Aug 1, 2011 16:23 GMT

A team of researchers from U.C. Berkeley has discovered a web metrics service, used by many large websites including Amazon, Hulu and Spotify, that employs tracking methods impossible for users to prevent.

Everyone is familiar with HTTP cookies, the little text files that websites set in order to remember their visitors. Browsers have offered the option to block all cookies for years now, but this is insufficient because companies that benefit from web tracking have found alternative methods.

One of these is Flash Local Storage Objects (LSOs), locations outside of the browser where Flash applications can keep their user-defined settings, for example the volume of a video player or its playlist.

However, LSOs have been abused in the past to store and re-spawn HTTP cookies when they were deleted, a practice that earned them the name of Flash cookies.

A number of large websites including Disney and Hulu, who used tracking technologies from Clearspring and Quantcast, were sued for using Flash cookies. The class action lawsuit was settled for $2.4 million.

However, security researcher Samy Kamkar created a proof-of-concept JavaScript API called "evercookie" to outline the multiple methods which can be used to track users.

In addition to HTTP and Flash cookies, Kamkar's evercookie used HTML5 session storage, HTML5 local storage, HTML5 global storage, HTML5 database storage (SQLite) and the RGB values of PNG images to store unique identifiers.

U.C. Berkeley researchers found a major service called KISSmetrics that employs some of these techniques and more. When analyzing its tracking script, the researchers found that it uses HTTP and Flash cookies, localStorage, IE userData and ETags.

ETag tracking is a method which relies on a signature in the browser header. According to the researchers, this technique has never before been seen on a major website, let alone a service used by many such sites.
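An audit for the ETag behaviour described above can be run over recorded HTTP exchanges. This is an added example, not code from the researchers or from KISSmetrics: it flags ETags that differ per browser profile for identical content, and cookies that return after being cleared on a request carrying only `If-None-Match`. The capture format, field names, hosts and values are all constructed assumptions.

```javascript
// Constructed capture: two fresh browser profiles (A, B) fetch the same script,
// then profile A clears its cookies (cache kept) and fetches it again.
// Hosts, values and hashes are made up for illustration.
const capture = [
  { profile: 'A', phase: 'first', url: 'https://metrics.example/t.js', req: {},
    res: { status: 200, etag: '"id-7f3a91"', 'set-cookie': 'uid=7f3a91' }, bodyHash: 'h1' },
  { profile: 'B', phase: 'first', url: 'https://metrics.example/t.js', req: {},
    res: { status: 200, etag: '"id-c04d2e"', 'set-cookie': 'uid=c04d2e' }, bodyHash: 'h1' },
  { profile: 'A', phase: 'cleared', url: 'https://metrics.example/t.js',
    req: { 'if-none-match': '"id-7f3a91"' },
    res: { status: 304, etag: '"id-7f3a91"', 'set-cookie': 'uid=7f3a91' }, bodyHash: null },
  { profile: 'A', phase: 'first', url: 'https://cdn.example/lib.js', req: {},
    res: { status: 200, etag: '"v42"' }, bodyHash: 'h2' },
  { profile: 'B', phase: 'first', url: 'https://cdn.example/lib.js', req: {},
    res: { status: 200, etag: '"v42"' }, bodyHash: 'h2' },
];

// A content validator should be the same for identical bytes. Flag URLs whose
// body hash matches across profiles while every profile got a different ETag.
function perProfileEtags(entries) {
  const byUrl = new Map();
  for (const e of entries.filter(x => x.phase === 'first' && x.res.etag)) {
    if (!byUrl.has(e.url)) byUrl.set(e.url, []);
    byUrl.get(e.url).push(e);
  }
  return [...byUrl].filter(([, es]) => es.length > 1 &&
    new Set(es.map(e => e.bodyHash)).size === 1 &&
    new Set(es.map(e => e.res.etag)).size === es.length
  ).map(([url]) => url);
}

// Respawn: a request sent without a Cookie header but with If-None-Match gets
// back the same cookie that profile held before its cookies were cleared.
function respawnedCookies(entries) {
  const before = new Map();
  const hits = [];
  for (const e of entries) {
    const key = e.profile + ' ' + e.url;
    const cookie = e.res['set-cookie'];
    if (e.phase === 'first' && cookie) before.set(key, cookie);
    if (e.phase === 'cleared' && !e.req.cookie && e.req['if-none-match'] &&
        cookie && cookie === before.get(key)) hits.push({ profile: e.profile, url: e.url, cookie });
  }
  return hits;
}

console.log(perProfileEtags(capture), respawnedCookies(capture));
```

A per-profile ETag can also come from differently configured servers behind one hostname, so the first check is a lead and the respawn check is the confirmation.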

"Both the Hulu and KISSmetrics code is pretty enlightening. These services are using practically every known method to circumvent user attempts to protect their privacy (Cookies, Flash Cookies, HTML5, CSS, Cache Cookies/Etags…) creating a perpetual game of privacy ‘whack-a-mole’," Ashkan Soltani, one of the researchers, told Wired.

KISSmetrics founder Hiten Shah defended the company's practices, saying they aren't illegal or malicious and pointing out that the gathered data is anonymized. The company also offers an opt-out mechanism to consumers.