Researchers at U.C. Berkeley have discovered that some of the net’s most popular sites are using a tracking service that can’t be evaded — even when users block cookies, turn off storage in Flash, or use browsers’ “incognito” functions.
Researchers Expose Cunning Online Tracking Service That Can’t Be Dodged
- By Ryan Singel
The discovery of KISSmetrics tracking techniques comes as federal regulators, browser makers, privacy activists and ad tracking companies are trying to define what tracking actually is. The FTC called on browser makers to add a “Do Not Track” setting that essentially lets users tell websites not to leave them alone — though it doesn’t block tracking on its own. It’s more like a “privacy, please” sign on a hotel door. One of the big questions surrounding Do Not Track is about web analytics software, which sites use to determine what’s popular on their site, how many unique visitors a site has a month, where users are coming from, and what pages they leave from.
UPDATE 5:00 PM Friday: Spotify, another KISSmetrics customer named in the report, said that it was concerned by the story:
“We take the privacy of our users incredibly seriously and are concerned by this report,” a spokeswoman said by e-mail. “As a result, we have taken immediate action in suspending our use of KISSmetrics whilst the situation is investigated.” /UPDATE
“Hulu has suspended our use of KISSmetrics’ services pending further investigation,” a spokeswoman told Wired.com. “Hulu takes our users’ privacy very seriously. We have no further comment at this time.”
KISSmetrics is a 17-person start-up founded in 2008 and based in the San Francisco Bay Area. Founder Hitten Shah confirmed that the research was correct, but told Wired.com Friday morning that there was nothing illegal about the techniques it was using.
“We don’t do it for malicious reasons. We don’t do it for tracking people across the web,” Shah said. “I would be having lawyers talk to you if we were doing anything malicious.”
“This is yet another example of the continued arms-race that consumers are engaged in when trying to protect their privacy online since advertisers are incentivized to come up with more pervasive tracking mechanisms unless there’s policy restrictions to prevent it.”
In this screenshot provided by U.C. Berkeley’s Chris Hoofnagle, the IDs numbers for all three cookies are exactly the same.
So that makes it possible, the researchers say, for any two sites using KISSmetrics to compare their databases, and ask things like “Hey, what do you know about user 345627?” and the other site could say “his name is John Smith and his email address is firstname.lastname@example.org and he likes these kinds of things.”
The research also found that many top websites have adopted new ways to track users using HTML5 and that Google tracking cookies are present on 97 of the top sites, including government sites such as IRS.gov.