These articles are based entirely on a paper by Ashkan Soltani, who works closely with the lawyers who filed these cases, and who published his paper on the same day that the first lawsuit was filed.
Their explanation of the universal cookie ID issue is rather silly. If you're a client of Kissmetrics, your visitors have a cookie scoped to your domain with the visitor's universal Kissmetrics ID. All of the database segregation in the world won't prevent any two or more Kissmetrics clients from collating visitor data on that universal ID, sent in every header on every pageview. Whether any clients are actually doing that, I have no clue. But claiming that permuting that universal ID into client-specific ones rendered when the clients view data actually protects visitors from said collation is just wrong.
I don't see what's silly about the explanation considering it's about efficiency and performance. As a KISSmetrics customer I can tell you the focus is on funnels and key data; not on an internal cookie ID so that we can collude with other companies.
Of course not. Customer data isn't something I would ever share.
Companies that choose to do so will do it regardless of whether they're directly paid for it. It's not a tech problem and it's not something they need a 3rd party vendor for.
But it's a huge oversight and the kind of thing the designers would have come across when designing the system. They decided to use the shared id, either with the assumption that no clients will ever collaborate and share data or they just don't take privacy seriously enough. Not necessarily malicious, but way too careless in privacy related matters.
If the report "significantly distorts our technology and business practices," why are they making such significant changes to their technology and business practices as a result?
I understand technology, and I'm pretty skeezed out by their use of Etags...
Also, if they truly think they're innocent, why wouldn't they just educate their userbase? Seems odd to make such drastic architectural changes just because of a perceptual problem.
> why wouldn't they just educate their userbase? <
If you were competing against better funded companies - one of which may be behind these lawsuits (hey, this is business) - how much time would you spend educating? Wouldn't you rather just be selling and making money?
Ah, but it is all about perception. The same thing happened at reddit a few times.
The mob decided someone was guilty, we investigated, found absolutely no wrongdoing. Told the community, they didn't care. They would only be happy with swift, visible action.
Comparing the relatively thoughtful discussion on this topic among the web development community to the reddit mob is not particularly fair or accurate.
This board is a very rare exception on the internet, and even it descends into its own form of lynch mobbery (with a more elevated tone than most lynch mobs).
Shah writes "Mr. Soltani’s paper speculates that KISSmetrics tracks customers across websites based on his observation of a shared identifier on different customer websites."
Soltani's paper and my story about it said nothing of the sort.
Both point out that KISSmetrics technology gives a user the same unique ID on different sites, a technological choice that would allow its clients to compare their databases -- independent of KISSmetrics -- and share data about users.
I find the recent blog post odd, because on Friday, Shah told me it was accurate and that the techniques were legal.
Can you please reconcile something to me: Kissmetrics operates in a most ethical fashion but they prevent deletion of cookies in order to track my browsing? Do they think I'm stupid?
Or let me ask the other way: Is it ethical to prevent deletion of cookies in order to track my browsing and intentionally hide the fact that they are doing that?
What Kiss does is explicitly violating user intent -- ethical people assume that when cookies go away, the user is making a decision.
From the paper summary : "The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and “Private Browsing Mode” is enabled." Resuscitating cookies the user has cleared is simply wrong.
And you have an expansive definition of "ethical".
Cookies disappear all the time for reasons that have nothing to do with users nuking them. Users rarely delete their cookies, a vanishing cookie isn't an obvious indicator of privacy concerns.
I should caveat this by saying that I wouldn't use an evercookie, though. While most vanishing cookies aren't privacy related, it's clear that a few are. We avoid all sorts of behaviors on the web to keep from treading on a few toes.
Can you please elaborate this statement that "Cookies disappear all the time for reasons that have nothing to do with users nuking them"? I'm genuinely interested to understand in which cases cookies disappear.
EDIT: But it is possible to detect case when cookies are intentionally deleted. Correct?
Sure. It's common for server or client side scripts to overwrite cookies, or cookie expirations. When you embed something that depends on cookies in a third party site, you have very little you can do to keep the site owner from nuking it unintentionally.
Browsers frequently eat cookies for no good reason. Safari has been the biggest offender in my experience, but I've seen it in several.
These are two really common issues I've personally dealt with, I know there are more but I can't think of them off the top of my head.
