Major websites such as MSN.com and Hulu.com have been tracking people's online activities using powerful new methods that are almost impossible for computer users to detect, new research shows.
The new techniques, which are legal, reach beyond the traditional "cookie," a small file that websites routinely install on users' computers to help track their activities online. Hulu and MSN were installing files known as "supercookies," which are capable of re-creating users' profiles after people deleted regular cookies, according to researchers at Stanford University and University of California at Berkeley.
Websites and advertisers have faced strong criticism for collecting and selling personal data about computer users without their knowledge, and a half-dozen privacy bills have been introduced on Capitol Hill this year.
Many of the companies found to be using the new techniques say the tracking was inadvertent and they stopped it after being contacted by the researchers.
Mike Hintze, associate general counsel at MSN parent company Microsoft Corp., said that when the supercookie "was brought to our attention, we were alarmed. It was inconsistent with our intent and our policy." He said the company removed the computer code, which had been created by Microsoft.
Hulu posted a statement online saying it "acted immediately to investigate and address" the issues identified by researchers. It declined to comment further.
The spread of advanced tracking techniques shows how quickly data-tracking companies are adapting their techniques. When The Wall Street Journal examined tracking tools on major websites last year, most of these more aggressive techniques were not in wide use.
But as consumers become savvier about protecting their privacy online, the new techniques appear to be gaining ground.
Stanford researcher Jonathan Mayer, a Stanford Ph.D. candidate, identified what is known as a "history stealing" tracking service on Flixster.com, a social-networking service for movie fans recently acquired by Time Warner Inc., and on Charter Communications Inc.'s Charter.net.
Such tracking peers into people's Web-browsing histories to see if they previously had visited any of more than 1,500 websites, including ones dealing with fertility problems, menopause and credit repair, the researchers said. History stealing has been identified on other sites in recent years, but rarely at that scale.
Mr. Mayer determined that the history stealing on those two sites was being done by Epic Media Group, a New York digital-marketing company. Charter and Flixster said they didn't have a direct relationship with Epic, but as is common in online advertising, Epic's tracking service was installed by advertisers.
Don Mathis, chief executive of Epic, says his company was inadvertently using the technology and no longer uses it. He said the information was used only to verify the accuracy of data that it had bought from other vendors.
Both Flixster and Charter say they were unaware of Epic's activities and have since removed all Epic technology from their sites. Charter did the same last year with a different vendor doing history stealing on a smaller scale.
Gathering information about Web-browsing history can offer valuable clues about people's interests, concerns or household finances. Someone researching a disease online, for example, might be thought to have the illness, or at least to be worried about it.
The potential for privacy legislation in Washington has driven the online-ad industry to establish its own rules, which it says are designed to alert computer users of tracking and offer them ways to limit the use of such data by advertisers.
Under the self-imposed guidelines, collecting health and financial data about individuals is permissible as long as the data don't contain financial-account numbers, Social Security numbers, pharmaceutical prescriptions or medical records. But using techniques such as history stealing and supercookies "to negate consumer choices" about privacy violates the guidelines, says Lee Peeler, executive vice president of the Council of Better Business Bureaus, one of several groups enforcing the rules.
Until now, the council "has been trying to push companies into the program, not kick them out," Mr. Peeler says. "You can expect to see more formal public enforcement soon."
Last year, the online-ad industry launched a program to label ads that are sent to computer users based on tracking data. The goal is to provide users a place to click in the ad itself that would let them opt out of receiving such targeted ads. (It doesn't turn off tracking altogether.) The program has been slow to catch on, new findings indicate.
The industry has estimated that nearly 80% of online display ads are based on tracking data. Mr. Mayer, along with researchers Jovanni Hernandez and Akshay Jagadeesh of Stanford's Computer Science Security Lab, found that only 9% of the ads they examined on the 500 most popular websites—62 out of 627 ads—contained the label. They looked at standard-size display ads placed by third parties between Aug. 4 and 11.
The industry says self-regulation is working. Peter Kosmala, managing director of the Digital Advertising Alliance, says the labeling program has made "tremendous progress."
Mr. Mayer discovered that several Microsoft-owned websites, including MSN.com and Microsoft.com, were using supercookies.
