New tracking technology a 'colossal privacy gaffe,' researcher says
Microsoft said it has disabled an online tracking technology that, according to a Stanford University researcher, allowed the company to sneakily track users on MSN.com — even after they deleted their browser cookies and other identifiers.
In an emailed comment Thursday, Mike Hintze, Microsoft's associate general counsel, said the company took "immediate action" when it learned about the presence of so-called "supercookies" on its networks from Stanford University researcher Jonathan Mayer.
After Mayer identified Microsoft as one of several companies using supercookies for targeted advertising, the company investigated. "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued," Hintze said.
Mayer's research prompted Microsoft to move faster to disable the code, Hintze said. "At no time, did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft."
Mayer's report follows one from researchers at the University of California, Berkeley, on the practice by many websites of using tracking mechanisms that can circumvent the privacy settings on a user's browser. The Berkeley researchers also found that many sites, including Hulu, employed supercookie techniques to track users for advertising purposes.
A Hulu spokeswoman yesterday refused to comment on the UC Berkeley report. She pointed instead to a blog post from Hulu earlier this month which said the site acted "immediately" to address the issues identified by the researchers.
"This included suspending our use of the services of the outside vendor mentioned in the study," the blog post noted.
Supercookies are tracking mechanisms that do not rely on traditional browser cookies to store user browsing data. Examples include Flash cookies, in which user tracking data is stored in a little-known Adobe Flash plug-in, and cache cookies, in which the data is stored in the entity tags (ETags) used by browsers as a bandwidth-saving mechanism.
Such cookies are hard to get rid of, don't expire on their own and can store a lot of information — making them more appealing than traditional cookies to Internet marketers and web analytics firms. For instance, while an HTTP cookie stores just 4KB of data, Flash cookies can store up to 100KB.
One of the most controversial uses of such cookies has been to recreate or to "re-spawn" cookies that have been deleted by users.
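Re-spawning through a cache cookie can be checked for in recorded HTTP traffic: after cookies are cleared, a site that hands back the same identifier it issued earlier has restored it from somewhere else. The following audit is an added example, not code from the article or from the researchers it cites; the hosts, cookie names and values in the trace are constructed, and it assumes the tester cleared cookies but left the browser cache intact.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed trace: visits recorded before and after the tester clears cookies.
TRACE = [
    {"phase": "before", "url": "https://tracker.example/t.js", "request": {},
     "response": {"Set-Cookie": "uid=a81f3c9e77d2; Path=/",
                  "ETag": '"a81f3c9e77d2"'}},
    {"phase": "after", "url": "https://tracker.example/t.js",
     "request": {"If-None-Match": '"a81f3c9e77d2"'},  # cached ETag survived
     "response": {"Set-Cookie": "uid=a81f3c9e77d2; Path=/"}},
    {"phase": "after", "url": "https://news.example/", "request": {},
     "response": {"Set-Cookie": "session=5d0b6f21c4aa; Path=/"}},
]

def cookies_in(header):
    """Parse a Cookie or Set-Cookie header value into {name: value}."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}

def find_respawned(trace):
    """Flag identifiers that a host re-issues unchanged after cookies were cleared."""
    issued_before = {}  # (host, cookie name) -> value set before the clear
    findings = []
    for exchange in trace:
        host = urlsplit(exchange["url"]).hostname
        set_cookies = cookies_in(exchange["response"].get("Set-Cookie"))
        if exchange["phase"] == "before":
            for name, value in set_cookies.items():
                issued_before[(host, name)] = value
            continue
        sent = cookies_in(exchange["request"].get("Cookie"))
        validator = exchange["request"].get("If-None-Match", "")
        for name, value in set_cookies.items():
            # Skip cookies the browser still sent, and values that are new.
            if name in sent or issued_before.get((host, name)) != value:
                continue
            # The old value came back although the browser no longer held it.
            source = "etag" if value in validator else "unknown"
            findings.append({"host": host, "cookie": name,
                             "value": value, "source": source})
    return findings

if __name__ == "__main__":
    for finding in find_respawned(TRACE):
        print(finding)
```

A finding with source `unknown` means the identifier returned without a matching ETag in the request, so it was restored from some other store, such as the Flash storage described above.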
Mayer said his research showed that Microsoft has code on its Live.com, MSN.com and its Atlas third-party advertising networks that would have caused a user's cookie to be recreated — even after it had been cleared by the user.
"It is difficult to estimate the number of users affected by Microsoft's respawning without knowing more about traffic to Microsoft's web properties and the conditions under which it would set [the identifier ID]," Mayer said in his blog. But the company had the ability to easily associate a user's interactions with msn.com, live.com and the Atlas network both before and after cookie clearing.
"One of the most prolific ad networks was using technologies that are widely frowned upon for circumventing user privacy choices," Mayer told Computerworld via email. "At minimum this was a colossal privacy gaffe."
One problem with supercookies is that they are stored outside a browser, meaning they work outside browser privacy protections, said Ashkan Soltani, an independent security researcher and co-author of the UC Berkeley report. As a result, switching browsers to protect privacy doesn't help, Soltani said in a blog post.
"A Flash cookie acquired while using Firefox is also available to websites when using Internet Explorer," he said.
In many cases, such cookies are used without any user notice, opt-out or choice, Soltani said in an interview. Often, such cookies can be used by online tracking companies to peer into Web-browsing habits across multiple sites to build a highly detailed profile about users, he said.
As an example, Soltani pointed to technology from KISSmetrics, a company used by Hulu and others for online tracking purposes. According to Soltani, the respawning and tracking techniques used by KISSmetrics generate unique identifiers, even when the user blocks HTTP and Flash cookies. Soltani said that he and another researcher earlier this month identified at least 515 websites using KISSmetrics code that would allow cookie respawning.
"We are seeing this arms race between consumers who want to declare their privacy preferences and companies that have strong motivations to track users," for advertising and analytics, he said.
Hiten Shah, the CEO of KISSmetrics, on Thursday did not comment on Soltani's findings but instead pointed to a blog post explaining the company's position.
In it, Shah insisted that KISSmetrics does not track users across different websites nor does it have the ability to do so. Shah denied that KISSmetrics uses persistent cookies and said the company has added an opt-out feature for those who do not want to be tracked.
The legality of supercookies is unclear. The Network Advertising Initiative (NAI), which sets standards for behavior by online marketers and analytics firms, officially frowns upon the use of Flash cookies and other tracking technologies that circumvent user privacy settings.
In 2009, Quantcast, an online tracking firm, was sued after Soltani and other UC Berkeley researchers showed how the company's respawning Flash cookies were being used widely by major websites. Quantcast agreed to settle the lawsuit for $2.4 million last December.
Since Soltani's latest paper was released, KISSmetrics has already been hit with two lawsuits by consumers claiming their privacy rights were violated.
"The behavior uncovered by these researchers demonstrates conclusively that industry self-regulation is a myth," said John Simpson, director of Consumer Watchdog. "Promises of responsible behavior under self-regulation have repeatedly been demonstrated to be meaningless.
"We need a law that creates a strong Do Not Track mechanism, which would enable consumers to make their desire not to be tracked clear, no matter what invasive technology might be implemented," Simpson said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan.