Microsoft Drops Use of 'Supercookies' On MSN
Trailrunner7 writes "In response to work by Stanford University researchers who found that Microsoft and several other high-profile companies were using a controversial technique to keep persistent cookies on users' PCs to track their movements, Microsoft says it has discontinued the practice of using so-called 'supercookies.' In July, Jonathan Mayer, a graduate student at Stanford, revealed that some companies were still employing techniques that enabled browser history sniffing, which give the companies information on what sites users have visited and what links they've clicked on. The research also found that some companies were using cookies that re-spawn even after users have deleted them. Microsoft was using this technique on one of its sites, MSN.com, and now the company said that it is no longer doing so."
Microsoft's motto (Score:2)
Re: (Score:2)
" *snip* as a result of older code that was used only on our own sites, and was already scheduled to be discontinued *snip*"
See, why don't I believe you?
Taking quotes out of context and posting as AC. See why I don't believe you?
"We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued. We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft. We are committed to provid
Re: (Score:2)
How is that context any different than the "out of context" quote? It shows the same thing as the first one: Microsoft admits that they used supercookies, but claims they had a bunch of internal policies and plans that make them harmless. You just have to trust that they're telling the truth about these internal plans that you can't actually see.
In fact your "full context" quote has more of the same; you can't verify that the information wasn't shared outside Microsoft, and you have no way to distinguish
Re: (Score:2)
I don't think they care if you don't believe them to be honest.
No surprises here... (Score:1)
Hmmm ... (Score:2)
Microsoft was using this technique on one of its sites, MSN.com, and now the company said that it is no longer doing so.
They've probably come up with another way to covertly track users. I've always been amazed at MSN.com's ability to display on a new workstation even if the firewall and proxy haven't been configured yet. I guess those pesky servers just happen to like that combination of letters or something.
Re: (Score:1)
That doesn't explain being able to bypass firewall restrictions, AKA, not having been granted access to outgoing traffic yet since it's a newly installed system.
MSN has always been able to do this somehow.
Re: (Score:2)
Re: (Score:2)
Look up "supercookie" and "evercookie". Clever people have found ways to store and retrieve cookie-equivalent data (e.g. unique tracking IDs) that survive deleting all cookies and cache, and can in certain cases survive formatting the hard drive (by hiding data in content cached by certain ISPs' transparent proxies). Of course, if you miss even one of the 7 places the site hid the data, the other 6 are immediately restored from it next time you visit.
God, I feel old... (Score:2)
Okay, I'll say it: That's really evil.
Of course, if you miss even one of the 7 places the site hid the data, the other 6 are immediately restored from it next time you visit.
God, I'm starting to feel old.
7 places?!?
I think I might have just experienced a "get off my lawn" moment...
Re: (Score:2)
Sounds like cancer. I suggest radiation treatment at the originating location.
Computer Fraud and Abuse Act (Score:3)
The Computer Fraud and Abuse Act prohibits unauthorized access to computer systems. Surely planting a cookie that restores itself after the user has deleted it is unauthorized access.
Re: (Score:1)
Nothing restores itself. Code on a visited page checks for other information stored on the computer and then creates a cookie with the same content as the deleted cookie.
Re: (Score:2)
Re: (Score:1)
If you squint more and think of the persistent part as the cookie, then the browser cookie api is just being used to facilitate access.
Re: (Score:1)
Please get your facts straight. The Euro and the European Union are distinct; for example, the UK does not participate. There may soon be no more Euro (though I very much doubt this), but that does not mean there is no more European Union.
Re: (Score:1)
Re: (Score:2)
No, it does not. It's the default behaviour of a browser and something most people are unaware of. The browser developer has decided to agree in place of the user.
Re: (Score:2)
Microsoft is Fixing the Problem (Score:3, Insightful)
Why not list the names of the other companies using these cookies so we can avoid them rather than single out Microsoft who is doing something about it?
Did anyone find the article listing the companies found to be using supercookies in July? "In July, Jonathan Mayer, a graduate student at Stanford, revealed that some companies..."
We may avoid the offending sites, but usually we won't know if advertisers on those sites are using them.
Re: (Score:2)
Your analogy makes absolutely no sense whatsoever.
Re: (Score:1)
One Hand Offers, The Other Conceals (Score:2)
While it seems everyone is milking the 'supercookie' cessation hype, at least one org is telling us why...
Online Behavioral Tracking [eff.org]
What are Supercookies - in 20 seconds (Score:1)
Here's what 'supercookies' actually are (from the horse's mouth: http://cyberlaw.stanford.edu/node/6715 [stanford.edu])
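* you hit a page which includes a wlHelper.js script
* wlHelper.js is served with a header that tells your browser - cache this forever
* wlHelper.js contains code something like this:
    // value baked into the cached copy of the script, different for each visitor
    var unique_id = 'RANDOM_LOOKING_STRING_JUST_FOR_YOU';
    // recreate the cookie only when it is missing
    if (!/(^|;\s*)MUID=/.test(document.cookie)) {
        document.cookie = 'MUID=' + unique_id;
    }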
You delete your MUID cooki
Re: (Score:2)
An argument for not letting browser caches persist after the program exits.
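
Added example, not part of any comment in this thread and not code from Microsoft or the Stanford write-up: a Node.js audit for the cache-based respawning described above. It compares one script URL captured from two freshly wiped browser profiles and flags it when the script is cacheable long-term and carries a literal that differs per profile. The function names, the 30-day threshold, the example.test URLs and the sample captures are assumptions constructed for illustration.

```javascript
// Added example (constructed data): audit one script URL captured from two freshly wiped profiles.
const ONE_DAY = 86400;

// Cache lifetime in seconds from Cache-Control max-age, else Expires relative to Date.
function cacheLifetime(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const cc = h['cache-control'] || '';
  if (/\bno-store\b/i.test(cc)) return 0;
  const m = /\bmax-age\s*=\s*(\d+)/i.exec(cc);
  if (m) return Number(m[1]);
  if (h['expires']) {
    const base = h['date'] ? Date.parse(h['date']) : Date.now();
    const exp = Date.parse(h['expires']);
    if (!Number.isNaN(exp) && !Number.isNaN(base)) return Math.max(0, (exp - base) / 1000);
  }
  return 0;
}

// Quoted string literals of 16+ identifier-like characters found in a script body.
function longLiterals(body) {
  return new Set((body.match(/['"][A-Za-z0-9_\-]{16,}['"]/g) || []).map(s => s.slice(1, -1)));
}

// Compare two captures of one URL; report per-profile literals in a long-lived script.
function auditScript(url, a, b, minLifetime = 30 * ONE_DAY) {
  const lifetime = Math.min(cacheLifetime(a.headers), cacheLifetime(b.headers));
  const la = longLiterals(a.body), lb = longLiterals(b.body);
  const unique = [...la].filter(x => !lb.has(x)).concat([...lb].filter(x => !la.has(x)));
  return { url, lifetime, unique, suspicious: lifetime >= minLifetime && unique.length > 0 };
}

// Constructed sample captures (not real traffic).
const profileA = {
  headers: { 'Cache-Control': 'public, max-age=315360000' },
  body: "var unique_id = 'a91f3c77d2e04b6f9c10aa55';\nsetId(unique_id);",
};
const profileB = {
  headers: { 'Cache-Control': 'public, max-age=315360000' },
  body: "var unique_id = 'e07b12c4990d4f3a8b21cc73';\nsetId(unique_id);",
};
const staticLib = {
  headers: { 'Cache-Control': 'public, max-age=315360000' },
  body: "var VERSION = 'build_2011_08_17_release';",
};

console.log(auditScript('https://example.test/wlHelper.js', profileA, profileB));
console.log(auditScript('https://example.test/lib.js', staticLib, staticLib));
```

A long-lived static library with the same body in both profiles is not flagged; only the combination of a long cache lifetime and per-profile content is.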