
Class-action complaint against Kissmetrics and others for use of Flash LSO [pdf] - podman
http://gigaom2.files.wordpress.com/2011/08/complaint.pdf
======
axiak
Not just Kissmetrics in the defendants:

Space Pencil, Inc. D/B/A KissMetrics, Babypips.com, Involver.com, Moo, Inc.,
Sitening, LLC., Shoedazzle.com Inc., 8tracks Inc., About.me, Friend.ly, Giga
Omni Media Inc., Hasoffers.com, Kongregate Inc., Livemocha Inc., RocketTheme,
LLC, Fitness Keeper, Inc., Seomoz, Inc., Sharecash, LLC., Slideshare.net,
Spokeo, Inc., Spotify USA, Inc., Visual.ly, Conduit USA, FLite, Inc.,
Tangient, LLC, Etsy Inc, and iVilliage, Inc

~~~
nostromo
Getting sued sucks. Getting your customers sued... ouch.

------
rsingel
For the backstory: <http://www.wired.com/epicenter/2011/08/tracking-lawsuit/>
<http://www.wired.com/epicenter/2011/08/kissmetrics_reversal/>
<http://www.wired.com/epicenter/2011/07/undeletable-cookie/>
<http://www.wired.com/epicenter/2010/12/zombie-cookie-settlement/>

------
almightygod
the takeaway for me is respect privacy and other general laws of the country
you do business in

i personally believe kissmetrics had to fully know they had figured out a way
to bypass privacy settings and thought themselves clever for it. Most likely
they said this far too often: "It will only be a problem if we are successful
and then, hey, we are successful."

~~~
phereford
And all of this may be moot anyway with the government trying to track
everything online anyway.
<http://news.cnet.com/8301-31921_3-20084939-281/house-panel-approves-broadened-isp-snooping-bill/>

Can a court really penalize KISSMetrics when the government asks ISPs to track
all of this information anyway? What's the difference between KISSMetrics
having this info or a random ISP like Sonic.net?

~~~
almightygod
There is an agreement between the user and their ISP, I for one have never
made any agreement with KISSMetrics though I've used sites where they have
tracked my information. Now I do make an agreement between a service like hulu
when I use the site (Terms of Use) but the kicker here is (from their privacy
policy):

 _You have choices about the collection and use of your information by third
parties_

But in fact, because of KissMetrics' shenanigans, the user did not have the
choice, which is probably why Hulu is in trouble. I suspect the other
defendants have similar clauses that were not followed.

~~~
phereford
Fair enough. :)

I don't use KISSMetrics so I haven't read up on their ToS or PP. Makes sense
though.

------
ck2
This could backfire massively if the court says "no problem".

Better Privacy and Ghostery plugins are your friends, turn off local storage
in about:config -> dom.storage.enabled

Etags are rather clever though, not sure how to ignore those.

added: also remember to turn off third-party cookies in Firefox (it's there
but buried in Chrome)

Note to developers: please never, ever, rely on third-party cookies!

~~~
nikcub
The solution to Etags is to block all third-party requests by default, and let the
user selectively allow for each site they use.

Working on a plugin to do that now:

<http://github.com/nikcub/parley>

(a bit inactive only because I haven't committed to gh since initial commit,
but I will be in the next few days)

the last-modified header can also be used to track - it accepts anything. I
described it in a comment on the last thread:

<http://news.ycombinator.com/item?id=2825564>

~~~
pornel
Better solution to Etag and cache-based tracking in general would be to change
browser cache from:

    cache[url] = data

to

    cache[(url,origin)] = data

(origin is roughly the domain of the referrer)

This way you don't need to block all 3rd party requests and caching will still
work reasonably well for each site.
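
To make the double-keyed cache idea concrete, here is an added simulation (not code from the thread or from any project mentioned in it): a toy tracker that hands each fresh fetch of a pixel a random ETag and reads it back on revalidation, and a browser cache that is either keyed by URL alone or by (url, top-level origin). The hostnames are constructed for the example. With the single key, one ETag is replayed from every site that embeds the pixel, so the tracker can join those visits into one profile; with the partitioned key, each embedding site gets its own entry, so the identifier never crosses sites, while a repeat visit to the same site still gets a 304 and keeps its cache benefit.

```python
"""Single-keyed vs. origin-partitioned browser cache against ETag-based tracking.

Added example; hostnames are constructed and the tracker is a toy model.
"""
import secrets
from dataclasses import dataclass, field

TRACKER_URL = "https://tracker.example/pixel.gif"  # constructed example URL

# Order in which the user visits sites that all embed the tracker pixel.
VISITS = [
    "https://site-a.example",
    "https://site-b.example",
    "https://site-a.example",  # repeat visit: should hit the cache in both modes
    "https://site-c.example",
]


@dataclass
class Tracker:
    """Toy server: issues a random ETag on a fresh fetch and, on revalidation,
    records which top-level origin replayed it (the cross-site linkage)."""
    seen: dict = field(default_factory=dict)  # etag -> origins that replayed it

    def handle(self, if_none_match, referer_origin):
        if if_none_match in self.seen:
            self.seen[if_none_match].append(referer_origin)
            return 304, if_none_match            # same identifier comes back
        etag = secrets.token_hex(8)              # fresh per-visitor identifier
        self.seen[etag] = [referer_origin]
        return 200, etag


class BrowserCache:
    """Cache keyed by url (classic) or by (url, top-level origin) (partitioned)."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.entries = {}                        # key -> stored ETag

    def _key(self, url, origin):
        return (url, origin) if self.partitioned else url

    def fetch(self, tracker, url, origin):
        key = self._key(url, origin)
        # Send the stored validator, if any, as If-None-Match.
        status, etag = tracker.handle(self.entries.get(key), origin)
        self.entries[key] = etag
        return status


def simulate(partitioned, visits):
    """Return (status codes per visit, size of the widest cross-site profile
    the tracker could build). A widest profile of 1 means no site-to-site
    linkage through the cache."""
    tracker = Tracker()
    cache = BrowserCache(partitioned)
    statuses = [cache.fetch(tracker, TRACKER_URL, origin) for origin in visits]
    widest_profile = max(len(set(origins)) for origins in tracker.seen.values())
    return statuses, widest_profile


if __name__ == "__main__":
    for mode in (False, True):
        statuses, linked = simulate(mode, VISITS)
        label = "partitioned" if mode else "single-keyed"
        print(f"{label:13} statuses={statuses} sites linked by one ETag={linked}")
```

The same model covers Last-Modified / If-Modified-Since tracking, since that header is another validator the cache stores and replays; partitioning the cache key cuts off both without blocking third-party requests outright.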

------
podman
While I don't disagree with some of the claims made, other claims, especially
those about the harm caused to the Plaintiffs and Class Members, are pretty
amusing. They're claiming that it caused economic loss because it resulted in
unauthorized use of bandwidth without payment and that it diminished the
performance of their computers and internet connectivity.

------
lazyeye
Best way to resolve this issue? Just add "kissmetrics.com" to your ADSL modem
router URL blocking filter (assuming your router/modem has this ability). Then
the problem is resolved for all your devices..wireless or otherwise.

------
beagledude
go here and see just how many companies drop flash cookies on you:
<http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html>

~~~
podman
Not all of them use flash local storage objects maliciously, however. Many of
them use local storage objects to actually track user preferences which is how
they are intended to be used.

~~~
benologist
They're also used extensively in games for a variety of reasons (saved games,
local scores, inventory, etc).

------
ericd
They're claiming 5 million in damages for using something that's cookie-like
that doesn't respect their browser's cookie settings?

~~~
olefoo
If someone is making an effort to avoid being tracked (as is their right) and
you figure out a way to track them anyway, you are at the very least costing
them the effort they put into avoiding being tracked. You are also costing
them whatever value they attach to not being tracked. Some people do put a high
price on their privacy and make strong efforts to protect it online.

~~~
ericd
Perhaps some people do value it that highly, but let's be honest, as with
almost every class action lawsuit, this is about a couple of lawyers who saw
an opportunity to make a lot of money by acting like a white knight for a lot
of people who don't know they are or want to be a part of a lawsuit. The vast
majority of those people that they're championing don't care one whit about
being tracked for the purposes of anonymized analytics (which is what
KissMetrics is all about).

Most of their arguments are a joke (with the exception of the browser controls
circumvention, which I would say is Adobe's fault, and KissMetrics' use of the
Adobe cookie to revive deleted cookies). All in all, I think this is a pure
abuse of the justice system with a thin veneer of plausibility.

~~~
noonat
While I don't disagree that many class action lawsuits are lawyers looking for
a pay day, I think there is still value in litigation like this.

Class action lawsuits help to ensure that defendants can't get away with doing
a small amount of damage to each plaintiff, but a very large amount of damage
as a whole. There simply would not be an incentive to bring this sort of
litigation if not for this, and companies would likely get away with these
kinds of only-slightly-harmful practices. By bringing this sort of class
action, the damages can be large enough that the defendant is forced to
rethink their actions and make a change in their behavior.

Without class action, the damages would be small enough that the company could
ignore it (because so few people were suing), or the legal system would be
flooded with an inordinate number of duplicate cases in order to bring an
appreciable amount of damage to the defendants.

That said, it would be nice to see some sort of restriction on legal fees, or
on who is allowed to bring class action suits (perhaps only consumer advocacy
groups, as is true elsewhere in the world).

~~~
ericd
I think that might be a good solution (to have consumer protection/advocacy
groups be the only ones who can bring forward class actions). As it is, many
of them are promoted and put together by lawyers who have no actual interest
in the case other than the large percentage of the settlement that they end up
with.

~~~
TorKlingberg
And why is that a problem? I don't mind lawyers making money when they are
doing something useful.

~~~
ericd
Because it means that they will pursue cases irrespective of their usefulness to
society, which means that many of these cases are actually net damaging to
society. That is a problem.

------
nostromo
I thought this would be related to the story last week about KissMetrics using
etags for tracking (<http://www.wired.com/epicenter/2011/07/undeletable-cookie/>)
-- but it's not. Maybe that will bring another lawsuit entirely.

edit: corrected below, thanks!

~~~
rsingel
It is. The suit alleges both ETags and LSO.

------
kingofspain
I'm in the middle of a somewhat heated difference of opinion on whether we use
evercookie for a site I'm working on. This will help my arguments sound less
peace & love-y.

------
samarudge
This brings up an interesting point about tracking services. If a user selects
'Do Not Track' in their browser (providing it supports it), does that mean do
not track them at all? Or do not track them as a unique user? Many sites still
use software like Webalizer/AWStats or similar to track users; it would be
very complicated to set those up not to track users that send the 'do not
track' headers.

------
bystander47
What does this all mean? How does it impact startups and anyone else that runs
a web site, and how can we avoid getting sued?

Is this a completely ridiculous lawsuit, considering how many websites use
Kissmetrics and other tools?

~~~
almightygod
For all startups in general, probably not much, for kiss clients? Probably a
lot. If I used kiss the first thing I'd be doing is removing their service
from my site

------
blauwbilgorgel
What I didn't understand about this lawsuit is the following angles:

> Plaintiffs believe their decisions to disclose or not disclose information
> is their decision to make.

> To avoid being tracked online Plaintiffs used and relied on their browser
> controls.

> It is contrary to standard practices to use DOM local storage instead of
> cookies.

If you are going to put down a practice as a "hack" or "repurposing" why not
quote the standard?

<http://dev.w3.org/html5/webstorage/#user-tracking>

Very clearly it states:

> A third-party advertiser (or any entity capable of getting content
> distributed to multiple sites) could use a unique identifier stored in its
> local storage area to track a user across multiple sessions, building a
> profile of the user's interests to allow for highly targeted advertising.

To me: any effort by plaintiffs to protect their privacy is moot, especially
attacking local storage practices, when it is known that it can be used for
tracking.

W3C puts the control and responsibility back in the user's hand:

> There are a number of techniques that can be used to mitigate the risk of
> user tracking, all involve user agent/browser settings.

So in my mind:

\- Plaintiffs (or their browsers) did not do enough to protect their online
privacy.

\- Plaintiffs complain about the abuse of local storage practices, when
tracking through local storage is a very real option.

\- Plaintiffs can configure their user agent to not accept these cookies.

As for information sharing between sites: this I could see as bad, if proven.
But a KissMetrics-wide unique ID doesn't prove that such information is
shared.

Even with all security efforts in place, a user can still be tracked (by IP
and browser/system settings), and this data can still be shared. I do
e-commerce profiling, and while I don't really need a flash cookie, I also
don't really need your permission to scan my own server logs: it was you who
made the decision to disclose that information to me.

> However, user tracking is to some extent possible even with no cooperation
> from the user agent whatsoever, for instance by using session identifiers in
> URLs, a technique already commonly used for innocuous purposes but easily
> repurposed for user tracking (even retroactively). This information can then
> be shared with other sites, using visitors' IP addresses and other
> user-specific data (e.g. user-agent headers and configuration settings) to
> combine separate sessions into coherent user profiles.

------
benologist
Wonder why they single out Kiss, you can bet anything they're doing the entire
ad industry is doing too.

~~~
gcarswell
KISS is still independent and unlikely to be able to afford the legal fees to
fight it to the bitter end, increasing the trolls' chances of getting quick
settlement dollars. I hope KISS pays them in pennies.

