Perma-cookie wars continue: KISSMetrics sneaks cookies back onto your computer even if you turn off every cookie vector

A group of respected security researchers have published a paper documenting the tactics used by KISSmetrics -- a company that counts Hulu and many other Internet giants among its customers -- to install and read back cookies on your computer even if you don't want them. Using a kind of kitchen-sink approach, KISSmetrics is able to track your computer even if you've got cookies, Flash cookies and other common cookie-setting vectors turned off. It's one thing for companies to say that they only gather information about users who allow such tracking; it's another thing for a company to go to endless lengths to circumvent their users' best attempts to shield themselves from tracking.

“Both the Hulu and KISSmetrics code is pretty enlightening,” Soltani told Wired.com in an e-mail. “These services are using practically every known method to circumvent user attempts to protect their privacy (Cookies, Flash Cookies, HTML5, CSS, Cache Cookies/Etags…) creating a perpetual game of privacy ‘whack-a-mole’.”
“This is yet another example of the continued arms-race that consumers are engaged in when trying to protect their privacy online since advertisers are incentivized to come up with more pervasive tracking mechanisms unless there’s policy restrictions to prevent it.”
They point to their research that found that when a user visited Hulu.com, they would get a “third-party” cookie set by KISSmetrics with a tracking ID number. KISSmetrics would pass that number to Hulu, allowing Hulu to use it for its own cookie. Then if a user visited another site that was using KISSmetrics, that site’s cookie would get the exact same number as well.
So that makes it possible, the researchers say, for any two sites using KISSmetrics to compare their databases, and ask things like “Hey, what do you know about user 345627?” and the other site could say “his name is John Smith and his email address is this@somefakedomainname.com and he likes these kinds of things.”

Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (paper)

Researchers Expose Cunning Online Tracking Service That Can’t Be Dodged (Wired) (via /.)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: Business • cookies • privacy • security

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

dav von TRI

solution stop eating cookies, and using OS that supports this feature.
http://paulbeard.org/wordpress paul beard

Not sure what else this would break but if you’re denying all cookies, locking the file at the filesystem/OS level would prevent anything new from being written. The browser may balk at that or work around it, maybe.

EDIT: meh. Safari just changes the permissions back to allow writing. So it’s not *that* simple.

Seems to me there may be an opportunity for a plugin or something that intercepts these operations and either fakes the handshake so the offending site thinks it was successful or munges the data so that the data it reads/writes is useless. Or maybe a reporting tool that tells you about recent updates to cookie database, maybe that notices similarities to that triangulation as described above is harder to get away with. Not using cookies at all is not much of an option for most people but educating/empowering people is always a good idea.
dav von TRI

hey post url to the white paper, the current url is just the abstract.
http://openid.kibbee.ca/ Kibbee

I think the only interesting thing going on here is that they use the same ID across all the sites they track. This allows sites to share information if they want. But I don’t see how they do any additional tricks to get you to keep the cookies. If you set your browser to delete all cookies upon exit (like I do) then you should be pretty safe. Many of these services (hulu, spotify) have your real information anyway for billing purposes. So it would be easy for them to cross reference users between eachother if they wanted to. Also, did anybody check out the huge list of cookies that boingboing is serving up?
dav von TRI

nevermind there is a link to the pdf, of the entire report, still i wonder how this effects me, if i boot/load browser of a CD, no place to save right? guess some crafty individual would write new bios, but thats a very limited space.
- Just_Ok
  
  nothing is stored on your computer.
GrymRpr

This “Cookie” uses Java Sooo…. Firefox and No script should take care of the issue.
Not using java is another option lol
- Jason Campisi
  
  There is always blocking their services via a good old host file redirect. If you can’t access their “services”, then they can’t track you. Hopefully, it will be added to http://someonewhocares.org/hosts/
http://www.facebook.com/duguk Dug Stokes

From what I’ve read, it doesn’t *just* use Cookies, but also requires ETags. (HTTP Entity Tags).

