One problem with supercookies is that they are stored outside a browser, meaning they work outside browser privacy protections, said Ashkan Soltani, an independent security researcher and co-author of the UC Berkeley report. As a result, switching browsers to protect privacy doesn't help, Soltani said in a blog post.
"A Flash cookie acquired while using Firefox is also available to websites when using Internet Explorer," he said.
In many cases, such cookies are used without any user notice, opt-out or choice, Soltani said in an interview. Often, such cookies can be used by online tracking companies to peer into Web-browsing habits across multiple sites to build a highly detailed profile about users, he said.
As an example, Soltani pointed to technology from KISSmetrics, a company used by Hulu and others for online tracking purposes. According to Soltani, the respawing and tracking techniques used by KISSmetrics generates unique identifiers, even when the user blocks HTTP and Flash cookies. Soltani said that he and another researcher earlier this month identified at least 515 websites using KISSmetrics code that would allow cookie respawning.
"We are seeing this arms race between consumers who want to declare their privacy preferences and companies that that have strong motivations to track users," for advertising and analytics, he said.
Hiten Shah, the CEO of KISSmetrics, on Thursday did not comment on Soltani's findings but instead pointed to a blog post explaining the company's position.
In it, Shah insisted that KISSmetrics does not track users across different websites nor does it have the ability to do so. Shah denied that KISSmetrics uses persistent cookies and said the company has added an opt-out feature for those who do not want to be tracked.
The legality of supercookies is unclear. The Network Advertising Initiative (NAI), which sets standards for behavior by online marketers and analytics firms, officially frowns upon the use of Flash cookies and other tracking technologies that circumvent user privacy settings.
In 2009, Quantcast, an online tracking firm, was sued after Soltani and other UC Berkeley researchers showed how the company's respawning Flash cookies were being used widely by major websites. Quantcast agreed to settle the lawsuit for $2.4 million last December.
Since Soltani's latest paper was released, KISSmetrics has already been hit with two lawsuits by consumers claiming their privacy rights were violated.
"The behavior uncovered by these researchers demonstrates conclusively that industry self-regulation is a myth," said John Simpson, director of Consumer Watchdog. "Promises of responsible behavior under self-regulation have repeatedly been demonstrated to be meaningless.
"We need a law that creates a strong Do Not Track mechanism, which would enable consumers to make their desire not to be tracked clear, no matter what invasive technology might be implemented, Simpson said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is [email protected].
