A few weeks ago it came to light that Spotify was using a special type of tracking cookie. Of course, once caught with their hand in … um, the cookie jar (sorry!), Spotify said they would suspend the use of the Kissmetrics cookie technology. But as Digital Music News notes, it is a bit late for the tens of millions of users worldwide who have used Spotify already!
Spotify is already managing this like a crisis. According to research just published by researchers at UC Berkeley, Spotify has been using a cookie that cannot be deleted, still tracks if the user blocks cookies, and even operates in browser stealth mode. In fact, if you try to delete this thing, the cookie dynamically regenerates. “The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and ‘Private Browsing Mode’ is enabled,” the researchers described.
The cookie is powered by Kissmetrics, and also deployed by Hulu and others.
In response to the potentially horrible press, both companies have dropped the use of the cookie immediately. In other words, both were caught red-handed, and are now hoping for the best. “We take the privacy of our users incredibly seriously and are concerned by this report,” a Spotify spokeswoman told Digital Music News. “As a result, we have taken immediate action in suspending our use of Kissmetrics whilst the situation is investigated.”
The only problem is that most in Europe have already downloaded the application, as have early-adopting Americans. And, there’s no clear way to remove this thing. “If you do everything the average user does to say ‘I don’t want to be tracked,’ it still tracks you,” an IT professional who examined the cookie told Digital Music News. “The potential for invasion of privacy is huge.”
Update (8/4): Spotify is now part of a lawsuit related to the Kissmetrics tracking implementation.
If you look at the short sentence in the middle, you will see the name ‘Hulu’. Well, apparently Hulu is a bit late to dealing with this tracking issue, as both they and MSN are using the so-called ‘Super Cookies’ to track users in a way that cannot be blocked or removed:
It has been discovered that both Hulu.com and MSN.com have been using powerful supercookies to track online visitors user data. The supercookies are almost impossible to detect and can recreate user profiles even after a normal cookie has been deleted and are capable of stealing a users complete browser history in some cases.The data can then be used to see a visitors financial and health status and provide advertisers with considerably more detailed information than a standard cookie would divulge.
The websites use of the new supercookies was discovered by researchers at Stanford University and University of California at Berkeley. The supercookies are sometimes distributed through Flash content as cookies for this type of content are stored in a separate folder away from normal cookies, and are not removed when a user clears their normal cookies folder.
Once contacted about the new Supercookies Microsoft removed the code and explained, “when it was brought to our attention, we were alarmed. It was inconsistent with our intent and our policy.” said Mike Hintze, associate general counsel at MSN parent company Microsoft Corp. Hulu has said that are currently investigating the discovery.
If you are worried about supercookies on your systems there are a number of ways to clean them off. Mac Users can use the Flush.app software, while Windows users can use CCleaner to remove most of the harmful cookies making the rounds. There is also a plugin for Firefox called BetterPrivacy which will help keep cookies out of your system.
As noted, once Microsoft was alerted to the issue they immediately removed the code – meaning that like Spotify they got caught and immediately responded in a way that would benefit future users (but not existing users). Hulu, on the other hand, is simply ‘looking into it’. Given the invasive nature of the technology, my cynical take says they are looking busy while hoping things blow over and can just keep on collecting user data – I hope I’m wrong!
The article mentions a few ways to dump these super-cookies from your PC or Mac. I suggest taking these steps immediately even if you don’t use Spotify or Hulu or MSN … because those are the three who have been CAUGHT, so there are likely plenty more scumbags out there hoping you won’t notice them taking your private information and ignoring your attempts to block them!
But wait … there’s MORE!
Y’know how Apple talks about Adobe Flash as being one of the worst offenders in terms of security and stability, and many folks say that ‘the full web’ is defined by having Flash? Well, apparently ‘the full web’ includes Super Cookies!
More than half of the internet’s top web sites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies.
Under the direction of Chris Hoofnagle of the Information Privacy Programs at the Berkeley Center for Law and Technology, the researchers discovered that most web users aren’t familiar with Flash cookies and that Flash web cookies can’t be controlled through the cookie privacy controls in a browser. Even more interesting was the use of Flash cookies to ‘re-spawn’ or bring back to life traditional browser cookies that had been deleted on customer computers. In the study even several federal government web sites were found to contain Flash cookie ID information. The federal government has a policy of banning the use of traditional browser cookies.
So not only is Flash insecure and unstable, it carries unauthorized cookies that ignore user preferences, and can be used as a Trojan to reinstate cookies that the user has flushed. Fortunately the site mentions that the same methods can kill all of these Super Cookies.
It seems that just when we start to feel secure – everyone has their personal firewall, anti-virus scanner, malware blocker, spyware removal, all with subscriptions that cost money and eat processor cycles … but that just isn’t enough!