Microsoft Ceases Using Supercookies to Track Users

Monday, August 22, 2011



After being called out by a Stanford University computer science graduate student, Microsoft has ceased using "supercookies" on its websites to track users' web surfing behaviors.

Supercookies, also known as "zombiecookies" for their ability to regenerate even after a user has attempted to delete them from their system, are used to track user browsing histories and are considered to be a threat to user privacy.

Microsoft removed the supercookie mechanisms last week, immediately after revelations that the company was actively tracking the browsing habits of visitors to its websites by way of JavaScript code that could identify individual users.

According to an article by The Register's Dan Goodin, the code was copyrighted in 2007, but it is unclear how long Microsoft had been using the supercookies for tracking, or what the collected data was being used for.

"We don't really know what they were doing with this information, but it's not obvious what this explanation would be. The burden is on Microsoft to explain how it came to be there and how they used it and what they're going to do to make sure it doesn't happen again. As we turned over this ETag mechanism, we thought long and hard about how could they be using this legitimately. We couldn't come up with anything," said Jonathan Mayer, who uncovered Microsoft's use of the supercookies.

Mike Hintze, Associate General Counsel for Microsoft, published a blog post on the matter late last week:

In response to recent attention on "supercookies" in the media, we wanted to share more detail on the immediate action we took to address this issue, as well as affirm our commitment to the privacy of our customers.

According to researchers, including Jonathan Mayer at Stanford University, "supercookies" are capable of re-creating users' cookies or other identifiers after people deleted regular cookies.

Mr. Mayer identified Microsoft as one among others that had this code, and when he brought his findings to our attention we promptly investigated.

We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued.

We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft.

We are committed to providing choice when it comes to the collection and use of customer information, and we have no plans to develop or deploy any such "supercookie" mechanisms.

Microsoft has strong privacy standards that govern the development and deployment of our products and services. We work hard to build privacy into products, and we also engage with government, industry, academia and public interest groups to develop more effective privacy and data protection measures.

The JavaScript code was designed to be stored in the user's browser cache and could identify an individual in two ways: through a machine unique identifier (MUID) and through an ETag, the cache validator the browser sends back to the server whenever it re-requests a cached resource.

The code would regenerate the tracking cookie if it could not be found in the browser's cookie store, which many users clear regularly to preserve their browsing privacy; because the identifier also lived in the cache, deleting cookies alone did not remove it.
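As an added example (not code from the article or from Microsoft), the following Python check applies the defining property of the cache-based tracking described above: a content-derived ETag is identical for every client that received the same bytes, whereas a tracking ETag differs per visitor for the same bytes. The host, ETag values and the `OBSERVATIONS` records are constructed for the example.

```python
"""Flag ETags that behave like per-client identifiers rather than content hashes.

A cache-based "supercookie" hands each visitor a different ETag for a resource
whose bytes are the same for everyone; the browser echoes it in If-None-Match,
so the identifier survives cookie deletion for as long as the cache does.
"""
import hashlib
from collections import defaultdict

# Constructed observations from two fresh browser profiles (hypothetical host
# and values): (client, url, etag, response body).
OBSERVATIONS = [
    ("profile-a", "https://example.test/static/logo.png", '"5d41402a"', b"PNG-bytes"),
    ("profile-b", "https://example.test/static/logo.png", 'W/"5d41402a"', b"PNG-bytes"),
    ("profile-a", "https://example.test/t/beacon.js", '"8f3c2e9a7b1d4c6e"', b"/* beacon */"),
    ("profile-b", "https://example.test/t/beacon.js", '"1a2b3c4d5e6f7081"', b"/* beacon */"),
    # Only one profile saw this resource, so a changing ETag proves nothing.
    ("profile-a", "https://example.test/news.html", '"v1"', b"<p>old</p>"),
    ("profile-a", "https://example.test/news.html", '"v2"', b"<p>new</p>"),
]


def normalize_etag(etag):
    """Strip the weak-validator prefix and whitespace so W/"abc" equals "abc";
    only the opaque tag matters for this comparison."""
    etag = etag.strip()
    if etag.startswith("W/"):
        etag = etag[2:]
    return etag


def suspicious_etags(observations):
    """Return {url: sorted etags} for resources that at least two clients
    received byte-identical, yet with a different ETag per client."""
    per_url = defaultdict(lambda: {"clients": set(), "etags": set(), "bodies": set()})
    for client, url, etag, body in observations:
        rec = per_url[url]
        rec["clients"].add(client)
        rec["etags"].add(normalize_etag(etag))
        rec["bodies"].add(hashlib.sha256(body).hexdigest())
    flagged = {}
    for url, rec in per_url.items():
        if len(rec["clients"]) >= 2 and len(rec["bodies"]) == 1 and len(rec["etags"]) > 1:
            flagged[url] = sorted(rec["etags"])
    return flagged
```

Run `suspicious_etags(OBSERVATIONS)` against captures from two clean browser profiles; only `beacon.js` is reported, since the logo's ETags agree once the weak prefix is stripped and `news.html` was seen by a single profile.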

"I really don't think that's possible to accept any more. The fact of the matter is that we're seeing, intentionally or not, companies doing things that circumvent privacy choice in a way that suggests they need to have more of a spotlight put on them, possibly by regulators," Mayer said.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.