"It is difficult to estimate the number of users affected by Microsoft's respawning without knowing more about traffic to Microsoft's web properties and the conditions under which it would set [the identifier ID]," Mayer said in his blog. But the company had the ability to easily associate a user's interactions with msn.com, live.com and the Atlas network both before and after cookie clearing.
"One of the most prolific ad networks was using technologies that are widely frowned upon for circumventing user privacy choices," Mayer told Computerworld via email. "At minimum this was a colossal privacy gaffe."
One problem with supercookies is that they are stored outside a browser, meaning they work outside browser privacy protections, said Ashkan Soltani, an independent security researcher and co-author of the UC Berkeley report. As a result, switching browsers to protect privacy doesn't help, Soltani said in a blog post.
"A Flash cookie acquired while using Firefox is also available to websites when using Internet Explorer," he said.
In many cases, such cookies are used without any user notice, opt-out or choice, Soltani said in an interview. Often, such cookies can be used by online tracking companies to peer into Web-browsing habits across multiple sites to build a highly detailed profile about users, he said.
As an example, Soltani pointed to technology from KISSmetrics, a company used by Hulu and others for online tracking purposes. According to Soltani, the respawning and tracking techniques used by KISSmetrics generate unique identifiers, even when the user blocks HTTP and Flash cookies. Soltani said that he and another researcher earlier this month identified at least 515 websites using KISSmetrics code that would allow cookie respawning.
"We are seeing this arms race between consumers who want to declare their privacy preferences and companies that have strong motivations to track users," for advertising and analytics, he said.
Hiten Shah, the CEO of KISSmetrics, on Thursday did not comment on Soltani's findings but instead pointed to a blog post explaining the company's position.
In it, Shah insisted that KISSmetrics does not track users across different websites nor does it have the ability to do so. Shah denied that KISSmetrics uses persistent cookies and said the company has added an opt-out feature for those who do not want to be tracked.