Hulu and MSN Using Stealthy 'Supercookies' for Espionage

The cookie can track your online activity without being detected. Major websites such as MSN.com and Hulu.com apparently have been tracking people's online activities using powerful new methods that are almost impossible for computer users to detect, new research shows.

"The new techniques, which are legal, reach beyond the traditional 'cookie,' a small file that websites routinely install on users' computers to help track their activities online. Hulu and MSN were installing files known as 'supercookies,' which are capable of re-creating users' profiles after people deleted regular cookies, according to researchers at Stanford University and University of California at Berkeley," according to The Wall Street Journal.

Stanford researcher Jonathan Mayer said in a blog post that "tracking technologies that do not rely on cookies are often referred to as 'supercookies,' and they are widely viewed as unsavory in the computer security community because they continue tracking even when a user clears her cookies to preserve privacy."

Mayer makes the Microsoft connection:

In one of our recent FourthParty web measurement crawls we included a cookie clearing step to emulate a user's privacy choice. We observed that after clearing the browser's cookies an identifier cookie (named "MUID" for "machine unique identifier") respawned on live.com, a Microsoft domain. We dug into Microsoft's cross-domain cookie syncing code and discovered two independent supercookie mechanisms, one of which was respawning cookies. We contacted Microsoft with our observations, and we have collaborated to assist in rectifying the issues we uncovered.
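The check Mayer describes, a crawl that clears cookies and then looks for an identifier coming back, can be sketched as follows. This is an added example, not code from FourthParty or from the researchers; the log format, the sample values and the `example.test` domain are constructed for illustration, and only the `MUID` cookie name and `live.com` domain come from the quote above.

```python
from collections import defaultdict

# Constructed crawl log (not real data): (profile, step, event, domain, name, value).
# A "clear" event marks the point where the crawler wiped the browser's cookies.
CRAWL_LOG = [
    ("A", 1, "set", "live.com", "MUID", "3f9c1d7e5a2b4c68"),
    ("A", 1, "set", "live.com", "lang", "en-US"),
    ("A", 1, "set", "example.test", "sid", "a81b44f0c2d97e13"),
    ("A", 2, "clear", None, None, None),
    ("A", 3, "set", "live.com", "MUID", "3f9c1d7e5a2b4c68"),    # same value returns
    ("A", 3, "set", "live.com", "lang", "en-US"),                # preference, not an ID
    ("A", 3, "set", "example.test", "sid", "5d02e6b7913fa4c8"),  # fresh ID after clear
    ("B", 1, "set", "live.com", "MUID", "c47e02ab91d6f35a"),
    ("B", 1, "set", "live.com", "lang", "en-US"),
    ("B", 2, "clear", None, None, None),
    ("B", 3, "set", "live.com", "MUID", "c47e02ab91d6f35a"),
    ("B", 3, "set", "live.com", "lang", "en-US"),
]


def find_respawned(log):
    """Return sorted (profile, domain, name) whose value survived a cookie clear."""
    epoch = defaultdict(int)              # profile -> number of clears so far
    seen = defaultdict(dict)              # (profile, domain, name) -> {value: first epoch}
    profiles_by_value = defaultdict(set)  # (domain, name, value) -> profiles that got it
    candidates = set()
    for profile, _step, event, domain, name, value in sorted(
            log, key=lambda e: (e[0], e[1])):
        if event == "clear":
            epoch[profile] += 1
            continue
        profiles_by_value[(domain, name, value)].add(profile)
        first = seen[(profile, domain, name)].setdefault(value, epoch[profile])
        if first < epoch[profile]:        # value predates the most recent clear
            candidates.add((profile, domain, name, value))
    # A value shared by several profiles (such as a language setting) cannot
    # single out one browser, so only values unique to one profile are reported.
    return sorted((p, d, n) for p, d, n, v in candidates
                  if len(profiles_by_value[(d, n, v)]) == 1)


if __name__ == "__main__":
    for hit in find_respawned(CRAWL_LOG):
        print("respawned identifier:", hit)
```

Running the crawl from more than one independent browser profile is what separates a respawned identifier from an ordinary preference cookie that every visitor receives with the same value.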

Mike Hintze, a corporate attorney and associate general counsel at MSN parent company Microsoft, said that when the supercookie "was brought to our attention, we were alarmed. It was inconsistent with our intent and our policy." He said the company removed the computer code, which had been created by Microsoft.

Hulu posted a statement online saying it "acted immediately to investigate and address" the issues identified by researchers. It declined to comment further.

According to WSJ, "The spread of advanced tracking techniques shows how quickly data-tracking companies are adapting their techniques. When they examined tracking tools on major websites last year, most of these more aggressive techniques were not in wide use."

Update: Hintze just responded on the Microsoft Privacy & Safety blog:

We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued. We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft. We are committed to providing choice when it comes to the collection and use of customer information, and we have no plans to develop or deploy any such "supercookie" mechanisms.