ONLINE TRACKING OUTFIT Kissmetrics has been exposed by researchers for using surreptitious techniques to track users without their knowledge and even against their wishes.
Researchers at UC Berkeley found that Kissmetrics, a sort of Google Analytics on crack, uses sneaky methods to track users from one website to another, overriding users' attempts to disable cookies, to use the 'Do Not Track' features of web browsers, or to use a 'private browsing' mode. According to the researchers, who took apart the tracking code used by the online video streaming website Hulu, the only way to avoid persistent tracking is to clear the web browser's cache between visits.
Kissmetrics confirmed to Wired that the research findings were valid, meaning that it was using ETags, something that until now was thought of only as a theoretical way of tracking users. The researchers sent a snippet of a cookie to Wired that shows a cookie using the same identifier between Kissmetrics.com, Hulu.com and Spotify.com. This essentially allows these three sites to share information without the user's knowledge.
Hulu told Wired that it had severed links with Kissmetrics. Hiten Shah, founder of Kissmetrics, said, "We don't do it for malicious reasons. We don't do it for tracking people across the web [...] I would be having lawyers talk to you if we were doing anything malicious."
However, Shah's answer isn't being accepted by Ashkan Soltani, one of the authors of the paper, who told Wired, "Both the Hulu and KISSmetrics code is pretty enlightening [...] these services are using practically every known method to circumvent user attempts to protect their privacy (Cookies, Flash Cookies, HTML5, CSS, Cache Cookies/Etags...) creating a perpetual game of privacy 'whack-a-mole'."
The issue here is not tracking users per se, as many outfits including firms such as Facebook, Google and Microsoft already do that, but the stark fact that users cannot opt out of Kissmetrics' tracking methods. Shah's claims that Kissmetrics doesn't go to any such lengths in order to track people are highly questionable.
As the report clearly states, firms such as Kissmetrics employ elaborate methods in order to get around those users who take the time to tweak privacy settings in the first place. It is sad, yet with user tracking being such a profitable source of information, we will be surprised if that is all Kissmetrics is used for.
The method of HTTP cookie respawning described in this report relies on Flash cookies and ETags. Private browsing mode will stop Flash cookies from storing data (if you are using an up-to-date version of Flash), and it will flush the browser cache (thus deleting the ETags) if the browser is closed. So yes, this method only allows limited tracking if private browsing mode is used. The report itself never says that this method completely circumvents private browsing mode.
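A detection sketch for the ETag respawning described above, added here as an example and not taken from the report or from any tracker's code. It scans captured HTTP exchanges for an identifier that reaches the server only as an `If-None-Match` cache validator and then reappears as a cookie value; the hosts, the `uid` cookie name and all sample values are constructed, and it assumes one validator per request.

```python
from http.cookies import SimpleCookie

def cookie_values(header):
    """Return the set of cookie values in a Cookie or Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {morsel.value for morsel in jar.values()}

def validator(header):
    """Strip the weak prefix and quotes from an ETag / If-None-Match value."""
    value = (header or "").strip()
    if value.startswith("W/"):
        value = value[2:]
    return value.strip('"')

def find_etag_respawns(exchanges, min_len=8):
    """Flag IDs sent only as a cache validator that later come back as a cookie.
    Returns (identifier, host that got the validator, host where the cookie appeared)."""
    pending = {}    # validator seen without a matching cookie -> host
    findings = []
    for ex in exchanges:
        req, resp = ex["request"], ex["response"]
        sent = cookie_values(req.get("Cookie"))
        tag = validator(req.get("If-None-Match"))
        if len(tag) >= min_len and tag not in sent:
            pending.setdefault(tag, ex["host"])
        # The ID may return via Set-Cookie now, or via a script-set cookie later.
        for value in sent | cookie_values(resp.get("Set-Cookie")):
            if value in pending:
                findings.append((value, pending.pop(value), ex["host"]))
    return findings

# Constructed sample capture (not real traffic).
SAMPLE = [
    # 1. First visit: the server issues the same ID as ETag and as cookie.
    {"host": "tracker.example", "request": {},
     "response": {"ETag": '"Zx9Qp3LmT7vK"', "Set-Cookie": "uid=Zx9Qp3LmT7vK; Path=/"}},
    # 2. Ordinary revisit: cookie and validator both present, nothing unusual.
    {"host": "tracker.example",
     "request": {"Cookie": "uid=Zx9Qp3LmT7vK", "If-None-Match": '"Zx9Qp3LmT7vK"'},
     "response": {}},
    # 3. Cookies cleared, cache kept: the validator alone restores the cookie.
    {"host": "tracker.example", "request": {"If-None-Match": '"Zx9Qp3LmT7vK"'},
     "response": {"Set-Cookie": "uid=Zx9Qp3LmT7vK; Path=/"}},
    # 4. Control: a normal cached image whose ETag never becomes a cookie.
    {"host": "static.example", "request": {"If-None-Match": 'W/"5f2a9c1e-1b3"'},
     "response": {}},
]

if __name__ == "__main__":
    for ident, via, seen_on in find_etag_respawns(SAMPLE):
        print(f"respawned id {ident}: validator sent to {via}, cookie seen on {seen_on}")
```

Clearing the cache before exchange 3 removes the `If-None-Match` header, so nothing is flagged and a fresh identifier would have to be issued.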
Checked out their site and interestingly they have Google tracking on it, so they either have no confidence in their own skills or are part of Google's empire I guess.
I also noticed a new trick in Google's box of tricks, they already tracked everybody with ajax.googleapis.com but now they added fonts.googleapis.com as an underhanded trick.
Update your signatures!
My count shows 11 on the page this am!
Bet you just can't wait till your new tracking Smart TV (dumb buyers) arrives with no way at all to flush any cache.
No Private mode on the TV I'll bet.
But if everyone was well informed and refused to buy those TVs... they would have to stop making them if they can't sell them!
Respawning cookies often happens by using the browser fingerprint (screen size, installed fonts, installed plugins, OS, language, country, ...). Now one could change the browser settings to make it more general so the uniqueness disappears a bit, but one can also make the browser settings change randomly each time the browser starts, creating indefinite new cookies instead of respawning old cookies. To my knowledge this will only work with FF at best because Chrome is created by a marketing company, IE is just a leaking bucket of private information and Safari isn't easily customized.
@King Calamari - Negative. Read the article carefully. It tracks you regardless of whether you use private mode or not because it respawns cookies that you may or may not have created. Porn mode isn't going to prevent you from being tracked.
Using the private browsing mode in most web browsers does clear the cache, if the browser is closed. So this method only allows tracking for the duration of the current private browsing session.
Given that there are a grand total of 9 tracking scripts blocked by Ghostery on every inquirer page ...
"I would be having lawyers talk to you if we were doing anything malicious."
Well, lawyers is probably what you're looking at since the code is pretty well damning.
Kissmetric your ass goodbye.
Hiten Shah, founder of Kissmetrics said, "We don't do it for malicious reasons."
Bullshit! There are NO legitimate reasons for cross-site tracking. Full stop.
Effective immediately, I am submitting Kissmetrics to MVPS.org with a recommendation to block them in the "malicious Web sites hosts file" distributed by that organisation.