In response to work by Stanford University researchers who found that Microsoft and several other high-profile companies were using a controversial technique to keep persistent cookies on users’ PCs to track their movements, Microsoft says it has discontinued the practice of using so-called “supercookies.”
In July, Jonathan Mayer, a graduate student at Stanford, revealed that some companies were still employing techniques that enabled browser history sniffing, which give the companies information on what sites users have visited and what links they’ve clicked on. The research also found that some companies were using cookies that re-spawn even after users have deleted them. Microsoft was using this technique on one of its sites, MSN.com, and now the company said that it is no longer doing so.
“According to researchers, including Jonathan Mayer at Stanford University, ‘supercookies’ are capable of re-creating users’ cookies or other identifiers after people deleted regular cookies. Mr. Mayer identified Microsoft as one among others that had this code, and when he brought his findings to our attention we promptly investigated. We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued. We accelerated this process and quickly disabled this code,” Mike Hintze, associate general counsel at Microsoft, wrote in a blog post on the topic.
The use of undeletable cookies or cookies that re-spawn after deletion has become a highly controversial practice in the last year or so, and users and privacy advocates have pressured online ad companies and site operators to stop using such techniques. However, some companies have resisted or found ways around the ad industry’s self-regulation attempts.
Many, if not most, consumers have little idea how history sniffing works or that the practice even exists. They also may not know that cookies can be used to track their movements outside of the sites that they’ve approved them on, or that the cookies can be recreated after they’ve deleted the files. So now, some of the larger companies that have been using some of these techniques are reconsidering them.
“We are committed to providing choice when it comes to the collection and use of customer information, and we have no plans to develop or deploy any such ‘supercookie’ mechanisms,” Hintze said.