More Technical Details in KISSmetrics’ eTag Saga
VAR KMCID=’Z9iGGN1n1-zeVqbgzrlKkl39hiY’; if(typeof(_kmil) == ‘function’)_kmil();
That’s the contents of the global identifier variable KMCID set when a user hit any site using KISSmetrics’ tracking technology (such as Hulu or Spotify) before July 29 and the third-party script https://i.kissmetrics.com/i.js was loaded. The identifier went into a user’s cache and was impervious to user privacy tools such as cookie-blocking and private-browsing modes. Targeting through eTags had not only arrived, but been in practice by major publishers for some time.
Ashkan Soltani, previously a technologist at the Federal Trade Commission Division of Privacy and Identity protection, has published a technical addendum to a recent report accusing KISSmetrics of using eTags for user tracking that found 31 sites (including Hulu, GigaOm, Spotify, SEOmoz and SlideShare.net) using KISSmetrics’ e-Tag code prior to July 29, and 515 sites using KISSmetrics currently “in a fashion that indicates they were likely also have been respawning until this functionality was disabled.”
While KISSmetrics also appeared to be respawning cookies using HTML5 storage space and Flash cookies, the e-Tag accusation is the most serious because it represents tracking companies’ most significant attempt to circumvent user privacy controls, and may have drastic consequences for a behavioral advertising community already under intense federal scrutiny.
But it gets more complicated… And a lot uglier, as Soltani has broken down the very messy details of the matter.
On July 29, Wired’s Ryan Singel detailed the latest findings of privacy researchers Soltani, Chris Hoofnagle, Nathan Good, Mika Ayenson and Dietrich J. Wambach, an update of a 2009 report that discovered numerous publishers respawning HTTP tracking cookies through the use of Adobe Flash cookies (officially known as local shared objects, or LSOs). The new report discovered that the use of Flash Cookies was down, but tracking firm KISSmetrics was empowering numerous publishers to drop cookies in user caches.
Following the report’s release, Scott A. Kamber’s law firm — which has led the charge on about every online privacy lawsuit, including the one that racked up a $2.6 million settlement from Clearspring and Quantcast last year for their use of Flash cookies — filed suit against KISSmetrics, Hulu and a slew of other publishers using KISSmetrics’ e-Tag tracking technology. Although CEO Hitten Shah initially told Singel in the Wired story that the cache cookie assessment was correct, Shah came out with guns blazing in a company blog responding to the charges. In particular, he claimed that KISSmetrics had never used ETags or other “persistent” technologies for tracking purposes.
The Trouble With Unique IDs
Because KISSmetrics uses the same first-party cookie — a unique identifier — for the same user on all websites that use KISSmetrics’ tracking technology, in theory KISSmetrics could track individuals across any of these websites (and make a killing in the expanding third-party data market).
KISSmetrics claims it was not doing this. Even without KISSmetrics as a mediator, publishers could trade or buy information about unique users from one another based on the code — publishers are increasingly annexing their data to provide more alluring targeted audiences so they can garner higher CPMs.
“Since the unique identifiers are included the actual URL and not the cookie headers… I can observe their transmission to KISSmetrics servers and suspect each will generate a log entry on their systems,” Soltani writes. “Unless all log data is immediately deleted or truncated, it’s likely that this cross-domain browsing history is available on their systems, unhashed.” He admits that because he has no access to KISSmetrics’ back-end systems, he can’t be conclusive about this practice.
However, KISSmetrics claims that the use of the same unique (and anonymous) identifier was used to cut down on bandwidth use while increasing performance speed; when the IDs came to KISSmetrics, they were instantly “translated into unique identifiers” for each publishing client.
But that doesn’t defuse Soltani’s other point — the publishers themselves follow track users and share data with or sell to each other against user wishes.
The Big Picture
As the online behavioral advertising industry is struggling to convince the Internet-using public that it can regulate itself, the entry of eTags into the tracking fray was a pretty damning indictment against self-regulation.
