Online Tracking Service isn't Thwarted by Deleted Cookies and Other Privacy Measures

Paul Lilly

Maintaining privacy as you surf the Web isn't rocket science, it's just a matter of knowing what you're doing and taking the proper steps to make sure sites aren't in hot pursuit. Manually deleting your browser cookies is one way to ensure a bit of privacy, and so is enabling your broswer's "Do Not Track" mechanism. If you're really worried about leaving behind bread crumbs, there's always so-called incognito browsing modes. Unfortunately, none of these work as well as you think.

Researchers at U.C. Berkeley recently discovered that many popular websites are using a tracking service that sidesteps users' attempts to block cookies, turn off storage in Flash, or enable private browsing modes, reports . The service is called KISSmetrics, and according to the researchers, it uses suspect techniques to thwart privacy controls. As the researchers explain it, if a user visits, they receive a third-party cookie set by KISSmetrics with a tracking ID number. KISSmetrics then passes that number to Hulu so that it can be used for its own cookie. When that user visits another site using KISSmetrics, that site's cookie would get the same ID number.

This method makes it possible for multiple sites using KISSmetrics to compare their databases and share information about the user, such as name, email address, and things the user likes, the researchers claim. What's more, the researchers found sites using KISSmetrics service can track users regardless of which browser they used or whether they deleted their cookies. KISSmetrics simply recreates them.

"Both the Hulu and KISSmetrics code is pretty enlightening," privacy researcher and one of the study's authors, Ashkan Soltani, told "These services are using practically every known method to circumvent user attempts to protect their privacy (cookies, Flash cookies, HTML5, CSS, cache cookies/Etags...) creating a perpetual game of privacy 'whack-a-mole'."

KISSmetrics maintains it's not doing anything underhanded and says it simply does a better job than its competitors, such as Google Analytics. The way KISSMetrics explains it, if a user visited through an ad on Facebook, and then later visited from Google using a different browser on the same computer, and at some pointed signed up for the premium service, KISSmetrics could relay to Hulu the user's path to purchase without knowing who that person is. The tracking would still be in place even if a user deleted cookies, because the code that stores the unique ID resides in places other than just cookies.

Hulu and Spotify, two high-profile websites that ranked among the thousands of sites using KISSmetrics, terminated their relationship with KISSmetrics after brought all this to their attention. However, many top sites still user the service, according to the researchers.

Around the web