One hard cookie

Published November 17, 2011

Illustration by Sabir Nazar

As the old saying goes, “knowledge is power,” and no place is a better witness to this than the internet. For online advertisers, marketing companies, and internet giants like Google, Microsoft and Facebook, knowing about users’ preferences and tracking them remains the key to improving the user experience and maintaining a competitive advantage in today’s cutthroat internet marketplace. For such companies, information about the type of websites users visit and the keywords they search for is virtual gold; it helps them build databases on hobbies, buying trends and the like, and then use them for customer-specific advertising. A person searching for shoes, for example, will be much more receptive to ads that show discounted rates on footwear, while a person searching for information on backaches is more likely to respond to ads endorsing pain relievers.

While companies are scrambling to collect this data and turn it into information, the average internet user remains concerned about the footprint he or she leaves when surfing the Web. No one is comfortable with their online history being stored in an online database without their explicit permission. This is primarily the reason users are often bombarded with confusing privacy options used by companies to get around privacy clauses and obtain users’ consent for gathering data about their internet habits.

The “super” difference

As many internet users know, cookies are small files stored by browsers to record user information. They personalise and speed up your browsing experience by saving your preferences for the next time you visit a particular website. That being said, cookies have the potential to be used to infringe on users’ privacy. Companies that embed cookies on their websites can forward user data to third parties that may misuse the information for different purposes such as research, marketing, or worse, monitoring a user’s online activities. Traditionally, users have been able to decide whether or not they want cookies enabled on their browsers. This decision-making power often causes problems for companies that want to track users’ visits. A person who has deleted cookies on his system may show up as a different user on the same website, as his PC no longer contains the cookies that were being used to track his previous session.

As users become increasingly aware of privacy and its various clauses, companies have started to resort to new tactics to ensure that their tracking continues uninterrupted, giving birth to a new breed of cookies, commonly referred to as “supercookies”. Discovered by researchers at Stanford University and University of California, supercookies not only track user activities, they also recreate user profiles even after users delete the regular cookies. According to research, major websites like Hulu and MSN have already been using this technique.

Additionally, supercookies not only track users’ activities without their knowledge, they are also notoriously hard to remove. While the traditional cookie file restricts itself to a particular website, supercookies can track and record user behaviour across multiple websites. Also, they are stored in locations different from the traditional browser cache, making it difficult for even advanced users to locate and remove them. For instance, on the Hulu website, researchers discovered that supercookies were being stored in obscure files used by Flash plug-ins – a method not only unknown to many users, but also undetectable through the standard search process. Not only is this bad news for users who thought simply un-checking an option in their browser settings (or deleting the files altogether) could keep them safe from privacy-gobbling cookies, it also provides another way for criminals to commit identity theft.

Microsoft’s stance

Microsoft promptly responded to allegations regarding supercookies on its blog, and released a carefully-worded statement. Though it did not clearly deny the presence of supercookies, it stated that these were the result of older code on Microsoft-specific websites which was going to be removed anyway. It reminded users about its strong stance on privacy, and gave assurances that such mechanisms would not be deployed in the future.

The thin privacy line

Some people argue that with users becoming increasingly tech-savvy about managing their online privacy settings and valuing their anonymity, such techniques were inevitable. However, this argument does not undermine the severity of the issue, and unfortunately, the adoption of supercookies was not restricted to MSN and Hulu. Researchers discovered that the popular movie website Flixster was also using unauthorised tracking to look into the web history of its customers – including matching their history against more than 1,500 websites. This information was being used to enhance the type of advertising presented to the user upon his or her visit. Like Microsoft, Flixster denied having knowledge of this and blamed a digital marketing company whose technology was being used by the website.

It is clear that customers who value their privacy cannot afford to blindly trust websites with protecting their data, and must ensure their information is not being used for, or extracted by, any illegitimate purposes or means. Often websites hide behind cleverly-worded user agreements as a way of escaping legal liability. However, crossing ethical boundaries through such tracking is not acceptable, and results in a loss of trust among privacy-conscious consumers. In addition to violating users’ privacy rights, the companies involved in using such tactics are also defying the best practices on privacy, which require companies to explicitly state the type of tracking activity used to collect users’ data. Only through clearly-stated and transparent privacy rules can consumers trust what information is being used by websites and how it has been gathered.

On the technical side, websites should not be using tools, plug-ins or cookies that may be collecting customers’ data without their knowledge. Companies must take responsibility for third-party tools and plug-ins that are present on their websites, and should stop playing the blame game whenever a privacy lapse occurs. Similarly, users should educate themselves on how supercookies are stored, and use Adobe website storage settings to delete existing Flash cookies on their systems and configure them to disallow future files from being stored.
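For readers who want to see which sites have left Flash cookies on a machine before deleting them, the following added example (not part of the original article) lists Flash “local shared object” files grouped by the website that stored them. The folder locations and the `.sol` file layout are assumptions based on Flash Player’s usual defaults and are not stated in the article; the function names and sample data are constructed for illustration.

```python
import os
from collections import defaultdict
from pathlib import Path

def default_lso_roots(home=None):
    """Usual Flash Player #SharedObjects folders (assumed defaults per platform)."""
    home = Path(home or Path.home())
    roots = [
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    ]
    appdata = os.environ.get("APPDATA")                                       # Windows
    if appdata:
        roots.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")
    return roots

def inventory_lsos(roots):
    """Map storing domain -> sorted list of (path below the domain, size in bytes).

    Assumed layout: <root>/<random profile dir>/<domain>/.../<name>.sol
    """
    found = defaultdict(list)
    for root in map(Path, roots):
        if not root.is_dir():          # folder absent: Flash never stored anything here
            continue
        for sol in root.rglob("*.sol"):
            parts = sol.relative_to(root).parts
            # parts[0] is the random per-profile directory, parts[1] the domain
            domain = parts[1] if len(parts) >= 3 else "(unknown)"
            found[domain].append(("/".join(parts[2:]) or sol.name, sol.stat().st_size))
    return {domain: sorted(files) for domain, files in found.items()}

def make_sample_tree(base):
    """Constructed sample data: two made-up domains, not real tracker files."""
    root = Path(base) / "#SharedObjects"
    samples = [("AB12CD34/video.example/player/prefs.sol", b"\x00" * 40),
               ("AB12CD34/ads.example/uid.sol", b"\x00" * 12)]
    for rel, data in samples:
        path = root / rel
        path.parent.mkdir(parents=True)
        path.write_bytes(data)
    return root

if __name__ == "__main__":
    for domain, files in sorted(inventory_lsos(default_lso_roots()).items()):
        print(domain)
        for name, size in files:
            print(f"    {name}  ({size} bytes)")
```

The script only reads and reports; a domain that keeps reappearing in this list after regular browser cookies have been cleared is the behaviour the article describes.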

The long road to privacy

According to a recent announcement, the US Department of Homeland Security is considering the idea of inspecting the Web traffic of ISPs to find out if users are infected with botnets. Although this initiative might be for users’ security, it diminishes the boundary between what information users want to divulge and what they want to keep private. While governments and companies may give ample assurance that tracking information will only be used for legitimate reasons, the threat of such information falling into the hands of online marketing companies, or worse, identity thieves, is a distinct possibility. The excuse used by most companies of not being aware of the usage of supercookies on their websites will not be taken well by most consumers in the future. With increasingly ingenious tactics used by marketing companies, users should empower themselves with knowledge of the latest privacy trends and threats, or risk having their personal details quietly stored and used in online databases without their knowledge.

Published in the November 2011 issue of Spider.
