www.wired.com Open in urlscan Pro
151.101.194.194  Public Scan

Form analysis
1 forms found in the DOM

Name: newsletter-subscribe — POST

<form class="form-with-validation NewsletterSubscribeFormValidation-dsEeXm hFsbmt" id="newsletter-subscribe" name="newsletter-subscribe" novalidate="" method="POST"><span class="TextFieldWrapper-fATMju fYBzJc text-field"
    data-testid="TextFieldWrapper__email"><label class="BaseWrap-sc-UrHlS BaseText-fFrHpW TextFieldLabel-gQcDkL boMZdO cVQgRL lnVWmv text-field__label text-field__label--single-line" for="newsletter-subscribe-text-field-email"
      data-testid="TextFieldLabel__email">
      <div class="TextFieldLabelText-iZAlqq gknmQw">Your email</div>
      <div class="TextFieldInputContainer-fvxQdo fGWXMP"><input aria-describedby="privacy-text" aria-invalid="false" id="newsletter-subscribe-text-field-email" required="" name="email" placeholder="Enter your email"
          class="BaseInput-jMfMHZ TextFieldControlInput-dlIoEs seydY bxCIEB text-field__control text-field__control--input js-bound" type="email" data-testid="TextFieldInput__email" value=""></div>
    </label><button class="BaseButton-azpcp ButtonWrapper-dPwOur iREBFW dvIDTl button button--utility TextFieldButton-hEVqzz TLBVD" data-event-click="{&quot;element&quot;:&quot;Button&quot;}" data-testid="Button" type="submit"><span
        class="ButtonLabel-eAHUfq bCFzBu button__label">SUBMIT</span></button></span>
  <div id="privacy-text" tabindex="-1" class="NewsletterSubscribeFormDisclaimer-dhZnPK gXYMEx"><span>By signing up you agree to our <a href="https://www.condenast.com/user-agreement" data-uri="0e2627a1d52411aad453c2b6ee7714bc">User Agreement</a>
      (including the <a href="https://www.condenast.com/user-agreement#introduction-arbitration-notice" data-uri="236f201ae9ddf3270eb29786d5ec3ffe"> class action waiver and arbitration provisions</a>), our
      <a href="https://www.condenast.com/privacy-policy" data-uri="f7e634538742e22b7f888cac388a5887">Privacy Policy &amp; Cookie Statement</a> and to receive marketing and account-related emails from WIRED. You can unsubscribe at any time.</span>
  </div>
</form>

Text Content

Skip to main content

Open Navigation Menu
Menu
Story Saved

To revist this article, visit My Profile, then View saved stories.

Close Alert
Close

Researchers Expose Cunning Online Tracking Service That Can't Be Dodged
 * Backchannel
 * Business
 * Culture
 * Gear
 * Ideas
 * Science
 * Security

Story Saved

To revist this article, visit My Profile, then View saved stories.

Close Alert
Close
Sign In

SUBSCRIBE


GET WIRED


+ A FREE TOTE

SUBSCRIBE


Search
Search
 * Backchannel
 * Business
 * Culture
 * Gear
 * Ideas
 * Science
 * Security

 * Podcasts
 * Video
 * Artificial Intelligence
 * Climate
 * Games
 * Newsletters
 * Magazine
 * Events
 * Wired Insider
 * Jobs
 * Coupons

Get WIRED for just $29.99 $10. Plus, get a free tote! Get WIRED for just $29.99
$10. Subscribe now. Subscribe now. Subscribe now.
Get 1 year of WIRED for just $29.99 $10. Get WIRED for just $29.99 $10.

Enjoy unlimited access to WIRED.com and the print edition of the magazine for
less than $1 per month.
Plus, get a free tote!

Plus, get a free tote!

SUBSCRIBE SUBSCRIBE SUBSCRIBE

Already a subscriber? Sign-In



Ryan Singel

Business
Jul 29, 2011 6:24 PM


RESEARCHERS EXPOSE CUNNING ONLINE TRACKING SERVICE THAT CAN'T BE DODGED

Researchers at U.C. Berkeley have discovered that some of the net’s most popular
sites are using a tracking service that can’t be evaded — even when users block
cookies, turn off storage in Flash, or use browsers’ “incognito” functions. The
service, called KISSmetrics, is used by sites to track the number of visitors,
what the […]
 * Facebook
 * Twitter
 * Email
 * Save Story

   To revist this article, visit My Profile, then View saved stories.

In this screenshot provided by U.C. Berkeley's Chris Hoofnagle, the IDs numbers
for all three cookies are exactly the same.

 * Facebook
 * Twitter
 * Email
 * Save Story

   To revist this article, visit My Profile, then View saved stories.



Researchers at U.C. Berkeley have discovered that some of the net's most popular
sites are using a tracking service that can't be evaded -- even when users block
cookies, turn off storage in Flash, or use browsers' "incognito" functions.

