is reconstructed from favicon requests.
Regulatory and Industry Reactions
Regulators have taken notice. In 2011, Congressmen urged the FTC to investigate supercookies, per Ars Technica. More recently, Europe’s GDPR has implications for such tracking, with experts like Wolfie Christl warning on X about telcos planning supercookie-like IDs.
A 2022 X post from DuckDuckGo criticized similar token-based tracking by German phone companies as a ‘data grab.’ This sentiment aligns with broader industry backlash, such as GitHub’s 2022 privacy policy changes sparking outrage over tracking cookies, reported by BleepingComputer.
Latest Developments in 2025
As of 2025, favicon tracking remains a hot topic. Recent Hacker News discussions, mirrored on X, highlight ongoing exploits even in incognito mode. A November 16, 2025, post from Hacker News 50 linked to articles reiterating the persistence of this method.
Experts predict escalation. A PWV Consultants blog from 2021, still relevant, notes favicons’ role in cross-site tracking, with no major patches in sight for 2025 browsers.
Privacy-focused tools like uBlock Origin now include filters for favicon trackers, but widespread adoption lags.
Expert Insights and Future Outlook
Jonas Strehle himself, in his GitHub README, emphasizes this as a proof-of-concept to raise awareness, not for malicious use. He states, ‘This is a demonstration of browser fingerprinting via favicon!’
Lukasz Olejnik, in his 2021 X post, described it as ‘User interaction/consent not needed. Supercookie!’ underscoring the consent bypass.
Looking ahead, industry insiders expect browsers to isolate favicon caches per site, similar to cookie partitioning. Until then, users are advised to use VPNs and clear caches regularly.
Broader Ecosystem Effects
The supercookie phenomenon ties into larger debates on data privacy. With Meta’s Threads collecting vast user data—as criticized in a 2023 X post by OverDose—favicon tracking adds another layer to the surveillance economy.
Telcos’ plans for pseudonymous IDs, as tweeted by Wolfie Christl in 2022, could amplify this, enabling cross-device tracking.
Ultimately, this underscores the need for robust privacy laws, beyond current frameworks like CCPA or GDPR, to address evolving tracking tech.


WebProNews is an iEntry Publication