'Zombie cookies' won't die: Microsoft admits use, HTML5 looms as new vector
Despite lawsuits, bad publicity, and Adobe's promise to end their use in Flash, zombie cookies persist and could find a new host in HTML5
Follow @woodyleonhard
One year ago this week, I wrote about zombie cookies, describing how Disney, MySpace, and NBC Universal had just been sued for using zombie cookies to track people even if they have gone to great lengths to disable, block, or delete cookies. Seven months ago, I mentioned that Adobe had taken up the pitchfork and vowed to make Flash zombie cookies a thing of the past.
So it's pretty shocking that Jonathan Mayer, a Stanford researcher, caught Microsoft using both a cache-based zombie cookie and a more advanced type of persistent "supercookie" to track folks even if they blocked or deleted browser cookies. Microsoft surreptitiously tracked users who had the temerity to visit MSN.com (in the United States, Canada, and Spain), the U.S. English home page of www.microsoft.com, or the Microsoft Store.
Perhaps even scarier as HTML5 gains traction: its local storage is a great feature, but one wide open to abuse for things like zombie cookies. And Internet Explorer's InPrivate Browsing, Firefox's Private Browsing, and Chrome's Incognito browsing modes won't protect you from the ETag form of zombie cookies or from HTML5-based zombies.
The controversy over zombie cookies continues to play out in the courts as well. Hulu and Web-tracking company Kissmetrics were sued last month (PDF) for using the ETags technique in a zombie redux uncovered by University of California at Berkeley researchers, according to Jennifer Granick at ZwillGen. That case came despite the legal warning issued last year, when Clearspring and Quantcast, the primary defendants in the first zombie cookie class-action lawsuit, settled last December and paid $2.4 million for their transgressions.










