"We believe this new business practice raises serious privacy concerns and is unacceptable," according to a letter to the FTC from two members of Congress, Edward Markey (D-Mass.) and Joe Barton (R-Texas), co-chairmen of the House bi-partisan privacy caucus.
"We are also very concerned about the extent of this practice by websites as well as the impact supercookies have on consumers. Furthermore, we believe the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for the misuse of personal information, and provides another way for consumers to be tracked online." Accordingly, they're calling for the FTC to investigate supercookies, based on the agency's mandate to protect people from "unfair or deceptive acts or practices."
[The federal government has proposed a code of conduct for notifying users when their PCs are infected by malware, raising privacy concerns. Should ISPs Monitor Users' PCs To Stop Botnets?]
The lawmakers said their concern stemmed from an August 18, 2011, story in the Wall Street Journal that detailed the use of the persistent tracking technologies on websites such as Hulu.com and MSN. But their use had been spotted by security researchers on those sites in July.
The same day that the Journal story came out, Microsoft released a blog post saying that in response to the researchers' findings, it had identified the supercookie code in use on its MSN website and removed it. Microsoft said the code in question had been "older," meant for deletion, and that at no time had collected information been shared outside of Microsoft.
How widespread is the use of supercookies? That's not clear. But their use would appear to have to at least be disclosed to website users, based on a new set of rules issued by the Interactive Advertising Bureau (IAB), which counts 375 media and technology companies as members, who collectively sell 86% of all online advertising in the United States.
Earlier this year, advertisers came under fire from lawmakers and the FTC for promulgating unclear policy practices, as well as for resisting do not track capabilities in browsers. In response, the IAB created a code of conduct for its members, which went into effect on August 29. Part of that code of conduct states that members "should give clear, meaningful, and prominent notice on their own websites that describes their online behavioral advertising data collection and use practices."
The code of conduct is to be enforced by the Council of Better Business Bureaus (CBBB), which is a set of private businesses which accredit companies that meet its "best practices for how businesses should treat the public in a fair and honest manner." Any IAB member found to be violating the code of conduct will be given a remediation plan by the CBBB. Businesses that fail to follow the plan will have their IAB membership canceled for six months, after which they can reapply.
What's unclear, however, is how the CBBB will spot code of conduct violators, whether the IAB will name them, and if the loss of IAB membership would have any business repercussions for a company. An IAB spokesman didn't immediately respond to a request for comment.