A group of respected security researchers have published a paper documenting the tactics used by KISSmetrics -- a company that counts Hulu and many other Internet giants among its customers -- to install and read back cookies on your computer even if you don't want them. Using a kind of kitchen-sink approach, KISSmetrics is able to track your computer even if you've got cookies, Flash cookies and other common cookie-setting vectors turned off. It's one thing for companies to say that they only gather information about users who allow such tracking; it's another thing for a company to go to endless lengths to circumvent their users' best attempts to shield themselves from tracking.
“Both the Hulu and KISSmetrics code is pretty enlightening,” Soltani told Wired.com in an e-mail. “These services are using practically every known method to circumvent user attempts to protect their privacy (Cookies, Flash Cookies, HTML5, CSS, Cache Cookies/Etags…) creating a perpetual game of privacy ‘whack-a-mole’.”Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (paper)
“This is yet another example of the continued arms-race that consumers are engaged in when trying to protect their privacy online since advertisers are incentivized to come up with more pervasive tracking mechanisms unless there’s policy restrictions to prevent it.”
They point to their research that found that when a user visited Hulu.com, they would get a “third-party” cookie set by KISSmetrics with a tracking ID number. KISSmetrics would pass that number to Hulu, allowing Hulu to use it for its own cookie. Then if a user visited another site that was using KISSmetrics, that site’s cookie would get the exact same number as well.
So that makes it possible, the researchers say, for any two sites using KISSmetrics to compare their databases, and ask things like “Hey, what do you know about user 345627?” and the other site could say “his name is John Smith and his email address is firstname.lastname@example.org and he likes these kinds of things.”