

Online Analytics Firm Settles Suit Over Unstoppable User Tracking - kitcar
http://www.wired.com/threatlevel/2012/10/kissmetrics-tracking/

======
seacond
It's funny how the KISSMetrics guy thinks (thought?) he was doing absolutely
nothing wrong. Let's go out to the internet-using public and ask random
people, "Do you mind if KISSMetrics tracks you across the web, even if you
have cookies turned off?"

Alas, it seems in this case the only people who are aware of KISSMetrics'
wrongdoing are security researchers (i.e., curious nerds), lawyers and some
journalists. Perhaps if the general public knew, there would be a law.

~~~
inthewoods
I thought the point was they weren't tracking you across the web. Did they
also have that capability?

~~~
seacond
The point was they are tracking you, whether you want to be tracked or not. He
seemed to think that's OK as long as the tracking wasn't "across the web".

In any event slacross the weblunti\l you do something \like od -An -tx1
/dev/urandom| of=/dev/urhdd bs=bignuml

------
dchuk
Why was this title changed to not include kissmetrics anymore?

------
btipling
Forever cookies are pretty bad. I know someone made a library as a proof of
concept, but yeah, don't actually use this.

~~~
majke
This one? <http://samy.pl/evercookie/>

Can you explain why one shouldn't use this? Is there a law in US forbidding
using Etags for cookies?

~~~
olalonde
Well, it seems KISSmetrics just had to pay 500K$ for doing just that. That
being said, I'm also wondering which specific law they broke.

~~~
gyardley
They broke the one that says 'class action trolls are expensive and time-
consuming to deal with'.

------
plinkplonk
"KISSmetrics tracking techniques worked even if a user had cookies turned off
and private browsing mode turned on"

Where can I read more about this 'unstoppable tracking'? (how) can one counter
such attempts?

~~~
jonah
"evercookie"[1]

[1] <http://samy.pl/evercookie/> etc.

~~~
evoxed
Interesting:

> PRIVACY CONCERN! How do I stop websites from doing this? Great question. So
> far, I've found that using Private Browsing in Safari will stop ALL
> evercookie methods after a browser restart.

I wonder if Safari is the only one or if it's just the only one the creator
put to the test (i.e. what about Chrome Incognito).

~~~
TeMPOraL
I can confirm that Chrome Incognito doesn't do much. After setting the cookie,
and then closing the Incognito window and starting a new one, I could see:

    userData mechanism: undefined
    cookieData mechanism: 677
    localData mechanism: 677
    globalData mechanism: undefined
    sessionData mechanism: 677
    windowData mechanism: 677
    pngData mechanism: 677
    etagData mechanism: 677
    cacheData mechanism: 677
    dbData mechanism: 677
    lsoData mechanism: 677
    slData mechanism: undefined

(where 677 was the number assigned to me and stored in the evercookie)

~~~
buro9
The important part is restarting the browser after using Incognito.

Works fine.

------
eps
Well, have they stopped doing that or have they not?

------
davidpayne11
Since my other comment got downvoted, people forgot the point. Read how strongly
this man defended and pretended to be so innocent when he was first accused:

<http://webcache.googleusercontent.com/search?q=cache:9lN3hH-jh-4J:blog.kissmetrics.com/official-kissmetrics-response-to-data-collection-practices/+kissmetrics+sued&cd=4&hl=en&ct=clnk>

Kissmetrics is a very shady company, just stay away from them!

~~~
JonLim
There were a few technical aspects that he clearly lied about (like _not_
using Etags for his cookies) but aside from that, is there anything else that
makes them "very shady"?

I ask because I'm curious. Other than this episode, I haven't really heard
much else about KISSmetrics being a bad company.

~~~
davidpayne11
It's a shady company because it's unethical and it does whatever it says it
doesn't.

