Hacker News
Online Analytics Firm Settles Suit Over Unstoppable User Tracking (wired.com)
60 points by kitcar on Oct 25, 2012 | hide | past | favorite | 25 comments



It's funny how the KISSMetrics guy thinks (thought?) he was doing absolutely nothing wrong. Let's go out to the internet-using public and ask random people, "Do you mind if KISSMetrics tracks you across the web, even if you have cookies turned off?"

Alas, it seems in this case the only people who are aware of KISSMetrics' wrongdoing are security researchers (i.e., curious nerds), lawyers and some journalists. Perhaps if the general public knew, there would be a law.


I thought the point was they weren't tracking you across the web. Did they also have that capability?


The point was they are tracking you, whether you want to be tracked or not. He seemed to think that's OK as long as the tracking wasn't "across the web".

In any event it's "across the web" until you do something like `od -An -tx1 /dev/urandom | of=/dev/hdd bs=bignum`


Why was this title changed to not include kissmetrics anymore?


Forever cookies are pretty bad. I know someone made a library as a proof of concept, but yeah, don't actually use this.


This one? http://samy.pl/evercookie/

Can you explain why one shouldn't use this? Is there a law in US forbidding using Etags for cookies?


I find evercookie a really hilarious example of unintended consequences. I think when the author released it he thought there would be so much uproar that browser vendors would rush to plug all the gaps. But they didn't, so evercookie remains an absolutely awesome tool for unethical marketing companies - he handed it to them on a plate.


There's morals and ethics which should forbid it.


Well, it seems KISSmetrics just had to pay 500K$ for doing just that. That being said, I'm also wondering which specific law they broke.


They broke the one that says 'class action trolls are expensive and time-consuming to deal with'.


[deleted]


I don't recall ever reading anything by Eric Ries saying you should track your customers no matter how hard they try to prevent you from tracking them.


"KISSmetrics tracking techniques worked even if a user had cookies turned off and private browsing mode turned on"

Where can I read more about this 'unstoppable tracking'? (how) can one counter such attempts?


I write about this stuff on my blog. For example, using Last-Modified for the same effect as the ETag in OP:

http://www.nikcub.com/posts/persistant-and-unblockable-cooki...

also posts with tips and more info in the archives:

http://www.nikcub.com/archive

What I do is I use 3 different browsers, 2 is OK. All your 'apps' such as webmail, Facebook, etc. you use on one browser. Install Disconnect, AdBlock, NoScript etc. and disable Flash, Java etc. on the second browser and use that for all your web browsing. Kill the history and cookies on this browser regularly. Don't ever be tempted to 'browse' using the browser you have your apps logged in on.

I have a third browser with flash enabled where I copy paste URLs into if I ever need flash for something, which is less and less often.


"evercookie"[1]

[1] http://samy.pl/evercookie/ etc.


Interesting:

> PRIVACY CONCERN! How do I stop websites from doing this? Great question. So far, I've found that using Private Browsing in Safari will stop ALL evercookie methods after a browser restart.

I wonder if Safari is the only one or if it's just the only one the creator put to the test (i.e. what about Chrome Incognito).


I can confirm that Chrome Incognito doesn't do much. After setting the cookie, and then closing the Incognito window and starting a new one, I could see:

  userData mechanism: undefined
  cookieData mechanism: 677
  localData mechanism: 677
  globalData mechanism: undefined
  sessionData mechanism: 677
  windowData mechanism: 677
  pngData mechanism: 677
  etagData mechanism: 677
  cacheData mechanism: 677
  dbData mechanism: 677
  lsoData mechanism: 677
  slData mechanism: undefined
(where 677 was the number assigned to me and stored in the evercookie)


The important part is restarting the browser after using Incognito.

Works fine.


> (how) can one counter such attempts?

I think I'm mostly safe the way I browse: Firefox with Cookie Monster denying everything (except whitelist), NoScript blocking all javascript (except whitelist), and RequestPolicy blocking all cross site requests (except whitelist).

In theory, this would not protect against the ETag header technique being used if it were being implemented by the site itself, but since I believe it was actually done via a 3rd party request to KISSmetrics' domain, RequestPolicy should block it.


Well, have they stopped doing that or have they not?


Since my other comment got downvoted, people forgot the point. Read how strong this man defended and pretended to be so innocent when he was first accused:

http://webcache.googleusercontent.com/search?q=cache:9lN3hH-...

Kissmetrics is a very shady company, just stay away from them!


There were a few technical aspects that he clearly lied about (like not using Etags for his cookies) but aside from that, is there anything else that makes them "very shady"?

I ask because I'm curious. Other than this episode, I haven't really heard much else about KISSmetrics being a bad company.


It's a shady company because it's unethical and it does whatever it says it doesn't.


[deleted]


I know some seriously shady white Americans... If you have evidence of some cultural phenomenon that validates your claims then that would be interesting to read about, but generalisations of an entire race based on your personal experiences with a few people is... not really appropriate for this website.


> I am not discriminating anyone by their nationality

You say that, yet you go on to generalize over an entire race.


Please stop this. It doesn't belong on HN.

