More Technical Details in KISSmetrics’ eTag Saga


ADOTAS – It looks like what appears on screen when a cat runs across the keyboard:

var KMCID='Z9iGGN1n1-zeVqbgzrlKkl39hiY'; if(typeof(_kmil) == 'function')_kmil();

That’s the contents of the global identifier variable KMCID, set whenever a user hit any site using KISSmetrics’ tracking technology (such as Hulu or Spotify) before July 29 and the third-party script was loaded. The identifier went into the user’s browser cache and was impervious to user privacy tools such as cookie blocking and private-browsing modes. Targeting through eTags had not only arrived, but had been in use by major publishers for some time.
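The defining symptom of cache-based tracking is that a validator which should depend only on the content instead differs for every fresh client. The following heuristic check is an added example, not KISSmetrics’ code or anything from the original report: it takes responses recorded from several cookieless, cache-empty clients (constructed sample data, placeholder hostnames) and flags URLs whose eTag behaves like a per-client identifier.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fetch:
    """One response for a URL, fetched by a fresh client (empty cache, no cookies)."""
    url: str
    etag: Optional[str]
    body: str


def normalise_etag(etag: str) -> str:
    # Strip the weak-validator prefix and surrounding quotes: W/"abc" -> abc
    return re.sub(r"^W/", "", etag.strip()).strip('"')


def suspicious_etags(fetches: List[Fetch], min_clients: int = 2) -> Dict[str, List[str]]:
    """Group fetches by URL and report URLs whose ETag looks like a client identifier.

    A validator derived from the content is identical for every fresh client that
    receives the same bytes. An ETag that is different for each fresh client (and,
    worse, is echoed inside the script body) is re-identifying the client.
    Returns {url: [reasons]} for flagged URLs; unflagged URLs are omitted.
    """
    by_url = defaultdict(list)
    for f in fetches:
        if f.etag:
            by_url[f.url].append(f)
    flagged: Dict[str, List[str]] = {}
    for url, group in by_url.items():
        if len(group) < min_clients:
            continue  # not enough independent observations to judge
        tags = [normalise_etag(f.etag) for f in group]
        reasons = []
        if len(set(tags)) == len(tags):
            reasons.append("distinct ETag for every fresh client")
        if all(t in f.body for t, f in zip(tags, group)):
            reasons.append("ETag value echoed in response body")
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample traffic (placeholder hosts, made-up identifiers): three fresh
# clients fetch a tracker script and, as a control, a static library with a normal ETag.
SAMPLE = [
    Fetch("https://tracker.example/i.js", '"id-aaa111"', "var KMCID='id-aaa111';"),
    Fetch("https://tracker.example/i.js", '"id-bbb222"', "var KMCID='id-bbb222';"),
    Fetch("https://tracker.example/i.js", '"id-ccc333"', "var KMCID='id-ccc333';"),
    Fetch("https://cdn.example/lib.js", 'W/"5f2c-1a9b"', "function lib(){}"),
    Fetch("https://cdn.example/lib.js", 'W/"5f2c-1a9b"', "function lib(){}"),
    Fetch("https://cdn.example/lib.js", 'W/"5f2c-1a9b"', "function lib(){}"),
]
```

Running `suspicious_etags(SAMPLE)` flags only the tracker URL; the library’s content-derived ETag is shared by all clients and passes.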

Ashkan Soltani, previously a technologist at the Federal Trade Commission’s Division of Privacy and Identity Protection, has published a technical addendum to a recent report accusing KISSmetrics of using eTags for user tracking. The addendum found 31 sites (including Hulu, GigaOm, Spotify and SEOmoz) using KISSmetrics’ eTag code prior to July 29, and 515 sites currently using KISSmetrics “in a fashion that indicates they were likely also respawning until this functionality was disabled.”

While KISSmetrics also appeared to be respawning cookies using HTML5 local storage and Flash cookies, the eTag accusation is the most serious because it represents tracking companies’ most significant attempt to circumvent user privacy controls, and may have drastic consequences for a behavioral advertising community already under intense federal scrutiny.

But it gets more complicated… And a lot uglier, as Soltani has broken down the very messy details of the matter.

Quick Flashback

On July 29, Wired’s Ryan Singel detailed the latest findings of privacy researchers Soltani, Chris Hoofnagle, Nathan Good, Mika Ayenson and Dietrich J. Wambach, an update of a 2009 report that discovered numerous publishers respawning HTTP tracking cookies through the use of Adobe Flash cookies (officially known as local shared objects, or LSOs). The new report found that the use of Flash cookies was down, but that tracking firm KISSmetrics was enabling numerous publishers to drop identifiers into user caches.

Following the report’s release, Scott A. Kamber’s law firm — which has led the charge on just about every online privacy lawsuit, including the one that racked up a $2.6 million settlement from Clearspring and Quantcast last year for their use of Flash cookies — filed suit against KISSmetrics, Hulu and a slew of other publishers using KISSmetrics’ eTag tracking technology. Although CEO Hiten Shah initially told Singel in the Wired story that the cache-cookie assessment was correct, Shah came out with guns blazing in a company blog post responding to the charges. In particular, he claimed that KISSmetrics had never used ETags or other “persistent” technologies for tracking purposes.

The weekend after the initial Wired story appeared, KISSmetrics amended its privacy policy to work with browser do-not-track technology and removed any references to the eTag technology from the “How It Works” page. As of July 31, Hulu and KISSmetrics had ceased respawning cookies.

The Trouble With Unique IDs

Because KISSmetrics uses the same first-party cookie — a unique identifier — for the same user on all websites that use KISSmetrics’ tracking technology, in theory KISSmetrics could track individuals across any of these websites (and make a killing in the expanding third-party data market).

KISSmetrics claims it was not doing this. Even without KISSmetrics as a mediator, publishers could trade or buy information about unique users from one another based on the code — publishers are increasingly annexing their data to provide more alluring targeted audiences so they can garner higher CPMs.

“Since the unique identifiers are included in the actual URL and not the cookie headers… I can observe their transmission to KISSmetrics servers and suspect each will generate a log entry on their systems,” Soltani writes. “Unless all log data is immediately deleted or truncated, it’s likely that this cross-domain browsing history is available on their systems, unhashed.” He admits that because he has no access to KISSmetrics’ back-end systems, he can’t be conclusive about this practice.

However, KISSmetrics claims that the same unique (and anonymous) identifier was used across sites to cut down on bandwidth use while improving performance; when the IDs reached KISSmetrics, they were instantly “translated into unique identifiers” for each publishing client.

But that doesn’t defuse Soltani’s other point — the publishers themselves can track users and share data with, or sell it to, each other against user wishes.

The Big Picture

As the online behavioral advertising industry is struggling to convince the Internet-using public that it can regulate itself, the entry of eTags into the tracking fray was a pretty damning indictment against self-regulation.

Given the zeal with which companies continue to develop tracking technology that circumvents user-initiated privacy controls, how can the online advertising industry be trusted to regulate itself regarding user data?

As Bob Garfield put it in AdAge, “Nice work, morons. Way to strangle the goose that lays the golden egg.”



  1. Google has been tracking me across websites for years and serving up ads accordingly (why else would I get a dedicated hosting ad on a model airplane site?) So why haven’t they been sued yet? Answer: Deep Pockets. The same reason Open Cart didn’t sue Amazon a decade ago!

