KISSmetrics, Hulu Sued Over New Tracking Technology


Two major Web companies, Hulu and Spotify, suspended use of KISSmetrics' analytics service after it emerged late last week that the company was using "ETag" technology to track users even when they delete their cookies.

In addition, two consumers filed a potential class-action privacy lawsuit against KISSmetrics and Hulu on Friday, alleging violations of federal law and California state law. 

KISSmetrics revised its privacy policy this weekend. The new policy indicates that the company changed its practices and is no longer tracking users who delete their cookies or otherwise indicate that they don't want to be tracked. 

The controversy about KISSmetrics' tracking methods erupted late Friday, when researchers from UC Berkeley published a report stating that the company was using ETags to track people regardless of steps they had taken to protect their privacy.

KISSmetrics used ETags to store information in users' browser caches. When those users deleted their cookies, the cookies could be recreated from the ETag information. The report says the only way for users to block the tracking is to clear their browser caches between each Web site visit.
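The respawning described above can be checked for in a captured browsing trace. The following is an added example, not code from the Berkeley report or from KISSmetrics: it flags cookie values that return after cookies were cleared, on a host where the browser had just revalidated a cached ETag with the standard If-None-Match request header. The capture format, host names, cookie values and function names are constructed for illustration.

```python
# Constructed capture: (session, host, request headers), in the order sent.
# Cookies were cleared between session 1 and 2; the browser cache was kept.
CAPTURE = [
    (1, "analytics.example", {}),
    (1, "analytics.example", {"Cookie": "uid=u-123"}),
    (1, "cdn.example", {"Cookie": "sid=a1"}),
    (2, "analytics.example", {"If-None-Match": '"u-123"'}),
    (2, "analytics.example", {"Cookie": "uid=u-123"}),
    (2, "cdn.example", {"If-None-Match": '"v42"'}),
    (2, "cdn.example", {"Cookie": "sid=b7"}),
]


def cookie_values(headers):
    """Return the set of cookie values in a request's Cookie header."""
    pairs = headers.get("Cookie", "").split(";")
    return {p.split("=", 1)[1].strip() for p in pairs if "=" in p}


def find_respawned(capture):
    """Return (host, value, id_in_etag) for each cookie value that comes back
    in a later session after a cookieless request that revalidated a cached
    ETag (If-None-Match) on the same host."""
    first_seen = {}    # (host, cookie value) -> session it first appeared in
    revalidated = {}   # (host, session) -> ETag sent while no cookie was set
    findings = []
    for session, host, req in sorted(capture, key=lambda r: r[0]):
        values = cookie_values(req)
        etag = req.get("If-None-Match")
        if etag and not values:
            revalidated[(host, session)] = etag
        for value in sorted(values):
            origin = first_seen.setdefault((host, value), session)
            etag_sent = revalidated.get((host, session))
            if origin < session and etag_sent:
                finding = (host, value, value in etag_sent)
                if finding not in findings:
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for host, value, in_etag in find_respawned(CAPTURE):
        print(f"{host}: cookie value {value!r} respawned; "
              f"identifier visible in ETag: {in_etag}")
```

The second host in the sample also revalidates a cached ETag but receives a fresh cookie value afterwards, so it is not flagged: ordinary cache validation alone is not evidence of respawning.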

"To our knowledge, this is the first demonstration of this ETag tracking 'in the wild,'" the report states. "ETag tracking and respawning is particularly problematic because the technique generates unique tracking values even where the consumer blocks HTTP, Flash, and HTML5 cookies."

The researchers reported that KISSmetrics' ETag tracking was used by sites including Hulu and Spotify. Both companies declined to comment beyond saying that they suspended their use of KISSmetrics' technology. 

KISSmetrics has not responded to Online Media Daily's requests for comment. The company reportedly said late last week that publishers use its technology to track people on their own sites, not across more than one site.

But Ashkan Soltani, a privacy researcher who co-authored the report, says the technology also enables companies to compile profiles of users based on their activity across the Web. Here's how: KISSmetrics assigned persistent numbers to Web users across every site they visited. That means that someone identified as "User 123" at Hulu.com would also be "User 123" at Spotify. That system enabled Web sites to trade data with each other about the same users, Soltani says. It's not yet known whether the publisher sites that worked with KISSmetrics did so.

Before KISSmetrics revised its policies on Saturday, the company said on its Web site that users could avoid its tracking by installing the browser extension AdBlock Plus. KISSmetrics now says in its privacy policy that it will honor users' requests to opt out of tracking. 

Independent of the Berkeley report's publication, KISSmetrics and Hulu were sued on Friday by two consumers, Joseph Garvey and Stacey Tsan, who argue that the companies' tracking methods violate the federal Video Privacy Protection Act as well as California state laws. "While it is generally reasonable to expect a website to use cookies for tracking, Hulu and Kissmetrics created numerous, alternative, 'shadow' mechanisms for tracking," Garvey and Tsan allege in their lawsuit, filed Friday. "It is contrary to Internet standards, for privacy reasons, for two Web sites to share common identifiers," they add.

Attorney Scott Kamber, who represents the consumers, says that he believes KISSmetrics and its partners were using ETags to track users across multiple sites. "The allegations of the complaint make clear that they had the ability to track across sites. We believe they exercised that ability."

Kamber also says his law firm has identified about 30 Web publishers that are using KISSmetrics for tracking. 

ETags are just one of several new tracking technologies that can trail people online independently of HTTP cookies. Others include Flash cookies (which are stored in a different location than HTTP cookies) and "history-sniffing" (which relies on exploiting a vulnerability in browsers).

"We're seeing a bunch of techniques moving from theoretical to being used in practice," Soltani says. "The incentives are there."

2 comments about "KISSmetrics, Hulu Sued Over New Tracking Technology".
  1. Paula Lynn from Who Else Unlimited, August 2, 2011 at 8:36 a.m.

    More begging every day for Do Not Track regulation. Class action lawyers are drooling and cannot blame them. These companies have proven time and again they cannot be trusted.

  2. Tim Wilson from Resource Interactive, August 2, 2011 at 10:18 a.m.

    This is a much more nuanced issue than simply "good" vs. "nefarious." Personally, I think KISSmetrics showed a lack of good judgment in their effort to help sites *improve* the user experience. But, as politicians seem to be demonstrating with increasing frequency, lack of good judgment is enough to cause real PR and legal problems.

    The Web Analytics Association has taken a non-regulatory crack at self-monitoring through their development of the Web Analytics Code of Ethics (http://bit.ly/Code_of_Ethics). The intent there is to have individuals working in the analytics space put conscious thought into how, where, and when they are capturing behavioral data, and then elevating and informing their company and clients as soon as gray area is approached. Reaching out to John Lovett (@johnlovett) for more details would be a great way to get the WAA's perspective there.

    While there is certainly the potential for Evil when it comes to behavioral tracking -- especially cross-session and cross-site -- there is also tremendous benefit to consumers of being anonymously (and "anonymous" is a gray area in and of itself) tracked. Web site owners use that data to improve the user experience -- putting more relevant content in front of visitors and making paths to the content visitors are most interested in shorter, smoother, and easier for visitors to follow.

    This is a messy area. In addition to the WAA, the NRF is actively working to establish guidelines and find the appropriate balance between data capture and consumer concerns (and some level of consumer education is warranted as well...but that's a tough area to tackle).