Microsoft Drops Use of 'Supercookies' On MSN

timothy posted more than 2 years ago | from the but-kinect-knows-your-every-move dept.

Microsoft 45

Trailrunner7 writes "In response to work by Stanford University researchers who found that Microsoft and several other high-profile companies were using a controversial technique to keep persistent cookies on users' PCs to track their movements, Microsoft says it has discontinued the practice of using so-called 'supercookies.' In July, Jonathan Mayer, a graduate student at Stanford, revealed that some companies were still employing techniques that enabled browser history sniffing, which give the companies information on what sites users have visited and what links they've clicked on. The research also found that some companies were using cookies that re-spawn even after users have deleted them. Microsoft was using this technique on one of its sites, MSN.com, and now the company said that it is no longer doing so."

45 comments

Shrugs (0)

Anonymous Coward | more than 2 years ago | (#37152312)

" *snip* as a result of older code that was used only on our own sites, and was already scheduled to be discontinued *snip*"

See, why don't I believe you?

Microsoft's motto (1)

Cryacin (657549) | more than 2 years ago | (#37152360)

Be Evil, but be good at it.

Re:Shrugs (1)

PNutts (199112) | more than 2 years ago | (#37153760)

" *snip* as a result of older code that was used only on our own sites, and was already scheduled to be discontinued *snip*"

See, why don't I believe you?

Taking quotes out of context and posting as AC. See why I don't believe you?

"We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued. We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft. We are committed to providing choice when it comes to the collection and use of customer information, and we have no plans to develop or deploy any such "supercookie" mechanisms."

Re:Shrugs (1)

Jiro (131519) | more than 2 years ago | (#37154520)

How is that context any different than the "out of context" quote? It shows the same thing as the first one: Microsoft admits that they used supercookies, but claims they had a bunch of internal policies and plans that make them harmless. You just have to trust that they're telling the truth about these internal plans that you can't actually see.

In fact your "full context" quote has more of the same; you can't verify that the information wasn't shared outside Microsoft, and you have no way to distinguish between "we accelerated the process of deletion" and "we weren't planning to delete anything, but the publicity got too bad".

Re:Shrugs (1)

flimflammer (956759) | more than 2 years ago | (#37154726)

I don't think they care if you don't believe them to be honest.

No surprises here... (0)

Seriousity (1441391) | more than 2 years ago | (#37152314)

Considering the corporate mindset and the modus operandi of companies like Microsoft, this is the tip of an unexplored iceberg. I bet they're saving logs of every conversation that takes place over their MSN IM software to glean competitive information to exploit / sell to fellow corporations. We would have to be pretty stupid to assume otherwise.

Hmmm ... (1)

WrongSizeGlass (838941) | more than 2 years ago | (#37152330)

Microsoft was using this technique on one of its sites, MSN.com, and now the company said that it is no longer doing so.

They've probably come up with another way to covertly track users. I've always been amazed at MSN.com's ability to display on a new workstation even if the firewall and proxy haven't been configured yet. I guess those pesky servers just happen to like that combination of letters or something.

Re:Hmmm ... (0)

Anonymous Coward | more than 2 years ago | (#37155684)

Rather than being something sinister, it's probably just http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol [slashdot.org] . IE discovers the proxy settings automatically.

Re:Hmmm ... (1)

thejynxed (831517) | about 3 years ago | (#37160942)

That doesn't explain being able to bypass firewall restrictions, AKA, not having been granted access to outgoing traffic yet since it's a newly installed system.

MSN has always been able to do this somehow.

Re:Hmmm ... (0)

Anonymous Coward | about 3 years ago | (#37177698)

Sounds more like your firewall sucks. Or the person who configured it does.

"Look, we're not so evil after all" (0)

Anonymous Coward | more than 2 years ago | (#37152352)

Microsoft: trying hard, not to look evil.

Fago8z (-1)

Anonymous Coward | more than 2 years ago | (#37152378)

a #conscious stand see. The number

How does it work? (0)

Anonymous Coward | more than 2 years ago | (#37152502)

How can the cookies possibly re-spawn after the user has deleted them? I was under the impression that they were little more than text.

Leave it to browser developers to fuck it up. (0)

Anonymous Coward | more than 2 years ago | (#37152560)

Leave it to browser developers to seriously fuck up even the simplest of tasks. They goofed big time by accepting horribly malformed HTML. Then they fucked up while embedding a client-side scripting language (there's no excuse for the piece of shit that is JavaScript). Then there were the HTML elements that were obviously stupid to begin with, like marquee and blink. So it's no surprise that they'd royally mess up cookies, too. Judging by the current "progress" of HTML5, it's only going to get much, much worse.

Re:Leave it to browser developers to fuck it up. (1)

Oligonicella (659917) | more than 2 years ago | (#37152800)

Are *all* the rationale you use no more than idiotic emotional pimples?

Re:Leave it to browser developers to fuck it up. (0)

Anonymous Coward | about 3 years ago | (#37178802)

Leave it to browser developers to seriously fuck up even the simplest of tasks. They goofed big time by accepting horribly malformed HTML. Then they fucked up while embedding a client-side scripting language (there's no excuse for the piece of shit that is JavaScript). Then there were the HTML elements that were obviously stupid to begin with, like marquee and blink. So it's no surprise that they'd royally mess up cookies, too. Judging by the current "progress" of HTML5, it's only going to get much, much worse.

What a twat nuff said.

Re:How does it work? (1)

BillX (307153) | more than 2 years ago | (#37154998)

Look up "supercookie" and "evercookie". Clever people have found ways to store and retrieve cookie-equivalent data (e.g. unique tracking IDs) that survive deleting all cookies and cache, and can in certain cases survive formatting the hard drive (by hiding data in content cached by certain ISPs' transparent proxies). Of course, if you miss even one of the 7 places the site hid the data, the other 6 are immediately restored from it next time you visit.

God, I feel old... (1)

mosel-saar-ruwer (732341) | about 3 years ago | (#37166124)

by hiding data in content cached by certain ISPs' transparent proxies

Okay, I'll say it: That's really evil.

Of course, if you miss even one of the 7 places the site hid the data, the other 6 are immediately restored from it next time you visit.

God, I'm starting to feel old.

7 places?!?

I think I might have just experienced a "get off my lawn" moment...

Re:How does it work? (1)

KDR_11k (778916) | about 3 years ago | (#37179172)

Sounds like cancer. I suggest radiation treatment at the originating location.

Really (0)

Anonymous Coward | more than 2 years ago | (#37152646)

So Microsoft says they have a commitment to user privacy, so they are discontinuing use of this technique, right? My question is, if they are committed to user privacy then why use the technique in the first place? Getting caught then stopping is like saying you won't steal cookies from the cookie jar anymore, while you still have two handfuls of cookies.

Computer Fraud and Abuse Act (2)

Hatta (162192) | more than 2 years ago | (#37152694)

The Computer Fraud and Abuse Act prohibits unauthorized access to computer systems. Surely planting a cookie that restores itself after the user has deleted it is unauthorized access.

Re:Computer Fraud and Abuse Act (1)

maxume (22995) | more than 2 years ago | (#37152736)

Nothing restores itself. Code on a visited page checks for other information stored on the computer and then creates a cookie with the same content as the deleted cookie.

Re:Computer Fraud and Abuse Act (1)

O('_')O_Bush (1162487) | more than 2 years ago | (#37152806)

If it were true that the information was the same, and it could have been trivially derived from other information on the computer, then there would be no need for the persistent cookie. That information could just be accessed when needed, and a non-persistent cookie could be issued or mapped to that user (that is how relational databases work after all, object with lots of keys in a map).

Re:Computer Fraud and Abuse Act (1)

maxume (22995) | more than 2 years ago | (#37153386)

If you squint more and think of the persistent part as the cookie, then the browser cookie api is just being used to facilitate access.

Re:Computer Fraud and Abuse Act (0)

Anonymous Coward | more than 2 years ago | (#37156610)

Potato potato. For all intents and purposes it's self-restoring. The mechanism may not be that specific file, but you're just arguing semantics... Technically you're right, but who gives a crap. It's like arguing with someone over saying a murder victim was stabbed vs. slashed.

Re:Computer Fraud and Abuse Act (0)

Anonymous Coward | more than 2 years ago | (#37152752)

They'd also have broken the controversial new EU cookie law that's recently been implemented throughout Europe.

Re:Computer Fraud and Abuse Act (0)

Anonymous Coward | more than 2 years ago | (#37153078)

No one cares about the EU's silly laws they try to apply to the internet. Especially since there may not be an EU anymore soon. Oh, and thanks for ruining the global economy eutard.

Re:Computer Fraud and Abuse Act (1)

Anonymous Coward | more than 2 years ago | (#37153664)

Please get your facts straight. The Euro and the European Union are distinct; for example, the UK does not participate. There may soon be no more Euro (though I very much doubt this), but that does not mean there is no more European Union.

Re:Computer Fraud and Abuse Act (0)

Anonymous Coward | about 3 years ago | (#37178512)

Getting your facts straight has been considered un-American since the Bush Administration.

Re:Computer Fraud and Abuse Act (0)

Anonymous Coward | more than 2 years ago | (#37153992)

Nothing like the US raising the debt ceiling over wasting so much money over silly wars, yanktard!

Re:Computer Fraud and Abuse Act (0)

Anonymous Coward | more than 2 years ago | (#37154000)

The Computer Fraud and Abuse Act prohibits unauthorized access to computer systems. Surely planting a cookie that restores itself after the user has deleted it is unauthorized access.

You obviously have not seen the SouthPark episode on the HumanCentiPad... those End User License Agreements allow the software companies to do just about anything...

Re:Computer Fraud and Abuse Act (1)

kmoser (1469707) | about 3 years ago | (#37161212)

That somebody allowed the cookie to be stored on their computer in the first place implies authorization. If the cookie planters are successful, they can assume it's because you granted them such access (whether express or implied). Just like if you walk up to a store and the front door is unlocked, you can assume they're open for business. Even if you are successful in deleting these supercookies forever, nothing will stop the web servers from identifying and tracking you by browser signature (among other things, like IP address), which does not require storing anything at all on your computer.

Re:Computer Fraud and Abuse Act (1)

KDR_11k (778916) | about 3 years ago | (#37179298)

No, it does not. It's the default behaviour of a browser and something most people are unaware of. The browser developer has decided to agree in place of the user.

Re:Computer Fraud and Abuse Act (0)

Anonymous Coward | about 3 years ago | (#37162040)

How do super cookies work exactly? I thought a cookie could only be accessed by the domain that put it there in the first place.

Adobe (0)

Anonymous Coward | more than 2 years ago | (#37153074)

Adobe has been doing this same thing, your browser is set to delete cookies and history.
Adobe won't let you

Go ahead delete them, now visit this site and see what's up
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

Re:Adobe (1)

Baseclass (785652) | more than 2 years ago | (#37156870)

This content requires Flash

Download the free Flash Player now!

Microsoft is Fixing the Problem (3, Insightful)

northerner (651751) | more than 2 years ago | (#37153226)

It seems that Microsoft is trying to do the right thing by removing the use of supercookies.

Why not list the names of the other companies using these cookies so we can avoid them rather than single out Microsoft who is doing something about it?

Did anyone find the article listing the companies found to be using supercookies in July? "In July, Jonathan Mayer, a graduate student at Stanford, revealed that some companies..."

We may avoid the offending sites, but usually we won't know if advertisers on those sites are using them.

Re:Microsoft is Fixing the Problem (0)

Anonymous Coward | more than 2 years ago | (#37154304)

"It seems that Microsoft is trying to do the right thing by removing the use of supercookies."

WTF?

"It seems that the assailant is trying to do the right thing by removing the knife used in the mugging from the victim after the stabbing."

Rittard.

Re:Microsoft is Fixing the Problem (1)

flimflammer (956759) | more than 2 years ago | (#37154848)

Your analogy makes absolutely no sense whatsoever.

Re:Microsoft is Fixing the Problem (1)

KingBenny (1301797) | about 3 years ago | (#37159460)

some kind of a reversy psychology blacklist, i'd love that

One Hand Offers, The Other Conceals (1)

tunapez (1161697) | more than 2 years ago | (#37155238)

While it seems everyone is milking the 'supercookie' cessation hype, at least one org is telling us why...

Online Behavioral Tracking [eff.org]

betterprivacy (0)

Anonymous Coward | about 3 years ago | (#37157990)

Hmm good they quit using them but for all these other websites that do can anyone say firefox portable with the better privacy plugin and after that add in ccleaner for good measure

Apologist title (0)

Anonymous Coward | about 3 years ago | (#37159402)

Shouldn't it rather be 'Micro$oft confesses wrongdoing'?

What are Supercookies - in 20seconds (1)

Monkier (607445) | about 3 years ago | (#37160080)

Here's what 'supercookies' actually are (from the horse's mouth: http://cyberlaw.stanford.edu/node/6715 [stanford.edu] )
* you hit a page which includes a wlHelper.js script
* wlHelper.js is served with a header that tells your browser - cache this forever
* wlHelper.js contains code something like this:
      var unique_id = 'RANDOM_LOOKING_STRING_JUST_FOR_YOU'
      if MUID cookie doesn't already exist
            set MUID cookie to unique_id

You delete your MUID cookie - but next time you hit a page that contains wlHelper.js the cached version is pulled from your browser. unique_id is there in the cached code, so the cookie gets set again.
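
Added example, not part of the original thread and not code from Microsoft or the Stanford write-up: an audit check for the cache-based respawning that maxume and Monkier describe above. It compares the same script URL as captured by two clean browser profiles and flags it when the response is cacheable for a long time and carries a random-looking string literal that differs per client. The 30-day threshold, the entropy cut-off, the sample captures and the `setCookieIfMissing` name are assumptions made for the illustration.

```javascript
// Added example; sample responses and identifiers below are constructed.
const LONG_LIVED = 30 * 24 * 3600; // assumed threshold: 30 days, in seconds

// Seconds the browser may reuse a response without revalidating it.
function cacheLifetime(headers, now = Date.now()) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const cc = h['cache-control'] || '';
  if (/\bno-(store|cache)\b/i.test(cc)) return 0;
  const m = /\bmax-age=(\d+)/i.exec(cc);
  if (m) return Number(m[1]);
  const exp = Date.parse(h['expires'] || '');
  return Number.isNaN(exp) ? 0 : Math.max(0, Math.floor((exp - now) / 1000));
}

// Quoted string literals in a script body, in order of appearance.
function stringLiterals(js) {
  return [...js.matchAll(/'([^'\\\n]*)'|"([^"\\\n]*)"/g)].map(m => m[1] ?? m[2]);
}

// Shannon entropy in bits per character.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts)
    .reduce((e, n) => e - (n / s.length) * Math.log2(n / s.length), 0);
}

// Compare one script URL as fetched by two clean browser profiles.
function auditScript(a, b, now = Date.now()) {
  const lifetime = Math.min(cacheLifetime(a.headers, now), cacheLifetime(b.headers, now));
  const other = stringLiterals(b.body);
  const perClient = stringLiterals(a.body).filter((lit, i) =>
    lit !== other[i] && lit.length >= 16 && entropy(lit) >= 3);
  return { lifetime, perClient,
           suspicious: lifetime >= LONG_LIVED && perClient.length > 0 };
}

// Constructed captures; setCookieIfMissing is a hypothetical helper name.
const script = id => `var unique_id = '${id}';\nsetCookieIfMissing('MUID', unique_id);`;
const forever = { 'Cache-Control': 'public, max-age=31536000' };
const profileA = { headers: forever, body: script('4f9c2a7be1d0438596ab3c7d2e8f1a60') };
const profileB = { headers: forever, body: script('b82e06d7c5f14a3990e1d4a7f63c2b15') };

console.log(auditScript(profileA, profileB));
```

A script that is identical for every visitor, or one the browser may keep only briefly, is not flagged; the combination of the two properties is what lets the identifier outlive a cookie purge.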

Re:What are Supercookies - in 20seconds (1)

KDR_11k (778916) | about 3 years ago | (#37179340)

An argument for not letting browser caches persist after the program exits.
