News

Researchers Detect 'Supercookie' Tracking Code on Microsoft Sites

In response to claims from researchers that certain Microsoft Web sites contain code that could track users, Microsoft announced on Thursday that it has disabled the so-called "supercookies."

Supercookies can linger even after Web site visitors delete regular cookies from their browsers. According to a Wall Street Journal report, researchers at Stanford University and the University of California at Berkeley spotted supercookie code on two Microsoft Web sites, MSN.com and Microsoft.com, as well as on Hulu.com.

The Berkeley researchers found that Hulu's site can store tracking code in Adobe Flash-associated files. In addition, the WSJ reported, those researchers noted that Hulu.com uses code from the Kissmetrics Web traffic tracking firm for persistent tracking.

Microsoft's use of supercookie code was identified by Stanford researcher Jonathan Mayer. He also found that Time Warner's Flixster.com social-networking service uses a "history stealing" tracking service produced by the Epic Media Group. This same history stealing system is used by Charter Communications Inc. for its Charter.net portal, according to the WSJ story.

Mike Hintze, associate general counsel for regulatory affairs at Microsoft, told the WSJ that the use of the supercookie code didn't follow Microsoft's privacy policies and that the code has been removed. Hulu issued a statement to the WSJ indicating that it is investigating its use of the supercookie code.

Hintze provided further clarification about the code in a Microsoft blog post Thursday. He claimed that the code was just old and scheduled for being disabled.

"Mr. Mayer identified Microsoft as one among others that had this [supercookie] code, and when he brought his findings to our attention we promptly investigated," Hintze explained in the blog. "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued.  We accelerated this process and quickly disabled this code."

Hintze further claimed that Microsoft had no plans "to develop or deploy any such 'supercookie' mechanisms" and referred people to Microsoft's privacy policies.

The Microsoft ad-tracking process is described in an October 2007 whitepaper, titled "Privacy Protections in Microsoft's Ad Serving System and the Process of 'De-identification'" (PDF). In that paper, Microsoft claims that Windows Live or MSN IDs are associated with anonymous IDs (ANIDs) via one-way encryption. That one-way encryption scheme makes it "extremely difficult" for Microsoft to associate a user's online click behavior with their identity, the document asserts.

"In other words, it is extremely difficult to use a given ANID (with or without knowing the hashing algorithm) to derive the original LiveID value," the document states (p. 5). "Because all personally and directly identifying information about a user is stored on servers in association with a LiveID rather than an ANID, there is no practical way to link data stored in association with an ANID back to any data on Microsoft servers that could personally and directly identify an individual user."

While Microsoft appears to have been quick to respond to the supercookie disclosure, the issue of consumer trust seems problematic going forward, given that a whole industry is devoted to tracking online consumer click behavior.

Last year, Microsoft announced a volunteer effort to limit third-party advertiser click-stream tracking with an opt-in "tracking protection" mechanism that was introduced in Internet Explorer 9. However, that method just applies to third-party advertisers. Microsoft's tracking protection approach was under consideration earlier this year by the Worldwide Web Consortium, which oversees Web standards. Google and Mozilla also have proposed their own tracking protection schemes for browsers.

Government involvement on the issue seems fairly dormant so far. The U.S. Federal Trade Commission offered up a very general exploratory document (PDF) on the issue of consumer tracking in December 2010, but apparently nothing has since emerged from that effort.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.