If you think your browser’s “incognito mode” (AKA “porn mode”) will protect you from being tracked by a website, you shouldn’t feel so confident. A new report outlines a technology that can track a user, and there’s nothing a user can do about it aside from avoiding the site.
The technology comes from a company named KISSmetrics. A study was released on Friday by a team of UC Berkeley privacy researchers. Noted privacy researcher Ashkan Soltani, part of the team, said, “The stuff works even if you have all cookies blocked and private-browsing mode enabled. The code itself is pretty damning.”
The technology is different from the previously known Flash cookie (or Local Shared Object) “feature.” That form of browser cookie re-spawning technology was first uncovered in 2009, and eventually led to regulatory inquiries and a class-action lawsuit. That suit was settled for $2.4 million and a promise by ad-tracking firms Clearspring and Quantcast to halt use of that method.
One of the sites named in that suit was Hulu. As part of the settlement, Hulu was only required to disclose its Flash storage policy to users and provide a link in the policy that would show users how to disable Flash data storage (you can clear data and reset privacy settings for Flash on your computer here).
The new study reprised the original one, and discovered that Hulu has continued to use Flash cookies (as a consumer-facing website, rather than an ad-tracking service, Hulu is still able to use the technology), but it also found that cookie re-spawning was taking place via a service hosted at KISSmetrics.com.
This re-spawning used a feature of the browser cache known as ETags to recreate cookies, and the researchers noted that to the best of their knowledge, this was the first use of ETag tracking “in the wild.”
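A browser returns a cached resource's ETag in the `If-None-Match` request header when it revalidates that resource, so a cookie that reappears after being cleared, on a request that carried only that validator, is the trace to look for in captured traffic. The check below is an added example, not code from the study or from KISSmetrics; the URLs, cookie name and values are constructed, and it assumes one `Set-Cookie` header per response.

```python
# Constructed capture (not real traffic). Each URL is fetched twice; cookies
# were cleared between the two fetches, but the browser cache was kept.
CAPTURE = [
    {"url": "https://tracker.example/i.js", "req": {},
     "resp": {"ETag": '"u-7f3a9c"', "Set-Cookie": "uid=7f3a9c; Path=/"}},
    {"url": "https://tracker.example/i.js",
     "req": {"If-None-Match": '"u-7f3a9c"'},        # no Cookie header sent
     "resp": {"ETag": '"u-7f3a9c"', "Set-Cookie": "uid=7f3a9c; Path=/"}},
    {"url": "https://static.example/app.css", "req": {},
     "resp": {"ETag": '"v42"'}},
    {"url": "https://static.example/app.css",
     "req": {"If-None-Match": '"v42"'}, "resp": {"ETag": '"v42"'}},
]


def sent_cookie_names(req):
    """Names of the cookies the browser actually sent with this request."""
    pairs = req.get("Cookie", "").split(";")
    return {p.split("=", 1)[0].strip() for p in pairs if "=" in p}


def set_cookie_pair(resp):
    """(name, value) from a single Set-Cookie header, attributes dropped."""
    name, _, value = resp.get("Set-Cookie", "").split(";")[0].partition("=")
    return name.strip(), value.strip()


def find_etag_respawns(capture):
    """Flag responses that restore a cookie the browser no longer holds when
    the only stored state the request carried was a cache validator."""
    issued = {}      # url -> {cookie name: value} seen on earlier responses
    findings = []
    for ex in capture:
        name, value = set_cookie_pair(ex["resp"])
        validator = ex["req"].get("If-None-Match")
        prior = issued.setdefault(ex["url"], {})
        if (name and validator
                and name not in sent_cookie_names(ex["req"])
                and prior.get(name) == value):
            findings.append((ex["url"], name, validator))
        if name:
            prior[name] = value
    return findings


if __name__ == "__main__":
    for url, name, validator in find_etag_respawns(CAPTURE):
        print(f"{url}: cookie {name!r} restored after If-None-Match {validator}")
```

A match is a lead rather than proof: repeating the fetch with the cache cleared as well shows whether the identifier really travels in the ETag.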
In response to the publication of the report, one high-profile customer of KISSmetrics has already severed ties with the company: Hulu. In addition, Spotify, which recently launched in the U.S., halted use of the technology while it investigates the situation, which falls short of cutting ties with KISSmetrics, but is a move in that direction.
Soltani added, “This is yet another example of the continued arms-race that consumers are engaged in when trying to protect their privacy online since advertisers are incentivized to come up with more pervasive tracking mechanisms unless there’s policy restrictions to prevent it.”
On the positive side, the study found that fewer sites are using Flash cookies and fewer are re-spawning cookies using Flash. Interestingly, of the top 100 sites on the Web that the study looked at, 97 of them had some sort of Google tracking cookie on them. The only three that did not were ups.com, wikipedia.org, and (it makes sense) microsoft.com.