Shah was responding to a paper published last Friday by Ashkan Soltani and other researchers showing how KISSmetrics tracked people using ETags. KISSmetrics used ETags to store information in people's browser caches. When those users erased their cookies, the cookies could be recreated with information from the ETags.
One reason -- though not the only one -- that KISSmetrics' technology caused concern was that the company assigned the same random identifier to users across more than one site. Soltani pointed out that doing so enabled companies to compare information about the same user, regardless of that person's attempts to avoid tracking and online profiling.
Shah responds that KISSmetrics has never linked data about users' activities across sites. "We use the same url for all customers to reduce server and bandwidth resources and increase end-user performance, which is critical given our small size," he writes in a blog post. "An incidental consequence of this is that the same anonymous identifier was returned externally across multiple websites. However, internally, these identifiers are instantly translated into unique identifiers for each customer, and KISSmetrics has gone to extensive lengths to avoid linking any information from different customers."
Even if that's true, however, there's still a problem when companies go out of their way to defeat consumers' efforts to protect their privacy. If people are deleting their cookies because they don't want to be tracked, the answer isn't to develop technology that overrides users' wishes.
Since the report came out last week, KISSmetrics has stopped using ETags and is now allowing consumers to opt out of all tracking. The company also says it's honoring the new browser-based do-not-track headers.
Also last Friday, before the Soltani report was published -- and completely independent of his research -- the first of two class-action lawsuits was filed against KISSmetrics and Web sites that use the company's analytics.
Shah says that courts have "repeatedly held" that similar claims against other Web companies "have no merit."
Whether that's the case is subject to interpretation. It's true that a federal judge recently threw out a similar privacy lawsuit against Specific Media, which was accused of tracking users with hard-to-delete Flash cookies. (Specific Media denies the allegations.) That dismissal, however, was without prejudice, meaning that the consumers could refile their case. The consumers amended their papers and brought the case again; the matter is still pending.