In association with heise online

16 August 2011, 16:06

Legal dispute over "eternal" cookies


For over two weeks a lawsuit has been outstanding against the tracking metrics company KISSmetrics because its customers' websites – including Hulu, Spotify, Etsy and GigaOm – place an almost indestructible cookie on visitors' machines. The lawsuit was triggered by a scientific study under the direction of researcher and consultant Ashkan Soltani, who originally disclosed the tracking method that uses Flash cookies two years ago; that also resulted in a lawsuit. Soltani has now submitted an analysis of the tracking mechanisms used by Hulu (representing more than 500 KISSmetrics customers).

Similar to the older cookie technology, which was used by the tracking companies Clearspring and Quantcast, Soltani describes a technique known as "respawning", in which previously deleted HTTP cookies are restored, outside of the user's control. Hulu's own tracking code uses Flash cookies, HTML5 localStorage and the userData storage in older versions of Internet Explorer. In addition to these three storage methods, KISSmetrics has also been using ETags; these are placed in HTTP headers to check whether a resource has been changed since it was last accessed.

In practice, as KISSmetrics uses JavaScript, users can protect themselves through the use of advertising and tracking script blockers. However, this would not protect against HTTP cookies or ETags, meaning more robust tracking methods are still feasible.
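The following audit sketch is an added example, not code from the study or from KISSmetrics. It checks recorded responses for the two signs described above: an ETag that differs per client for identical content, and a cookie that comes back after deletion when only the cached ETag was sent. The record format, field names and sample values are assumptions constructed for illustration, and the respawn is modelled generically as a Set-Cookie response.

```javascript
// Constructed observations from two test browser profiles (not real traffic).
// cookiesSent: Cookie header the client sent; bodyHash: hash of the response body.
const observations = [
  { profile: "A", visit: 1, url: "/t.js", cookiesSent: "", ifNoneMatch: null,
    etag: '"id-7f3a"', bodyHash: "b1", setCookie: "uid=7f3a" },
  { profile: "B", visit: 1, url: "/t.js", cookiesSent: "", ifNoneMatch: null,
    etag: '"id-c219"', bodyHash: "b1", setCookie: "uid=c219" },
  // Profile A deleted its cookies but kept the HTTP cache, so only the ETag is sent.
  { profile: "A", visit: 2, url: "/t.js", cookiesSent: "", ifNoneMatch: '"id-7f3a"',
    etag: '"id-7f3a"', bodyHash: null, setCookie: "uid=7f3a" },
  { profile: "A", visit: 1, url: "/app.css", cookiesSent: "", ifNoneMatch: null,
    etag: '"v42"', bodyHash: "c9", setCookie: null },
  { profile: "B", visit: 1, url: "/app.css", cookiesSent: "", ifNoneMatch: null,
    etag: '"v42"', bodyHash: "c9", setCookie: null },
];

// A validator describes the resource, so identical bytes at one URL should carry
// the same ETag for every client. Differing values suggest a per-client identifier.
function perClientEtags(obs) {
  const byResource = new Map();
  for (const o of obs) {
    if (!o.etag || !o.bodyHash) continue; // 304 responses carry no body to compare
    const key = `${o.url}|${o.bodyHash}`;
    if (!byResource.has(key)) byResource.set(key, new Map());
    byResource.get(key).set(o.profile, o.etag);
  }
  return [...byResource]
    .filter(([, etags]) => new Set(etags.values()).size > 1)
    .map(([key]) => key.split("|")[0]);
}

// Respawn: the client sent no cookie, only If-None-Match, and the response
// sets the same cookie value that this profile had been given earlier.
function respawnedCookies(obs) {
  const seen = new Map(); // "profile|url" -> Set of cookie values set so far
  const hits = [];
  for (const o of [...obs].sort((a, b) => a.visit - b.visit)) {
    const key = `${o.profile}|${o.url}`;
    const earlier = seen.get(key) || new Set();
    if (o.setCookie && o.cookiesSent === "" && o.ifNoneMatch && earlier.has(o.setCookie)) {
      hits.push({ profile: o.profile, url: o.url, cookie: o.setCookie });
    }
    if (o.setCookie) seen.set(key, earlier.add(o.setCookie));
  }
  return hits;
}
```

Clearing the browser cache along with cookies removes the stored ETag, which is why the second check only fires when the cache survived the cookie deletion.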

According to Hiten Shah, the CEO of the company: "KISSmetrics does not track users across different websites, nor do we have the ability to do so." He also stressed that information collected regarding a user has never been shared with any third party. Since the legal complaint was filed on 29 July, the company has stopped using cookie respawning and ETags; it has also added a "consumer-level opt-out" and supports the Do Not Track header.
