When Stanford University computer science researcher Jonathan Mayer discovered last year that Microsoft’s MSN.com, Flixster.com, and other top Websites were
circumventing traditional cookie-centric privacy protections via untraditional tracking technologies, it was an eye-opener to the business sector.
Persistent tracking raises at least two challenges for enterprise IT: First, it may require preventive countermeasures to keep other firms from mining your users’ activity. Second, it may require you to keep a closer eye on your monetization partners for the subtle signs of abusive behavior.
Looking at the first issue, consider that consumer privacy may be a valuable commodity, but in the wrong hands, corporate secrets can lead to millions of dollars in damages. That’s not to say a simple URL is a key to all your company’s secrets or that companies that track or whose partners track are really going to stoop to corporate espionage.
Still, at the end of the day, the only sensible policy is risk mitigation; you don’t want someone monitoring your users’ Web history.
To defeat untraditional tracking technologies, it’s important to understand them. “Supercookies,” “evercookies,” or “zombie cookies” refer to a broad class of tracking technologies designed to circumvent the “same origin” policy -- which, according to Mayer, is the rule that “cookies can only be read and modified by the domain that set them.”
The bad news is that blocking all of these potentially retrievable technologies can be difficult to impossible without breaking certain Webpages.
For that reason, the following policies may be the best choice to adopt on sensitive machines:
- If possible from a manageability standpoint, use a modern browser that supports privacy-enhancing extensions, such as Firefox or Chrome.
- Disable the DOM (Document Object Model) storage in your browser settings. This stops the browser from storing client data.
- Set the cache clearing in your browser to the strictest possible setting.
Since IT can’t block everything, one valuable tactic is to identity obfuscation: Have employees, when possible, access the Internet via wireless modems on managed laptops or, alternatively, via mobile devices. When traffic is originating from an enterprise’s local gateways, it’s easy to identify the user, and in theory it’s easier to use persistent tracking to perform some sort of cyberespionage. The more page requests that are routed through semi-anonymous wireless infrastructure, the harder it will be to perform such concerted malfeasance.
It is also worth mentioning the flip side of the tracking coin -- being on guard for content monetization partners pushing such technologies on your domains. After all, Microsoft, Flixster-owner Time Warner, and others all claim that the persistent tracking they were accused of was accidental.
Most large companies have a variety of content monetization partners for their domains. While it can be tough to keep track of what they’re putting on a firm’s pages, it’s important to inform them of expectations up front and in writing. If you don’t support violating users’ trust by overriding their privacy settings, tell your partners you want to stick with traditional cookies and you don’t want to adopt other more questionable tracking schemes.
Lastly, be clear to your end users who your monetization partners are and what their expectation of privacy on your site(s) is. The more transparent your policies, the more goodwill you’ll generate. And that means that if a partner does violate your rules and your customer’s trust, the reputation damage will to a certain extent be mitigated.
— Jason Mick is senior news editor at the independent tech news site DailyTech.