Microsoft has disabled the code responsible for creating supercookies on the computer of users navigating to its websites, designed to harvest browsing data even though plain vanilla cookies were not available.
Websites traditionally rely on cookies in order to store a variety of information about users on their own machines, including preferences, authentication session data, but also additional text info.
Such files can be abused by sites in order to track users online, understand their behavior, their activities, and even access their browsing history.
As users worldwide become increasingly privacy-aware they tend to remove cookies in order to limit the amount of data that third-parties can find out about them. It appears that supercookies continue to be able to access user data even after regular cookies have been removed.
“According to researchers, including Jonathan Mayer at Stanford University, "supercookies" are capable of re-creating users' cookies or other identifiers after people deleted regular cookies,” revealed Mike Hintze
, Associate General Counsel, Regulatory Affairs, Microsoft.
Hintze acknowledged that some Microsoft online properties were using supercookies, but says that once the company was informed of this they promptly moved to discontinue the code responsible for them.
“Mr. Mayer identified Microsoft as one among others that had this code, and when he brought his findings to our attention we promptly investigated. We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued. We accelerated this process and quickly disabled this code,” he said.
The Redmond company has a strong commitment to respecting user privacy, Hintze underlined, stressing that any user data that was harvested remained within Microsoft.
“At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft. We are committed to providing choice when it comes to the collection and use of customer information, and we have no plans to develop or deploy any such "supercookie" mechanisms,” he added.