
Microsoft Drops Use of 'Supercookies' On MSN

Posted by timothy
from the but-kinect-knows-your-every-move dept.
Trailrunner7 writes "In response to work by Stanford University researchers who found that Microsoft and several other high-profile companies were using a controversial technique to keep persistent cookies on users' PCs to track their movements, Microsoft says it has discontinued the practice of using so-called 'supercookies.' In July, Jonathan Mayer, a graduate student at Stanford, revealed that some companies were still employing techniques that enabled browser history sniffing, which give the companies information on what sites users have visited and what links they've clicked on. The research also found that some companies were using cookies that re-spawn even after users have deleted them. Microsoft was using this technique on one of its sites, MSN.com, and now the company said that it is no longer doing so."
This discussion has been archived. No new comments can be posted.

  • Considering the corporate mindset and the modus operandi of companies like Microsoft, this is the tip of an unexplored iceberg. I bet they're saving logs of every conversation that takes place over their MSN IM software to glean competitive information to exploit / sell to fellow corporations. We would have to be pretty stupid to assume otherwise.
  • Microsoft was using this technique on one of its sites, MSN.com, and now the company said that it is no longer doing so.

    They've probably come up with another way to covertly track users. I've always been amazed at MSN.com's ability to display on a new workstation even if the firewall and proxy haven't been configured yet. I guess those pesky servers just happen to like that combination of letters or something.

  • by Hatta (162192) on Saturday August 20, 2011 @08:30AM (#37152694) Journal

    The Computer Fraud and Abuse Act prohibits unauthorized access to computer systems. Surely planting a cookie that restores itself after the user has deleted it is unauthorized access.

    • by maxume (22995)

      Nothing restores itself. Code on a visited page checks for other information stored on the computer and then creates a cookie with the same content as the deleted cookie.

      • If it were true that the information was the same, and it could have been trivially derived from other information on the computer, then there would be no need for the persistent cookie. That information could just be accessed when needed, and a non-persistent cookie could be issued or mapped to that user (that is how relational databases work after all, object with lots of keys in a map).
        • by maxume (22995)

          If you squint more and think of the persistent part as the cookie, then the browser cookie api is just being used to facilitate access.

    • by kmoser (1469707)
      That somebody allowed the cookie to be stored on their computer in the first place implies authorization. If the cookie planters are successful, they can assume it's because you granted them such access (whether express or implied). Just like if you walk up to a store and the front door is unlocked, you can assume they're open for business. Even if you are successful in deleting these supercookies forever, nothing will stop the web servers from identifying and tracking you by browser signature (among other
      • by KDR_11k (778916)

        No, it does not. It's the default behaviour of a browser and something most people are unaware of. The browser developer has decided to agree in place of the user.

  • by northerner (651751) on Saturday August 20, 2011 @09:40AM (#37153226)
    It seems that Microsoft is trying to do the right thing by removing the use of supercookies.

    Why not list the names of the other companies using these cookies so we can avoid them rather than single out Microsoft who is doing something about it?

    Did anyone find the article listing the companies found to be using supercookies in July? "In July, Jonathan Mayer, a graduate student at Stanford, revealed that some companies..."

    We may avoid the offending sites, but usually we won't know if advertisers on those sites are using them.

  • While it seems everyone is milking the 'supercookie' cessation hype, at least one org is telling us why...

    Online Behavioral Tracking [eff.org]

  • Here's what 'supercookies' actually are (from the horse's mouth: http://cyberlaw.stanford.edu/node/6715 [stanford.edu])
    * you hit a page which includes a wlHelper.js script
    * wlHelper.js is served with a header that tells your browser - cache this forever
    * wlHelper.js contains code something like this:
    var unique_id = 'RANDOM_LOOKING_STRING_JUST_FOR_YOU';
    // if the MUID cookie doesn't already exist, set it to unique_id
    if (!/(?:^|;\s*)MUID=/.test(document.cookie)) {
      document.cookie = 'MUID=' + unique_id;
    }

    You delete your MUID cooki
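
Added example (not part of the comment above or of the Stanford write-up): one way a defender could check a captured browsing session for the cache-based respawning that comment describes, by flagging long-cached scripts whose body contains a current cookie value. The 30-day threshold, the 8-character minimum, the hostnames and the sample values are assumptions constructed for illustration.

```javascript
// Added example: audit captured HTTP responses for cache-based cookie respawning.
// All sample data below is constructed; hostnames and values are placeholders.

const LONG_LIVED_SECONDS = 30 * 24 * 3600; // assumption: >30 days counts as "cache forever"

// Return the cache lifetime in seconds implied by response headers (0 if none).
function cacheLifetime(headers, now) {
  const cc = headers['cache-control'] || '';
  if (/\bno-store\b|\bno-cache\b/i.test(cc)) return 0;
  const m = /\bmax-age=(\d+)/i.exec(cc);
  if (m) return Number(m[1]);
  if (headers['expires']) {
    const t = Date.parse(headers['expires']);
    if (!Number.isNaN(t)) return Math.max(0, Math.floor((t - now) / 1000));
  }
  return 0;
}

// Flag script responses that are cached long-term AND embed a value that
// also appears as a cookie value: deleting the cookie leaves the cached copy,
// which can write the same identifier back.
function findRespawnCandidates(responses, cookies, now = Date.now()) {
  const findings = [];
  for (const r of responses) {
    if (!/javascript/i.test(r.headers['content-type'] || '')) continue;
    const lifetime = cacheLifetime(r.headers, now);
    if (lifetime < LONG_LIVED_SECONDS) continue;
    for (const [name, value] of Object.entries(cookies)) {
      // Skip short values to avoid matching on common tokens like "1" or "en".
      if (value.length >= 8 && r.body.includes(value)) {
        findings.push({ url: r.url, cookie: name, lifetime });
      }
    }
  }
  return findings;
}

// Constructed sample capture.
const sampleCookies = { MUID: 'A1B2C3D4E5F60718', lang: 'en' };
const sampleResponses = [
  { url: 'https://tracker.example/wlHelper.js',
    headers: { 'content-type': 'application/javascript', 'cache-control': 'public, max-age=315360000' },
    body: "var unique_id = 'A1B2C3D4E5F60718';" },
  { url: 'https://site.example/app.js',
    headers: { 'content-type': 'application/javascript', 'cache-control': 'max-age=600' },
    body: "console.log('en');" },
];

console.log(findRespawnCandidates(sampleResponses, sampleCookies));
```

A hit is a candidate for review, not proof of tracking; clearing the browser cache along with cookies removes the stored copy that such a script relies on.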
