Wired reports that KISSmetrics, one of most popular web analytics services today, is using software that evades end-users’ basic privacy requests that they not be tracked. The revelation comes after the FTC has called on web browsers to add a “Do Not Track” option.
The initial discovery of the KISSmetrics’s use of undetectable cookie code was made by security researchers at UC Berkeley. They found that the services cannot be avoided even when users take advantage of all the tools at their disposal, such as blocking, turning off storage in Flash, and using their browser’s “incognito mode.”
In response to the initial report, KISSmetrics founder Hitten Shah denied that there was anything illegal about the service. “We don’t do it for malicious reasons. We don’t do it for tracking people across the web,” he said. Shah justified the company’s activities by saying that it does not buy or sell any of the data it collects.
It does, however, use a particular property of Flash by which users keep the same ID numbers used in analytics over different websites. This means that users visiting one site would be providing a certain amount of information about their preferences, which constitutes the basic value of analytics as a marketing tool. On the other hand, that information is limited to the user’s activity on that particular site. What KISSmetrics does by using the same tracking number over multiple sites is allow sites to share information collected from different sources.
So, if user X went to a shopping site looking for a shirt, information about that user’s wardrobe preferences would be filed with a certain number. If that same user then went to a social networking site which contains personal information such as a name or home address, that information would be filed under the same number, creating a more comprehensive portfolio about the particular user.
Researcher Ashan Soltani says that, “These services are using practically every known method to circumvent user attempts to protect their privacy, creating a perpetual game of privacy ‘whack-a-mole.’” Her rejects Shah’s claim that KISSmetrics is not being used to track users across the web, adding that without clear policy restrictions, “advertisers are incentivized to come up with more pervasive tracking mechanisms.”
In response to the Wired article, the popular video site Hulu announced on Friday that it was severing all ties with KISSmetrics. The European music streaming service Spotify also announced that it was suspending its use of the service while it investigates the allegations.