Microsoft Disables Supercookies On MSN

  /     /     /  
Publicated : 22/11/2024   Category : security


Microsoft Disables Supercookies On MSN


The online user tracking technique is drawing fire, and numerous businesses are stepping away from the firms that practice it.



(click image for larger view and for full slideshow)
Slideshow: 7 Biggest Microsoft Flops (click image for larger view and for full slideshow)
Microsoft has eliminated controversial supercookies that were present on MSN.com, in response to research that detailed the user-tracking technique.
Unlike regular cookies, or even newer Flash cookies, the latest generation of tracking technologies cant be disabled by browser users, even with privacy add-ons. That revelation surfaced late last month, in two separate research papers.
The first
paper
, Tracking the Trackers: Microsoft Advertising (cache and ETag supercookies), written by Stanford University graduate student Jonathan R. Mayer, highlighted new, persistent-cookie techniques being used by Microsoft on its MSN.com site.
In response to that paper, released in July, Microsoft on Thursday disclosed that it had immediately investigated Mayers assertions, identified the code in question, and disabled it. We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued, said Mike Hintze, associate general counsel for regulatory affairs at Microsoft, in a
blog post
.
We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft, he said. We are committed to providing choice when it comes to the collection and use of customer information, and we have no plans to develop or deploy any such supercookie mechanisms.
Interestingly, the use of ETag supercookies that Mayer discovered wasnt limited to Microsoft. In fact, a separate group of researchers found similar techniques at use in a wide range of websites, as detailed in their
paper
, Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning, released late last month.
That reports co-author, Ashkan Soltani, an independent privacy researcher, said in a
blog post
that the team discovered the new tracking techniques when recreating their 2009 study, which found that websites were circumventing user choice by deliberately restoring previously deleted HTTP cookies using persistent storage outside of the control of the browser (a practice we dubbed respawning). The technique is often used by online advertisers and their affiliates to
track online behavior
.
In the course of the new research, the team identified 5,600 HTTP cookies used on popular sites, 88% of them from third parties. Google-run cookies were present on 97 of the top 100 websites--including government websites--and Flash cookies were also present on 37 of the top 100 websites. In addition, 17 sites used HTML5, with seven also used HTML5 local storage and HTTP cookies with matching values, said Soltani.
In addition, we found two sites that were respawning cookies, including one site--hulu.com--where both Flash and cache cookies were employed to make identifiers more persistent, he said. The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and Private Browsing Mode is enabled.
Exactly what are ETags? According to the report, ETags are tokens presented by a users browser to a remote webserver in order to determine whether a given resource (such as an image) has changed since the last time it was fetched. Rather than simply using it for version control, we found KISSmetrics returning ETag values that reliably matched the unique values in their km_ai user cookies.
Wired
first
reported
those findings, which led television streaming website Hulu.com to sever ties with one of the supercookie-using tracking firms detailed in the report, startup KISSmetrics. Spotify also suspended its relationship with the company, pending an investigation.
In a
blog post
, Hiten Shah, CEO of KISSmetrics, slammed the report for inaccuracies, arguing that it significantly distorts our technology and business practices. Namely, he said, while his company employs a unique identifier for every person it tracks, even across websites, internally, these identifiers are instantly translated into unique identifiers for each customer, and KISSmetrics has gone to extensive lengths to avoid linking any information from different customers, including segregating each customers data in a completely separate database.
According to Shah, the same day the report was released, the first of two related lawsuits were filed against his company.
Hulus move to sever ties over controversial marketing practices isnt surprising, considering it had been named in a previous class action lawsuit that resulted from Soltanis original respawning study, released in 2009. The result of that lawsuit was a $2.4 million settlement in December 2010, and a promise by Clearspring and Quantcast to discontinue using the technology.
Meanwhile, other defendants in the suit--ABC, ESPN, Hulu, JibJab Media, MTV Networks, NBC Universal, and Scribd--agreed to warn user if Flash was being used to track them, and to detail in their website privacy policies how to block the practice.
How can users stop supercookies? While
do not track
capabilities in browsers have attracted much attention lately as a way to block persistent tracking, supercookies cant currently be stopped from within the browser. Accordingly, blocking supercookies might require some type of privacy legislation that compels U.S. businesses to respect users do not track intentions, as well as to disclose their tracking techniques.
At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25.
Register now
.

Last News

▸ CryptoWall is more widespread but less lucrative than CryptoLocker. ◂
Discovered: 23/12/2024
Category: security

▸ Feds probe cyber breaches at JPMorgan, other banks. ◂
Discovered: 23/12/2024
Category: security

▸ Security Problem Growing for Dairy Queen, UPS & Retailers, Back off ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Microsoft Disables Supercookies On MSN