Traffic Tracking Leads to Legal Woes

LOS ANGELES — Behaviorally targeted advertising is taking a blow from privacy advocates, with a series of lawsuits against top companies tracking surfers persistently.

According to a report in Wired, researchers at U.C. Berkeley have revealed a range of highly popular websites that are employing an advanced visitor tracking service that can’t be blocked,  “even when users block cookies, turn off storage in Flash, or use browsers’ ‘incognito’ functions.”

Wired says that the service, known as KISSmetrics, boasts of more accurate and comprehensive tracking than is done by its competitors, including Google Analytics, “tracking the number of visitors, what the visitors do on the site, and where they come to the site from.”

The company reportedly did this through a number of technologies, including the use of ETags and deleted cookie reconstitution, following visitors across multiple domains.

Similar to fingerprints, the ETag, or entity tag, is according to Wikipedia, “one of several mechanisms that HTTP provides for cache validation, and which allows a client to make conditional requests. This allows caches to be more efficient, and saves bandwidth, as a web server does not need to send a full response if the content has not changed.”

Optimistic concurrency control is another cited benefit of ETags, as they prevent simultaneous updates of a single resource from overwriting each other — such as when several parties are working on the same document, or website design, at the same time.

But according to a pair of California residents, they can also be abused as a form of website visitor tracking, which unlike cookie-based systems, is not normally “flushed” or blocked and therefore poses a privacy concern — while violating federal wiretapping and California laws.

The latest suit, by John Kim and Dan Schutzman, which targets KISSmetrics and 25 alleged client companies including GigaOm, iVillage and Spotify, claims that the pair “expected their browser controls to block or delete cookies, preventing them from being tracked online, profiled, and served behaviorally targeted advertisements.”

The action follows a separate suit filed last week against KISSmetrics and Hulu, contending that the companies allegedly violated federal and state laws through their use of ETag tracking technology; a technology which KISSmetrics has distanced itself from.

KISSmetrics CEO Hiten Shah responded to the suits and the allegations surrounding the company’s data collection practices in a written statement, claiming that KISSmetrics “has never shared any information about a user with any third party [and] does not track users across different websites, nor do we have the ability to do so.”

Hoping to eliminate concerns over its business practices, KISSmetrics clarified that it only uses first-party cookies for tracking, does not use ETags or other persistent cookies or objects for tracking purposes and has added stringent support for the “Do Not Track” header, along with a consumer-level opt-out for those who wish to be entirely removed from all KISSmetrics tracking.

While these cases have just begun, their message is clear: the use of unauthorized, persistent cookies or other objects intended to mitigate cache clearing and browser-enacted privacy restrictions, particularly without disclosure, may be a risky way to go.