Researchers Expose Cunning Online Tracking Service That Can’t Be Dodged



ktlight
1st August 2011, 10:07
FYI:
http://www.wired.com/images_blogs/epicenter/2011/07/browser-cache-cookie.gif


Researchers at U.C. Berkeley have discovered that some of the net’s most popular sites are using a tracking service that can’t be evaded — even when users block cookies, turn off storage in Flash, or use browsers’ “incognito” functions.

The service, called KISSmetrics, is used by sites to track the number of visitors, what the visitors do on the site, and where they come to the site from — and the company says it does a more comprehensive job than its competitors such as Google Analytics.

But the researchers say the site is using sneaky techniques to prevent users from opting out of being tracked on popular sites, including the TV streaming site Hulu.com.

The discovery of KISSmetrics tracking techniques comes as federal regulators, browser makers, privacy activists and ad tracking companies are trying to define what tracking actually is. The FTC called on browser makers to add a “Do Not Track” setting that essentially lets users tell websites not to leave them alone — though it doesn’t block tracking on its own. It’s more like a “privacy, please” sign on a hotel door. One of the big questions surrounding Do Not Track is about web analytics software, which sites use to determine what’s popular on their site, how many unique visitors a site has a month, where users are coming from, and what pages they leave from.

In response to inquiries from Wired.com, Hulu cut ties with KISSmetrics on Friday.

UPDATE 5:00 PM Friday: Spotify, another KISSmetrics customer named in the report, said that it was concerned by the story:

“We take the privacy of our users incredibly seriously and are concerned by this report,” a spokeswoman said by e-mail. “As a result, we have taken immediate action in suspending our use of KISSmetrics whilst the situation is investigated.” /UPDATE

“Hulu has suspended our use of KISSmetrics’ services pending further investigation,” a spokeswoman told Wired.com. “Hulu takes our users’ privacy very seriously. We have no further comment at this time.”

KISSmetrics is a 17-person start-up founded in 2008 and based in the San Francisco Bay Area. Founder Hitten Shah confirmed that the research was correct, but told Wired.com Friday morning that there was nothing illegal about the techniques it was using.

“We don’t do it for malicious reasons. We don’t do it for tracking people across the web,” Shah said. “I would be having lawyers talk to you if we were doing anything malicious.”

Shah says KISSmetrics is used by thousands of sites to track incoming users, and it does not sell or buy data about those visitors, according to Shah. After this story was published, the company tweeted a link that explains how its tracking works.

So if a user came to Hulu.com from an ad on Facebook, and then later, using a different browser on the same computer, visited Hulu.com from Google, and then at some point signed up for the premium service, KISSmetrics would be able to tell Hulu all about that user’s path to purchase (without knowing who that person was). That tracking trail would remain in place even if a user deleted her cookies, due to code that stores the unique ID in places other than in a traditional cookie.

The research was published Friday by a team of UC Berkeley privacy researchers that includes veteran privacy lawyer Chris Hoofnagle and noted privacy researcher Ashkan Soltani.

“The stuff works even if you have all cookies blocked and private-browsing mode enabled,” Soltani said. “The code itself is pretty damning.”

The researchers were reprising a study from 2009 which discovered that some of the net’s biggest sites were using technology from online ad tracking firms Clearspring and Quantcast to re-create users’ cookies after users deleted them. The technique involved using a little known property of Flash to hold onto unique ID numbers. Then, if a user deleted her cookies, the companies would check in the secondary stash for the user ID, and use it to resurrect the traditional HTML cookies.

That finding led to inquiries from regulators and a class action lawsuit alleging that websites and the tracking companies were unfairly monitoring users. That suit was settled for $2.4 million in cash and a promise by Clearspring and Quantcast not to use that method again.

One of the sites named in that suit was Hulu, but its part of the settlement only required that the company tell users if it was using Flash to store cookies and provide a link in the policy that would show users how to turn off Flash data storage. However with KISSmetrics running, even knowing how to do that wouldn’t have saved a user from persistent tracking.

source to read more
http://www.wired.com/epicenter/2011/07/undeletable-cookie/

Ilie Pandia
1st August 2011, 22:03
Researchers at U.C. Berkeley have discovered that some of the net’s most popular sites are using a tracking service that can’t be evaded — even when users block cookies, turn off storage in Flash, or use browsers’ “incognito” functions.

The service, called KISSmetrics, is used by sites to track the number of visitors, what the visitors do on the site, and where they come to the site from — and the company says it does a more comprehensive job than its competitors such as Google Analytics.


I'd really like to know how they are doing this :). I've spent some time on their API (http://support.kissmetrics.com/apis/common-methods) and I am not convinced the above claims are true.

As far as I can tell you need to be a registered user (not simply a visitor) for this KISS thing to work. And once you are a registered user, you have an ID permanently stored in a database somewhere, and linking some "behavior" information to that ID is nothing new or hard to do.

For the original claims to work the browser makers would have to lie about their privacy settings (and so would Adobe about its Flash plugin).

So if anyone understood how this works I'd be very interested to learn that myself.

Anno
1st August 2011, 22:49
[...]
So if anyone understood how this works I'd be very interested to learn that myself.

Email the guy and ask him. He's a self-styled 'Consultant' whose specialty is Privacy Lawsuits. http://ashkansoltani.org/ He is the source of that screen capture.

*puts his conspiracy hat on*

Ashkan Soltani

Askenazi

Sol = Sun

Soltan = Sultan

Ashkenazi Sultan.

Sounds nutty, but wait...
ashkAn--The founder of an Iranian dynasty

Link (http://www.persian.asia/files/persian-baby-names)
Last name origin & meaning: Soltani

Muslim: from the Arabic adjectival form Suḷtānī, meaning ‘pertaining to (or descended from) a sultan or someone called Sultan’.

Link (http://genealogy.familyeducation.com/surname-origin/soltani)

His email address is at the bottom of the page, you could email him and ask how it all works?

Ilie Pandia
2nd August 2011, 12:38
Ok,

I've sent the email, but in the meantime I think I've figured it out and I am now inclined to believe that it is actually possible to defeat the browser privacy settings using HTTP ETags (http://en.wikipedia.org/wiki/HTTP_ETag).

The browser makers should add an option to refuse storing that ETag and we should be good.

PS: On the same wiki page Tracking using ETags (http://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags) :)
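An added example (my own, not from this thread, KISSmetrics or the Berkeley researchers) that takes the defender's side of the ETag discussion above: it audits a constructed log of HTTP exchanges for the two tell-tale signs of ETag-based tracking (a different validator handed to every client for the same URL, and a conditional request answered with a full 200 that repeats the stored value instead of a 304), and shows the client-side mitigation Ilie suggests, dropping the cache validators before a request leaves the browser. All hostnames and tag values are made up.

```python
"""Audit captured HTTP exchanges for ETag-based tracking and scrub validators client-side."""
from collections import defaultdict

# Constructed sample: (client, url, request If-None-Match, status, response ETag).
SAMPLE_EXCHANGES = [
    # Ordinary caching: every client receives the same content-derived validator
    # and a conditional request is answered with 304 Not Modified.
    ("client-A", "https://example.test/logo.png", None, 200, '"a1b2c3"'),
    ("client-B", "https://example.test/logo.png", None, 200, '"a1b2c3"'),
    ("client-A", "https://example.test/logo.png", '"a1b2c3"', 304, None),
    # Tracking pattern: one URL, a distinct validator per client, and the server
    # answers the conditional request with 200 while echoing the stored value.
    ("client-A", "https://tracker.test/i.js", None, 200, '"8f3e9c2b1d4a"'),
    ("client-B", "https://tracker.test/i.js", None, 200, '"0c7d5e6f9a1b"'),
    ("client-A", "https://tracker.test/i.js", '"8f3e9c2b1d4a"', 200, '"8f3e9c2b1d4a"'),
]


def audit_etags(exchanges):
    """Return {url: set of reasons} for URLs whose ETag use looks like client tracking."""
    per_url = defaultdict(lambda: defaultdict(set))  # url -> client -> {etags seen}
    findings = defaultdict(set)
    for client, url, if_none_match, status, etag in exchanges:
        if etag:
            per_url[url][client].add(etag)
        # A validator sent back with a full 200 (not 304) is being read as an
        # identifier, not used to save bandwidth.
        if if_none_match and status == 200 and etag == if_none_match:
            findings[url].add("conditional-request-echoed-with-200")
    for url, clients in per_url.items():
        if len(clients) < 2:
            continue
        all_tags = set().union(*clients.values())
        # No tag shared between any two clients: the ETag is a per-client ID,
        # not a hash of the resource content.
        if sum(len(tags) for tags in clients.values()) == len(all_tags):
            findings[url].add("etag-differs-per-client")
    return dict(findings)


def scrub_conditional_headers(headers):
    """Client-side mitigation: drop cache validators so a stored ID never returns to the server."""
    blocked = {"if-none-match", "if-modified-since"}
    return {k: v for k, v in headers.items() if k.lower() not in blocked}


if __name__ == "__main__":
    for url, reasons in audit_etags(SAMPLE_EXCHANGES).items():
        print(url, sorted(reasons))
```

The trade-off of the scrub is that the browser forfeits 304 responses for that origin, which is the same price paid for disabling the HTTP cache in private mode.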

ulli
2nd August 2011, 12:40
Ok,

I've sent the email, but in the meantime I think I've figured it out and I am now inclined to believe that it is actually possible to defeat the browser privacy settings using HTTP ETags (http://en.wikipedia.org/wiki/HTTP_ETag).

The browser makers should add an option to refuse storing that ETag and we should be good.

PS: On the same wiki page Tracking using ETags (http://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags) :)

I KNEW you would figure that one out, genius boy Ilie.
Well done.

Ilie Pandia
2nd August 2011, 12:59
Mozilla Firefox knows about this since 2004 :)

If you have accounts on Bug Tracker please vote for these two so they get handled:

- Etags can be used to breach privacy bug: https://bugzilla.mozilla.org/show_bug.cgi?id=231852 (has only 2 votes until now)
- Prevent obnoxiously persistent cookies: https://bugzilla.mozilla.org/show_bug.cgi?id=598925 (has 10 votes until now)

Lifebringer
2nd August 2011, 13:29
They are probably owned by the security systems who want you to buy bug or virus protection, but they know they devise another one to override the last one, and then sell a "new" version of protection from the same nasty bug, under a different name. INFJ, that's how I know. I'm addicted to knowledge, and my "intuition and psychic work together".

JoshERTW
2nd August 2011, 17:30
KISS = Kissenger?

Anno
2nd August 2011, 17:39
KISS = Kissenger?

I was thinking Keep It Simple Stupid, one of the mantras of the military/intelligence communities.