46 comments

[ 3.1 ms ] story [ 107 ms ] thread
They don't deny recreating cookies.
Is that illegal now?
No, but unethical for most applications, don't you think?
Who cares? It's still lame and violates the Law of Demeter.
These articles are based entirely on a paper by Ashkan Soltani, who works closely with the lawyers who filed these cases, and who published his paper on the same day that the first lawsuit was filed.
So what? Does that automatically make everything he exposed false?
It makes his objectivity suspect.
Both the lawyers and Soltani deny any working relationship, and it's not clear what proof KISSmetrics has beyond timing.

But correlation is not always causation, and KISSmetrics is putting themselves at risk of a libel suit if they don't have any proof.

How does Hiten's working for KM affect his objectivity?
He's not posing as an objective third party.
That's a strange way to establish someone's credibility!
Their explanation of the universal cookie ID issue is rather silly. If you're a client of Kissmetrics, your visitors have a cookie scoped to your domain with the visitor's universal Kissmetrics ID. All of the database segregation in the world won't prevent any two or more Kissmetrics clients from collating visitor data on that universal ID, sent in every header on every pageview. Whether any clients are actually doing that, I have no clue. But claiming that permuting that universal ID into client-specific ones rendered when the clients view data actually protects visitors from said collation is just wrong.

See Wired's screenshot here: http://www.wired.com/images_blogs/epicenter/2011/07/Screen-S...

(comment deleted)
I don't see what's silly about the explanation considering it's about efficiency and performance. As a KISSmetrics customer I can tell you the focus is on funnels and key data; not on an internal cookie ID so that we can collude with other companies.
So you'd decline to collude with another company who approached you? What if they offered to pay?
Of course not. Customer data isn't something I would ever share.

Companies that choose to do so will do it regardless of whether they're directly paid for it. It's not a tech problem and it's not something they need a 3rd party vendor for.

Why would kissmetrics want to provide a way for their customers to link users by the means of that cookie id?

To me this seems like an oversight rather than malicious intent.

But it's a huge oversight and the kind of thing the designers would have come across when designing the system. They decided to use the shared id, either with the assumption that no clients will ever collaborate and share data or they just don't take privacy seriously enough. Not necessarily malicious, but way too careless in privacy related matters.
If the report "significantly distorts our technology and business practices," why are they making such significant changes to their technology and business practices as a result?
To assuage folks who don't understand technology and will assume they are guilty until they "make big changes".
I understand technology, and I'm pretty skeezed out by their use of Etags...

Also, if they truly think they're innocent, why wouldn't they just educate their userbase? Seems odd to make such drastic architectural changes just because of a perceptual problem.

Their userbase is not who's suing them.
> why wouldn't they just educate their userbase? <

If you were competing against better funded companies - one of which may be behind these lawsuits (hey, this is business) - how much time would you spend educating? Wouldn't you rather just be selling and making money?

No need for conspiracy theories - other companies have nothing to do with it.

One law firm in particular is behind this lawsuit. This type of thing is their bread and butter.

Ah, but it is all about perception. The same thing happened at reddit a few times.

The mob decided someone was guilty, we investigated, found absolutely no wrongdoing. Told the community, they didn't care. They would only be happy with swift, visible action.

Comparing the relatively thoughtful discussion on this topic among the web development community to the reddit mob is not particularly fair or accurate.
I would have to say you're naive for thinking the two are much different.

Any group, no matter how civil and educated, can dislove pretty quickly into mob mentality.

Your cynicism is not well borne out on this message board.
This board is a very rare exception on the internet, and even it descends into its own form of lynch mobbery (with a more elevated tone than most lynch mobs).
Jeremy, sorry but you are mistaken.

The report -- http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1898390 -- was technically correct. In fact, it's KISSmetrics that's distorting what the report said.

Shah writes "Mr. Soltani’s paper speculates that KISSmetrics tracks customers across websites based on his observation of a shared identifier on different customer websites."

