News

Researchers Detect 'Supercookie' Tracking Code on Microsoft Sites

• By Kurt Mackie
• August 19, 2011

In response to claims from researchers that certain Microsoft Web sites contain code that could track users, Microsoft announced on Thursday that it has disabled the so-called "supercookies."

Supercookies can linger even after Web site visitors delete regular cookies from their browsers. According to a Wall Street Journal report, researchers at Stanford University and the University of California at Berkeley spotted supercookie code on two Microsoft Web sites, MSN.com and Microsoft.com, as well as on Hulu.com.

The Berkeley researchers found that Hulu's site can store tracking code in Adobe Flash-associated files. In addition, the WSJ reported, those researchers noted that Hulu.com uses code from the Kissmetrics Web traffic tracking firm for persistent tracking.

Microsoft's use of supercookie code was identified by Stanford researcher Jonathan Mayer. He also found that Time Warner's Flixster.com social-networking service uses a "history stealing" tracking service produced by the Epic Media Group. This same history stealing system is used by Charter Communications Inc. for its Charter.net portal, according to the WSJ story.

Mike Hintze, associate general counsel for regulatory affairs at Microsoft, told the WSJ that the use of the supercookie code didn't follow Microsoft's privacy policies and that the code has been removed. Hulu issued a statement to the WSJ indicating that it is investigating its use of the supercookie code.

Hintze provided further clarification about the code in a Microsoft blog post Thursday. He claimed that the code was just old and scheduled for being disabled.

"Mr. Mayer identified Microsoft as one among others that had this [supercookie] code, and when he brought his findings to our attention we promptly investigated," Hintze explained in the blog. "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued.  We accelerated this process and quickly disabled this code."

Hintze further claimed that Microsoft had no plans "to develop or deploy any such 'supercookie' mechanisms" and referred people to Microsoft's privacy policies.

The Microsoft ad-tracking process is described in an October 2007 whitepaper, titled "Privacy Protections in Microsoft's Ad Serving System and the Process of 'De-identification'" (PDF). In that paper, Microsoft claims that Windows Live or MSN IDs are associated with anonymous IDs (ANIDs) via one-way encryption. That one-way encryption scheme makes it "extremely difficult" for Microsoft to associate a user's online click behavior with their identity, the document asserts.

"In other words, it is extremely difficult to use a given ANID (with or without knowing the hashing algorithm) to derive the original LiveID value," the document states (p. 5). "Because all personally and directly identifying information about a user is stored on servers in association with a LiveID rather than an ANID, there is no practical way to link data stored in association with an ANID back to any data on Microsoft servers that could personally and directly identify an individual user."

While Microsoft appears to have been quick to respond to the supercookie disclosure, the issue of consumer trust seems problematic going forward, given that a whole industry is devoted to tracking online consumer click behavior.

Last year, Microsoft announced a volunteer effort to limit third-party advertiser click-stream tracking with an opt-in "tracking protection" mechanism that was introduced in Internet Explorer 9. However, that method just applies to third-party advertisers. Microsoft's tracking protection approach was under consideration earlier this year by the Worldwide Web Consortium, which oversees Web standards. Google and Mozilla also have proposed their own tracking protection schemes for browsers.

Government involvement on the issue seems fairly dormant so far. The U.S. Federal Trade Commission offered up a very general exploratory document (PDF) on the issue of consumer tracking in December 2010, but apparently nothing has since emerged from that effort.