The service, called KISSmetrics, is used by sites to track the number of
visitors, what the visitors do on the site, and where they come to the site from
-- and the company says it does a more comprehensive job than its competitors
such as Google Analytics.



But the researchers say the site is using sneaky techniques to prevent users
from opting out of being tracked on popular sites, including the TV streaming
site Hulu.com.



The discovery of KISSmetrics tracking techniques comes as federal regulators,
browser makers, privacy activists and ad tracking companies are trying to define
what tracking actually is. The FTC called on browser makers to add a "Do Not
Track" setting that essentially lets users tell websites to leave them alone --
though it doesn't block tracking on its own. It's more like a "privacy, please"
sign on a hotel door. One of the big questions surrounding Do Not Track is about
web analytics software, which sites use to determine what's popular on their
site, how many unique visitors a site has a month, where users are coming from,
and what pages they leave from.

In response to inquiries from Wired.com, Hulu cut ties with KISSmetrics on
Friday.



UPDATE 5:00 PM Friday: Spotify, another KISSmetrics customer named in the
report, said that it was concerned by the story:



"We take the privacy of our users incredibly seriously and are concerned by this
report," a spokeswoman said by e-mail. "As a result, we have taken immediate
action in suspending our use of KISSmetrics whilst the situation is
investigated." /UPDATE



"Hulu has suspended our use of KISSmetrics’ services pending further
investigation," a spokeswoman told Wired.com. "Hulu takes our users’ privacy
very seriously. We have no further comment at this time."

KISSmetrics is a 17-person start-up founded in 2008 and based in the San
Francisco Bay Area. Founder Hitten Shah confirmed that the research was correct,
but told Wired.com Friday morning that there was nothing illegal about the
techniques it was using.

"We don't do it for malicious reasons. We don't do it for tracking people across
the web," Shah said. "I would be having lawyers talk to you if we were doing
anything malicious."

Shah says KISSmetrics is used by thousands of sites to track incoming users, and
it does not sell or buy data about those visitors, according to Shah. After this
story was published, the company tweeted a link that explains how its tracking
works.

So if a user came to Hulu.com from an ad on Facebook, and then later, using a
different browser on the same computer, visited Hulu.com from Google, and then
at some point signed up for the premium service, KISSmetrics would be able to
tell Hulu all about that user's path to purchase (without knowing who that
person was). That tracking trail would remain in place even if a user deleted
her cookies, due to code that stores the unique ID in places other than in a
traditional cookie.

Trending Now



Former Secret Service Agent Explains How to Detect Counterfeit Money



Most Popular
 * science
   Anthony Fauci’s Sign-Off Message
   
   Steven Levy

 * security
   ‘Dark Ships’ Emerge From the Shadows of the Nord Stream Mystery
   
   Matt Burgess

 * business
   The Reason for Meta's Massive Layoffs? Ghosts in the Machine
   
   Chris Stokel-Walker

 * gear
   Our Favorite Gadgets for Plant Parents
   
   Karen Hugg

 * 





The research was published Friday by a team UC Berkeley privacy researchers that
includes veteran privacy lawyer Chris Hoofnagle and noted privacy researcher
Ashkan Soltani.

"The stuff works even if you have all cookies blocked and private-browsing mode
enabled," Soltani said. "The code itself is pretty damning."

The researchers were reprising a study from 2009 which discovered that some of
the net's biggest sites were using technology from online ad tracking firms
Clearspring and Quantcast to re-create users' cookies after users deleted them.
The technique involved using a little known property of Flash to hold onto
unique ID numbers. Then, if a user deleted her cookies, the companies would
check in the secondary stash for the user ID, and use it to resurrect the
traditional HTML cookies.



That finding led to inquiries from regulators and a class action lawsuit
alleging that websites and the tracking companies were unfairly monitoring
users. That suit was settled for $2.4 million in cash and a promise by
Clearspring and Quantcast not to use that method again.

One of the sites named in that suit was Hulu, but its part of the settlement
only required that the company tell users if it was using Flash to store cookies
and provide a link in the policy that would show users how to turn off Flash
data storage. However with KISSmetrics running, even knowing how to do that
wouldn't have saved a user from persistent tracking.

This go-round the researchers' report found only two sites that were recreating
cookies after users deleted them -- and Hulu.com was the only one doing so for
tracking users across the entire site.


SEE WHAT’S NEXT IN TECH WITH THE FAST FORWARD NEWSLETTER

From artificial intelligence and self-driving cars to transformed cities and new
startups, sign up for the latest news.
Your email

SUBMIT
By signing up you agree to our User Agreement (including the class action waiver
and arbitration provisions), our Privacy Policy & Cookie Statement and to
receive marketing and account-related emails from WIRED. You can unsubscribe at
any time.

