Web sites can bypass anti-cookie measures

Some major web sites use sophisticated tracking techniques that allow them to track even those users who try to prevent this – for instance by refusing to accept cookies or by surfing the net in private mode. While investigating the mechanisms used by popular web sites such as Amazon, Hulu, Spotify, Etsy and GigaOm, researchers at Berkeley University came across the KISSmetrics service provider.

Browsers already offer functional tools for handling regular HTTP cookies. While "Flash cookies" (Local Shared Objects) were long considered the biggest threat for users with privacy concerns, the situation in this area has recently been significantly improved – most browsers now discard Flash cookies along with all other cookies. Last year, however, an "evercookie", that combines HTTP, Flash and Silverlight cookies with such HTML5 technologies as localStorage, caused a stir. The technology also included unusual storage methods such as Internet Explorer's old userData technology, caching via PNG images, history stealing and HTTP ETags.

Commercial services such as KISSmetrics have now reached a similar degree of sophistication. The code of the tracking script makes it virtually impossible for users to escape being tracked. The script's most important components appear to be HTTP and Flash cookies, localStorage, IE userData and ETags. ETags consist of an HTTP header that provides the browser with a kind of caching signature; a web site can later retrieve the ETag to determine whether the browser requires an updated version of the file.

KISSmetrics can track users across multiple web sites to collate comprehensive user profile information. The method proved particularly embarrassing for the Hulu video web site: last year, tracking vendors Clearspring and Quantcast were taken to court for using Flash cookies to restore deleted HTTP cookies; Hulu was a Quantcast customer. Wired magazine reports that Hulu has already stopped using KISSmetrics. Talking to Wired, KISSmetrics founder Hitten Shah said that his company is not doing anything illegal or malicious.

Discussions about web sites tracking their users have gained momentum across Europe and the US in recent years. While the EU's decision only to allow cookies after prior confirmation by the user caused considerable feelings of insecurity, the US seems to be leaning towards an opt-out solution as advocated, for example, by the Mozilla browser developers. From a technical perspective, there doesn't seem to be any way to avoid being tracked: according to a study by the Electronic Frontier Foundation (EFF) civil rights movement, virtually every browser can be uniquely identified.

(ehe)