Given the zeal with which companies continue to develop tracking technology that circumvents user-initiated privacy controls, how can the online advertising industry be trusted to regulate itself regarding user data?
As Bob Garfield put it in AdAge, “Nice work, morons. Way to strangle the goose that lays the golden egg.”
Google has been tracking me across websites for years and serving up ads accordingly (why else would I get a dedicated hosting ad on a model airplane site?) So why haven’t they been sued yet? Answer: Deep Pockets. The same reason Open Cart didn’t sue Amazon a decade ago!
Leave a Comment
- MediaBrix Launches In-Game Ad SDK for Intel’s Latest Platform
- Fiverr® Updates iPhone App: Puts Over 3 Million Gigs® in the Palm of Your Hand
- BroadbandTV CEO is Named Young Global Leader by the World Economic Forum
- Intent Media Hires Noted Travel Industry Exec Noreen Henry as VP of Business Development
- Ampush Appoints Rick Cotton as Chief Revenue Officer
- MediaBrix Launches In-Game Ad SDK for Intel’s Latest Platform March 12th 2014 NEW YORK, March 12, 2014 (ADOTAS) — MediaBrix, the leading [...] more »
- Fiverr® Updates iPhone App: Puts Over 3 Million Gigs® in the Palm of Your Hand March 12th 2014 NEW YORK, March 12, 2014 — Fiverr®, the world’s largest [...] more »
- BroadbandTV CEO is Named Young Global Leader by the World Economic Forum March 11th 2014 VANCOUVER, March 11, 2014 (ADOTAS) – Shahrzad Rafati, founder and CEO [...] more »
- Intent Media Hires Noted Travel Industry Exec Noreen Henry as VP of Business Development March 11th 2014 NEW YORK, March 11, 2014 (ADOTAS) — Intent Media, an [...] more »
- Ampush Appoints Rick Cotton as Chief Revenue Officer March 11th 2014 SAN FRANCISCO, March 11, 2014 (ADOTAS) – Ampush, a leading [...] more »
- Facebook Exchange Partner Perfect Audience Taps into Google Merchant Accounts for Retargeting March 11th 2014 ADOTAS – You may already know that Facebook Exchange (FBX) [...] more »
- Covario Names Jeff MacGurn Senior Vice President March 11th 2014 SAN DIEGO, March 11, 2014 (ADOTAS) -– Covario, a leading independent [...] more »
- Big-Budget TV Ads Alone Aren’t Enough: Use Programmatic to Tell Your Brand Story March 12th 2014
- 5 Keys to Capitalizing on the Mobile Gaming Phenomenon March 11th 2014
- The Programmatic Future: Automation Poised to Dominate Video Ad Buying March 10th 2014
- You Have My Data, Now Stop Retargeting Me! March 7th 2014
- The Top 5 New Video Ads: Snickers, Pepsi, HUVr, Hugo Boss March 7th 2014
- Marketing Operations Manager - Healthcare
- Director Digital Engagements
- Website Designer
- Online Account Manager
- Online Media Buyer
- Adknowledge Acquires Video Syndicator Giant Media - Responsivemts | Responsivemts: [...] Fans Among Farmers, Filmmakers#Selfie Music Video Dominates With Help From Social Media InfluencersAdknowledge Acquires
- Today’s Burning Question: Instagram’s $100 Million Ad Deal with Omnicom - Responsivemts | Responsivemts: [...] Tech Companies Must Improve EncryptionThe (Important) SXSW Panels You Missed, Explained by CartoonsToday’s Burning
- Bitly Adds New Leadership, Partners with Moz for Inbound Link Marketing Intelligence - Responsivemts | Responsivemts: [...] Live Video: Edward Snowden at SXSWSheryl Sandberg Teams Up With Beyonce to Ban
- Finding Your Brand Advocates, Are You Ready for Super Bowl Sunday? - Inside CXM: [...] Theresa Trevor, Adotas, offers 5 simple rules to motivate brand advocates: [...]