Online Tracking Service isn't Thwarted by Deleted Cookies and Other Privacy Measures
Maintaining privacy as you surf the Web isn't rocket science; it's just a matter of knowing what you're doing and taking the proper steps to make sure sites aren't in hot pursuit. Manually deleting your browser cookies is one way to ensure a bit of privacy, and so is enabling your browser's "Do Not Track" mechanism. If you're really worried about leaving behind bread crumbs, there are always so-called incognito browsing modes. Unfortunately, none of these work as well as you think.
Researchers at U.C. Berkeley recently discovered that many popular websites are using a tracking service that sidesteps users' attempts to block cookies, turn off storage in Flash, or enable private browsing modes, Wired.com reports. The service is called KISSmetrics, and according to the researchers, it uses suspect techniques to thwart privacy controls. As the researchers explain it, if a user visits Hulu.com, they receive a third-party cookie set by KISSmetrics with a tracking ID number. KISSmetrics then passes that number to Hulu so that it can be used for its own cookie. When that user visits another site using KISSmetrics, that site's cookie would get the same ID number.
This method makes it possible for multiple sites using KISSmetrics to compare their databases and share information about the user, such as name, email address, and things the user likes, the researchers claim. What's more, the researchers found that sites using the KISSmetrics service can track users regardless of which browser they used or whether they deleted their cookies. KISSmetrics simply recreates them.
"Both the Hulu and KISSmetrics code is pretty enlightening," privacy researcher and one of the study's authors, Ashkan Soltani, told Wired.com. "These services are using practically every known method to circumvent user attempts to protect their privacy (cookies, Flash cookies, HTML5, CSS, cache cookies/Etags...) creating a perpetual game of privacy 'whack-a-mole'."
KISSmetrics maintains it's not doing anything underhanded and says it simply does a better job than its competitors, such as Google Analytics. The way KISSmetrics explains it, if a user visited Hulu.com through an ad on Facebook, and then later visited Hulu.com from Google using a different browser on the same computer, and at some point signed up for the premium service, KISSmetrics could relay to Hulu the user's path to purchase without knowing who that person is. The tracking would still be in place even if a user deleted cookies, because the code that stores the unique ID resides in places other than just cookies.
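One way to audit for the behaviour described above, as an added example that is not from the article or the Berkeley study: compare a browser profile's storage before and after cookie deletion, flag identifiers that return while a copy survives in another store, and list identifiers shared across sites. The hosts, key names, ID value and the `looksLikeId` heuristic are assumptions made for illustration.

```javascript
// Constructed sample: storage seen in one browser profile before the user
// deleted cookies, and again after deleting them and revisiting the sites.
// Hosts, key names and the ID value are made up for illustration.
const ID = "Zx81kQp2Lm9TtA4v";
const before = [
  { store: "cookie", site: "video.example", key: "visitor_id", value: ID },
  { store: "cookie", site: "tracker.example", key: "uid", value: ID },
  { store: "cookie", site: "video.example", key: "lang", value: "en" },
  { store: "etag", site: "tracker.example", key: "/i.js", value: ID },
  { store: "localStorage", site: "video.example", key: "vid", value: ID },
];
// After: every cookie is back (cache and localStorage were never cleared),
// and a second site using the same service now holds the same ID.
const after = [...before,
  { store: "cookie", site: "news.example", key: "visitor_id", value: ID }];

// Assumed heuristic: only long, varied values count as candidate identifiers,
// so ordinary preferences such as "en" are not reported.
const looksLikeId = (v) => v.length >= 12 && new Set(v).size >= 8;
const isIdCookie = (e) => e.store === "cookie" && looksLikeId(e.value);

// Cookies that existed before deletion, exist again afterwards with the same
// value, and whose value also sits in a store that cookie deletion left alone.
function findRespawned(before, after) {
  const findings = [];
  for (const old of before.filter(isIdCookie)) {
    const back = after.some((e) => e.store === "cookie" && e.site === old.site &&
      e.key === old.key && e.value === old.value);
    const copies = after.filter((e) => e.store !== "cookie" && e.value === old.value)
      .map((e) => `${e.store}@${e.site}`);
    if (back && copies.length > 0) {
      findings.push({ cookie: `${old.key}@${old.site}`,
        survivingCopies: [...new Set(copies)].sort() });
    }
  }
  return findings;
}

// Identifier values that appear in the cookies of more than one site.
function findSharedIds(entries) {
  const sites = new Map();
  for (const e of entries.filter(isIdCookie)) {
    if (!sites.has(e.value)) sites.set(e.value, new Set());
    sites.get(e.value).add(e.site);
  }
  return [...sites].filter(([, s]) => s.size > 1)
    .map(([id, s]) => ({ id, sites: [...s].sort() }));
}
console.log(JSON.stringify({ respawned: findRespawned(before, after), shared: findSharedIds(after) }, null, 2));
```

A cookie that returns with no surviving copy in another store is not flagged, which keeps ordinary re-issued cookies out of the report.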
Hulu and Spotify, two high-profile websites that ranked among the thousands of sites using KISSmetrics, terminated their relationship with KISSmetrics after Wired.com brought all this to their attention. However, many top sites still use the service, according to the researchers.
Comments
Mighty BOB!
August 02, 2011 at 7:20am
Or you could just block the KISS cookie from ever being set in the first place. Am I the only one who has their Firefox cookie setting set to 'ask me every time'?
Of course that can't stop any of their server-side tracking that Eoraptor mentioned.
jonnyohio
August 01, 2011 at 9:18am
As a web programmer the only way I know they can do this is either using the IP address of the user and storing info in a database or using spyware installed on the user's system without them knowing it. Using IP addresses works because even if your IP is dynamic you are assigned a unique one by your provider when your modem connects. You normally will keep the same IP for a period of time. Since many people have high speed always on connections their IP will be the same even if they delete their cookies and they can use it to identify a returning visitor. There would be no way to tell how accurate data like that would be using it to span multiple sites so I hope these companies aren't spending too much money on the service. And if they are using spyware well that's just plain wrong.
Eoraptor
August 01, 2011 at 12:54pm
Not really, it's a lot simpler than that. All they have to do is get one session cookie into your system and stamp you with a UIN just once that fingerprints your browser setup and that you utilize X site with a saved login. (or whatever term they use for the number the KISS service assigns). From then on, they can use any number of methods to track you, including browser fingerprinting, subsequent cookie plants, subsequent logins, behavioral analysis, Flash cookies, redundant zombie cookies, and so on. They're probably using a matrix of all of the above to ensure they own your ass on advertising data no matter what countermeasures you utilize.
I am not familiar enough with Mac or Linux to say how they work, but remember, Windows automatically transmits certain data about your rig with every request, including browser mime type, Windows build, IP address, etc. Throw on top of that a mask of whatever plugins or modes you are using, and you've got an almost wholly unique browser fingerprint assuming you use the same machine all the time, all without the need for a second cookie; since this tracking system is actually "in the cloud" and every service using it is independently capable of rebuilding your cookie and reinserting it into your machine and synchronizing that data with all other KISS user sites, as either standard or Flash or zombie every time it sees that browser fingerprint pop up.
The only way to defeat it would be to build a new virtual machine or sandboxed browser every time you surf, along with JAP or another proxy anonymizer. Even then, humans are creatures of habit, and that's what schemes like this count on, that you'll use the same plugins, browsers, and sites in your sandbox each time.
Truly we have seen the future, and it is big brother.
MrHasselblad
August 01, 2011 at 7:22am
Chances are that even your "home version" of your ISP is selling your entire browsing history - even with your name (and much more) attached. Use internet at work? Then the same applies there as well - add onto that - that your employer might very well be selling you out as well. Going WiFi - then both the company that is giving you the free access and also the ISP are both selling your data. Which is why having a WiFi access point can be quite profitable.
Even in the United States of America there is basically no such thing as privacy for adults.
JoetheMobster
August 01, 2011 at 7:09am
The picture is a clip of the movie called "The Shining" but someone has photoshopped Cookie Monster from Sesame Street into the picture.
Blues22475
August 01, 2011 at 7:07am
Are there not any ways to bypass this (aside from staying away from those sites)?
Joe The Plummer
August 01, 2011 at 10:44am
Yes, disable JavaScript. Use Firefox with the NoScript plugin and you'll be fine.
macumber
August 01, 2011 at 6:59am
Not been a good Monday morning but that photo got a smile outta me.
Tiak
August 01, 2011 at 6:53am
I had to read this just because of the picture... that is hilarious, what's it from, specifically?
israel09
August 01, 2011 at 7:06am
It's from The Shining, just image search "Cookie monster shining"