KISSmetrics, Hulu Sued Over New Tracking Technology
Two major Web companies, Hulu and Spotify, suspended use of KISSmetrics' analytics service after it emerged late last week that the company was using "ETag" technology to track users even when they delete their cookies.
In addition, two consumers filed a potential class-action privacy lawsuit against KISSmetrics and Hulu on Friday, alleging violations of federal law and California state law.
The controversy about KISSmetrics' tracking methods erupted late Friday, when researchers from UC Berkeley published a report stating that the company was using ETags to track people regardless of steps they had taken to protect their privacy.
KISSMetrics used ETags to store information in users' browser caches. When those users deleted their cookies, they could be recreated with the ETag information. The report says the only way for users to block the tracking is to clear their browser caches between each Web site visit.
"To our knowledge, this is the first demonstration of this ETag tracking 'in the wild,'" the report states. "ETag tracking and respawning is particularly problematic because the technique generates unique tracking values even where the consumer blocks HTTP, Flash, and HTML5 cookies."
The researchers reported that KISSmetrics' ETag tracking was used by sites including Hulu and Spotify. Both companies declined to comment beyond saying that they suspended their use of KISSmetrics' technology.
KISSMetrics has not responded to Online Media Daily's requests for comment, but the company reportedly said late last week that its technology is used by publishers to track people on their own sites, but isn't used to track people across more than one site.
But Ashkan Soltani, a privacy researcher who co-authored the report, says the technology also enables companies to compile profiles of users based on their activity across the Web. Here's how: KISSMetrics assigned persistent numbers to Web users across every site they visited. That means that someone identified as "User 123" at Hulu.com would also be "User 123" at Spotify. That system enabled Web sites to trade data with each other about the same users, Soltani says. It's not yet known whether the publisher sites that worked with KISSmetrics did so.
Attorney Scott Kamber, who represents the consumers, says that he believes KISSMetrics and its partners were using ETags to track users across multiple sites. "The allegations of the complaint makes clear that they had the ability to track across sites. We believe they exercised that ability."
Kamber also says his law firm has identified about 30 Web publishers that are using KISSmetrics for tracking.
ETags are just one of several new tracking technologies that can trail people online independently of HTTP cookies. Others include Flash cookies (which are stored in a different location than HTTP cookies) and "history-sniffing" (which relies on exploiting a vulnerability in browsers).
"We're seeing a bunch of techniques moving from theoretical to being used in practice," Soltani says. "The incentives are there."