There’s a “new” cookie in the spotlight which is virtually impossible for computer users to detect, and it’s completely legal, at least for now. According to researchers at Stanford University and University of California at Berkley, websites such as MSN.com and Hulu.com have been “installing files known as ‘super cookies’ which are capable of recreating users’ profiles after people deleted regular cookies” and without the knowledge of the user. The companies’ reaction when contacted by researchers? The tracking technique was claimed to be inadvertent and shut down immediately. Microsoft associate general counsel Mike Hintze offered this explanation: “We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued.”
As a search marketer, I am all too familiar with session cookies, secure cookies and third party cookies, but I was unfamiliar with these smarter, stealthier cookies with more interesting agendas. So I did a little cookie research on Wikipedia to better understand.
I’ll start by noting, cookies are not by nature bad, as Wikipedia explains, they “cannot be programmed, cannot carry viruses, and cannot install malware on the host computer. However, they can be used by spyware to track user’s browsing activities – a major privacy concern that prompted European and US law makers to take action. Cookies could also be stolen by hackers to gain access to a victim’s web account.”
A Super cookie is a “cookie set through the Adobe Flash system, bypassing the browser cookie manager. These cookies cannot be deleted through the browser, but require modifications to the settings on the Adobe Flash panel.”
Interestingly, the Evercookie was created by Samy Kamkar, creator of the Samy Worm, which took down MySpace in 2005.
A Zombie cookie (produced by an Evercookie) is “any cookie that is automatically recreated after a user has deleted it. This is accomplished by a script storing the content of the cookie in some other locations, such as the local storage available to Flash content, HTML5 storages and other client side mechanisms, and then recreating the cookie from backup stores when the cookie’s absence is detected.”
Techie lingo aside, each of these cookies has one goal — continue to collect user web-browsing information even after standard cookies have been deleted.
Privacy concerns are once again at the forefront due to these types of tracking tactics. And despite the increasing calls for stricter governmental regulations, the online ad industry claims to be capable of regulating itself. But Julia Angwin of The Wall Street Journal explains, “Under the self-imposed guidelines, collecting health and financial data about individuals is permissible as long as the data don’t contain financial-account numbers, Social Security numbers, pharmaceutical prescriptions or medical records. But using techniques such as history stealing and supercookies ‘to negate consumer choices’ about privacy violates the guidelines, says Lee Peeler, executive vice president of the Council of Better Business Bureaus, one of several groups enforcing the rules.”
I understand the need for companies to maximize revenue through targeted advertising, and have seen such products as Google’s remarketing perform amazingly well for advertisers, but using secretive tracking techniques without user consent appears suspect. As an avid online shopper, I do enjoy a customized shopping experience with sites that recommend items I might actually like i.e. Amazon, but I’m not keen on the idea of all of my personal web-browsing history being recorded somewhere and potentially sold to a company willing to pay for the valuable information, or even worse, accessed by hackers for more malicious uses.
Tags | Adobe Flash, Amazon, Cookies, Customized Shopping Experience, Evercookie, Google, HTML5, Microsoft, privacy concerns, Stanford University, Super cookie, University of California at Berkley, Wikipedia, Zombie cookie