FTC urged to take tough line on ‘super cookie’ use

The Centre for Democracy and Technology (CDT) is one of several groups that have written to the FTC with concerns about the way technology such as Flash local shared objects (LSOs) and ETags have been used.

In a filing with the FTC, the CDT wrote: “In response to a growing population of users who remove cookies and take other ‘good housekeeping’ measures for the express purpose of preventing tracking, many companies have devised new means for tracking users, some of which are impossible for users to block.

“The commission’s updated guidelines should clarify that certain online data collection practices are considered deceptive and that participating companies should transparently explain their practices.”

The use of Flash LSOs to respawn deleted HTML cookies and allow user tracking continue was brought to public attention by privacy researchers several years back and led to a number of lawsuits, most of which have since been settled or dismissed.

Ashkan Soltani, who was part of the original LSO research team, recently published a report into the use of ETags, which are stored in a computer user’s browser cache so are unaffected when cookies are deleted but contain information necessary to allow deleted cookies to be recreated.

Web analytics firm Kissmetrics was found to be using ETags for tracking but has since revised its system to only use first-party cookies. Still, it faces two lawsuits, which its CEO has called “meritless”.

Another team of privacy researchers at Stanford University recently discovered Microsoft using a form of ‘cache cookie’ – similar to ETags – that would respawn deleted cookies. Microsoft said it took immediate action to disable the relevant code once it was made aware of the issue.