Microsoft's Hand Caught in 'Supercookie' Jar

Microsoft claimed today that it has disabled code used on its Web sites that allegedly could track users as part of a "supercookie" tracking scheme.

Supercookies apparently persist even after visitors to Web sites have deleted cookies from their browsers. Microsoft's Web sites, and, as well as's TV entertainment portal site, were identified by researchers at Stanford University and the University of California at Berkeley as using such supercookie code, according to an account published today by The Wall Street Journal.

The Berkeley researchers found that Hulu's site can store tracking code in Adobe Flash-associated files. In addition, those researchers noted that uses code from the Kissmetrics Web traffic tracking firm for persistent tracking, the WSJ reported.

Microsoft's use of supercookie code was identified by Stanford researcher Jonathan Mayer. He also found that Time Warner's social-networking service uses a "history stealing" tracking service produced by the Epic Media Group. This same history stealing system is used by Charter Communications Inc. for its portal, according to the WSJ story.

Mike Hintze, associate general counsel for regulatory affairs at Microsoft, told the WSJ that the use of the supercookie code didn't follow Microsoft's privacy policies and that the code has been removed. Hulu issued a statement to the WSJ indicating that it is investigating its use of the supercookie code.

Hintze provided further clarification about the code in a Microsoft blog post today. He claimed that the code was just old and scheduled for being disabled.

"Mr. Mayer identified Microsoft as one among others that had this [supercookie] code, and when he brought his findings to our attention we promptly investigated," Hintze explained in the blog. "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued.  We accelerated this process and quickly disabled this code."

Hintze further claimed that Microsoft had no plans "to develop or deploy any such 'supercookie' mechanisms" and referred people to Microsoft's privacy policies.

The Microsoft ad-tracking process is described in an October 2007 white paper, titled "Privacy Protections in Microsoft's Ad Serving System and the Process of 'De-identification'" (PDF). In that paper, Microsoft claims that Windows Live or MSN IDs are associated with anonymous IDs (ANIDs) via one-way encryption. That one-way encryption scheme makes it "extremely difficult" for Microsoft to associate a user's online click behavior with their identity, the document asserts.

"In other words, it is extremely difficult to use a given ANID (with or without knowing the hashing algorithm) to derive the original LiveID value," the document states (p. 5). "Because all personally and directly identifying information about a user is stored on servers in association with a LiveID rather than an ANID, there is no practical way to link data stored in association with an ANID back to any data on Microsoft servers that could personally and directly identify an individual user."

While Microsoft appears to have been quick to respond to the supercookie disclosure, the issue of consumer trust seems problematic going forward, given that a whole industry is devoted to tracking online consumer click behavior.

Last year, Microsoft announced a volunteer effort to limit third-party advertiser click-stream tracking with an opt-in "tracking protection" mechanism that was introduced in Internet Explorer 9. However, that method just applies to third-party advertisers. Microsoft's tracking protection approach was under consideration earlier this year by the Worldwide Web Consortium, which oversees Web standards. Google and Mozilla also have proposed their own tracking protection schemes for browsers.

Government involvement on the issue seems fairly dormant so far. The U.S. Federal Trade Commission offered up a very general exploratory document (PDF) on the issue of consumer tracking in December of 2010, but apparently nothing has since emerged from that effort.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Spaceflight Training in the Middle of a Pandemic

    Surprisingly, the worldwide COVID-19 lockdown has hardly slowed down the space training process for Brien. In fact, it has accelerated it.

  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.