Microsoft quietly shadows Web surfers across MSN sites

Days after acknowledging a privacy problem with its browser, Microsoft says its privacy policy does not say how it identifies people who travel across its network of Web sites.

Paul Festa Staff Writer, CNET News.com
Days after acknowledging a privacy problem with its Internet Explorer browser, Microsoft said today that it does not disclose how it identifies people who travel across its network of Web sites.

A complaint that Microsoft was tracking Web surfers across its multiple properties raised the privacy bugaboo of the moment: the ability of companies to uniquely identify people as they traverse domains.

In response to an advisory posted by PCHelp, a Washington state Internet technology consultancy, Microsoft said it redirects its various Web properties' visitors to a single server that assigns them a unique identifier. That identifier, an "MSID," lets Microsoft chart a single person's visits and activities over the company's Web sites, which include MSN.com and dozens of affiliated sites like Hotmail, CarPoint, Expedia, bCentral and LinkExchange.

Microsoft said its method of identifying surfers across various sites is not addressed in its privacy policy, but that a version in progress will explain the practice. That new privacy policy is due at the beginning of October.

Analysts and advocates were divided on whether Microsoft's cross-domain identification constituted a privacy violation.

Some maintained that in identifying visitors across its various properties, Microsoft is doing essentially the same thing as other portals that share information between sites but address those sites under the same domain. Yahoo, for instance, lets visitors to its My Yahoo page (my.yahoo.com) know whether they have mail in their Yahoo Mail (mail.yahoo.com) accounts; both sites are addressed under the "yahoo.com" domain.

But others said that because Microsoft's Web properties constituted so many differently named and branded sites, the company should be held to a different standard in sharing information and uniquely identifying its visitors.

"Microsoft obviously has a lot of different Web site properties and active investments in different Web companies and provides a wide range of products," said Andrew Shen, analyst for the Electronic Privacy Information Center (EPIC). "Instead of playing these technical games, you have to imagine what a reasonably intelligent consumer will expect. If I want to buy a plane ticket on Expedia, I think I'm providing information to Expedia. But if I want to send email on Hotmail, that's a different entity to me."

Expedia, served under the "expedia.com" domain, is a travel site Microsoft spun off in September 1999. It is still affiliated with MSN. Hotmail is a Web-based email provider Microsoft acquired in January 1998 that it maintains under the MSN brand and serves under the "passport.com" domain.

"As a business philosophy we're integrating our sites more and more so users can move throughout the network more easily," said Diane McDade, privacy product manager for MSN. "It's clear to users in our network that they're in it and that the sites work together. I think users have an expectation when they see that identical header and footer that they're in MSN."

Microsoft last month patched its Internet Explorer browser to give people more information about and control over the types of cookies Web sites were attempting to place on their computers. The complaint that spurred that repair had to do with third-party cookies that worked across different domains.

Cookies are files that let Web sites identify visitors on subsequent visits and store information about them.

Most Web surfers permit Web sites to place cookies on their computers to take advantage of shopping carts, Web-based email and other applications that depend on the technology.

Privacy advocates don't disparage the use of cookies in general, but when third-party Web sites, such as advertisers, start handing out unique identifiers that track computers from site to site, those advocates cry foul.

Microsoft confirmed that the IE patch does not detect its own cross-domain cookies, so visitors are not warned when the cookies are placed.

"Cookies ordinarily don't get sent back to any but the originating domain," PCHelp wrote in its advisory. "This mechanism of redirects allows cookie data to be carried invisibly from one domain to another, and for matching cookies to be created. It is a very clever technique.

"An important aspect of this is its invisibility. Any ordinary Web browser follows the trail it's forced to follow by the redirections, displaying nothing, while the user is none the wiser."
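An added example (not from the article or from PCHelp's advisory) of how an auditor could spot the pattern described above in a recorded redirect chain: it flags any value that ends up stored as a cookie by two or more different sites. The hostnames, the `UID` cookie name, the identifier value and the two-label site heuristic are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

MIN_ID_LEN = 8  # assumption: shorter values are unlikely to be unique identifiers

def site(host):
    """Approximate the registrable domain as the last two labels (assumption;
    production code should consult the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])

def find_cookie_sync(hops):
    """Return {value: {"cookie_sites": [...], "url_sites": [...]}} for every
    value stored as a cookie by two or more different sites in one chain."""
    cookie_sites, url_sites = {}, {}
    for hop in hops:
        parts = urlsplit(hop["url"])
        here = site(parts.hostname)
        # Values arriving in the request URL: this is how a redirect
        # carries an identifier from one domain to the next.
        for _, value in parse_qsl(parts.query):
            if len(value) >= MIN_ID_LEN:
                url_sites.setdefault(value, set()).add(here)
        # Values the responding server asks the browser to store.
        for header in hop.get("set_cookie", []):
            jar = SimpleCookie()
            jar.load(header)
            for morsel in jar.values():
                if len(morsel.value) >= MIN_ID_LEN:
                    cookie_sites.setdefault(morsel.value, set()).add(here)
    return {v: {"cookie_sites": sorted(s),
                "url_sites": sorted(url_sites.get(v, ()))}
            for v, s in cookie_sites.items() if len(s) >= 2}

# Constructed redirect chain: each entry is one request the browser made,
# with the Set-Cookie headers of its response. All values are made up.
SAMPLE_CHAIN = [
    {"url": "http://www.site-a.example/"},
    {"url": "http://id.central.example/assign?ru=http%3A%2F%2Fwww.site-a.example%2F",
     "set_cookie": ["UID=4f2a9c1e77b0d3a6; Path=/"]},
    {"url": "http://www.site-a.example/?uid=4f2a9c1e77b0d3a6",
     "set_cookie": ["UID=4f2a9c1e77b0d3a6; Path=/"]},
]

if __name__ == "__main__":
    print(find_cookie_sync(SAMPLE_CHAIN))
```

A value reported with a non-empty `url_sites` list was both handed over in a redirect URL and then stored as a matching cookie, which is the invisible hand-off the advisory describes.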

Microsoft earlier in the week acknowledged that IE could thwart the efforts of Web surfers who took precautions to surf anonymously.