Slashdot Mirror


Microsoft Drops Use of 'Supercookies' On MSN

Trailrunner7 writes "In response to work by Stanford University researchers who found that Microsoft and several other high-profile companies were using a controversial technique to keep persistent cookies on users' PCs to track their movements, Microsoft says it has discontinued the practice of using so-called 'supercookies.' In July, Jonathan Mayer, a graduate student at Stanford, revealed that some companies were still employing techniques that enabled browser history sniffing, which give the companies information on what sites users have visited and what links they've clicked on. The research also found that some companies were using cookies that re-spawn even after users have deleted them. Microsoft was using this technique on one of its sites, MSN.com, and now the company said that it is no longer doing so."

45 comments

  1. Shrugs by Anonymous Coward · · Score: 0

    " *snip* as a result of older code that was used only on our own sites, and was already scheduled to be discontinued *snip*"

    See, why don't I believe you?

    1. Re:Shrugs by PNutts · · Score: 1

      " *snip* as a result of older code that was used only on our own sites, and was already scheduled to be discontinued *snip*"

      See, why don't I believe you?

      Taking quotes out of context and posting as AC. See why I don't believe you?

      "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued. We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft. We are committed to providing choice when it comes to the collection and use of customer information, and we have no plans to develop or deploy any such "supercookie" mechanisms."

    2. Re:Shrugs by Jiro · · Score: 1

      How is that context any different than the "out of context" quote? It shows the same thing as the first one: Microsoft admits that they used supercookies, but claims they had a bunch of internal policies and plans that make them harmless. You just have to trust that they're telling the truth about these internal plans that you can't actually see.

      In fact your "full context" quote has more of the same; you can't verify that the information wasn't shared outside Microsoft, and you have no way to distinguish between "we accelerated the process of deletion" and "we weren't planning to delete anything, but the publicity got too bad".

    3. Re:Shrugs by flimflammer · · Score: 1

      I don't think they care if you don't believe them to be honest.

  2. No surprises here... by Seriousity · · Score: 0

    Considering the corporate mindset and the modus operandi of companies like Microsoft, this is the tip of an unexplored iceberg. I bet they're saving logs of every conversation that takes place over their MSN IM software to glean competitive information to exploit / sell to fellow corporations. We would have to be pretty stupid to assume otherwise.

    --
    This post was made in complete sincere seriousity; as such any attempts to derive humour are doomed to instant failure.
  3. Hmmm ... by WrongSizeGlass · · Score: 1

    Microsoft was using this technique on one of its sites, MSN.com, and now the company said that it is no longer doing so.

    They've probably come up with another way to covertly track users. I've always been amazed at MSN.com's ability to display on a new workstation even if the firewall and proxy haven't been configured yet. I guess those pesky servers just happen to like that combination of letters or something.

    1. Re:Hmmm ... by Anonymous Coward · · Score: 0

      Rather than being something sinister, it's probably just http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol. IE discovers the proxy settings automatically.

    2. Re:Hmmm ... by thejynxed · · Score: 1

      That doesn't explain being able to bypass firewall restrictions, AKA, not having been granted access to outgoing traffic yet since it's a newly installed system.

      MSN has always been able to do this somehow.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    3. Re:Hmmm ... by Anonymous Coward · · Score: 0

      Sounds more like your firewall sucks. Or the person who configured it does.

  4. "Look, we're not so evil after all" by Anonymous Coward · · Score: 0

    Microsoft: trying hard, not to look evil.

  5. Microsoft's motto by Cryacin · · Score: 1

    Be Evil, but be good at it.

    --
    Science advances one funeral at a time- Max Planck
  6. How does it work? by Anonymous Coward · · Score: 0

    How can the cookies possibly re-spawn after the user has deleted them? I was under the impression that they were little more than text.

    1. Re:How does it work? by BillX · · Score: 1

      Look up "supercookie" and "evercookie". Clever people have found ways to store and retrieve cookie-equivalent data (e.g. unique tracking IDs) that survive deleting all cookies and cache, and can in certain cases survive formatting the hard drive (by hiding data in content cached by certain ISPs transparent proxies). Of course, if you miss even one of the 7 places the site hid the data, the other 6 are immediately restored from it next time you visit.

      --
      Caveat Emptor is not a business model.
    2. Re:How does it work? by KDR_11k · · Score: 1

      Sounds like cancer. I suggest radiation treatment at the originating location.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
  7. Leave it to browser developers to fuck it up. by Anonymous Coward · · Score: 0

    Leave it to browser developers to seriously fuck up even the simplest of tasks. They goofed big time by accepting horribly malformed HTML. Then they fucked up while embedding a client-side scripting language (there's no excuse for the piece of shit that is JavaScript). Then there were the HTML elements that were obviously stupid to begin with, like marquee and blink. So it's no surprise that they'd royally mess up cookies, too. Judging by the current "progress" of HTML5, it's only going to get much, much worse.

    1. Re:Leave it to browser developers to fuck it up. by Oligonicella · · Score: 1

      Are *all* the rationale you use no more than idiotic emotional pimples?

    2. Re:Leave it to browser developers to fuck it up. by Anonymous Coward · · Score: 0

      Leave it to browser developers to seriously fuck up even the simplest of tasks. They goofed big time by accepting horribly malformed HTML. Then they fucked up while embedding a client-side scripting language (there's no excuse for the piece of shit that is JavaScript). Then there were the HTML elements that were obviously stupid to begin with, like marquee and blink. So it's no surprise that they'd royally mess up cookies, too. Judging by the current "progress" of HTML5, it's only going to get much, much worse.

      What a twat nuff said.

  8. Really by Anonymous Coward · · Score: 0

    So Microsoft says they have a commitment to user privacy, so they are discontinuing use of this technique, right? My question is, if they are committed to user privacy then why use the technique in the first place? Getting caught then stopping is like saying you won't steal cookies from the cookie jar anymore, while you still have two handfuls of cookies.

  9. Computer Fraud and Abuse Act by Hatta · · Score: 2

    The Computer Fraud and Abuse Act prohibits unauthorized access to computer systems. Surely planting a cookie that restores itself after the user has deleted it is unauthorized access.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Computer Fraud and Abuse Act by maxume · · Score: 1

      Nothing restores itself. Code on a visited page checks for other information stored on the computer and then creates a cookie with the same content as the deleted cookie.

      --
      Nerd rage is the funniest rage.
    2. Re:Computer Fraud and Abuse Act by Anonymous Coward · · Score: 0

      They'd also have broken the controversial new EU cookie law that's recently been implemented throughout Europe.

    3. Re:Computer Fraud and Abuse Act by O('_')O_Bush · · Score: 1

      If it were true that the information was the same, and it could have been trivially derived from other information on the computer, then there would be no need for the persistent cookie. That information could just be accessed when needed, and a non-persistent cookie could be issued or mapped to that user (that is how relational databases work after all, object with lots of keys in a map).

      --
      while(1) attack(People.Sandy);
    4. Re:Computer Fraud and Abuse Act by Anonymous Coward · · Score: 0

      No one cares about the EU's silly laws they try to apply to the internet. Especially since there may not be an EU anymore soon. Oh, and thanks for ruining the global economy eutard.

    5. Re:Computer Fraud and Abuse Act by maxume · · Score: 1

      If you squint more and think of the persistent part as the cookie, then the browser cookie api is just being used to facilitate access.

      --
      Nerd rage is the funniest rage.
    6. Re:Computer Fraud and Abuse Act by Anonymous Coward · · Score: 1

      Please get your facts straight. The Euro and the European Union are distinct; for example, the UK does not participate. There may soon be no more Euro (though I very much doubt this), but that does not mean there is no more European Union.

    7. Re:Computer Fraud and Abuse Act by Anonymous Coward · · Score: 0

      Nothing like the US raising the debt ceiling over wasting so much money over silly wars, yanktard!

    8. Re:Computer Fraud and Abuse Act by Anonymous Coward · · Score: 0

      The Computer Fraud and Abuse Act prohibits unauthorized access to computer systems. Surely planting a cookie that restores itself after the user has deleted it is unauthorized access.

      You obviously have not seen the SouthPark episode on the HumanCentiPad... those End User License Agreements allow the software companies to do just about anything...

    9. Re:Computer Fraud and Abuse Act by Anonymous Coward · · Score: 0

      Potato potato. For all intents and purposes it's self-restoring. The mechanism may not be that specific file, but you're just arguing semantics... Technically you're right, but who gives a crap. It's like arguing with someone over saying a murder victim was stabbed vs. slashed.

    10. Re:Computer Fraud and Abuse Act by kmoser · · Score: 1

      That somebody allowed the cookie to be stored on their computer in the first place implies authorization. If the cookie planters are successful, they can assume it's because you granted them such access (whether express or implied). Just like if you walk up to a store and the front door is unlocked, you can assume they're open for business. Even if you are successful in deleting these supercookies forever, nothing will stop the web servers from identifying and tracking you by browser signature (among other things, like IP address), which does not require storing anything at all on your computer.

    11. Re:Computer Fraud and Abuse Act by Anonymous Coward · · Score: 0

      How do super cookies work exactly? I thought a cookie could only be accessed by the domain that put it there in the first place.

    12. Re:Computer Fraud and Abuse Act by Anonymous Coward · · Score: 0

      Getting your facts straight has been considered un-American since the Bush Administration.

    13. Re:Computer Fraud and Abuse Act by KDR_11k · · Score: 1

      No, it does not. It's the default behaviour of a browser and something most people are unaware of. The browser developer has decided to agree in place of the user.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
  10. Adobe by Anonymous Coward · · Score: 0

    Adobe has been doing this same thing, your browser is set to delete cookies and history.
    Adobe won't let you

    Go ahead delete them, now visit this site and see what's up
    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

    1. Re:Adobe by Baseclass · · Score: 1

      This content requires Flash

      Download the free Flash Player now!

      --
      ^^vv<><>BA
  11. Microsoft is Fixing the Problem by northerner · · Score: 3, Insightful

    It seems that Microsoft is trying to do the right thing by removing the use of supercookies.

    Why not list the names of the other companies using these cookies so we can avoid them rather than single out Microsoft who is doing something about it?

    Did anyone find the article listing the companies found to be using supercookies in July? "In July, Jonathan Mayer, a graduate student at Stanford, revealed that some companies..."

    We may avoid the offending sites, but usually we won't know if advertisers on those sites are using them.

    1. Re:Microsoft is Fixing the Problem by Anonymous Coward · · Score: 0

      "It seems that Microsoft is trying to do the right thing by removing the use of supercookies."

      WTF?

      "It seems that the assailant is trying to do the right thing by removing the knife used in the mugging from the victim after the stabbing."

      Rittard.

    2. Re:Microsoft is Fixing the Problem by flimflammer · · Score: 1

      Your analogy makes absolutely no sense whatsoever.

    3. Re:Microsoft is Fixing the Problem by KingBenny · · Score: 1

      Some kind of a reversy psychology blacklist, I'd love that

      --
      Free speech was meant to be free for all... how can anyone grow up in a nanny state ?
  12. One Hand Offers, The Other Conceals by tunapez · · Score: 1

    While it seems everyone is milking the 'supercookie' cessation hype, at least one org is telling us why...

    Online Behavioral Tracking

    --
    Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
  13. betterprivacy by Anonymous Coward · · Score: 0

    Hmm, good they quit using them, but for all these other websites that do, can anyone say Firefox portable with the Better Privacy plugin, and after that add in CCleaner for good measure?

  14. Apologist title by Anonymous Coward · · Score: 0

    Shouldn't it rather be 'Micro$oft confesses wrongdoing'?

  15. What are Supercookies - in 20seconds by Monkier · · Score: 1

    Here's what 'supercookies' actually are (from the horse's mouth: http://cyberlaw.stanford.edu/node/6715)
    * you hit a page which includes a wlHelper.js script
    * wlHelper.js is served with a header that tells your browser - cache this forever
    * wlHelper.js contains code something like this:
          var unique_id = 'RANDOM_LOOKING_STRING_JUST_FOR_YOU';
          // if the MUID cookie doesn't already exist, set it to unique_id
          if (!/(^|;\s*)MUID=/.test(document.cookie)) {
                document.cookie = 'MUID=' + unique_id;
          }

    You delete your MUID cookie - but next time you hit a page that contains wlHelper.js the cached version is pulled from your browser. unique_id is there in the cached code, so the cookie gets set again.
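
A defender-side check for the mechanism described in the comment above, as an added example that is not part of the original thread: fetch the same script URL from two fresh browser profiles and flag it when it is cacheable for a long time, sets a cookie, and differs between the two fetches only in a long opaque string literal. The captures, header values, threshold and function names are constructed for illustration.

```javascript
// Added example (not from the thread). Captures below are constructed samples.
// Header names are assumed to be lower-cased by whatever tool recorded them.
const LITERAL = /(['"])[A-Za-z0-9+\/_=-]{16,}\1/g; // long opaque string literal

// Freshness lifetime in seconds, from Cache-Control max-age or Expires/Date.
function cacheLifetime(headers) {
  const cc = (headers['cache-control'] || '').toLowerCase();
  if (/\bno-store\b/.test(cc)) return 0;
  const m = cc.match(/\bmax-age=(\d+)/);
  if (m) return parseInt(m[1], 10);
  const exp = Date.parse(headers['expires'] || '');
  const now = Date.parse(headers['date'] || '');
  return isNaN(exp) || isNaN(now) ? 0 : Math.max(0, (exp - now) / 1000);
}

function longLiterals(body) {
  return (body.match(LITERAL) || []).map(s => s.slice(1, -1));
}

// a, b: the same script URL fetched from two fresh browser profiles.
function auditScript(a, b, minLifetime = 30 * 24 * 3600) {
  const lifetime = Math.min(cacheLifetime(a.headers), cacheLifetime(b.headers));
  const inB = new Set(longLiterals(b.body));
  const perClient = longLiterals(a.body).filter(s => !inB.has(s));
  const strip = body => body.replace(LITERAL, '""');
  const sameCode = strip(a.body) === strip(b.body); // identical apart from literals
  const setsCookie = /document\.cookie\s*=/.test(a.body);
  return { lifetime, perClient, setsCookie,
    suspicious: lifetime >= minLifetime && sameCode && perClient.length > 0 && setsCookie };
}

// Constructed captures: a per-client cached script and an ordinary static library.
const tracker = id => ({
  headers: { 'cache-control': 'public, max-age=315360000' },
  body: "var unique_id = '" + id + "';\n" +
        "if (!/MUID=/.test(document.cookie)) document.cookie = 'MUID=' + unique_id;",
});
const staticLib = { headers: { 'cache-control': 'public, max-age=31536000' },
  body: "var BUILD = 'c0ffee00c0ffee00c0ffee00';\nfunction noop() {}" };

const hit = auditScript(tracker('A1B2C3D4E5F60718293A4B5C6D7E8F90'),
                        tracker('0F9E8D7C6B5A49382716F5E4D3C2B1A0'));
const miss = auditScript(staticLib, staticLib);
console.log(hit.suspicious, hit.perClient, miss.suspicious);
```

A script that is long-lived and identical across profiles, like the static library sample, is ordinary caching; the per-client literal is what distinguishes the respawning case.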

    1. Re:What are Supercookies - in 20seconds by KDR_11k · · Score: 1

      An argument for not letting browser caches persist after the program exits.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
  16. God, I feel old... by mosel-saar-ruwer · · Score: 1

    by hiding data in content cached by certain ISPs transparent proxies

    Okay, I'll say it: That's really evil.

    Of course, if you miss even one of the 7 places the site hid the data, the other 6 are immediately restored from it next time you visit.

    God, I'm starting to feel old.

    7 places?!?

    I think I might have just experienced a "get off my lawn" moment...