Microsoft Drops Respawning Cookies From MSN

Microsoft has removed the tracking cookie from MSN.com that could stealthily track users on the site even after the user deleted all cookies from the web browser.

The code used on MSN.com that was responsible for the “supercookies” had already been slated for removal, Mike Hintze, Microsoft’s associate general counsel for regulatory affairs, said on 19 August in a blog post on Microsoft Privacy & Safety. The company accelerated the removal process after being alerted by Jonathan Mayer, a Stanford University researcher who claimed Microsoft used the powerful cookies on Live.com, MSN.com and on Atlas third-party advertising networks, which places ads for other companies on the Internet.

Cookie onslaught

The cookie onslaught was “occurring under certain circumstances as a result of older code that was used only on our own sites”, Hintze said. None of the cookie identifiers or data associated with them were ever “shared outside of Microsoft”, according to Hintze.

People could have had the supercookie installed on their machines without visiting Microsoft websites directly, Mayer said. Even if they deleted regular cookies, Microsoft could have retained information about their web browsing.

“It is difficult to estimate the number of users affected by Microsoft’s respawning without knowing more about traffic to Microsoft’s web properties and the conditions under which it would set [the identifier ID],” Mayer said in his blog.

Mayer’s report followed a study from researchers at the University of California, Berkeley, who found many websites used tracking mechanisms that circumvented the privacy settings users set up on the web browser. Many sites, including Hulu.com, were saving “supercookies” on user computers to track users for advertising purposes. Many of these cookies are designed to re-enable themselves even after being deleted, allowing companies to track user activity and behavior over time despite cookie deletions.

Persistent cookies are not new, as there are a number of techniques used to prevent users from deleting them. Since the cookies are stored outside the web browser, switching browsers to protect privacy doesn’t help, according to Askhan Soltani, an independent security researcher and co-author of the UC Berkeley report. Flash cookies store user-tracking data in an Adobe Flash plug-in. Cache cookies in which data is stored in eTags are used to save bandwidth. Microsoft’s supercookie appears to have been a cache cookie, which means the only way to remove it was to clear the cache as well.

Respawning cookies

“A Flash cookie acquired while using Firefox is also available to websites when using Internet Explorer,” Soltani said on his blog.

Hulu and others were using cookies from KISSmetrics, which saved cookies onto the user’s computer without notice, even if the user had specified that all HTTP and Flash cookies should be blocked, Soltani said. At least 515 websites used KISSmetrics code to allow cookies to respawn.

Hulu said in a blog post it was investigating the researchers’ claims.

KISSmetrics chief executive Hiten Shah claimed in a blog post the company does not track users across different websites, nor does it have the ability to do so. Shah denied the use of persistent cookies and claimed all users have an opt-out feature.

Websites and advertisers have faced strong criticism for collecting and selling personal data about computer users without their knowledge, or without giving users a clear way to opt out. Despite the industries claims that it could self-regulate itself to protect consumer privacy, drafts of several “do not track” privacy bills are currently making the rounds in both chambers of Congress.