Microsoft's Hand Caught in 'Supercookie' Jar
Microsoft claimed today that it has disabled code used on its Web sites that allegedly could track users as part of a "supercookie" tracking scheme.
Supercookies apparently persist even after visitors to Web sites have deleted cookies from their browsers. Microsoft's Web sites, MSN.com and Microsoft.com, as well as Hulu.com's TV entertainment portal site, were identified by researchers at Stanford University and the University of California at Berkeley as using such supercookie code, according to an account published today by The Wall Street Journal.
The Berkeley researchers found that Hulu's site can store tracking code in Adobe Flash-associated files. In addition, those researchers noted that Hulu.com uses code from the Kissmetrics Web traffic tracking firm for persistent tracking, the WSJ reported.
Microsoft's use of supercookie code was identified by Stanford researcher Jonathan Mayer. He also found that Time Warner's Flixster.com social-networking service uses a "history stealing" tracking service produced by the Epic Media Group. This same history stealing system is used by Charter Communications Inc. for its Charter.net portal, according to the WSJ story.
Mike Hintze, associate general counsel for regulatory affairs at Microsoft, told the WSJ that the use of the supercookie code didn't follow Microsoft's privacy policies and that the code has been removed. Hulu issued a statement to the WSJ indicating that it is investigating its use of the supercookie code.
Hintze provided further clarification about the code in a Microsoft blog post today. He claimed that the code was just old and scheduled for being disabled.
"Mr. Mayer identified Microsoft as one among others that had this [supercookie] code, and when he brought his findings to our attention we promptly investigated," Hintze explained in the blog. "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued. We accelerated this process and quickly disabled this code."
Hintze further claimed that Microsoft had no plans "to develop or deploy any such 'supercookie' mechanisms" and referred people to Microsoft's privacy policies.
The Microsoft ad-tracking process is described in an October 2007 white paper, titled "Privacy Protections in Microsoft's Ad Serving System and the Process of 'De-identification'" (PDF). In that paper, Microsoft claims that Windows Live or MSN IDs are associated with anonymous IDs (ANIDs) via one-way encryption. That one-way encryption scheme makes it "extremely difficult" for Microsoft to associate a user's online click behavior with their identity, the document asserts.
"In other words, it is extremely difficult to use a given ANID (with or without knowing the hashing algorithm) to derive the original LiveID value," the document states (p. 5). "Because all personally and directly identifying information about a user is stored on servers in association with a LiveID rather than an ANID, there is no practical way to link data stored in association with an ANID back to any data on Microsoft servers that could personally and directly identify an individual user."
While Microsoft appears to have been quick to respond to the supercookie disclosure, the issue of consumer trust seems problematic going forward, given that a whole industry is devoted to tracking online consumer click behavior.
Last year, Microsoft announced a volunteer effort to limit third-party advertiser click-stream tracking with an opt-in "tracking protection" mechanism that was introduced in Internet Explorer 9. However, that method just applies to third-party advertisers. Microsoft's tracking protection approach was under consideration earlier this year by the Worldwide Web Consortium, which oversees Web standards. Google and Mozilla also have proposed their own tracking protection schemes for browsers.
Government involvement on the issue seems fairly dormant so far. The U.S. Federal Trade Commission offered up a very general exploratory document (PDF) on the issue of consumer tracking in December of 2010, but apparently nothing has since emerged from that effort.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.