Jul 29, 2011

I School alums uncover devious - and unstoppable - online tracking service

From Wired

Researchers Expose Cunning Online Tracking Service That Can’t Be Dodged

By Ryan Singel

Researchers at U.C. Berkeley [including I School alumni Ashkan Soltani (MIMS 2009) and Nathan Good (Ph.D. 2009)] have discovered that some of the net’s most popular sites are using a tracking service that can’t be evaded — even when users block cookies, turn off storage in Flash, or use browsers’ “incognito” functions.

The service, called KISSmetrics, is used by sites to track the number of visitors, what the visitors do on the site, and where they come to the site from — and the company says it does a more comprehensive job than its competitors such as Google Analytics.

But the researchers say the site is using sneaky techniques to prevent users from opting out of being tracked on popular sites, including the TV streaming site Hulu.com.

The discovery of KISSmetrics tracking techniques comes as federal regulators, browser makers, privacy activists and ad tracking companies are trying to define what tracking actually is. The FTC called on browser makers to add a “Do Not Track” setting that essentially lets users tell websites to leave them alone — though it doesn’t block tracking on its own. It’s more like a “privacy, please” sign on a hotel door. One of the big questions surrounding Do Not Track is about web analytics software, which sites use to determine what’s popular on their site, how many unique visitors a site has a month, where users are coming from, and what pages they leave from....

The research was published Friday by a team of UC Berkeley privacy researchers that includes veteran privacy lawyer Chris Hoofnagle and noted privacy researcher Ashkan Soltani.

“The stuff works even if you have all cookies blocked and private-browsing mode enabled,” Soltani said. “The code itself is pretty damning.”...

This go-round the researchers’ report found only two sites that were recreating cookies after users deleted them — and Hulu.com was the only one doing so for tracking users across the entire site....

“Both the Hulu and KISSmetrics code is pretty enlightening,” Soltani told Wired.com in an e-mail. “These services are using practically every known method to circumvent user attempts to protect their privacy (Cookies, Flash Cookies, HTML5, CSS, Cache Cookies/Etags…) creating a perpetual game of privacy ‘whack-a-mole’.”

“This is yet another example of the continued arms-race that consumers are engaged in when trying to protect their privacy online since advertisers are incentivized to come up with more pervasive tracking mechanisms unless there’s policy restrictions to prevent it.”...

Read the research paper: “Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning”

Last updated: October 4, 2016