You probably didn’t know it while it was happening, but until this summer popular websites including Hulu and MSN were tracking their users’ travels through the internet with the use of so-called “supercookies” — a much more invasive type of behavior-tracking program than traditional cookies that is also harder to circumvent. When privacy advocates turned up the heat, both sites said they stopped the practice.
Facebook was recently accused of using supercookies, too, but pronounced that it does not track its users beyond their actions on the Facebook site.
It’s clear that established sites want to distance themselves from supercookies and what they represent. But what’s not clear is what firms are still using them and what they can do once installed on your computer. The difficulty with monitoring is that the bit of code dropped into your web browsers for the “super” version of cookies is difficult to delete and can actually reappear elsewhere on your computer if you do delete them — and they track your use of other sites. The cookies most of us are used to dealing with simply tell sites you’ve been there before so they can remember your preferences and deliver behavioral advertising.
The fear of what could happen if a site does drop one of these little tracking devices into your browser has prompted a request last week from members of Congress for a Federal Trade Commission Investigation into whether they are deceptive and invade your privacy. Representatives Edward Markey and Joe Barton, co-chairs of the Congressional Bi-Partisan Privacy Caucus asked the agency to look at the implications of supercookies. Meanwhile, a number of prestigious privacy groups want to see an investigation of Facebook’s use of them.
Tracking software raises concerns
Having your every move on the web tracked can be worrisome. If a company doesn’t like your web profile, could it drop you from qualifying for their best offers? Would your bank use them? Could your personal and financial information fall into the wrong hands? There’s precious little information about the repercussions of this tracking software.
“Supercookies are the latest attempt from companies to conquer the last frontier of privacy,” says Martin Lindstrom, author of Brandwashed: Tricks Companies Use to Manipulate Our Minds and Persuade Us to Buy. “Where cookies store a small but essential set of insights about our surfing patterns, supercookies can store up to (25 times as much) and are stored in disguised file formats in folders different from the spots where you typically would find cookies.”
Supercookies can even go back in time to report on your behavior, he says. Even when companies say they aren’t using supercookies, Lindstrom says the answer can be misleading, since they are often dispensed by third parties through advertising networks.
Security experts say there is little to fear since the cookies are marketing focused and don’t collect details of your accounts, your passwords or other specifics about your finances.
“Supercookies cannot harm your computer or steal data from your hard drive,” says Raj Dandage, security engineer and CTO of mobile application development firm Appguppy Mobile. As persistent as supercookies might be, ultimately they’re not doing anything other than tracking what you view online and can’t acquire personal information.
“These cookies do not provide any authentication or proof to the bank… (that) you are who you say you are,” says Michael A. Davis, CEO of the IT consulting firm Savid Technologies. “They merely are used to help track you and provide better advertising while you browse.”
Typically, only the site that created the cookies can access them, says research engineer Akhil Menon of the internet security firm Total Defense. Menon says it would probably be of no benefit to use a separate browser to perform financial transactions to avoid a hypothetical malicious supercookie since information they collect would likely be stored in the same place on your computer regardless of the browser.
However, he says for the most cautious of users, there is the ability to use software such as VMware Player, “which presents an entire virtual operating system that can be used to present an isolated and sanitary environment for online banking.”
But consumer privacy groups aren’t reassured. “The bottom line with supercookies is that companies need to respect the wishes of consumers,” says Amber Yoo, spokeswoman for the advocacy group Privacy Rights Clearinghouse. “If a consumer effectively ‘opts out’ of being tracked by deleting cookies, companies should respect that opt-out and not re-spawn previously deleted cookies. When will companies learn that the best way to gain customer loyalty is to be transparent and let users make decisions about how their data is collected and shared?”
Circumventing consumer will?
“The fact that major sites are using supercookies shows that they are deliberately trying to circumvent the user’s will in protecting his or her privacy,” Dandage says. “That, to me, is a major concern, because we don’t really know what other tactics they may be using — or what they may be planning to deploy in the future.”
Dandage suggests the following steps to avoid supercookies: Turn off Flash and its plugins, even though that will disable visual elements on many sites). Supercookies are also often known as Flash cookies since they may be created by the program Adobe Flash, which delivers visual elements on many sites. Clear your browser cache — in addition to your cookies — regularly If you use Firefox, download plugins such as NoScript, which allow you to tune your privacy settings Use the “privacy mode” on browsers that offer it.