ADOTAS – History repeats itself — back in summer 2009 when privacy researcher Ashkan Soltani and friends put out a damning report about online tracking practices with Adobe Flash cookies (aka local shared objects) that undermined user privacy controls through the use of respawning HTTP cookies, class action lawsuits were leveled against Quantcast, Clearspring and Specific Media. Quantcast and Clearspring settled for $2.6 million and promised never to engage in the practice again, while the suit against Specific was dismissed earlier this year.
Flash forward to summer 2011 and Soltani’s crew released another report, this time reporting on the same old Flash Cookies practices but also discovering the use of ETags in tracking and respawning. On cue, Scott A. Kamber and his law firm filed a complaint against Hulu and analytics operation KISSmetrics for their respawning games.
Name sound familiar? Scott Kamber was also on the plantiffs’ bench for the suits against Quantcast, Clearspring and Specific. Kamber Law was also responsible for the class action suit against Facebook over its Beacon advertising services that resulted in a $9.6 million settlement. His law firm has filed suits against Interclick for demographic profiling, Google over its toolbar and Apple over mobile apps sending advertisers unique device IDs. He’s all over data privacy issues like butter on toast, the biggest gun in this niche legal town. Ad tech companies have suggested he’s a suit-happy shyster, but his track record isn’t bad — check out this interview with Kamber by PaidContent.
And Kamber has just filed again — another class action suit (PDF) against KISSmetrics, with codefendants AOL, Spotify, GigaOm, Spokeo, SlideShare, Hasoffers.com, Kongregate.com, Livemocha.com, and even more. Since Soltani whispered (all right, he tweeted) to us the other day that his crew found more than 400 websites with KISSmetrics’ ETag tracking code, Kamber had the pick of the litter when it came to selecting media companies to sue. Other ad tech and analytics companies were also named in the suit, including SEOmoz, Conduit, Flite and visual.ly
Given that Hulu seems to have been caught red-handed using KISSmetrics’ technology to respawn HTTP cookies as well as Flash cookies (the same thing that Quantcast and Clearspring settled over), we’d put our money on a settlement. It’s the other class action suit that should be interesting, since Kamber claims KISSmetrics and defendants’ “rogue tracking” with ETags and Flash Cookies is a violation of the Electronic Communications Act, the Computer Crime Law of the California Penal Code and the Unfair Competition Law in the California Business and Professional Code, as well as a trespass on personal property.
Respawning is a definite no-no because it goes directly against user wishes, but tracking outside of HTTP cookies is a murky area — perhaps the outcome of this case will present clearer borders.
Presenting the Arguments
At the heart of the suit is the argument that the defendants tracking efforts bypassed browser privacy efforts:
In a response to the Soltani report and the lawsuits, KISSmetrics CEO Hiten Shah claims that his company has never used ETags or other “persistent” technologies for tracking purposes and that its technology cannot track users across multiple websites — it’s just a small company (17 people!). He says that Soltani’s work is full of speculation and distortion of KISSmetrics’ business, while suggesting that Kamber’s firm (which isn’t named) has bullied settlements out of other ad tech companies.
Interestingly, Shah comments: “Mr. Soltani also claims that it is somehow improper to use any technology other than browser cookies to track website activity. In fact, countless online companies, including other major analytics providers, use a variety of different technologies to provide these services, including the persistent technologies Mr. Soltani targets in his paper.”
Alas, Wired’s Ryan Singel says that KISSmetrics reworded the “How It Works” page to make no reference to the ETag technology; according to the site, KISSmetrics only uses first-party cookies. Shah acknowledges that the company has added support for “Do Not Track” technology last weekend.
The Gap Between DNT and OBA Self-Reg
This class-action lawsuit basically sits right in the gap between “Do Not Track” advocacy and industry self-regulation initiatives regarding online behavioral advertising. The idea behind self-regulation is that users can opt out of behavioral targeting through tracking cookies. However, tracking cookies are still used for internal advertiser and publisher metrics, such as frequency capping and understanding visitor behavior. This was something the kids at the Stanford Security Lab didn’t understand when they accused companies signed up with the National Advertising Initiative of tracking despite an opt out.
You can doubt the validity of the claim that advertisers turn off the behavioral targeting functions when users click on the Ad Choice icon and opt out, but industry self-regulation initiatives do have enforcement mechanisms (though how “tough” they are regarding violations isn’t clear — feel free to illuminate the punishment for non-compliance).
Media companies and ad tech service providers claim they want to use Flash Cookies, ETags and other “persistent” tracking tools to have longer-lasting beacons for analytics purposes, not behavioral targeting. They would therefore claim it’s harmless tracking.
The privacy advocate argument is that there’s no nuance — tracking is tracking, and the use of Flash Cookies or ETags is especially heinous because they circumvent user privacy controls.
Who is right, who is wrong? That’s not my place to decide — we’ll see what the legal system says. But the decision will have ramifications for the data privacy landscape, offering a precedent on whether online tracking is a tiered system.