Microsoft's Hand Caught in 'Supercookie' Jar

Microsoft claimed today that it has disabled code used on its Web sites that allegedly could track users as part of a "supercookie" tracking scheme.

Supercookies apparently persist even after visitors to Web sites have deleted cookies from their browsers. Microsoft's Web sites, and, as well as's TV entertainment portal site, were identified by researchers at Stanford University and the University of California at Berkeley as using such supercookie code, according to an account published today by The Wall Street Journal.

The Berkeley researchers found that Hulu's site can store tracking code in Adobe Flash-associated files. In addition, those researchers noted that uses code from the Kissmetrics Web traffic tracking firm for persistent tracking, the WSJ reported.

Microsoft's use of supercookie code was identified by Stanford researcher Jonathan Mayer. He also found that Time Warner's social-networking service uses a "history stealing" tracking service produced by the Epic Media Group. This same history stealing system is used by Charter Communications Inc. for its portal, according to the WSJ story.

Mike Hintze, associate general counsel for regulatory affairs at Microsoft, told the WSJ that the use of the supercookie code didn't follow Microsoft's privacy policies and that the code has been removed. Hulu issued a statement to the WSJ indicating that it is investigating its use of the supercookie code.

Hintze provided further clarification about the code in a Microsoft blog post today. He claimed that the code was just old and scheduled for being disabled.

"Mr. Mayer identified Microsoft as one among others that had this [supercookie] code, and when he brought his findings to our attention we promptly investigated," Hintze explained in the blog. "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued.  We accelerated this process and quickly disabled this code."

Hintze further claimed that Microsoft had no plans "to develop or deploy any such 'supercookie' mechanisms" and referred people to Microsoft's privacy policies.

The Microsoft ad-tracking process is described in an October 2007 white paper, titled "Privacy Protections in Microsoft's Ad Serving System and the Process of 'De-identification'" (PDF). In that paper, Microsoft claims that Windows Live or MSN IDs are associated with anonymous IDs (ANIDs) via one-way encryption. That one-way encryption scheme makes it "extremely difficult" for Microsoft to associate a user's online click behavior with their identity, the document asserts.

"In other words, it is extremely difficult to use a given ANID (with or without knowing the hashing algorithm) to derive the original LiveID value," the document states (p. 5). "Because all personally and directly identifying information about a user is stored on servers in association with a LiveID rather than an ANID, there is no practical way to link data stored in association with an ANID back to any data on Microsoft servers that could personally and directly identify an individual user."

While Microsoft appears to have been quick to respond to the supercookie disclosure, the issue of consumer trust seems problematic going forward, given that a whole industry is devoted to tracking online consumer click behavior.

Last year, Microsoft announced a volunteer effort to limit third-party advertiser click-stream tracking with an opt-in "tracking protection" mechanism that was introduced in Internet Explorer 9. However, that method just applies to third-party advertisers. Microsoft's tracking protection approach was under consideration earlier this year by the Worldwide Web Consortium, which oversees Web standards. Google and Mozilla also have proposed their own tracking protection schemes for browsers.

Government involvement on the issue seems fairly dormant so far. The U.S. Federal Trade Commission offered up a very general exploratory document (PDF) on the issue of consumer tracking in December of 2010, but apparently nothing has since emerged from that effort.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • Microsoft Dynamics 365: Why It May Not Be What You Think

    For starters, the cloud-based CRM/ERP software has some surprising integrations with PowerApps, Microsoft's low-code developer environment.

  • Microsoft 365 Insider Test Program Emerges for Organizations

    Microsoft has started a new Microsoft 365 Insider Program for organizations to test its software, but the program's name and scope could be changing.

  • IT Pros: Don't Forget To Protect Your Personal Security

    Don't be the IT pro who spends way too many hours each day keeping their users secure only to neglect their own home networks. Brien describes the two steps he took to avoid this trap.

  • Microsoft Edge Browser Shifting to Open Source Chromium Platform

    Microsoft plans to align its Microsoft Edge browser production efforts with the open source Chromium Web platform for the desktop version of the browser, the company announced on Thursday.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.