Soltani's paper and my story about it said nothing of the sort.

Both point out that KISSmetrics technology gives a user the same unique ID on different sites, a technological choice that would allow its clients to compare their databases -- independent of KISSmetrics -- and share data about users.

I find the recent blog post odd, because on Friday, Shah told me it was accurate and that the techniques were legal.

Ideally they'd be able to say "we messed up, we're making the necessary changes" but can't do that with a lawsuit pending.

I don't see any good reasons why they can't simply use cookies and acknowledge that some folks will delete them.

I know Hiten personally, and I know that Kissmetrics operates in a most ethical fashion.

I would trust them over most any analytics company any day.

It's a shame that this meritless lawsuit even exists.

Heck, if jedberg trusts them then I'm convinced. (no sarcasm)
I just started using Kissmetrics, and it's odd that this was the most reassuring thing I've read from this.
Trying to prevent the deletion of cookies used to uniquely identify and track their customers' users is ethical?
Yeah as far as I'm concerned, the cross-site tracking thing is a straw man.

They used evercookie-ish methods to track people who don't want to be tracked. That's unethical, full stop.

Can you please reconcile something to me: Kissmetrics operates in a most ethical fashion but they prevent deletion of cookies in order to track my browsing? Do they think I'm stupid?

Or let me ask the other way: Is it ethical to prevent deletion of cookies in order to track my browsing and intentionally hide the fact that they are doing that?

What Kiss does is explicitly violating user intent -- ethical people assume that when cookies go away, the user is making a decision.

From the paper summary : "The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and “Private Browsing Mode” is enabled." Resuscitating cookies the user has cleared is simply wrong.

And you have an expansive definition of "ethical".

Cookies disappear all the time for reasons that have nothing to do with users nuking them. Users rarely delete their cookies, a vanishing cookie isn't an obvious indicator of privacy concerns.

I should caveat this by saying that I wouldn't use an evercookie, though. While most vanishing cookies aren't privacy related, it's clear that a few are. We avoid all sorts of behaviors on the web to keep from treading on a few toes.

Can you please elaborate this statement that "Cookies disappear all the time for reasons that have nothing to do with users nuking them"? I'm genuinely interested to understand in which cases cookies disappear.

EDIT: But it is possible to detect case when cookies are intentionally deleted. Correct?

Sure. It's common for server or client side scripts to overwrite cookies, or cookie expirations. When you embed something that depends on cookies in a third party site, you have very little you can do to keep the site owner from nuking it unintentionally.

Browsers frequently eat cookies for no good reason. Safari has been the biggest offender in my experience, but I've seen it in several.

These are two really common issues I've personally dealt with, I know there are more but I can't think of them off the top of my head.

EDIT: No, I'm not aware of any way to detect how/why a cookie has been deleted. It just vanishes.

I don't know anyone at the company, but I do read their blog, follow on twitter, etc. and think they're probably great guys. But this tweet just said it all for me:

"Consumers who wish to opt out of all KISSmetrics tracking can use the free tools http://adblockplus.org & https://easylist.adblockplus.org/

It's completely absurd that people have to download anything to not be tracked - whether the data is anonymous, not shared between clients, etc. As mentioned, they are purposely defeating user intent. What about the next company after KISSmetrics that isn't as "ethical" w/ user data? That's why this type of thing needs to be stopped dead.

EDIT: little more clarity

Hiten is a standup guy, a friend to startups everywhere, and a class act all around. I look forward to him kicking their asses in court.
(comment deleted)

  Mr. Soltani also claims that it is somehow improper to use
  any technology other than browser cookies to track website
  activity. In fact, countless online companies, including
  other major analytics providers, use a variety of different
  technologies to provide these services, including the
  persistent technologies Mr. Soltani targets in his paper. 
That's not a justification for doing it too. It's merely a lame excuse for unethical behavior.

Also, I don't care if the guys at KISSmetrics are nice, kitten-loving jolly good fellows - that has absolutely zero relevance to the case at hand.