- The Search Agents - http://www.thesearchagents.com -

Super Cookies Raise Privacy Concerns

Posted By Ami Grant On August 30, 2011 @ 5:03 pm In Featured,News | 7 Comments

There’s a “new” cookie in the spotlight which is virtually impossible for computer users to detect, and it’s completely legal, at least for now. According to researchers [1] at Stanford University and the University of California at Berkeley, websites such as MSN.com and Hulu.com have been “installing files known as ‘super cookies’ which are capable of recreating users’ profiles after people deleted regular cookies” and without the knowledge of the user. The companies’ reaction when contacted by researchers? They claimed the tracking technique was inadvertent and shut it down immediately. Microsoft associate general counsel Mike Hintze offered this explanation [2]: “We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued.”

As a search marketer, I am all too familiar with session cookies, secure cookies and third-party cookies, but I was unfamiliar with these smarter, stealthier cookies with more interesting agendas. So I did a little cookie research on Wikipedia to better understand.

I’ll start by noting that cookies are not by nature bad [3]. As Wikipedia [3] explains, they “cannot be programmed, cannot carry viruses, and cannot install malware on the host computer. However, they can be used by spyware to track user’s browsing activities – a major privacy concern that prompted European and US law makers to take action. Cookies could also be stolen by hackers to gain access to a victim’s web account.”

A Super cookie is a “cookie set through the Adobe Flash system, bypassing the browser cookie manager. These cookies cannot be deleted through the browser, but require modifications to the settings on the Adobe Flash panel.”

Evercookie is a “javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.”

Interestingly, the Evercookie was created by Samy Kamkar, creator of the Samy Worm, which took down MySpace in 2005.

A Zombie cookie (produced by an Evercookie) is “any cookie that is automatically recreated after a user has deleted it. This is accomplished by a script storing the content of the cookie in some other locations, such as the local storage available to Flash content, HTML5 storages and other client side mechanisms, and then recreating the cookie from backup stores when the cookie’s absence is detected.”

Techie lingo aside, each of these cookies has one goal — continue to collect user web-browsing information even after standard cookies have been deleted.
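An added example (not from the original article, Wikipedia or Evercookie): one way a privacy auditor could detect the respawning behaviour described above, by comparing storage snapshots taken before clearing cookies, right after clearing, and after revisiting the site. The snapshot format, store names, function name and all sample values are assumptions constructed for illustration.

```javascript
// Zombie-cookie audit: compare client-side storage snapshots taken
// (1) before clearing cookies, (2) right after clearing, (3) after revisiting.
// All snapshot data is constructed sample data, not captured from a real site.
const before = {
  cookies: { uid: "a1b2c3d4e5f6", theme: "dark" },
  localStorage: { _bk: "a1b2c3d4e5f6" },
  flashLSO: { "tracker.sol/uid": "a1b2c3d4e5f6" },
};
// The user cleared cookies in the browser; the other stores were untouched.
const afterClear = {
  cookies: {},
  localStorage: { _bk: "a1b2c3d4e5f6" },
  flashLSO: { "tracker.sol/uid": "a1b2c3d4e5f6" },
};
// Same site visited again: "uid" is back with its old value.
const afterRevisit = {
  cookies: { uid: "a1b2c3d4e5f6", theme: "light", sid: "9f8e7d6c5b4a" },
  localStorage: { _bk: "a1b2c3d4e5f6" },
  flashLSO: { "tracker.sol/uid": "a1b2c3d4e5f6" },
};

// Returns one finding per cookie that was deleted and then came back with
// the identical value, plus the non-cookie stores that held a copy meanwhile.
function findRespawnedCookies(before, afterClear, afterRevisit, minLen = 8) {
  const findings = [];
  for (const [name, value] of Object.entries(afterRevisit.cookies)) {
    const deleted = name in before.cookies && !(name in afterClear.cookies);
    const sameValue = before.cookies[name] === value;
    // Short values ("dark", "1") are preferences, not identifiers: skip them.
    if (!deleted || !sameValue || String(value).length < minLen) continue;
    const backups = [];
    for (const [store, entries] of Object.entries(afterClear)) {
      if (store === "cookies") continue;
      for (const [key, stored] of Object.entries(entries)) {
        if (String(stored).includes(value)) backups.push(`${store}:${key}`);
      }
    }
    // An empty backups list means the copy lives in a store not snapshotted.
    findings.push({ cookie: name, value, backups });
  }
  return findings;
}

console.log(JSON.stringify(findRespawnedCookies(before, afterClear, afterRevisit), null, 2));
```

A finding with a non-empty `backups` list tells the user which store has to be cleared as well for the deletion to stick.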

Privacy concerns are once again at the forefront due to these types of tracking tactics.  And despite the increasing calls for stricter governmental regulations, the online ad industry claims to be capable of regulating itself.  [1] But Julia Angwin of The Wall Street Journal explains [1], “Under the self-imposed guidelines, collecting health and financial data about individuals is permissible as long as the data don’t contain financial-account numbers, Social Security numbers, pharmaceutical prescriptions or medical records. But using techniques such as history stealing and supercookies ‘to negate consumer choices’ about privacy violates the guidelines, says Lee Peeler, executive vice president of the Council of Better Business Bureaus, one of several groups enforcing the rules.”

I understand the need for companies to maximize revenue through targeted advertising, and have seen such products as Google’s remarketing perform amazingly well for advertisers, but using secretive tracking techniques without user consent appears suspect. As an avid online shopper, I do enjoy a customized shopping experience with sites that recommend items I might actually like, i.e. Amazon, but I’m not keen on the idea of all of my personal web-browsing history being recorded somewhere and potentially sold to a company willing to pay for the valuable information, or even worse, accessed by hackers for more malicious uses.

URL to article: http://www.thesearchagents.com/2011/08/super-cookies-raise-privacy-concerns/

URLs in this post:

[1] researchers: http://online.wsj.com/article/SB20001424053111903480904576508382675931492.html

[2] explanation: http://www.geekosystem.com/stanford-msn-supercookie/

[3] cookies are not by nature bad: http://en.wikipedia.org/wiki/HTTP_cookie
