Microsoft disables 'supercookies' used on MSN.com visitors
New tracking technology a 'colossal privacy gaffe,' researcher says
Computerworld - Microsoft said it has disabled an online tracking technology that, according to a Stanford University researcher, allowed the company to sneakily track users on MSN.com -- even after they deleted their browser cookies and other identifiers.
In an emailed comment Thursday, Mike Hintze, Microsoft's associate general counsel, said the company took "immediate action" when it learned about the presence of so-called "supercookies" on its networks from Stanford University researcher Jonathan Mayer.
After Mayer identified Microsoft as one of several companies using supercookies for targeted advertising, the company investigated. "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued," Hintze said.
Mayer's research prompted Microsoft to move faster to disable the code, Hintze said. "At no time, did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft."
Mayer's report follows one from researchers at the University of California, Berkeley, on the practice by many websites of using tracking mechanisms that can circumvent the privacy settings on a user's browser. The Berkeley researchers also found that many sites, including Hulu, employed supercookie techniques to track users for advertising purposes.
A Hulu spokeswoman yesterday refused to comment on the UC Berkeley report. She pointed instead to a blog post from Hulu earlier this month which said the site acted "immediately" to address the issues identified by the researchers.
"This included suspending our use of the services of the outside vendor mentioned in the study," the blog post noted.
Supercookies are tracking mechanisms that do not rely on traditional browser cookies to store user browsing data. Examples of such cookies include Flash cookies in which user tracking data is stored in a little known Adobe Flash plug-in, and cache cookies in which the data is stored in the entity tags (eTags) used by browsers as a bandwidth saving mechanism.
Such cookies are hard to get rid of, don't expire on their own and can store a lot of information -- making them more appealing than traditional cookies to Internet marketers and web analytics firms. For instance, while an HTTP cookie stores just 4KB of data, Flash cookies can store up to 100KB.
One of the most controversial uses of such cookies has been to recreate or to "re-spawn' cookies that have been deleted by users.
Mayer said his research showed that Microsoft has code on its Live.com, MSN.com and its Atlas third-party advertising networks that would have caused a user's cookie to be recreated -- even after it had been cleared by the user.
"It is difficult to estimate the number of users affected by Microsoft's respawning without knowing more about traffic to Microsoft's web properties and the conditions under which it would set [the identifier ID]," Mayer said in his blog. But the company had the ability to easily associate a user's interactions with msn.com, live.com and the Atlas network both before and after cookie clearing.
"One of the most prolific ad networks was using technologies that are widely frowned upon for circumventing user privacy choices," Mayer told Computerworld via email. "At minimum this was a colossal privacy gaffe."
- NSA defends collecting data from U.S. residents not suspected of terrorist activities
- Groups fear bill would allow free flow of data between private sector and NSA
- Google's move into home automation means even less privacy
- Bill to require warrant for email searches gains ground in House
- Coming soon to a fridge near you -- targeted ads
- Snowden leaks prompt tech firms to tout privacy, transparency policies
- License reader lawsuit can be heard, appeals court rules
- Is EU's 'right to be forgotten' really the 'right to edit the truth'?
- Tails 1.0: A bootable Linux distro that protects your privacy
- Privacy jitters derail controversial K-12 big data initiative
- Combating Identity Theft in a Mobile, Social World Offering identity theft protection and remediation allows businesses to give their workforce the confidence to efficiently engage while bringing financial reward to the...
- After a Breach: Managing Identity Theft Effectively This white paper from LifeLock Business Solutions notes that FIs in addition to managing fraud should strive to turn a negative event for...
- Combating Identity Fraud in a Virtual World This slide presentation reveals findings from the Javelin Strategy & Research 2012 Identity Fraud Report about mobile and social trends, the real risks...
- Cloud Computing Drives IT and Business Agility Hybrid Cloud Accelerates Time to Value What is the main focus for IT in your organization - cost or agility? Many IT discussions today focus on cost controls rather...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Cloud BI in Action: Recorded Webinar of Customer, Kony, Inc. See how Kony, Inc., a leading enterprise mobility company, is using TIBCO Jaspersoft for Amazon Web Services and Redshift to achieve embedded analytics... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!