RealTime IT News

EarthLink Debunks 'Super Cookie' Theory

EarthLink, Inc. Monday debunked reports that the nation's number-two ISP has hidden a "super cookie" in its customized Internet Explorer browser.

This weekend, participants in newsgroups operated by Gibson Research Corporation found what they thought was a unique tag in every User-Agent tagline, a piece of information sent by the Web browser every time a person types in a URL or clicks on a link for download. For EarthLink IE users, that tag begins with the string ELNSB50 followed by a 48-character combination of letters and numbers.

Many corporations and ISPs use Microsoft's Internet Explorer Administration Kit to customize the User Agent string in the browser's header, but according to an initial report from GRC president Steve Gibson, who is credited with helping to publicize privacy flaws in products from Real Networks and Radiate, among others, EarthLink's implementation was dangerously different. Gibson's early investigations suggested that EarthLink's token is unique for each browser user and created after the consumer installs the Web browser and connects with the default home page for EarthLink. There, he surmised, it was possible the member's user name and password could be matched with the 48-character string that stays with the user.

Les Seagraves, EarthLink's chief privacy officer, Monday reassured subscribers that the string is designed to transmit display information to its site about the member's computer settings, and is not a user ID or in any way used to track personal information.

"The information we have in the User-Agent section is browser information. Basically it gives your browser monitor settings so we can tailor our Web pages to the customer's settings," Seagraves said. "It's not unique information, it's not tied to any personally identifiable information and there's no way to tie it into a user's personal information.

"There could be thousands of people with the exact same number, based upon their settings being the same," Seagraves continued. "It doesn't have anything to do with who they are. We certainly don't want to do anything against our commitment to our member's privacy or violate our privacy statement."

Seagraves said that the EarthLink site has not incorporated the user settings into a tailored environment yet.

After speaking with EarthLink officials Monday, Gibson published a retraction at his site.

"I was wrong," Gibson told InternetNews today. "What they've said is completely plausible, and so it doesn't nearly look like the type of problem we had presumed," he said.

While users might not appreciate having their EarthLink Web browsers broadcasting internal data about their machines, this data would not be useful for Internet tracking and is probably not explicitly user-unique. Seagraves said the company is considering posting instructions at its site about how to remove the string.
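As an added example (not from the article, EarthLink or GRC), here is a Python check a site operator could run over their own access logs to weigh the two competing claims: if each ELNSB50 token is seen from only one client it behaves like a per-user identifier, while tokens shared by many clients fit EarthLink's display-settings explanation. The log lines and tokens are constructed; the regex assumes the "ELNSB50 plus 48 letters and digits" shape the article describes and tolerates a short separator as an assumption.

```python
import re
from collections import defaultdict

# Constructed tokens: "ELNSB50" followed by 48 letters/digits (no real EarthLink values).
TOKEN_A = "ELNSB50" + "0000811001" + "0" * 38         # shared by two clients below
TOKEN_B = "ELNSB50" + "0000811001" + "0" * 37 + "f"   # seen from a single client

# Assumption: up to two non-word characters may separate the prefix from the token.
TOKEN_RE = re.compile(r"ELNSB50\W{0,2}([A-Za-z0-9]{48})")

# Constructed Apache combined-format lines; client IPs are documentation addresses.
_UA = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98'
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [12/Feb/2001:10:00:01 -0500] "GET / HTTP/1.1" 200 512 "-" "{_UA}; {TOKEN_A})"',
    f'192.0.2.11 - - [12/Feb/2001:10:00:02 -0500] "GET / HTTP/1.1" 200 512 "-" "{_UA}; {TOKEN_A})"',
    f'192.0.2.12 - - [12/Feb/2001:10:00:03 -0500] "GET / HTTP/1.1" 200 512 "-" "{_UA}; {TOKEN_B})"',
    f'192.0.2.13 - - [12/Feb/2001:10:00:04 -0500] "GET / HTTP/1.1" 200 512 "-" "{_UA})"',
    f'192.0.2.10 - - [12/Feb/2001:10:00:05 -0500] "GET /news HTTP/1.1" 200 512 "-" "{_UA}; {TOKEN_A})"',
])


def extract_token(user_agent: str):
    """Return the 48-character part of the EarthLink token, or None if absent."""
    m = TOKEN_RE.search(user_agent)
    return m.group(1) if m else None


def parse_combined_log(text: str):
    """Yield (client_ip, user_agent) pairs; the User-Agent is the third quoted field."""
    for line in text.splitlines():
        quoted = line.split('"')
        if len(quoted) < 7:
            continue  # blank or malformed line: fewer than three quoted fields
        yield line.split(" ", 1)[0], quoted[5]


def token_clients(text: str):
    """Map each token to the set of client addresses that presented it."""
    clients = defaultdict(set)
    for ip, ua in parse_combined_log(text):
        token = extract_token(ua)
        if token:
            clients[token].add(ip)
    return dict(clients)


def assess_uniqueness(text: str):
    """Count tokens, tokens tied to one client, and the widest sharing of a token.
    Mostly single-client tokens means the value works as a tracking ID."""
    clients = token_clients(text)
    return {
        "tokens": len(clients),
        "single_client_tokens": sum(1 for ips in clients.values() if len(ips) == 1),
        "max_clients_per_token": max((len(ips) for ips in clients.values()), default=0),
    }


if __name__ == "__main__":
    print(assess_uniqueness(SAMPLE_LOG))
```

On a real log, a large "single_client_tokens" share relative to "tokens" is the signal worth escalating; a token repeated across many unrelated clients is not a per-user identifier.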

One of the first sightings of the super cookie came last year from the hacker information Web site attrition.org, which noted a strange string of characters after the ELNSB50 designator.

The tag sets the stage for a relatively easy computer script, which would look for the EarthLink designator and string. A query at any search engine nets thousands of returns.

But without the database to link the User-Agent string with the member's personal information, the information is relatively useless to Web advertisers, who are looking for specific user demographics.

The allegations Monday threatened to ravage EarthLink's new ad campaign, a multi-million dollar effort designed to bring in customers with its promise to provide a "totally anonymous Internet."

In its TV spots, the company says unknown parties are "compiling your information, invading your privacy. At EarthLink, we would never do that."