I believe that disabling Javascript may stop it; but turning off ETags and disabling cookies should definitely stop it.

Read mostly from the Slashdot article; there’s plenty of suggestions there: http://yro.slashdot.org/story/11/07/30/1458235/Researchers-Expose-Tracking-Service-That-Cant-Be-Dodged
http://www.facebook.com/duguk Dug Stokes

Javascript, not Java.
JayByrd

About par for the course, seeing how Rupert Murdoch’s NewsCorp is a major owner of Hulu.
Benjamin Katz

Perhaps there’s a technological muddling solution — the equivalent of sharing a grocery store rewards card over hundreds of people. The marketers get to claim great tracking numbers & we get the protection of completely confusing their data.

I’m thinking a “Cookie-trader.” One day I’m a stock brocker from NY, the next a stay at home parent from Quebec and the third day, a 12-year kid from Japan.
Ambiguity

Kind of sleazy, but you have to admire their technical chops!

I agree with Grym: Judicious use of NoScript+Firefox will help with this issue. If you’re not even running JS and flash for the domain, that closes a lot of the vectors. Not entirely sure about the HTML5, though…
freshyill

How the hell are people still confusing java and javascript? Is it still 1996? Have the last 15 years all happened in my head?
justawriter

There has to be a DMCA violation in there someplace, doesn’t here? With all the circumventing, installing and internal poking around and the DMCA’s overreaching definitions of well, everything security related, I don’t see how the creators of this superduper cookie couldn’t be sued from here to Christmas. It would be nice to see one of the Devil’s tools used for angel work for once.
http://nibrahim.net.in/ Noufal Ibrahim

Why not just alias kissmetrics.com to 127.0.0.1 in the local hosts file and move on? They can’t track you if your computer never connects to their website can they?
kktkkr

Want to stop supercookies? Uninstall everything, format the drive, reinstall everything and continue. Repeat for every site you visit. I do that every time I clean my room.

(Which browser will be the first to add tracking sites to automatic domain blacklisting?)
- http://twitter.com/sqlrob Rob
  
  That’s actually trivial to do nowdays.
  
  KVM / VMWare / Virtual Box image that reverts on close, done.
Kompani

Could I charge Kissmetric.com for taking this information if I have not freeley given it. Like charging rent for a piece of software / cookie being on my property that has not got my permission to be there? If everyone charged say £1/$1 per week for this privelage I’m sure they would soon stop.
semiotix

Fark.com, the original Wired article, and a few other places I read have comments about the stuff covered here.

It’s kind of amazing how many people are saying “Pfff, that’s nothing, all you have to do is ______.” Except they’re all saying something different, and none of them seem to be bothered that none of the computer scientists in the article can see a way around it.

I’m just saying, guys.
RJ

Federated Media, Boing Boing and Disqus also have tracking systems in place. If you refuse the Disqus tracking bug, for instance, you can’t see or add comments to Boing Boing or other participating sites. Once I log in to Disqus, my ID can then be linked to my presence on Facebook, Twitter and Google. At that point, access to personal info is easy to obtain and the targeted marketing process can begin.

KISSmetrics is on the cutting edge of sleaze, but Boing Boing isn’t exactly as pure as the driven snow, either. It would be easy to sound like a hypocrite if you complain too loudly about tracking.
- Cowicide
  
  But do you see where Boing Boing is attempting to go out of their way to track people who don’t want to be tracked?
  
  I actually appreciate that now I don’t have to sign in each time I visit BB. There’s a huge difference between convenience and connivance.
- BarBarSeven
  
  You are ridiculous. The issue is not cookies in general but methods used to circumvent users choices to avoid cookie tracking. 100% different. I am using Disqus right now but not with my Facebook or Twitter ID but with a 100% separate BoingBoing account. Anyone can do this. If you are so paranoid about privacy, then why don’t you do that? If the issue is convenience or laziness, that is not an apt discussion because you are choosing laziness in ease of login to violate the privacy on one hand that you oddly seem so inclined to violate on the other.
- thatbob
  
  It’s true. I had to allow Pop Ups and Third Party Cookies in order to make this comment. Will I remember to turn those features off before I go do something else? Maybe today, but probably not every day.
- .
  
