Ars Technica reports that Reps. Joe Barton (R-Tex.) and Edward Markey (D-Mass.), co-chairs of the Bipartisan Privacy Caucus, have asked the Federal Trade Commission to investigate “supercookies.” Regular HTTP “cookies,” which collect data about and can track users’ Internet searches and sites visited, as the kind of cookies that most people know about. Supercookies, according to the Wall Street Journal article that Barton and Markey cited in their letter (pdf) to the FTC, are cookies that can “respawn” or “re-create” user profiles even after people have deleted regular cookies from their browsers. Some have called these “zombie cookies.” Ars Technica reports:
In a Monday letter to the Federal Trade Commission, two prominent members of the House of Representatives raised alarm about the use of “supercookies” by popular websites such as msn.com and hulu.com. Citing an August Wall Street Journal article, they urged the FTC to investigate the growing use of supercookies as a potential “unfair and deceptive act or practice.” […]
In their letter to FTC chairman Jon Leibowitz, they wrote that “we believe the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for misuse of personal information, and provides another way for consumers to be tracked online.” […]
In July [Ashkan Soltani, an independent privacy researcher who has assisted the Wall Street Journal with its privacy reporting,] was part of a team that uncovered a tracking method using ETags that worked even when the user was in private browsing mode. One of the sites using the technology, Hulu, quickly dropped it and severed ties with KISSmetrics, the company that provided it. KISSmetrics, along with clients such as Spotify and AOL, are now embroiled in a lawsuit arguing that the technology violates privacy laws.
Soltani pointed to Evercookie, a research prototype that demonstrates just how powerful supercookies can be. It stores information about itself in up to a dozen places in the user’s browser. And any time information stored in one place disappears (for example, when a user clears his cookies), it is “respawned” using information stored elsewhere. Such “zombie cookies” are extraordinarily difficult for ordinary users to delete. […]
“Companies should not be behaving like supercookie monsters, gobbling up personal, sensitive information without users’ knowledge,” [Markey] said.