EDIT: No, I'm not aware of any way to detect how/why a cookie has been deleted. It just vanishes.
I don't know anyone at the company, but I do read their blog, follow on twitter, etc. and think they're probably great guys. But this tweet just said it all for me:
It's completely absurd that people have to download anything to not be tracked - whether the data is anonymous, not shared between clients, etc. As mentioned, they are purposely defeating user intent. What about the next company after KISSmetrics that isn't as "ethical" w/ user data? That's why this type of thing needs to be stopped dead.
Mr. Soltani also claims that it is somehow improper to use
any technology other than browser cookies to track website
activity. In fact, countless online companies, including
other major analytics providers, use a variety of different
technologies to provide these services, including the
persistent technologies Mr. Soltani targets in his paper.
That's not a justification for doing it too. It's merely a lame excuse for unethical behavior.
Also, I don't care if the guys at KISSmetrics are nice, kitten-loving jolly good fellows - that has absolutely zero relevance to the case at hand.
46 comments
[ 3.1 ms ] story [ 107 ms ] threadBut correlation is not always causation, and KISSmetrics is putting themselves at risk of a libel suit if they don't have any proof.
See Wired's screenshot here: http://www.wired.com/images_blogs/epicenter/2011/07/Screen-S...
Companies that choose to do so will do it regardless of whether they're directly paid for it. It's not a tech problem and it's not something they need a 3rd party vendor for.
To me this seems like an oversight rather than malicious intent.
Also, if they truly think they're innocent, why wouldn't they just educate their userbase? Seems odd to make such drastic architectural changes just because of a perceptual problem.
If you were competing against better funded companies - one of which may be behind these lawsuits (hey, this is business) - how much time would you spend educating? Wouldn't you rather just be selling and making money?
One law firm in particular is behind this lawsuit. This type of thing is their bread and butter.
The mob decided someone was guilty, we investigated, found absolutely no wrongdoing. Told the community, they didn't care. They would only be happy with swift, visible action.
Any group, no matter how civil and educated, can dislove pretty quickly into mob mentality.
The report -- http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1898390 -- was technically correct. In fact, it's KISSmetrics that's distorting what the report said.
Shah writes "Mr. Soltani’s paper speculates that KISSmetrics tracks customers across websites based on his observation of a shared identifier on different customer websites."
Soltani's paper and my story about it said nothing of the sort.
Both point out that KISSmetrics technology gives a user the same unique ID on different sites, a technological choice that would allow its clients to compare their databases -- independent of KISSmetrics -- and share data about users.
I find the recent blog post odd, because on Friday, Shah told me it was accurate and that the techniques were legal.
I don't see any good reasons why they can't simply use cookies and acknowledge that some folks will delete them.
I would trust them over most any analytics company any day.
It's a shame that this meritless lawsuit even exists.
They used evercookie-ish methods to track people who don't want to be tracked. That's unethical, full stop.
Or let me ask the other way: Is it ethical to prevent deletion of cookies in order to track my browsing and intentionally hide the fact that they are doing that?
From the paper summary : "The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and “Private Browsing Mode” is enabled." Resuscitating cookies the user has cleared is simply wrong.
And you have an expansive definition of "ethical".
I should caveat this by saying that I wouldn't use an evercookie, though. While most vanishing cookies aren't privacy related, it's clear that a few are. We avoid all sorts of behaviors on the web to keep from treading on a few toes.
EDIT: But it is possible to detect case when cookies are intentionally deleted. Correct?
Browsers frequently eat cookies for no good reason. Safari has been the biggest offender in my experience, but I've seen it in several.
These are two really common issues I've personally dealt with, I know there are more but I can't think of them off the top of my head.
EDIT: No, I'm not aware of any way to detect how/why a cookie has been deleted. It just vanishes.
"Consumers who wish to opt out of all KISSmetrics tracking can use the free tools http://adblockplus.org & https://easylist.adblockplus.org/
It's completely absurd that people have to download anything to not be tracked - whether the data is anonymous, not shared between clients, etc. As mentioned, they are purposely defeating user intent. What about the next company after KISSmetrics that isn't as "ethical" w/ user data? That's why this type of thing needs to be stopped dead.
EDIT: little more clarity
Also, I don't care if the guys at KISSmetrics are nice, kitten-loving jolly good fellows - that has absolutely zero relevance to the case at hand.