Dark Reading is part of the Informa Tech Division of Informa PLC



Supercookie Crackdown Sought By Lawmakers

FTC urged to investigate new persistent tracking technique, per its mandate to stop unfair and deceptive business practices.

Lawmakers are urging the Federal Trade Commission to investigate how the persistent tracking technology known as "supercookies" is being used by websites. Unlike normal browser cookies, or even Flash cookies, supercookies can't be cleared from users' browsers, and thus provide marketers and advertising agencies with a persistent technique for tracking online behavior.

"We believe this new business practice raises serious privacy concerns and is unacceptable," according to a letter to the FTC from two members of Congress, Edward Markey (D-Mass.) and Joe Barton (R-Texas), co-chairmen of the House bipartisan privacy caucus.

"We are also very concerned about the extent of this practice by websites as well as the impact supercookies have on consumers. Furthermore, we believe the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for the misuse of personal information, and provides another way for consumers to be tracked online." Accordingly, they're calling for the FTC to investigate supercookies, based on the agency's mandate to protect people from "unfair or deceptive acts or practices."


The lawmakers said their concern stemmed from an August 18, 2011, story in the Wall Street Journal that detailed the use of the persistent tracking technologies on websites such as Hulu.com and MSN. But their use had been spotted by security researchers on those sites in July.

The same day that the Journal story came out, Microsoft released a blog post saying that in response to the researchers' findings, it had identified the supercookie code in use on its MSN website and removed it. Microsoft said the code in question had been "older," meant for deletion, and that at no time had collected information been shared outside of Microsoft.

How widespread is the use of supercookies? That's not clear. But it appears their use would at least have to be disclosed to website users, under a new set of rules issued by the Interactive Advertising Bureau (IAB), whose 375 media and technology company members collectively sell 86% of all online advertising in the United States.

Earlier this year, advertisers came under fire from lawmakers and the FTC for promulgating unclear policies and practices, as well as for resisting do-not-track capabilities in browsers. In response, the IAB created a code of conduct for its members, which went into effect on August 29. Part of that code of conduct states that members "should give clear, meaningful, and prominent notice on their own websites that describes their online behavioral advertising data collection and use practices."

The code of conduct is to be enforced by the Council of Better Business Bureaus (CBBB), a network of private businesses that accredits companies meeting its "best practices for how businesses should treat the public in a fair and honest manner." Any IAB member found to be violating the code of conduct will be given a remediation plan by the CBBB. Businesses that fail to follow the plan will have their IAB membership canceled for six months, after which they can reapply.

What's unclear, however, is how the CBBB will spot code of conduct violators, whether the IAB will name them, and if the loss of IAB membership would have any business repercussions for a company. An IAB spokesman didn't immediately respond to a request for comment.

Comments
Bprince (User Rank: Ninja), 9/29/2011 9:30:10 PM
re: Supercookie Crackdown Sought By Lawmakers

The last set of unknowns raised by the article are key for the online advertising industry to answer if they want to allay privacy concerns...

Brian Prince, InformationWeek contributor