  Disqus and Boing Boing are session cookies only for me, so there is no persistance. I have always had firefox set to prompt me for cookies so I can make long term cookies into session cookies.Kissmetrics has been blocked for ages on my machine.
- http://boingboing.net/ Rob Beschizza
  
  It’s true that we have tracking (google analytics, chartbeat and whatever comes through the ad network), but these guys are deliberately preventing people from making the decision not to be tracked. You’re welcome to block our ads, traffic stats and so forth and we make no efforts to stymie such efforts.
  However, I was thinking of making it so the site serves a little picture saying “Thanks for not blocking our ads!” but only for people who are blocking ads.
  - Ambiguity
    
    By my count, this very comment page loads javascript from 20 different domains.
    
    I don’t purposefully block ads — after all, the viewers are your “product,” and it’s how you generate revenue to run the site. And a certain amount of tracking is reasonable too: for example, I always allow Google analytics to load, because that’s useful information for you, and it doesn’t really compromise my privacy.
    
    But you have to keep in mind that figuring out who’s tracking you and what’s happening to your privacy is pretty much impossible. 20 domains for a single site? And how many sites do I visit?
    
    So really, it’s become that there’s no way to really be a good “customer” on the Internet. If you want to protect your privacy while still working with the content providers you’ve set yourself to an impossible task. Either you trust the intentions of 20 different domains, or you block all content and then selectively allow that which allows the site to function. And when you do that… well, in the same way that privacy takes it in the shorts from the wide net cast be the advertisers, your ability to serve ads may end up getting caught in your user’s wide net.
    
    It’s an arms race really, and I see no end in site
- http://www.facebook.com/larratt Shannon Larratt
  
  The one good thing though about the move to Disqus is that (and I hope time doesn’t prove me wrong) is that under the old system there is a very good chance that your comment would never have been read by the public due to a moderation policy that very aggressively censored anything critical of the site. So from a political point of view, there is good and bad that’s come from Disqus… But I think that it’s not just BB and KISS these days aggressively tracking via dubious methods… it’s everyone… all the kettles are very, very black. The only solution I’ve seen that seems like it would work is the one that blocks traffic to KISS’s sites, but this would be easy for them to solve by just routing the tracking traffic through the webserver making the blocking impossible. I’m sure this would happen quite quickly should enough people choose to block the tracking.
  
  I think the best we can hope for is transparency. Tracking isn’t going away.
http://www.jjsaul.com Jim Saul

Those suggesting technical workarounds… those are very informative, useful ideas. But the deeper point is the “whack-a-mole”/arms-race aspect. This company is behaving more like a botnet trojan in their determination to undermine every counter you try. It sort of defeats the idea that you have a right to opt out of such tracking. Because of their broad install base, not only are you unknowingly using their clients, but they are sharing info between sites.

Even if you use a system that wipes between boots, the tracking connects your sessions together to complete the data. If you get a new IP every time as well, wanna bet your browser feeds enough data points about your software stack and hardware specs to generate a good pattern match to your file in their DB?

Yes, yes, we all know there’s no privacy on the internet. But do you really behave in accordance with this knowledge? Are you comfortable that your elderly loved ones are equipped for this kind of technical gamesmanship?tl,dr: everyone is watching your grandmother masturbate.
jccalhoun

It is too bad that the wired article isn’t clearer about what is going on. They mention ETags: http://en.wikipedia.org/wiki/HTTP_ETag
Which looks like the site basically sends every user a unique hash number of an image or something and as an attempt to have smarter caching your browser sends that hash back to the site to see if the image on the site has changed. The site then knows that you are the same person as the first person they sent the unique hash number to.
Xof

People being craven shouldn’t surprise anyone, of course, but it does require a special kind of moral lacuna to say, “Hm, people don’t want to be tracked by us, and are taking active precautions against it. How can we defeat their attempts?”
alllie

I find this article pretty hypocritical since boingboing’s new comment contractor requires a poster to allow them to put a cookie on us or no posting. I’m very disappointed in this change in boingboing. Bad boingboing.
Telegram Sam

Hulu is also the only website I’ve encountered that takes offense if an IP address was running a non-exit Tor relay several months previously.

