Hulu, MSN Track Users With "Supercookies"

Down with the Cookie

New research presented by Stanford University and the University of California at Berkeley claims that popular websites including Hulu and MSN are currently using new techniques to track users. These include the use of "supercookies" which are not only legal, but almost impossible to detect. They even reportedly re-create user profiles after the user deletes the original cookie from their computer.

On Thursday, The Wall Street Journal revealed that supercookies can be used to steal a user's entire browser history. They're also stored in a different place than typical cookies, which usually reside within a browser's cache folder. Most of the time, supercookies are deployed through either HTML5 code or Flash content, both of which store them in a separate folder, making them hard to detect and delete.

According to the paper, Hulu was storing tracking code in files related to Flash. The website itself also contained code from a company that analyzes website-traffic data, which in turn was injecting supercookies into the browser cache and into files associated with HTML5. After Hulu was contacted about its use of supercookies, the website posted an online statement claiming that it "acted immediately to investigate and address" the issue.

Mike Hintze, associate general counsel at Microsoft, said that the MSN team was alarmed when the research results were brought to their attention. "It was inconsistent with our intent and our policy," he told the paper, and then added that Microsoft removed the offending code from the MSN website. Other Microsoft-owned websites and its advertising network were also found to be using supercookies.

"Microsoft's Mr. Hintze said that the company removed the code after being contacted by Mr. [Stanford researcher Jonathan] Mayer, and that Microsoft is still trying to figure out why the code was created," the paper states. "A spokeswoman said the data gathered by the supercookie were used only by Microsoft and weren't shared with outside companies."

Both Flixster and Charter.net were discovered to be using a "history stealing" tracking service which snoops into the browsing histories of visitors to see if they frequent one of more than 1,500 listed websites. The history stealing on those two sites was being performed by Epic Media Group, but chief executive Don Mathis claims that his company was inadvertently using the technology and no longer uses it. Flixster and Charter were completely (and conveniently) unaware of the ordeal.

Thankfully there's a way to eliminate and prevent supercookies from invading your privacy. For the Windows platform, CCleaner will nuke most cookies stashed on the hard drive, and Flush.app is a handy cookie cutter for the Mac platform. Those using Mozilla's Firefox browser can install the BetterPrivacy extension that will help block most of those pesky invaders.
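To check whether a cleanup actually worked, compare what a site stores before the cookies are deleted, right after, and after the next visit: an identifier that comes back unchanged was kept somewhere else. The sketch below is an added example, not code from the researchers or from any of the sites named; the snapshot format, store names and identifier values are constructed for illustration, and collecting the snapshots is left to whatever tool is used.

```python
# Added example. All identifiers, store names and snapshots are constructed.
MIN_ID_LEN = 8  # skip short values (flags, locale codes) that match by chance

def long_values(store):
    """Map value -> key for values long enough to be tracking identifiers."""
    return {v: k for k, v in store.items() if len(v) >= MIN_ID_LEN}

def find_respawned(before, after_clear, after_revisit):
    """Report cookies that return with their pre-deletion value.

    Each snapshot is {store_name: {key: value}} and must contain "cookies";
    other stores (Flash LSO, HTML5 localStorage, ...) are optional.
    """
    old = long_values(before["cookies"])
    still_there = set(after_clear["cookies"].values())
    findings = []
    for value, key in long_values(after_revisit["cookies"]).items():
        if value not in old or value in still_there:
            continue  # fresh identifier, or the cookie was never deleted
        # Stores that kept a copy while the cookie was gone. An empty list
        # means the value came back by a route these snapshots do not cover.
        sources = sorted(name for name, store in after_clear.items()
                         if name != "cookies" and value in store.values())
        findings.append({"cookie": key, "value": value,
                         "restored_from": sources})
    return findings

# Constructed snapshots: before cleanup, after deleting cookies, after revisit.
BEFORE = {
    "cookies": {"uid": "a91f3c7e20b4", "lang": "en"},
    "flash_lso": {"userId": "a91f3c7e20b4"},
    "localStorage": {"theme": "dark"},
}
AFTER_CLEAR = {
    "cookies": {},
    "flash_lso": {"userId": "a91f3c7e20b4"},
    "localStorage": {"theme": "dark"},
}
AFTER_REVISIT = {
    "cookies": {"uid": "a91f3c7e20b4", "lang": "en", "session": "5d0e77c1b9aa"},
    "flash_lso": {"userId": "a91f3c7e20b4"},
    "localStorage": {"theme": "dark"},
}

if __name__ == "__main__":
    for finding in find_respawned(BEFORE, AFTER_CLEAR, AFTER_REVISIT):
        print(finding)
```

A finding with a non-empty `restored_from` names the store that also has to be cleared before the identifier stops coming back.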

  • kinggraves
    Oops, how did several lines of code which serve a specific and intentional purpose get in there?
  • mister g
    kinggraves: "Oops, how did several lines of code which serve a specific and intentional purpose get in there?"

    My exact thoughts! Don't think these guys are the only ones though. I'm betting other huge companies are doing the same thing and haven't been caught yet.
  • house70
    Funny how they got their hands in the cookie jar, but upon questioning, they're all like "what? That's not my hand! I don't know how it got there!"
    bull$h1t
  • sliem
    which are not only legal, but almost impossible to detect.

    So it's legal. Why is it an issue if it's legal?
  • gokanis
    "These include the use of "supercookies" which are not only legal, but almost impossible to detect."

    Legal? For something legal they sure removed it quick, or said they did. How is it legal to rummage through my hard drive? Maybe someone will rummage through theirs and leave a present someday......
  • JohnnyLucky
    Sounds to me like desperate acts to generate revenue.
  • drwho1
    I think that they are using the term "legal" very loosely.
    I don't like their interpretation for "legal" at all.
  • mortsmi7
    Legal means there is not currently a law against it. So I guess sending them a "supercookie" is ok too.
  • HappyBB
    How I am not surprised to read this. A lot of tech companies are doing this and yet, no one admits it! What a bunch of hypocritical BSes!
  • memadmax
    FF+NoScript+Ghoster=Win.

    And hulu hates me for it too, "We're sorry, we are not able to run ads at this time. Movies are brought to you for free with support from our advertisers......" and blah blah blah blah

    But the crappy movie that nobody ever watches, still runs....