Legal dispute over "eternal" cookies
For over two weeks a lawsuit has been outstanding against the tracking metrics company KISSmetrics because its customers web sites – including Hulu, Spotify, Etsy and GigaOm – place an almost indestructible cookie on visitors' machines. The lawsuit was triggered by a scientific study under the direction of researcher and consultant Ashkan Soltani, who originally disclosed the tracking method that uses Flash cookies two years ago; that also resulted in a lawsuit. Soltani has now submitted an analysis of the tracking mechanisms used by Hulu (representing more than 500 KISSmetrics customers).
Similar to the older cookie technology, which was used by the tracking companies Clearspring and Quantcast, Soltani describes a technique known as "respawning", in which previously deleted HTTP cookies are restored, outside of the user's control. Hulu's own tracking code uses Flash-cookies, HTML5 localStorage and the userData in older versions of Internet Explorer. In addition to these three storage methods, KISSmetrics has also been using ETags; these are placed in HTTP headers to check whether a resource has been changed since it was last accessed.
According to Hiten Shah, the CEO of the company: "KISSmetrics does not track users across different websites, nor do we have the ability to do so." He also stressed that information collected regarding a user has never been shared with any third party. Since the legal complaint was filed on 29 July, the company has stopped using cookie respawning and ETags; it has also added a "consumer-level opt-out" and supports the Do Not Track header.