[LINK] Another Form of Super-Cookie Exposed

Roger Clarke Roger.Clarke at xamax.com.au
Sat Jul 30 11:07:28 AEST 2011


[Exposed by UC Berkeley, reported in Wired, flicked on by Lauren Weinstein.]
[Comments embedded in Kissmetrics' explanation, down below.]

Researchers Expose Cunning Online Tracking Service That Can't Be Dodged
By Ryan Singel
Wired Magazine
July 29, 2011
http://www.wired.com/epicenter/2011/07/undeletable-cookie/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))

... if a user came to Hulu.com from an ad on Facebook, and then 
later, using a different browser on the same computer, visited 
Hulu.com from Google, and then at some point signed up for the 
premium service, KISSmetrics would be able to tell Hulu all about 
that user's path to purchase (without knowing who that person was). 
That tracking trail would remain in place even if a user deleted her 
cookies, due to code that stores the unique ID in places other than 
in a traditional cookie.

The research was published Friday by a team of UC Berkeley privacy 
researchers that includes veteran privacy lawyer Chris Hoofnagle and 
noted privacy researcher Ashkan Soltani.

"The stuff works even if you have all cookies blocked and 
private-browsing mode enabled," Soltani said. "The code itself is 
pretty damning."

The researchers were reprising a study from 2009 which discovered 
that some of the net's biggest sites were using technology from 
online ad tracking firms Clearspring and Quantcast to re-create 
users' cookies after users deleted them. The technique involved using 
a little known property of Flash to hold onto unique ID numbers. 
Then, if a user deleted her cookies, the companies would check in the 
secondary stash for the user ID, and use it to resurrect the 
traditional HTML cookies.

That finding led to inquiries from regulators and a class action 
lawsuit alleging that websites and the tracking companies were 
unfairly monitoring users. That suit was settled for $2.4 million in 
cash and a promise by Clearspring and Quantcast not to use that 
method again.

One of the sites named in that suit was Hulu, but its part of the 
settlement only required that the company tell users if it was using 
Flash to store cookies and provide a link in the policy that would 
show users how to turn off Flash data storage. However with 
KISSmetrics running, even knowing how to do that wouldn't have saved 
a user from persistent tracking.

...

____________

The company's explanation:

How KISSmetrics Tracking Works
http://www.kissmetrics.com/how-it-works

KISSmetrics uses a variety of technologies to track people across the 
various browsers and computers they use. In doing so, we provide our 
customers a full view into how their customers interact with their 
websites.

Sites who use KISSmetrics may choose to provide us with personally 
identifiable information for their customers, or they may choose to 
use anonymized identities.

Sites have always had the option of using one of our server-side 
APIs, which do not set cookies or use any other means of 
identification. As of July 2011, sites may also choose to use only 
traditional cookie-based KISSmetrics tracking, which means that user 
information would be cleared whenever the consumer cleared their 
browser cookies.

For consumers who do not wish to be tracked by KISSmetrics, the 
freely available AdBlock Plus extension will prevent their 
information from being tracked by KISSmetrics. Learn more about 
AdBlock Plus.

The Technical Details

When a person visits a site that is using the KISSmetrics Javascript 
API, two javascripts are loaded:
t.js
i.js

t.js is the same for all people who visit a specific site. (t.js is 
unique to each KISSmetrics customer)  [It appears that the second 
't.js' should be 'i.js'.]

i.js returns a unique "identity" for each person. This identity is 
just a random set of characters -- it does not contain an email 
address, name, IP address, or anything else that would be useful for 
identifying a person outside of KISSmetrics.

[The simple point is that personal data is data that can be 
associated with a natural person, or an identity of a natural person. 
It is not relevant that the data *by itself* does not enable that 
association, if some other readily accessible means are available to 
do so.  And, no, I couldn't care less that some legislation defines 
'personal information' in such a way that the identity must be 
apparent from the personal information itself.  There's plenty of 
anti-privacy legislation in the world that pretends to be 
privacy-protective.]

When i.js loads, we set ETags and HTTP headers to tell the browser to 
cache the value of i.js for as long as possible. We also set the 
person's random identity in a first-party cookie and as a third-party 
cookie on our domain (i.kissmetrics.com).

This means that if a person clears their browser cache or cookies, 
the random identity is likely to persist and that person will keep 
being "known" as a consistent random identity. If the random identity 
persists in one of these methods, we will reset the others so they 
all share that same random identity.

We do not use CSS or other versions of the technique known as history knocking.

The cached value for i.js is unique to a person, regardless of which 
site they are visiting. This means that to KISSmetrics, we know a 
single person by the same randomly-generated identity whether they're 
visiting customer site A or customer site B. However, there is no way 
for our customers to access each others' data or know anything about 
a person's activities on other sites.

[That's an over-statement.  There may be no way for Kissmetrics' 
customers to *directly* find out.  But they could find out through 
Kissmetrics.]

This is similar to credit card purchases -- Store A knows what you 
bought at Store A with your Visa. Store B knows what you bought at 
Store B with your Visa. Visa knows what you bought on Store A and 
Store B, but does not share that information between vendors. Just 
like Visa, KISSmetrics does not share any information about your 
interactions with Site A with Site B or with any third parties.

[Visa's business model has to date not included exploitation of data 
in that way.  Visa is subject to some constraints in the financial 
services space that may make it difficult for the organisation to 
adapt its business model in that direction.  But 'never say never'. 
With so much money being generated by exploitation of such data, 
execs and shareholders at Visa, MasterCard and other such companies 
are licking their lips at the prospect.]

The Privacy Details

KISSmetrics has never, and will never, share personally-identifiable 
customer information with any third party sites.

['We are, needless to say, subject to almost no laws that require us 
to sustain that position. And, along with the rest of the US private 
sector, we work hard to ensure that regulators remain toothless and 
uncommitted to enforcing any laws that Congress may pass. As a US 
corporation, we enjoy worldwide protection by successive US 
Administrations, and hence are generally not subject to laws in other 
jurisdictions. In addition, we expressly reserve the right to change 
the Terms unilaterally, without notice.  And we can sell the business 
at any time to an organisation that may choose to do so, and that is 
in no sense, moral or legal, obliged to respect the Terms currently 
expressed on our web-site'.]

KISSmetrics has never, and will never, share anonymous customer 
activity of what people did on customer A's site with customer B.

Person data is available to the KISSmetrics customer for the lifetime 
of their relationship with KISSmetrics. When a customer ends their 
relationship with KISSmetrics, they may request that their data be 
deleted within 30 days.

If you have questions, we're happy to answer them at privacy at kissmetrics.com.


[In case you're sceptical about the comments re Terms:

http://www.kissmetrics.com/terms
VI. Modifications to Terms of Service and Other Policies
KISSmetrics reserves the right to change or modify any of the terms 
and conditions contained in this Agreement or any policy governing 
the Service, at any time, ...

... by posting the new agreement to the KISSmetrics website located 
at http://www.kissmetrics.com/ (or such other URL as KISSmetrics may 
provide). You are responsible for regularly reviewing the policy. No 
amendment to or modification of this Agreement will be binding unless 
(i) in writing and signed by a duly authorized representative of 
KISSmetrics, (ii) you accept updated terms online, or (iii) you 
continue to use the Service after KISSmetrics has posted updates to 
the Agreement or to any policy governing the Service.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
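
Added example, not part of the original post, the Wired article or KISSmetrics' page: a check over captured HTTP exchanges for the behaviour described under "The Technical Details", where an identity cached with an ETag is used to reset a deleted cookie. The record layout, cookie name, ETag values and identifiers are constructed sample data and assumptions, not KISSmetrics' actual headers.

```python
# Added example: flag cookie "respawning" via cache validators in captured HTTP exchanges.
# The record layout, header values and identifiers below are constructed sample data.
from http.cookies import SimpleCookie

EXCHANGES = [  # constructed capture: (request headers, response status, response headers)
    # 1. First visit: no state; server issues an identity, an ETag and a long cache lifetime.
    ({}, 200, {"ETag": '"e-7f3a"', "Cache-Control": "max-age=315360000",
               "Set-Cookie": "uid=QmFzZTY0SWQ; Path=/"}),
    # 2. Normal revisit: cookie and cache validator are both sent.
    ({"Cookie": "uid=QmFzZTY0SWQ", "If-None-Match": '"e-7f3a"'}, 304,
     {"ETag": '"e-7f3a"'}),
    # 3. Cookies cleared, cache kept: only the validator is sent, the old identity returns.
    ({"If-None-Match": '"e-7f3a"'}, 304,
     {"ETag": '"e-7f3a"', "Set-Cookie": "uid=QmFzZTY0SWQ; Path=/"}),
    # 4. Cookies and cache both cleared: a new identity is issued (not a respawn).
    ({}, 200, {"ETag": '"e-91bc"', "Set-Cookie": "uid=TmV3SWRlbnQ; Path=/"}),
]

def cookie_values(header):
    """Return {name: value} parsed from a Cookie or Set-Cookie header string."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}

def find_respawns(exchanges):
    """Return (index, name, value, etag) for each identity restored after cookie deletion."""
    seen = set()      # (name, value) pairs the server has issued earlier in the capture
    findings = []
    for i, (req, _status, resp) in enumerate(exchanges, start=1):
        sent = cookie_values(req.get("Cookie"))
        issued = cookie_values(resp.get("Set-Cookie"))
        validator = req.get("If-None-Match")
        for name, value in issued.items():
            # Respawn: the client sent no such cookie, the only state it presented was
            # a cache validator, and the server re-issued a value it had given out before.
            if name not in sent and validator and (name, value) in seen:
                findings.append((i, name, value, validator))
            seen.add((name, value))
    return findings

if __name__ == "__main__":
    for idx, name, value, etag in find_respawns(EXCHANGES):
        print(f"exchange {idx}: cookie {name}={value} restored via validator {etag}")
```

Exchange 4 shows why clearing the cache together with cookies breaks the link in this constructed capture: without the validator the server has nothing to match the old identity against.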
