Supercookies Stealing Personal Information

Story first appeared in the Wall Street Journal.

Major websites such as MSN.com and Hulu.com have been tracking people's online activities using powerful new methods that are almost impossible for computer users to detect, new research shows. Unfortunately, security solutions may not be effective against these so called "supercookies".

What 'History Stealing' Is

The new techniques, which are legal, reach beyond the traditional "cookie," a small file that websites routinely install on users' computers to help track their activities online. Hulu and MSN were installing files known as "supercookies," which are capable of re-creating users' profiles after people deleted regular cookies, according to researchers at Stanford University and University of California at Berkeley.

Websites and advertisers have faced strong criticism for collecting and selling personal data about computer users without their knowledge, and a half-dozen privacy bills have been introduced on Capitol Hill this year.

Many of the companies found to be using the new techniques say the tracking was inadvertent and they stopped it after being contacted by the researchers.

The associate general counsel at MSN parent company Microsoft Corp., said that when the supercookie was brought to their attention, and they were alarmed by it. It was inconsistent with their intent and their policy. He said the company removed the computer code, which had been created by Microsoft.

WSJ reports so-called 'supercookies' reside in web sites that are tracking web users' activities and can continue to track users after they click a box to remove cookies from their computer.

Hulu posted a statement online saying it acted immediately to investigate and address the issues identified by researchers. It declined to comment further.

The spread of advanced tracking techniques shows how quickly data-tracking companies are adapting their techniques. When The Wall Street Journal examined tracking tools on major websites last year, most of these more aggressive techniques were not in wide use.

But as consumers become savvier about protecting their privacy online, the new techniques appear to be gaining ground.

A Stanford researcher identified what is known as a "history stealing" tracking service on Flixster.com, a social-networking service for movie fans recently acquired by Time Warner Inc., and on Charter Communications Inc.'s Charter.net.

Such tracking peers into people's Web-browsing histories to see if they previously had visited any of more than 1,500 websites, including ones dealing with fertility problems, menopause and credit repair, the researchers said. History stealing has been identified on other sites in recent years, but rarely at that scale.

The researchers determined that the history stealing on those two sites was being done by Epic Media Group, a New York digital-marketing company. Charter and Flixster said they didn't have a direct relationship with Epic, but as is common in online advertising, Epic's tracking service was installed by advertisers.

The chief executive of Epic, says his company was inadvertently using the technology and no longer uses it. He said the information was used only to verify the accuracy of data that it had bought from other vendors.

Both Flixster and Charter say they were unaware of Epic's activities and have since removed all Epic technology from their sites. Charter did the same last year with a different vendor doing history stealing on a smaller scale.

Gathering information about Web-browsing history can offer valuable clues about people's interests, concerns or household finances. Someone researching a disease online, for example, might be thought to have the illness, or at least to be worried about it.

The potential for privacy legislation in Washington has driven the online-ad industry to establish its own rules, which it says are designed to alert computer users of tracking and offer them ways to limit the use of such data by advertisers.

Under the self-imposed guidelines, collecting health and financial data about individuals is permissible as long as the data don't contain financial-account numbers, Social Security numbers, pharmaceutical prescriptions or medical records. But using techniques such as history stealing and supercookies "to negate consumer choices" about privacy violates the guidelines.

Until now, the council has been trying to push companies into the program, not kick them out.

Last year, the online-ad industry launched a program to label ads that are sent to computer users based on tracking data. The goal is to provide users a place to click in the ad itself that would let them opt out of receiving such targeted ads. (It doesn't turn off tracking altogether.) The program has been slow to catch on, new findings indicate.

The industry has estimated that nearly 80% of online display ads are based on tracking data. Only 9% of the ads they examined on the 500 most popular websites—62 out of 627 ads—contained the label. They looked at standard-size display ads placed by third parties between Aug. 4 and 11.

The industry says self-regulation is working. The labeling program has made tremendous progress.

Several Microsoft-owned websites, including MSN.com and Microsoft.com, were using supercookies.

Supercookies are stored in different places than regular cookies, such as within the Web browser's "cache" of previously visited websites, which is where the Microsoft ones were located. Privacy-conscious users who know how to find and delete regular cookies might have trouble locating supercookies.

Supercookies have also been found on Microsoft's advertising network, which places ads for other companies across the Internet. As a result, people could have had the supercookie installed on their machines without visiting Microsoft websites directly. Even if they deleted regular cookies, information about their Web-browsing could have been retained by Microsoft.

Microsoft's representative said that the company removed the code after being contacted, and that Microsoft is still trying to figure out why the code was created. A spokeswoman said the data gathered by the supercookie were used only by Microsoft and weren't shared with outside companies.

Separately last month, researchers at the University of California at Berkeley, found supercookie techniques used by dozens of sites. One of them, Hulu, was storing tracking coding in files related to Adobe Systems Inc.'s widely used Flash software, which enables many of the videos found online, the researchers said in a report. Hulu is owned by NBC Universal, Walt Disney Co. and News Corp., owner of The Wall Street Journal.

Hulu was one of several companies that entered into a $2.4 million class-action settlement last year related to the use of Flash cookies to circumvent users who tried to delete their regular cookies.

The Berkeley researchers also found that Hulu's website contained code from Kissmetrics, a company that analyzes website-traffic data. Kissmetrics was inserting supercookies into users' browser caches and into files associated with the latest version of the standard programming language used to build Web pages, known as HTML5.

In a blog post after the report was released, Kissmetrics said it would use only regular cookies for future tracking. The company didn't return calls seeking comment.

For technology and electronics related news, visit the Electronics America blog.
For national and worldwide related business news, visit the Peak News Room blog.
For local and Michigan business related news, visit the Michigan Business News blog.
For healthcare and medical related news, visit the Healthcare and Medical blog.
For law related news, visit the Nation of Law blog.
For real estate and home related news, visit the  Commercial and Residential Real Estate blog.
For organic SEO and web optimization related news, visit the SEO Done Right blog.