This story appeared on Network World at http://www

This story appeared on Network World at http://www.networkworld.com/columnists/2006/051506bradner.html

Are Microsoft's cookies super?

'Net Insider By Scott Bradner, Network World, 05/15/06

On May 2, six years to the day after Microsoft filed its application, the U.S. Patent and Trademark Office granted the company patent No. 7,039,699, "Tracking usage behavior in computer systems."

Some wags dubbed the technology "super cookie." They call it that even though Microsoft limited the patent in some specific ways (probably to persuade the patent office to grant it).

It flies in the face of IETF guidance on valid cookie use and provides information that is generally redundant with what Web companies can do already.

At first read, the patent (to view the text, plug the number above into this link) does not offer much that's new, even if you take into account the 2000 filing date. You would learn much of what the patent describes in a Cookies 101 class. Most of its concepts also are described in "HTTP State Management Mechanism," RFC 2109, from February 1997 and its update, RFC 2965, from October 2000. (I'm not sure why these RFCs are not referenced by the Microsoft patent; they are clearly relevant, and Microsoft does know about the IETF and RFCs.)

To issue the patent, the USPTO had to have concluded the technology was new and not obvious to a person skilled in the art of cookies in May 2000.

There is one puzzling restriction in the patent's claims that might hold a clue as to why the USPTO reached that conclusion (it would take a careful reading of the patent office's file history to be sure). For example, the patent's first claim is limited to the case in which there is a "first computer system having a first domain name and at least one other computer system having a second domain name that is different from said first domain name and wherein at least a portion of the first and second domain names are identical." The other main claims have similar restrictions.

Note the first claim does not say what part has to be identical; maybe it could be ".com," in which case this would not be that much of a restriction.

The patent talks about all the marvy things that could be done with information from cookies, including targeted advertising, special display formats, special offers, unique services and creating a "psychographic profile" of the user. Just what I was missing - Microsoft creating a psychographic profile of me when I visit its Web site to get a patch for Word.

The body of the patent talks about creating a "domain-level cookie" for MSN's Web site that could be used by every MSN online service to record or find out what a user did on other MSN sites. The patent says, "Reading from the domain cookie would be equivalent to checking what the user did elsewhere on MSN.com."

I can see how it would be useful for an MSN online travel service to know I just bought an expensive camera from an MSN online camera store so the travel site could point me to expensive resorts rather than Motel 6. But a use like this violates the spirit, if not the letter of RFC 2964, "Use of HTTP State Management," the IETF's statement of best practices for the use of cookies.

In the end, I don't think this patent amounts to much, because I expect MSN's online sites are exchanging far more information already about their users than their users expect and are doing so without using the technology in this patent. I expect Microsoft is not alone in doing this, which is why I have set Firefox to wipe out all cookies, other than a select few, every time I exit the browser.

Disclaimer: Harvard, like other universities, is subject to federal rules about sharing student information. Too bad there are not similar federal rules for nonstudents. But the university has no opinion about this patent: