Data Breach Affects 4.9 Million Active And Retired Military Personnel And Their Families
Former Countrywide Financial Analyst Sentenced to 18 Months of Prison And Ordered To Repay $1.8 Million

Congressional Representatives Ask FTC To Investigate Companies Online Tracking Practice With "Supercookies"

On September 27, Congressional representatives Joe Barton (R-Texas) and Edward J. Markey (D-Mass.), Co-Chairmen of the House Bi-Partisan Privacy Caucus, sent a letter to the U.S. Federal Trade Commission (FTC) asking the agency to investigate “supercookies,” files that can be installed on consumers' computers without their knowledge or consent. Websites use supercookies to collect detailed personal information about consumers and to track consumers' online usage across the Internet.

Supercookies represent the latest effort in the Internet technology race for companies to track consumers' online behaviors versus consumers' need for privacy. First there were browser cookies, which were fairly simple text files websites used to recognize whether or user had visited that website before -- without requiring the user to identify their self.

As consumer awareness increased about the tracking and privacy issues with web browser cookies, some companies began to use the Flash cookies, with the Flash technology, to track and store consumer information data, since most consumers have the Flash plugin installed with their web browsers. As consumers supported "do not track" legislation and began using "do not track" options with their web browsers to delete standard browser cookies, some companies began using "zombie cookies"-- a tracking method to both save tracking information within other folders on consumers' computers and to continually regenerate standard web browser cookies deleted by consumers.

Most recently, some companies began using "zombie e-tags." The term "supercookies" seems to be a catch-all term for both covert tracking approaches: "zombie cookies" and "zombie e-tags." According to PrivateWiFi:

"... supercookie files can store more information than a normal cookie and can sometimes be stored in different places than regular cookies, such as a file used by a plugin (such as Flash), which makes them harder to identify and remove. In addition, some supercookies have the capability of regenerating regular cookies to prevent their removal. Supercookies track things differently from ordinary cookies. A normal cookie can be written, read and ultimately removed by the website that created it. However, the supercookie operates much more stealthily by tracking and recording user behavior across multiple sites. It’s ethically questionable that a website should be able to record a user’s actions beyond its borders. Websites that have been found to use supercookies include,, and"

The ethics is definitely an issue. Is it ethical for a website, like or, to track consumers' usage beyond their websites and across the entire Internet? Perhaps, it is okay if the website policies are transparent, provide legible notice, and gain consumers' opt-in consent first. So, the letter by Barton and Markey is very timely and appropriate. Their September 26 letter read in part:

"As C-Chairs of the Congressional Bi-Partisan Privacy Caucus, we believe this new business practice raises serious privacy concerns and is unacceptable. We are also very concerned about the extent of this practice by websites as well as the impact supercookies have on consumers. Furthermore, we believe the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for the misuse of personal information, and provides another way for consumers to be tracked online. In an effort to protect consumers, we are interested in any actions the Federal Trade Commission (FTC) has taken or plans to take to investigate the usage and impact of supercookies on the Internet and consumers. We believe that an investigation of the usage of supercookies would fall within the FTC’s mandate as stipulated in Section 5 of the Federal Trade Commission Act with respect to protecting Americans from ‘unfair and deceptive acts or practices.’”

Read the full text of the letter by Barton and Markey (PDF).

What I'd really like to see is legislation that requires companies to fully disclose their tracking methods and the precise data collected, much like labels on food attempt to descibe what is in the packaging. Why? It's all about consumer trust.

Similar to food, ingredients will change. For the Internet, tracking technologies will change. And change quickly, too. Yesterday's browser cookies morphed into "zombie cookies" and "super cookies," which has morphed again into "zombie e-tags." So, the companies' website terms-of-use and privacy policy should explain in simple English:

  1. The tracking technologies (e.g., hardware and software) currently used,
  2. The names of all affiliate companies and business partners they do business with for #1,
  3. The services, products, software, and consumer dinformation exchanged in #2,
  4. The length of time the data collected in #3 is archived,
  5. The anonymization process used, and verified by an independent third-party, and
  6. A large, easy-to-find and easy-to-understand opt-in button, because the program only includes consumers who choose to opt-in or register.


Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.