Two major Web companies, Hulu and Spotify, suspended use of KISSmetrics' analytics service after it emerged late last week that the company was using "ETag" technology to track users even when they delete their cookies.
In addition, two consumers filed a potential class-action privacy lawsuit against KISSmetrics and Hulu on Friday, alleging violations of federal law and California state law.
The controversy about KISSmetrics' tracking methods erupted late Friday, when researchers from UC Berkeley published a report stating that the company was using ETags to track people regardless of steps they had taken to protect their privacy.
KISSMetrics used ETags to store information in users' browser caches. When those users deleted their cookies, they could be recreated with the ETag information. The report says the only way for users to block the tracking is to clear their browser caches between each Web site visit.
"To our knowledge, this is the first demonstration of this ETag tracking 'in the wild,'" the report states. "ETag tracking and respawning is particularly problematic because the technique generates unique tracking values even where the consumer blocks HTTP, Flash, and HTML5 cookies."
The researchers reported that KISSmetrics' ETag tracking was used by sites including Hulu and Spotify. Both companies declined to comment beyond saying that they suspended their use of KISSmetrics' technology.
KISSMetrics has not responded to Online Media Daily's requests for comment, but the company reportedly said late last week that its technology is used by publishers to track people on their own sites, but isn't used to track people across more than one site.
But Ashkan Soltani, a privacy researcher who co-authored the report, says the technology also enables companies to compile profiles of users based on their activity across the Web. Here's how: KISSMetrics assigned persistent numbers to Web users across every site they visited. That means that someone identified as "User 123" at Hulu.com would also be "User 123" at Spotify. That system enabled Web sites to trade data with each other about the same users, Soltani says. It's not yet known whether the publisher sites that worked with KISSmetrics did so.
Attorney Scott Kamber, who represents the consumers, says that he believes KISSMetrics and its partners were using ETags to track users across multiple sites. "The allegations of the complaint makes clear that they had the ability to track across sites. We believe they exercised that ability."
Kamber also says his law firm has identified about 30 Web publishers that are using KISSmetrics for tracking.
ETags are just one of several new tracking technologies that can trail people online independently of HTTP cookies. Others include Flash cookies (which are stored in a different location than HTTP cookies) and "history-sniffing" (which relies on exploiting a vulnerability in browsers).
"We're seeing a bunch of techniques moving from theoretical to being used in practice," Soltani says. "The incentives are there."
This is a much more nuanced issue than simply "good" vs. "nefarious." Personally, I think KISSmetrics showed a lack of good judgment in their effort to help sites *improve* the user experience. But, as politicians seem to be demonstrating with increasing frequency, lack of good judgment is enough to cause real PR and legal problems.
The Web Analytics Association has taken a non-regulatory crack at self-monitoring through their development of the Web Analytics Code of Ethics (http://bit.ly/Code_of_Ethics). The intent there is to have individuals working in the analytics space put conscious thought into how, where, and when they are capturing behavioral data, and then elevating and informing their company and clients as soon as gray area is approached. Reaching out to John Lovett (@johnlovett) for more details would be a great way to get the WAA's perspective there.
While there is certainly the potential for Evil when it comes to behavioral tracking -- especially cross-session and cross-site -- there is also tremendous benefit to consumers of being anonymously (and "anonymous" is a gray area in and of itself) tracked. Web site owners use that data to improve the user experience -- putting more relevant content in front of visitors and making paths to the content visitors are most interested in shorter, smoother, and easier for visitors to follow.
This is a messy area. In addition to the WAA, the NRF is actively working to establish guidelines and find the appropriate balance between data capture and consumer concerns (and some level of consumer education is warranted as well...but that's a tough area to tackle).