If you’re old enough to remember the Cold War, you know what an arms race is. One side comes up with a new weapon, the other side matches it, and then the first comes back with something even bigger and so on and so on. That also describes the ongoing battle between computer users who value their privacy and the Web sites and their advertisers that don’t.
Every time browser developers and others come up with a defense against tracking — the use of tiny bits of computer code that tell Web sites where you’ve been on the Internet — the other side ups the ante with a new trick. And it’s happening again.
A researcher at Stanford University recently found that Microsoft has been using an online tracking technology that allowed the company to sneakily track users on MSN.com even though they had used some of the standard techniques developed to avoid tracking.
Another group of researchers found that other sites, including Hulu.com, employed super cookie techniques to track users for advertising purposes. They wrote: “We found two sites that were respawning cookies, including one site — Hulu.com — where both flash and cache cookies were employed to make identifiers more persistent. The cache cookie method used Etags, and is capable of unique tracking even where all cookies are blocked by the user and ‘private browsing mode’ is enabled.” (The authors are from The University of California at Berkeley, Worcester Polytechnic and the University of Wyoming. The emphasis is mine.)
Shortly after the report by Stanford’s Jonathan Mayer surfaced last week, Microsoft announced that it would stop the use of the so-called super cookies on MSN. A few days after the UC Berkeley report was published, Hulu announced in a blog post: “Upon reading the research report, we acted immediately to investigate and address the issues identified. This included suspending our use of the services of the outside vendor mentioned in the study.”
Hulu says that the super cookie technology was used by two of their outside vendors, an attempt, the report notes, by Hulu to absolve itself of responsibility. You can decide for yourself if you buy that. But more to the point, what can you do to defend yourself?
Some super cookies live in the cache, which is where the browser stores Web pages you’ve visited recently. By clearing the cache, you’ll get rid of them. That works, but there are two caveats: Dumping the cache will slow down your browser. That’s because cached Web sites load right away; without the cache the browser has to render them from scratch. And when you visit that site again, a new super cookie will glom on to your browser.
Clearing the cache is easy: In Firefox, go to “tools,” then “clear recent history.” In Internet Explorer 9, go to “tools” and “safety,” then “delete browsing history.” In Chrome, go to settings and then “under the hood.” Then click “clear browsing data.”
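As an added illustration (not code from the researchers, Hulu or Microsoft), the JavaScript sketch below models why an identifier kept in the cache survives cookie blocking and disappears when the cache is cleared, and shows one check for spotting ETags that behave like identifiers. The HttpCache class, the function names, the hostnames and every value are assumptions made up for this example.

```javascript
// Added example. Hostnames, ETag values and body hashes are constructed samples.

// Model of a browser HTTP cache: it keeps each response's ETag and echoes it in
// If-None-Match on the next request. Cookie settings are never consulted.
class HttpCache {
  constructor() { this.entries = new Map(); }
  store(url, etag) { this.entries.set(url, etag); }
  clear() { this.entries.clear(); }
  revalidationHeaders(url) {
    return this.entries.has(url) ? { 'If-None-Match': this.entries.get(url) } : {};
  }
}

// Audit: request the same URL from several clean profiles (empty cache, no
// cookies). A content-derived ETag is the same whenever the body is the same;
// one that differs per profile for an identical body acts as a visitor ID.
function findIdentifierLikeEtags(observations) {
  const seen = new Map(); // "url bodyHash" -> { url, etags }
  for (const { url, bodyHash, etag } of observations) {
    const key = `${url} ${bodyHash}`;
    if (!seen.has(key)) seen.set(key, { url, etags: new Set() });
    seen.get(key).etags.add(etag);
  }
  return [...seen.values()].filter((r) => r.etags.size > 1).map((r) => r.url);
}

// Constructed observations from three clean profiles (A, B, C).
const sampleObservations = [
  { profile: 'A', url: 'https://cdn.example/logo.png', bodyHash: 'h1', etag: '"5f3a"' },
  { profile: 'B', url: 'https://cdn.example/logo.png', bodyHash: 'h1', etag: '"5f3a"' },
  { profile: 'A', url: 'https://ads.example/p.gif', bodyHash: 'h2', etag: '"u-81c2"' },
  { profile: 'B', url: 'https://ads.example/p.gif', bodyHash: 'h2', etag: '"u-07de"' },
  { profile: 'C', url: 'https://ads.example/p.gif', bodyHash: 'h2', etag: '"u-c4b9"' },
];

// Repeat visit with cookies blocked, before and after clearing the cache.
function demo() {
  const cache = new HttpCache();
  cache.store('https://ads.example/p.gif', '"u-81c2"');
  const beforeClear = cache.revalidationHeaders('https://ads.example/p.gif');
  cache.clear(); // what "clear browsing data" does to this entry
  const afterClear = cache.revalidationHeaders('https://ads.example/p.gif');
  return { beforeClear, afterClear, flagged: findIdentifierLikeEtags(sampleObservations) };
}

console.log(demo());
```

Differing ETags can also have benign causes, such as load-balanced servers that compute ETags from file metadata, so a flagged URL is a lead to investigate rather than proof of tracking.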
But remember. We’re talking arms race here. The UC Berkeley report also talks about a nasty technique called “respawning,” which means just what it sounds like: The cookie recreates itself. These are hard to defeat. One way is to block any caching at all, but as I mentioned, not having a cache will slow your browser down.
There are two Firefox add-ons that are probably helpful, but I haven’t had a chance to try them yet. One is called SafeCache, which doesn’t yet work with Firefox 6; the other is RequestPolicy, which does work with Firefox 6.
RequestPolicy blocks what are called “cross-site requests,” which means that a site you’re visiting requests data about a site you’ve visited in the past. That’s important information for advertisers and for Web sites that want to know where people are coming from.
But you may think that’s intrusive, which is why you may want to use RequestPolicy. (Note: This add-on is probably not suitable for you if you’re not comfortable digging under the hood of a browser and making changes.) If other browsers have similar add-ons, I haven’t heard of them.
Lastly, let’s go over the basic defenses you can use against the most common and less sophisticated tracking techniques.
All of the major browsers have some built-in defenses. The first is called private browsing, which stops your browser from making note of where you’ve been in its history file. That’s worth doing if you’re visiting sites that you don’t want other users of that computer to know you’ve visited. It’s very easy to turn on private browsing; in Firefox, for example, simply click the “Firefox” button and select private browsing. IE 9 has an option called “InPrivate” browsing that you can find on the tools tab, and Chrome has incognito mode.
But private browsing isn’t necessarily all that private. In addition to the super cookie issue, some of the extensions you might add to those browsers can reduce their effectiveness. Still, it’s certainly worth using private browsing modes if you’re concerned about tracking. You can also check a box that says something like “tell Web sites I don’t want to be tracked”, and as you’d expect, some Web sites will honor that and others won’t.
Finally, drill down. Each of the three major browsers has quite a few settings involving privacy, and it’s worth a few extra clicks to check them out.
San Francisco journalist Bill Snyder writes frequently about business and technology.