By Andrew Cohen
Some top websites continue to use tracking mechanisms that are difficult to elude—even when users take steps to opt out—according to a new survey led by Berkeley Law’s Director of Information Privacy Programs Chris Hoofnagle.
One service identified in the report, KISSmetrics, helps companies create targeted advertising by monitoring a site’s visitors: what pages they visit, where they clicked from, and what they’ve purchased based upon the user’s cache. This type of tracking mechanism using Flash cookies and is resistant to most users’ attempts to preserve privacy.
In a related 2009 study, Hoofnagle coordinated a scan of the 100 most-visited websites. More than half were using Flash cookies, and some advertising networks were “respawning” cookies that users deleted. Litigation ensued, a combined $3.5 million settlement was reached, and Flash cookies were condemned by regulators, advocates, and business leaders.
“The political consensus was, if you don’t want to be tracked you can take steps to opt out,” said Hoofnagle, a senior fellow at the Berkeley Center for Law & Technology. “Most people figured this type of activity would stop, but our follow-up survey showed otherwise.”
The new data showed that 37 sites were using Flash cookies in some way—down from 54 in 2009. Also, two sites were found to be respawning cookies with Flash. Two lawsuits have already been filed, with more expected to follow.
Hulu.com was identified in both surveys as respawning cookies. The site was using its own code and a second mechanism provided by KISSmetrics. As a result of the report, a spokeswoman told Wired.com that Hulu has stopped using KISSmetrics pending further investigation.
“All of this is about is whether your technical actions, your privacy-seeking behavior, will be affected by advertisers,” Hoofnagle said. “It’s a major issue that will get more and more attention in the months ahead.”
While standard HTTP cookies can’t save more than four kilobytes of data, Flash cookies—which are stored outside the browser—save up 100 kilobytes by default. Hoofnagle found that KISSmetrics was effective even when users had actively blocked their cookies and enabled private-browsing mode.
The research survey, available here, took eight weeks to complete. It was conducted by two UC Berkeley students and supervised by Hoofnagle and two graduate students.
Their findings showed Hulu visitors would get a “third-party” cookie set by KISSmetrics, with a tracking ID number. KISSmetrics would relay that number to Hulu. If a user visited another site that ran KISSmetrics, that site’s cookies would receive the same ID number and could share information with Hulu about the user’s email address, browsing history, and preferences.
“Cookie backup and respawning should be a non-practice,” Hoofnagle said. “Hulu’s website mentioned that the company uses Flash, but that’s all. Is that sufficient notice? I’d argue no, because the concept is too hard to explain. You have to walk people through what a cookie is, how it can be deleted, and other related functions. That’s beyond what people should be expected to grasp when browsing online.”