The following text is copyright 2006 by Network World, permission is hereby
given for reproduction, as long as attribution is given and this notice is
included.
Are super cookies good for you?
By Scott Bradner
On May 2nd, 6 years to the day after the application was
filed, the US Patent and Trademark Office granted Microsoft Patent number
7,039,699 "Tracking usage behavior in computer systems." Some wags instantly
dubbed the technology "super cookie" even though the patent is
limited in some specific ways -- probably to convince the patent office to
grant it -- flies in the face of IETF guidance on valid cookie use, and provides
information that is generally redundant with what web companies can and do
already get and use.
At first read, the patent (plug the patent number into http://patft.uspto.gov/netahtml/PTO/srchnum.htm) does not
offer that much new, even if one takes the May 2, 2000 filing date into
account. One would learn much of
what is described in the patent in a 'cookies 101' class. Most of the concepts are also described
in RFC 2109 "HTTP State Management Mechanism" from Feb 1997
(http://www.ietf.org/rfc/rfc2109.txt) and its update RFC 2965 from October 2000
(http://www.ietf.org/rfc/rfc2965.txt). (Parenthetically, I'm not sure why these RFCs are not
referenced by the patent since they are clearly relevant and Microsoft does
know about the IETF and RFCs.)
But, to issue the patent,
the Patent Office had to have concluded that the technology was new and
unobvious to a person skilled in the art of cookies in May of 2000.
There is one puzzling restriction
in the claims that might hold a clue as to why the Patent Office concluded what
they did (it would take a careful reading of the file history from the Patent
Office to be sure). For example
claim 1 is limited to the case where there is a "first computer system
having a first domain name and at least one other computer system having a
second domain name that is different from said first domain name and wherein at
least a portion of the first and second domain names are identical." The other main claims have similar
restrictions. Note that the claim
does not say what part has to be identical; maybe it could be ".com",
in which case this would not be all that much of a restriction.
The patent talks about all the
marvy things that could be done with information from cookies including
targeted advertising, special display formats, special offers, unique services,
and creating a "psychographic profile" of the user. Just what I was missing - Microsoft
creating a psychographic profile of me when I visit their web site to get a
patch for Word.
The body of the patent talks about
creating a "domain level cookie" for msn.com which could be used by all the msn.com services
to record or find out what a user did on other sites. The patent says "Reading from the domain cookie would
be equivalent to checking what the user did elsewhere on MSN.COM." I can see how it would be useful for an
msn.com travel service to know that I just bought an expensive camera from an
MSN.COM camera store so the travel site could point me to expensive resorts
rather than Motel 6, but a use like this violates the spirit, if not the letter,
of RFC 2964 "Use of HTTP State Management," (http://www.ietf.org/rfc/rfc2964.txt)
the IETF's Best Current Practices for use of cookies.
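The domain-level cookie described above, and the ".com" question raised about claim 1, can both be checked against the Domain rules of RFC 2109, which the column cites. This is an added example, not code from the column or the patent; the host names travel.msn.com, shop.msn.com and shop.example.com are hypothetical, all hosts are assumed to be fully qualified names rather than IP addresses, and only the Domain rules (not Path) are modelled.

```javascript
// RFC 2109 cookie Domain handling (sections 2 and 4.3.2).
// Host names are hypothetical; all hosts are assumed to be FQDNs, not IPs.

// "domain-match": host equals domain, or domain starts with a dot and
// host ends with it after a non-empty prefix.
function domainMatch(host, domain) {
  const a = host.toLowerCase();
  const b = domain.toLowerCase();
  if (a === b) return true;
  return b.startsWith(".") && a.length > b.length && a.endsWith(b);
}

// Decide whether a client applying section 4.3.2 accepts a Set-Cookie
// carrying this Domain attribute from this request-host.
function acceptCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const d = domainAttr.toLowerCase();
  if (!d.startsWith(".")) return { ok: false, reason: "no leading dot" };
  if (!d.slice(1, -1).includes(".")) return { ok: false, reason: "no embedded dot" };
  if (!domainMatch(host, d)) return { ok: false, reason: "host does not domain-match" };
  // The request-host has the form H + D; H may not itself contain a dot.
  const h = host.slice(0, host.length - d.length);
  if (h.includes(".")) return { ok: false, reason: "prefix contains a dot" };
  return { ok: true, reason: "accepted" };
}

// Hosts that would be sent the cookie on later requests ([] if it was rejected).
function recipients(setterHost, domainAttr, hosts) {
  if (!acceptCookie(setterHost, domainAttr).ok) return [];
  return hosts.filter((h) => domainMatch(h, domainAttr));
}

// Constructed sample: one setter, three candidate Domain attributes.
const sites = ["shop.msn.com", "travel.msn.com", "shop.example.com"];
for (const attr of [".msn.com", ".com", "msn.com"]) {
  const verdict = acceptCookie("travel.msn.com", attr);
  console.log(attr, verdict.reason, recipients("travel.msn.com", attr, sites));
}
```

Under these rules a client refuses a cookie whose Domain is ".com", while ".msn.com" is accepted and returned to every host under msn.com.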
In the end, I don't think this
patent amounts to much because I expect that MSN.COM sites are already
exchanging far more information about their users than their users expect to be
shared, and doing so without using the technology in this patent. And I expect Microsoft is not alone in
doing this, which is why I have set Firefox to wipe out all cookies, other than
a select few, every time I exit the browser.
disclaimer: Harvard, like other universities, is
subject to US federal rules about sharing student information -- too bad there
are not similar federal rules for non-students -- but the university has no opinion on this patent -- the
above is just my own 2 cents worth.