Popular websites’ use of ‘supercookies’ raises online privacy issues

The age-old Internet security advice for kids has always been to never release their phone numbers on the Web.

But in an age in which Google and Facebook request phone numbers for increased security, recent studies by UC Berkeley and Stanford University found that Web users are still at risk as popular websites are able to recover browser history immediately after users visit the site.

Websites like Hulu and MSN have utilized new technologies known as “supercookies” — designed to undo or bypass consumers’ preferences to keep their information private — allowing the sites to access users’ browser history even after they have cleared their browser.

This usage of supercookies can lead to third-party tracking and behavioral advertising, and according to an email from Chris Hoofnagle, a UC Berkeley lecturer in residence and lead on the UC Berkeley study, the supercookies use tricks to make users think they are not being monitored while still tracking them across the Internet.

“Imagine that your RA wanted to monitor your behavior in the dorm, so your RA installed large windows in your room in order to watch over you,” Hoofnagle said in the email. “The RA also tells you that you have the right to opt out of this monitoring. You opt out, but instead of installing blinds, the RA installs a one-way mirror.”

UC Berkeley published an online study on July 29 about online privacy, and Stanford released a separate, informal study, called the Do Not Track project, to the Federal Trade Commission regarding its research. But Hoofnagle said both universities’ work is complementary and part of the same National Science Foundation group looking at secure computing.

According to Jonathan Mayer, a Stanford graduate student in computer science and leader of the Stanford project, his team began working on the project in March 2011 when they realized that so-called credible supercookie technologies were actually not protecting people on the Web.

“If you don’t want to be tracked, you should be able to check a box that does this,” Mayer said.

Mayer also said that some supercookie technologies should only be used to prevent online fraud and that it is objectionable to be “supercookied” every time a user tries to partake in an action — like opening a credit card — on the Internet.

“We need to be giving users choices based on online tracking, private browsing modes and making sure they don’t leave things behind on the computer,” Mayer said.

One of the websites that was mentioned in both the UC Berkeley and Stanford studies and is currently involved in litigation regarding online privacy is the popular video site Hulu, which can regenerate Web activity between browsers.

Representatives from Hulu declined to comment when contacted but did write a blog post on Aug. 5 on their website about the issue of online privacy, which states, “Upon reading the research report, we acted immediately to investigate and address the issues identified. This included suspending our use of the services of the outside vendor mentioned in the study.”

Ashkan Soltani, an independent online privacy researcher and security consultant who collaborated on both studies, said that the problem is that websites circumvent users’ anonymous choices.

“It highlights the technology arms race that consumers are engaged in,” Soltani said. “It’s this game of privacy Whac-A-Mole where you block one way but there’s another way to get someone’s information.”

  • 580 Super L Series 2 82064

    fraud? how about blackmail? life resembles perry mason murder mysteries where he solves crime in 1 hour. thanks, DC, i’d Never find this on the sf chronicle or even yahoo. (oo-hay! spelled backwards= yahoo……………………

  • John Name

    Technological evolution synchronised with the creeping of flesh