Supercookies are stored in different places than regular cookies, such as within the Web browser's "cache" of previously visited websites, which is where the Microsoft ones were located. Privacy-conscious users who know how to find and delete regular cookies might have trouble locating supercookies.
Mr. Mayer also found supercookies on Microsoft's advertising network, which places ads for other companies across the Internet. As a result, people could have had the supercookie installed on their machines without visiting Microsoft websites directly. Even if they deleted regular cookies, information about their Web-browsing could have been retained by Microsoft.
Microsoft's Mr. Hintze said that the company removed the code after being contacted by Mr. Mayer, and that Microsoft is still trying to figure out why the code was created. A spokeswoman said the data gathered by the supercookie were used only by Microsoft and weren't shared with outside companies.
Separately last month, researchers at the University of California at Berkeley, led by law professor Chris Hoofnagle, found supercookie techniques used by dozens of sites. One of them, Hulu, was storing tracking coding in files related to Adobe Systems Inc.'s widely used Flash software, which enables many of the videos found online, the researchers said in a report. Hulu is owned by NBC Universal, Walt Disney Co. and News Corp., owner of The Wall Street Journal.
Hulu was one of several companies that entered into a $2.4 million class-action settlement last year related to the use of Flash cookies to circumvent users who tried to delete their regular cookies.
The Berkeley researchers also found that Hulu's website contained code from Kissmetrics, a company that analyzes website-traffic data. Kissmetrics was inserting supercookies into users' browser caches and into files associated with the latest version of the standard programming language used to build Web pages, known as HTML5.
In a blog post after the report was released, Kissmetrics said it would use only regular cookies for future tracking. The company didn't return calls seeking comment.
COMMENTARY: I've been writing about privacy violations for quite sometime, but visiting websites isn't the only way to get your PC "infected" with cookies or supercookies. Here other ways advertisers have been stealing your private information.
In a blog posted dated October 18, 2010, I commented on the theft of your Facebook ID and other profile information by online app developers LOLapps Media, Zynga, Crowdstar and Playdom. Zynga is the developer of Farmville and Mafia Wars, two of the most popular Facebook social games. All of them were caught and pleaded the fifth amendment. The supplier of the software that created the supercookies was none other than Lapleaf.
In another blog posted dated December 28, 2010, I commented on The Wall Street Journal's investigation of 100 mobile apps that were supplying the Unique Device Identifier (UDID) which identifies the identify of the owner of the mobile phone users to advertisers. Out of 101 popular smartphone "apps"—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders. Once the advertisers obtained that information they matched it against a profile database, and they used that infomation to target you in future mobile ads.
In another blog article dated April 25, 2011, The Wall Street Journal reported that both Apple iPhones and Google Android phones were regularly tracking your location illegally which is really scary.
HELP REMOVING SUPERCOOKES FROM YOUR COMPUTER
It's a good idea for you to "disinfect" from flash cookies or supercookies. Click HERE for help in removing Flash Cookies or supercookies from your computer. Microsoft also offers HELP on how to remove cookies from your Internet Explorer cache. If you are a Firefox browser youser HERE is a great source for several tools and add-ons for removing flash cookies and supercookies from your computer.
Courtesy of an article August 18, 2011 appearing in The Wall Street Journal
Grace,
Thank you for visiting my blog and your comment about super cookies. Hope to see you more often. Tommy
Posted by: Tommy | 08/22/2012 at 10:27 AM
Good morning, thankyou for a really informative
article, I don't invariably add posts but enjoyed your blog post therefore decided I would say thanks for your time -- Grace
Posted by: anti spyware | 08/20/2012 at 12:17 PM
Good day! this is one of the most interested statement I have heard anyone said. I have always say to myself there are no rules telling us what to do, but rules telling us what not to do. We need to start making rules telling us what to do and we will see how creative our world would be. thanks,
Posted by: stock item | 10/27/2011 at 09:17 PM
Great post! It saws strong argument to refer to the open innovation movement in government. This explanation would require far fewer friends outside this arena and is generally well accepted
Posted by: shopping reviews | 10/26/2011 at 09:18 PM