12:49 PM

Microsoft Disables Supercookies On MSN

The online user tracking technique is drawing fire, and numerous businesses are stepping away from the firms that practice it.

Slideshow: 7 Biggest Microsoft Flops
(click image for larger view and for full slideshow)
Slideshow: 7 Biggest Microsoft Flops
(click image for larger view and for full slideshow)
Microsoft has eliminated controversial "supercookies" that were present on MSN.com, in response to research that detailed the user-tracking technique.

Unlike regular cookies, or even newer Flash cookies, the latest generation of tracking technologies can't be disabled by browser users, even with privacy add-ons. That revelation surfaced late last month, in two separate research papers.

The first paper, "Tracking the Trackers: Microsoft Advertising (cache and ETag supercookies)," written by Stanford University graduate student Jonathan R. Mayer, highlighted new, persistent-cookie techniques being used by Microsoft on its MSN.com site.

In response to that paper, released in July, Microsoft on Thursday disclosed that it had immediately investigated Mayer's assertions, identified the code in question, and disabled it. "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued," said Mike Hintze, associate general counsel for regulatory affairs at Microsoft, in a blog post.

"We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft," he said. "We are committed to providing choice when it comes to the collection and use of customer information, and we have no plans to develop or deploy any such 'supercookie' mechanisms."

Interestingly, the use of ETag supercookies that Mayer discovered wasn't limited to Microsoft. In fact, a separate group of researchers found similar techniques at use in a wide range of websites, as detailed in their paper, "Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning," released late last month.

That report's co-author, Ashkan Soltani, an independent privacy researcher, said in a blog post that the team discovered the new tracking techniques when recreating their 2009 study, "which found that websites were circumventing user choice by deliberately restoring previously deleted HTTP cookies using persistent storage outside of the control of the browser (a practice we dubbed 'respawning')." The technique is often used by online advertisers and their affiliates to track online behavior.

In the course of the new research, the team identified 5,600 HTTP cookies used on popular sites, 88% of them from third parties. Google-run cookies were present on 97 of the top 100 websites--including government websites--and Flash cookies were also present on 37 of the top 100 websites. In addition, 17 sites used HTML5, with seven also used "HTML5 local storage and HTTP cookies with matching values," said Soltani.

In addition, "we found two sites that were respawning cookies, including one site--hulu.com--where both Flash and cache cookies were employed to make identifiers more persistent," he said. "The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and 'Private Browsing Mode' is enabled."

Exactly what are ETags? According to the report, "ETags are tokens presented by a user's browser to a remote webserver in order to determine whether a given resource (such as an image) has changed since the last time it was fetched. Rather than simply using it for version control, we found KISSmetrics returning ETag values that reliably matched the unique values in their 'km_ai' user cookies."

Wired first reported those findings, which led television streaming website Hulu.com to sever ties with one of the supercookie-using tracking firms detailed in the report, startup KISSmetrics. Spotify also suspended its relationship with the company, pending an investigation.

In a blog post, Hiten Shah, CEO of KISSmetrics, slammed the report for inaccuracies, arguing that it "significantly distorts our technology and business practices." Namely, he said, while his company employs a unique identifier for every person it tracks, even across websites, "internally, these identifiers are instantly translated into unique identifiers for each customer, and KISSmetrics has gone to extensive lengths to avoid linking any information from different customers, including segregating each customer's data in a completely separate database."

According to Shah, the same day the report was released, the first of two related lawsuits were filed against his company.

Hulu's move to sever ties over controversial marketing practices isn't surprising, considering it had been named in a previous class action lawsuit that resulted from Soltani's original respawning study, released in 2009. The result of that lawsuit was a $2.4 million settlement in December 2010, and a promise by Clearspring and Quantcast to discontinue using the technology.

Meanwhile, other defendants in the suit--ABC, ESPN, Hulu, JibJab Media, MTV Networks, NBC Universal, and Scribd--agreed to warn user if Flash was being used to track them, and to detail in their website privacy policies how to block the practice.

How can users stop supercookies? While do not track capabilities in browsers have attracted much attention lately as a way to block persistent tracking, supercookies can't currently be stopped from within the browser. Accordingly, blocking supercookies might require some type of privacy legislation that compels U.S. businesses to respect users' "do not track" intentions, as well as to disclose their tracking techniques.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

Published: 2015-03-05
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

Published: 2015-03-05
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

Published: 2015-03-05
Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCur69192.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.