More Technical Details in KISSmetrics’ eTag Saga
var KMCID='Z9iGGN1n1-zeVqbgzrlKkl39hiY'; if(typeof(_kmil) == 'function')_kmil();
That’s the content of the global identifier variable KMCID, set when a user hit any site using KISSmetrics’ tracking technology (such as Hulu or Spotify) before July 29 and the third-party script https://i.kissmetrics.com/i.js was loaded. The identifier went into a user’s cache and was impervious to user privacy tools such as cookie-blocking and private-browsing modes. Targeting through eTags had not only arrived, but had been in practice by major publishers for some time.
Ashkan Soltani, previously a technologist at the Federal Trade Commission Division of Privacy and Identity Protection, has published a technical addendum to a recent report accusing KISSmetrics of using eTags for user tracking. The addendum found 31 sites (including Hulu, GigaOm, Spotify, SEOmoz and SlideShare.net) using KISSmetrics’ e-Tag code prior to July 29, and 515 sites using KISSmetrics currently “in a fashion that indicates they were likely also have been respawning until this functionality was disabled.”
While KISSmetrics also appeared to be respawning cookies using HTML5 storage space and Flash cookies, the e-Tag accusation is the most serious because it represents tracking companies’ most significant attempt to circumvent user privacy controls, and may have drastic consequences for a behavioral advertising community already under intense federal scrutiny.
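How a cache-stored identifier of this kind shows up in captured traffic, as an added example that is not code from KISSmetrics or from Soltani's report: the check below looks for an ETag that differs per browser and is replayed in `If-None-Match` by a request carrying no cookies. The hosts, ETag values and capture format are constructed for illustration.

```javascript
// Constructed capture (not real traffic): one third-party script seen by two
// fresh browser profiles, then by profile A again after its cookies were
// cleared but its cache was kept. Hosts and ETag values are made up.
const capture = [
  { profile: 'A', url: 'https://tracker.example/i.js', reqHeaders: {},
    status: 200, resHeaders: { etag: '"u-7f3a91"' } },
  { profile: 'B', url: 'https://tracker.example/i.js', reqHeaders: {},
    status: 200, resHeaders: { etag: '"u-c02d55"' } },
  { profile: 'A', url: 'https://tracker.example/i.js',
    reqHeaders: { 'if-none-match': '"u-7f3a91"' }, // no Cookie header sent
    status: 304, resHeaders: { etag: '"u-7f3a91"' } },
  { profile: 'A', url: 'https://cdn.example/lib.js', reqHeaders: {},
    status: 200, resHeaders: { etag: '"v1.4.2"' } },
  { profile: 'B', url: 'https://cdn.example/lib.js', reqHeaders: {},
    status: 200, resHeaders: { etag: '"v1.4.2"' } },
];

// Flag URLs whose ETag behaves like a per-browser identifier:
//  1. fresh profiles receive different ETags for the same URL, and
//  2. a cookieless request replays that profile's ETag in If-None-Match,
//     i.e. the value survived cookie clearing through the HTTP cache.
function findEtagIdentifiers(exchanges) {
  const byUrl = new Map();
  for (const ex of exchanges) {
    const rec = byUrl.get(ex.url) || { issued: new Map(), replayed: new Set() };
    byUrl.set(ex.url, rec);
    const etag = ex.resHeaders.etag;
    if (ex.status === 200 && etag && !rec.issued.has(ex.profile)) {
      rec.issued.set(ex.profile, etag); // first validator this profile was given
    }
    const inm = ex.reqHeaders['if-none-match'];
    if (inm && !ex.reqHeaders.cookie && rec.issued.get(ex.profile) === inm) {
      rec.replayed.add(ex.profile);
    }
  }
  const findings = [];
  for (const [url, rec] of byUrl) {
    const distinct = new Set(rec.issued.values());
    const perProfile = rec.issued.size > 1 && distinct.size === rec.issued.size;
    if (perProfile && rec.replayed.size > 0) {
      findings.push({ url, replayedBy: [...rec.replayed] });
    }
  }
  return findings;
}

console.log(findEtagIdentifiers(capture));
```

Validators can also differ between profiles when different backend servers generate them, so a finding is a lead to confirm by inspecting the cached response body for an embedded identifier.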
But it gets more complicated… And a lot uglier, as Soltani has broken down the very messy details of the matter.
On July 29, Wired’s Ryan Singel detailed the latest findings of privacy researchers Soltani, Chris Hoofnagle, Nathan Good, Mika Ayenson and Dietrich J. Wambach, an update of a 2009 report that discovered numerous publishers respawning HTTP tracking cookies through the use of Adobe Flash cookies (officially known as local shared objects, or LSOs). The new report discovered that the use of Flash cookies was down, but tracking firm KISSmetrics was empowering numerous publishers to drop cookies in user caches.
Following the report’s release, Scott A. Kamber’s law firm — which has led the charge on just about every online privacy lawsuit, including the one that racked up a $2.6 million settlement from Clearspring and Quantcast last year for their use of Flash cookies — filed suit against KISSmetrics, Hulu and a slew of other publishers using KISSmetrics’ e-Tag tracking technology. Although CEO Hiten Shah initially told Singel in the Wired story that the cache cookie assessment was correct, Shah came out with guns blazing in a company blog post responding to the charges. In particular, he claimed that KISSmetrics had never used ETags or other “persistent” technologies for tracking purposes.
The Trouble With Unique IDs
Because KISSmetrics uses the same first-party cookie — a unique identifier — for the same user on all websites that use KISSmetrics’ tracking technology, in theory KISSmetrics could track individuals across any of these websites (and make a killing in the expanding third-party data market).
KISSmetrics claims it was not doing this. Even without KISSmetrics as a mediator, publishers could trade or buy information about unique users from one another based on the code — publishers are increasingly annexing their data to provide more alluring targeted audiences so they can garner higher CPMs.
“Since the unique identifiers are included in the actual URL and not the cookie headers… I can observe their transmission to KISSmetrics servers and suspect each will generate a log entry on their systems,” Soltani writes. “Unless all log data is immediately deleted or truncated, it’s likely that this cross-domain browsing history is available on their systems, unhashed.” He admits that because he has no access to KISSmetrics’ back-end systems, he can’t be conclusive about this practice.
However, KISSmetrics claims that the same unique (and anonymous) identifier was used to cut down on bandwidth use while increasing performance speed; when the IDs came to KISSmetrics, they were instantly “translated into unique identifiers” for each publishing client.
But that doesn’t defuse Soltani’s other point — the publishers themselves can track users and share data with, or sell it to, each other against user wishes.
The Big Picture
As the online behavioral advertising industry is struggling to convince the Internet-using public that it can regulate itself, the entry of eTags into the tracking fray was a pretty damning indictment against self-regulation.
Given the zeal with which companies continue to develop tracking technology that circumvents user-initiated privacy controls, how can the online advertising industry be trusted to regulate itself regarding user data?
As Bob Garfield put it in AdAge, “Nice work, morons. Way to strangle the goose that lays the golden egg.”
Google has been tracking me across websites for years and serving up ads accordingly (why else would I get a dedicated hosting ad on a model airplane site?) So why haven’t they been sued yet? Answer: Deep Pockets. The same reason Open Cart didn’t sue Amazon a decade ago!