Recently, online properties like Hulu, MSN and Flixster have been caught using a tougher version of the common cookie. These “supercookies” (aka “Flash cookies” and “zombie cookies”) serve the same purpose as regular cookies by tracking user preferences and browsing histories. Unlike their popular cousins, however, this breed is difficult to detect and subsequently remove. These cookies secretly collect user data beyond the limitations of common industry practice, and thus raise serious privacy concerns.
Supercookies are similar to the standard browser cookies most folks are familiar with, but are stored in different locations on a user’s machine, for example, in a file used by a plug-in (Flash is the most common). This makes them harder to find and delete, especially since a browser’s built-in cookie detection process won’t remove them either. Furthermore, some supercookies have additional capabilities, like regenerating regular cookies to prevent their removal by the user.
To make matters worse, removing master supercookies is much more difficult. It requires the user to dig through the file system and delete them manually, an inconvenient task even for advanced users. The novice, on the other hand, likely won’t even realize supercookies exist, let alone be able to find them.
The kind of data supercookies track isn’t typical cookie material. A browser limits the typical cookie to be written, read and ultimately removed by the site that created it. The supercookie, on the other hand, operates outside of established safeguards. It can track and record user behavior across multiple sites. While it’s easy to understand that a site would want to track a user’s activity while she navigates its turf, it’s ethically questionable that site operators are able to record a user’s actions beyond site parameters.
In several cases, a company’s supercookie is the result of its partnership with a digital marketing firm that places a high value on user behavior. Under FTC pressure, the Internet ad and marketing industry responded by publishing “self-regulatory” policies, although it restricts itself from little else than a user’s medical records.
While many companies that had been challenged on their use of supercookies were quick to cease, some chose to continue the practice. Many web marketing firms, advertisers and less-than-scrupulous websites still refuse to follow industry best practices; they continue the practice knowingly. And many more sites don’t even realize they’re utilizing supercookies in the first place.
Whether it has decided to cease web tracking or not, the company at risk needs to beware of losing control of already collected data. A data breach would result in catastrophic — and perhaps incurable — brand distrust. A user’s discovery of a company’s surreptitious data collection and the subsequent vulnerability of that data could easily spell the end of a brand’s reputation.
Companies that care about reputation and user trust should audit their sites and properties to ensure that data collection and the use of supercookies parallel user expectations. This analysis applies to the site, its advertisers and any third party tools or plug-ins. Companies need to ensure that all data collection has been thoroughly disclosed in order to avoid legal liability.
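One check such an audit can include targets the cookie-regenerating behaviour described earlier: record a test profile's cookies, delete them, revisit, and see whether any identifier returns unchanged while a copy sits in non-cookie storage. The sketch below is an added example, not part of the original article; the snapshot layout, domains, storage labels and values are all constructed assumptions.

```python
# Added example: flag cookies that "respawn" after the user deletes them.
# Snapshot layout, domains and values are constructed for illustration.

MIN_ID_LEN = 8  # skip short values ("en", "1") that repeat by chance


def find_respawned(before, after, other_storage):
    """before/after: {(domain, cookie_name): value}, recorded on a first
    visit and again after clearing all cookies and revisiting.
    other_storage: {label: text} for data held outside the cookie jar,
    such as the contents of a plug-in's storage file.
    Returns one finding per cookie that came back with its old value AND
    whose value is also present in non-cookie storage."""
    findings = []
    for (domain, name), value in sorted(before.items()):
        if len(value) < MIN_ID_LEN:
            continue
        if after.get((domain, name)) != value:
            continue  # absent or fresh value: the deletion was honoured
        sources = sorted(label for label, text in other_storage.items()
                         if value in text)
        if sources:  # same ID survived deletion and a copy lives elsewhere
            findings.append({"domain": domain, "cookie": name,
                             "value": value, "restored_from": sources})
    return findings


# Constructed snapshots for one test browser profile.
BEFORE = {
    ("video.example", "uid"): "a3f9c2e17b604d58",
    ("video.example", "lang"): "en",
    ("ads.example", "sess"): "7712ffab90cd3e21",
}
AFTER = {
    ("video.example", "uid"): "a3f9c2e17b604d58",  # same ID came back
    ("video.example", "lang"): "en",
    ("ads.example", "sess"): "c04e18d2aa5b6f93",   # fresh ID issued
}
OTHER = {
    "flash:video.example/settings.sol": "prefs;uid=a3f9c2e17b604d58;vol=7",
    "localStorage:ads.example": "theme=dark",
}

if __name__ == "__main__":
    for f in find_respawned(BEFORE, AFTER, OTHER):
        print(f"{f['domain']} cookie {f['cookie']} restored from "
              f"{', '.join(f['restored_from'])}")
```

A cookie that returns unchanged with no copy found in the inspected storage is not reported here; it still deserves a manual look, since the identifier may be held somewhere the audit did not capture.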
Companies should not wait for a problem to arise before initiating a comprehensive data security overview. A regular screening of all user data and its safeguards is good practice. The cost a company suffers for securing its data and customer trust is small compared to the business and public relations fallouts that would result from a security breach.
A successful company will always make a comprehensive attempt at transparency by handling data responsibly. The use of data tracking tools like supercookies does not rank highly in consumer acceptance, whether its application is technically “legal” or not. Regardless of the manner in which information is collected, know that negligent data handling will not be excused by claims that a company was in the dark about its collection practices. In the eyes of the consumer, the more data collected, the more of an obligation that company has to keep it safe.