[LINK] Another Form of Super-Cookie Exposed
Roger Clarke
Roger.Clarke at xamax.com.au
Sat Jul 30 11:07:28 AEST 2011
[Exposed by UC Berkeley, reported in Wired, flicked on by Lauren Weinstein.]
[Comments embedded in Kissmetrics' explanation, down below.]
Researchers Expose Cunning Online Tracking Service That Can't Be Dodged
By Ryan Singel
Wired Magazine
July 29, 2011
http://www.wired.com/epicenter/2011/07/undeletable-cookie/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))
... if a user came to Hulu.com from an ad on Facebook, and then
later, using a different browser on the same computer, visited
Hulu.com from Google, and then at some point signed up for the
premium service, KISSmetrics would be able to tell Hulu all about
that user's path to purchase (without knowing who that person was).
That tracking trail would remain in place even if a user deleted her
cookies, due to code that stores the unique ID in places other than
in a traditional cookie.
The research was published Friday by a team of UC Berkeley privacy
researchers that includes veteran privacy lawyer Chris Hoofnagle and
noted privacy researcher Ashkan Soltani.
"The stuff works even if you have all cookies blocked and
private-browsing mode enabled," Soltani said. "The code itself is
pretty damning."
The researchers were reprising a study from 2009 which discovered
that some of the net's biggest sites were using technology from
online ad tracking firms Clearspring and Quantcast to re-create
users' cookies after users deleted them. The technique involved using
a little known property of Flash to hold onto unique ID numbers.
Then, if a user deleted her cookies, the companies would check in the
secondary stash for the user ID, and use it to resurrect the
traditional HTML cookies.
That finding led to inquiries from regulators and a class action
lawsuit alleging that websites and the tracking companies were
unfairly monitoring users. That suit was settled for $2.4 million in
cash and a promise by Clearspring and Quantcast not to use that
method again.
One of the sites named in that suit was Hulu, but its part of the
settlement only required that the company tell users if it was using
Flash to store cookies and provide a link in the policy that would
show users how to turn off Flash data storage. However with
KISSmetrics running, even knowing how to do that wouldn't have saved
a user from persistent tracking.
...
____________
The company's explanation:
How KISSmetrics Tracking Works
http://www.kissmetrics.com/how-it-works
KISSmetrics uses a variety of technologies to track people across the
various browsers and computers they use. In doing so, we provide our
customers a full view into how their customers interact with their
websites.
Sites who use KISSmetrics may choose to provide us with personally
identifiable information for their customers, or they may choose to
use anonymized identities.
Sites have always had the option of using one of our server-side
APIs, which do not set cookies or use any other means of
identification. As of July 2011, sites may also choose to use only
traditional cookie-based KISSmetrics tracking, which means that user
information would be cleared whenever the consumer cleared their
browser cookies.
For consumers who do not wish to be tracked by KISSmetrics, the
freely available AdBlock Plus extension will prevent their
information from being tracked by KISSmetrics. Learn more about
AdBlock Plus.
The Technical Details
When a person visits a site that is using the KISSmetrics Javascript
API, two javascripts are loaded:
t.js
i.js
t.js is the same for all people who visit a specific site. (t.js is
unique to each KISSmetrics customer) [It appears that the second
't.js' should be 'i.js'.]
i.js returns a unique "identity" for each person. This identity is
just a random set of characters -- it does not contain an email
address, name, IP address, or anything else that would be useful for
identifying a person outside of KISSmetrics.
[The simple point is that personal data is data that can be
associated with a natural person, or an identity of a natural person.
It is not relevant that the data *by itself* does not enable that
association, if some other readily accessible means are available to
do so. And, no, I couldn't care less that some legislation defines
'personal information' in such a way that the identity must be
apparent from the personal information itself. There's plenty of
anti-privacy legislation in the world that pretends to be
privacy-protective.]
When i.js loads, we set ETags and HTTP headers to tell the browser to
cache the value of i.js for as long as possible. We also set the
person's random identity in a first-party cookie and as a third-party
cookie on our domain (i.kissmetrics.com).
This means that if a person clears their browser cache or cookies,
the random identity is likely to persist and that person will keep
being "known" as a consistent random identity. If the random identity
persists in one of these methods, we will reset the others so they
all share that same random identity.
We do not use CSS or other versions of the technique known as history knocking.
The cached value for i.js is unique to a person, regardless of which
site they are visiting. This means that to KISSmetrics, we know a
single person by the same randomly-generated identity whether they're
visiting customer site A or customer site B. However, there is no way
for our customers to access each others' data or know anything about
a person's activities on other sites.
[That's an over-statement. There may be no way for Kissmetrics'
customers to *directly* find out. But they could find out through
Kissmetrics.]
This is similar to credit card purchases -- Store A knows what you
bought at Store A with your Visa. Store B knows what you bought at
Store B with your Visa. Visa knows what you bought on Store A and
Store B, but does not share that information between vendors. Just
like Visa, KISSmetrics does not share any information about your
interactions with Site A with Site B or with any third parties.
[Visa's business model has to date not included exploitation of data
in that way. Visa is subject to some constraints in the financial
services space that may make it difficult for the organisation to
adapt its business model in that direction. But 'never say never'.
With so much money being generated by exploitation of such data,
execs and shareholders at Visa, MasterCard and other such companies
are licking their lips at the prospect.]
The Privacy Details
KISSmetrics has never, and will never, share personally-identifiable
customer information with any third party sites.
['We are, needless to say, subject to almost no laws that require us
to sustain that position. And, along with the rest of the US private
sector, we work hard to ensure that regulators remain toothless and
uncommitted to enforcing any laws that Congress may pass. As a US
corporation, we enjoy worldwide protection by successive US
Administrations, and hence are generally not subject to laws in other
jurisdictions. In addition, we expressly reserve the right to change
the Terms unilaterally, without notice. And we can sell the business
at any time to an organisation that may choose to do so, and that is
in no sense, moral or legal, obliged to respect the Terms currently
expressed on our web-site'.]
KISSmetrics has never, and will never, share anonymous customer
activity of what people did on customer A's site with customer B.
Person data is available to the KISSmetrics customer for the lifetime
of their relationship with KISSmetrics. When a customer ends their
relationship with KISSmetrics, they may request that their data be
deleted within 30 days.
If you have questions, we're happy to answer them at privacy at kissmetrics.com.
[In case you're sceptical about the comments re Terms:
http://www.kissmetrics.com/terms
VI. Modifications to Terms of Service and Other Policies
KISSmetrics reserves the right to change or modify any of the terms
and conditions contained in this Agreement or any policy governing
the Service, at any time, ...
... by posting the new agreement to the KISSmetrics website located
at http://www.kissmetrics.com/ (or such other URL as KISSmetrics may
provide). You are responsible for regularly reviewing the policy. No
amendment to or modification of this Agreement will be binding unless
(i) in writing and signed by a duly authorized representative of
KISSmetrics, (ii) you accept updated terms online, or (iii) you
continue to use the Service after KISSmetrics has posted updates to
the Agreement or to any policy governing the Service.]
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
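
The ETag and cookie resynchronisation described in the quoted "Technical Details", modelled as an added example (not part of the original post and not KISSmetrics' code). It shows which clearing actions actually reset the identity, plus an audit check for per-client ETags; the `Tracker` and `Browser` classes and all values are constructed for illustration.

```python
import secrets

class Tracker:
    """Constructed stand-in for a server handing out a per-person script."""
    def respond(self, cookie=None, if_none_match=None):
        presented = if_none_match.strip('"') if if_none_match else None
        # Reuse any identifier the client still presents; mint one only if none survive.
        ident = cookie or presented or secrets.token_hex(8)
        etag = f'"{ident}"'
        status = 304 if if_none_match == etag else 200
        # Both stores are rewritten on every response, so they resynchronise.
        return {"status": status, "etag": etag, "set_cookie": ident}

class Browser:
    """Minimal client state: one cookie jar entry and one cached validator."""
    def __init__(self):
        self.cookie = None
        self.cached_etag = None
    def visit(self, server):
        # A cached ETag is sent back as If-None-Match on revalidation.
        r = server.respond(self.cookie, self.cached_etag)
        self.cookie, self.cached_etag = r["set_cookie"], r["etag"]
        return self.cookie
    def clear_cookies(self):
        self.cookie = None
    def clear_cache(self):
        self.cached_etag = None
    def clear_both(self):
        self.clear_cookies()
        self.clear_cache()

def identity_survives(clear):
    """True if the same identity comes back after the given clearing action."""
    browser, server = Browser(), Tracker()
    first = browser.visit(server)
    clear(browser)
    return browser.visit(server) == first

def fresh_client_etags(server, n=3):
    """ETags handed to n clients that start with no cookies and an empty cache."""
    out = []
    for _ in range(n):
        b = Browser()
        b.visit(server)
        out.append(b.cached_etag)
    return out

def etag_is_per_client(etags):
    # Audit signal: an honest validator for one URL is identical for every fresh client.
    return len(set(etags)) > 1
```

Clearing cookies alone or the cache alone leaves the identity intact in this model; only clearing both in the same step produces a new one.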