Despite all the attention they've received in the debates around online privacy, cookies are far from the only way to track a user. Broadly speaking, a website can either stash a unique identifier anyplace in the browser ("tagging")1 or explore features of the browser until it becomes unique ("fingerprinting").2 Tracking technologies that do not rely on cookies are often referred to as "supercookies," and they are widely viewed as unsavory in the computer security community because they continue tracking even when a user clears her cookies to preserve privacy. Sometimes a site will use a supercookie to "respawn" its original identifier cookie, creating a "zombie cookie" — the basis of several lawsuits.
In one of our recent FourthParty web measurement crawls we included a cookie clearing step to emulate a user's privacy choice. We observed that after clearing the browser's cookies an identifier cookie (named "MUID" for "machine unique identifier") respawned on live.com, a Microsoft domain. We dug into Microsoft's cross-domain cookie syncing code and discovered two independent supercookie mechanisms, one of which was respawning cookies. We contacted Microsoft with our observations, and we have collaborated to assist in rectifying the issues we uncovered. Here is what we know.
Thanks, once again, to Jovanni Hernandez and Akshay Jagadeesh for their indispensable research assistance. Read more about Tracking the Trackers: Microsoft Advertising