“Based on your IP address, we noticed you are trying to access Hulu through an anonymous proxy tool. Hulu is not currently available outside the U.S. If you’re in the U.S., you’ll need to disable your anonymizer to access videos on Hulu.”

“Non-exit” meaning that Hulu wouldn’t have received anonymous traffic identifying itself as from the suspected IP address when it was running a Tor relay. The pretext for remaining blacklisted appears simply that the IP address had once been found listed in Tor network status, regardless of the indicated exit configuration.

If you’re running a non-exit Tor relay, and changing IP addresses periodically, it’s doubtful you’ll ever receive an abuse complaint. Yeah, maybe you’re helping some pro-democracy activist in Belarus avoid being picked up by the KGB. But you need to know: you’re very likely interfering with Hulu’s commercial revenue from innocent bystanders who just wanna watch The Bachelorette.

Do you really want that on your conscience?
Thomas Zaraat

I use the Ghostery add-on and I have to allow an exception for Disqus or white-list Boing-boing to even -see- these comments.

Even then I can’t post unless I also allow Disqus to dump a third-party cookie upon me

Meh.
- t3kna2007
  
  Can someone explain Ghostery’s business model and how that allows them to protect user privacy? Who is paying them to do what they do, and why?
  
  ABP, NoScript, and RequestPolicy were created by people who, as far as I can tell, cared about not having to wait for/look at ads, not having browser weaknesses exploited, and not having sites track you as you make your way across the web. Ghostery seemed to start that way, but then it got bought and I can’t really tell where they stand now.
  - Thomas Zaraat
    
    All I know is what the faq on their site says: http://www.ghostery.com/faq
    
    It sounds like they (Evidon) want to be like the Better Business Bureau.
    
    If worst comes to worst someone could always reverse engineer their add-on.
RJ

@beschizza

And that’s really the big difference; KISSmetrics is occupying a grey area between aggressive marketing and malicious exploitation, while Disqus (and many others) withhold content until the user submits to a cookie, ETag or LSO being set. In other worse, a shakedown is worse than bribery.
awjt

Privacy is not the same as anonymity! I want people to know who I am, but I don’t want ‘em calling me all the friggin’ time, interrupting dinner. That’s the difference.
Guest

That Gene Simmons will do anything for a buck.
nosehat

That Etags trick is actually really clever. It’s dishonest as hell–gaming the system to deliberately circumvent what the user has explicitly requested if they’ve turned off cookies–but in the abstract it’s a really clever hack.

It looks like they sat down and looked at the sum total of all the information traded between server and client, and looked for ways any of that could be re-purposed or exploited to track users.

So they took a simple protocol designed to save bandwidth and make browser cacheing smarter. This has nothing to do with cookies, flash, or javascript, so the only way you can protect yourself from Etag tracking would be to disable live caching on your browser (which you can’t do on Firefox without messing around with the config file, something an average user will balk at). If you do disable live caching entirely, your experience of the web will be considerably slower, and you will use a lot more bandwidth. In other words, this solution would probably suck for you more than it would suck for them. An intermediate solution would be to wipe your cache every time you close your browser, and Firefox does have a setting for this on the Preferences menu if you drill down a bit.

I’d rather see a little add-on that scrambles every Etag sent back to a KISSMetrics site (hulu, etc). If even a few people used this, their database of unique users would quickly balloon to the point of uselessness. ;)
http://twitter.com/DupeMax Max Dupenet

You can opt-out on their website http://www.kissmetrics.com/user-privacy. They claim this would work across all KISSmetrics-enabled websites. Does anyone know if the global opt-out really works?