Congressional Representatives Ask FTC To Investigate Companies Online Tracking Practice With "Supercookies"
On September 27, Congressional representatives Joe Barton (R-Texas) and Edward J. Markey (D-Mass.), Co-Chairmen of the House Bi-Partisan Privacy Caucus, sent a letter to the U.S. Federal Trade Commission (FTC) asking the agency to investigate “supercookies,” files that can be installed on consumers' computers without their knowledge or consent. Websites use supercookies to collect detailed personal information about consumers and to track consumers' online usage across the Internet.
Supercookies represent the latest effort in the Internet technology race for companies to track consumers' online behaviors versus consumers' need for privacy. First there were browser cookies, which were fairly simple text files websites used to recognize whether or user had visited that website before -- without requiring the user to identify their self.
As consumer awareness increased about the tracking and privacy issues with web browser cookies, some companies began to use the Flash cookies, with the Flash technology, to track and store consumer information data, since most consumers have the Flash plugin installed with their web browsers. As consumers supported "do not track" legislation and began using "do not track" options with their web browsers to delete standard browser cookies, some companies began using "zombie cookies"-- a tracking method to both save tracking information within other folders on consumers' computers and to continually regenerate standard web browser cookies deleted by consumers.
Most recently, some companies began using "zombie e-tags." The term "supercookies" seems to be a catch-all term for both covert tracking approaches: "zombie cookies" and "zombie e-tags." According to PrivateWiFi:
"... supercookie files can store more information than a normal cookie and can sometimes be stored in different places than regular cookies, such as a file used by a plugin (such as Flash), which makes them harder to identify and remove. In addition, some supercookies have the capability of regenerating regular cookies to prevent their removal. Supercookies track things differently from ordinary cookies. A normal cookie can be written, read and ultimately removed by the website that created it. However, the supercookie operates much more stealthily by tracking and recording user behavior across multiple sites. It’s ethically questionable that a website should be able to record a user’s actions beyond its borders. Websites that have been found to use supercookies include MSN.com, Hulu.com, and Flixster.com."
The ethics is definitely an issue. Is it ethical for a website, like Hulu.com or Facebook.com, to track consumers' usage beyond their websites and across the entire Internet? Perhaps, it is okay if the website policies are transparent, provide legible notice, and gain consumers' opt-in consent first. So, the letter by Barton and Markey is very timely and appropriate. Their September 26 letter read in part:
"As C-Chairs of the Congressional Bi-Partisan Privacy Caucus, we believe this new business practice raises serious privacy concerns and is unacceptable. We are also very concerned about the extent of this practice by websites as well as the impact supercookies have on consumers. Furthermore, we believe the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for the misuse of personal information, and provides another way for consumers to be tracked online. In an effort to protect consumers, we are interested in any actions the Federal Trade Commission (FTC) has taken or plans to take to investigate the usage and impact of supercookies on the Internet and consumers. We believe that an investigation of the usage of supercookies would fall within the FTC’s mandate as stipulated in Section 5 of the Federal Trade Commission Act with respect to protecting Americans from ‘unfair and deceptive acts or practices.’”
What I'd really like to see is legislation that requires companies to fully disclose their tracking methods and the precise data collected, much like labels on food attempt to descibe what is in the packaging. Why? It's all about consumer trust.
- The tracking technologies (e.g., hardware and software) currently used,
- The names of all affiliate companies and business partners they do business with for #1,
- The services, products, software, and consumer dinformation exchanged in #2,
- The length of time the data collected in #3 is archived,
- The anonymization process used, and verified by an independent third-party, and
- A large, easy-to-find and easy-to-understand opt-in button, because the program only includes consumers who choose to opt-in or register.