The researchers dug into Hulu.com's tracking code and discovered the KISSmetrics
code. Using it, Hulu was able to track users regardless of which browser they
used or whether they deleted their cookies. KISSmetrics used a number of methods
to recreate cookies, and the persistent tracking can only be avoided by erasing
the browser cache between visits.

They also say that Shah's defense that the system is not used to track people
around the web doesn't hold up.

"Both the Hulu and KISSmetrics code is pretty enlightening," Soltani told
Wired.com in an e-mail. "These services are using practically every known method
to circumvent user attempts to protect their privacy (Cookies, Flash Cookies,
HTML5, CSS, Cache Cookies/Etags...) creating a perpetual game of privacy
'whack-a-mole'."

"This is yet another example of the continued arms-race that consumers are
engaged in when trying to protect their privacy online since advertisers are
incentivized to come up with more pervasive tracking mechanisms unless there's
policy restrictions to prevent it."

They point to their research that found that when a user visited Hulu.com, they
would get a "third-party" cookie set by KISSmetrics with a tracking ID number.
KISSmetrics would pass that number to Hulu, allowing Hulu to use it for its own
cookie. Then if a user visited another site that was using KISSmetrics, that
site's cookie would get the exact same number as well.

Most Popular
 * science
   Anthony Fauci’s Sign-Off Message
   
   Steven Levy

 * security
   ‘Dark Ships’ Emerge From the Shadows of the Nord Stream Mystery
   
   Matt Burgess

 * business
   The Reason for Meta's Massive Layoffs? Ghosts in the Machine
   
   Chris Stokel-Walker

 * gear
   Our Favorite Gadgets for Plant Parents
   
   Karen Hugg

 * 





So that makes it possible, the researchers say, for any two sites using
KISSmetrics to compare their databases, and ask things like "Hey, what do you
know about user 345627?" and the other site could say "his name is John Smith
and his email address is this@somefakedomainname.com and he likes these kinds of
things."



Shah did not respond to a follow-up e-mail seeking clarification on his first
answers.

KISSmetrics is used by a number of prominent websites, which Wired.com is not
naming until we have time to contact them.

Berkeley researcher Soltani, who consulted for the Wall Street Journal's
reporting on privacy, notes that the code includes function names like "cram
cookie."

One of the techniques used involves using something called ETags in the browser
cache, a once-theoretical technique that's never before been seen in the wild on
a major site, according to the researchers.

The research also found that many top websites have adopted new ways to track
users using HTML5 and that Google tracking cookies are present on 97 of the top
sites, including government sites such as IRS.gov.

A screenshot of a browser cache cookie, which researchers say has never been
seen in the wild before.

Further resources:

 * The actual Flash/HTML5/Cache/Etags respawning code used by KISSmetrics on
   Hulu: code, pastebin
 * Hulu's own code to respawn cookies: code, see it on ShowMyCode by entering
   http://www.hulu.com/guid.swf?v2
 * The full report from the Berkeley researchers
 * An image from Ashkan Soltani showing tracking ID being set in a browser even
   with cookies blocked and in 'private' browsing mode.

See Also:- You Deleted Your Cookies? Think Again

 * Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies
 * Ad Firm Sued for Allegedly Re-Creating Deleted Cookies
 * Online Tracking Firm Settles Suit Over Undeletable Cookies




Ryan, a former writer for Wired's Epicenter blog, is the editor of the Threat
Level blog.
Staff Writer
 * Twitter
 * Twitter

Topicsprivacy
More from WIRED
Why Meta Is Tanking—and How Zuckerberg Can Fix It
Plus: Facebook’s early days, Covid in Ukraine, and the world on fire.

Steven Levy

Clearview Stole My Face and the EU Can't Do Anything About It
One man’s battle to reclaim his face shows regulators across the bloc are
failing to reprimand the US face search engine.

Morgan Meaker

Inside Meta’s Oversight Board: 2 Years of Pushing Limits
Mark Zuckerberg set up the panel to investigate how his company handles
controversial posts. Now its members want to transform how social platforms
work.

Steven Levy


Big Tech’s Layoffs Will Fuel the Industry's Future
Plus: The dotcom recovery, a history-making online purchase, and the highway to
climate hell.

Steven Levy

Meta’s VR Headset Harvests Personal Data Right Off Your Face
Cameras inside the device that track eye and face movements can make an avatar’s
expressions more realistic, but they raise new privacy questions.

Khari Johnson

The Strange Death of the Uyghur Internet
China's muslim minority used to have its own budding cluster of websites,
forums, and social media. Now that's been erased

Masha Borak

Twitter Is on a Collision Course With Europe
Layoffs leave only two people in the company’s Brussels office, just as Europe
prepares to enforce sweeping new tech rules.

Morgan Meaker

The $1 Billion Alex Jones Effect
The Infowars host now knows the cost of “free speech”—but does the landmark
judgment signal a crackdown on disinformation?

Chris Stokel-Walker







ONE YEAR FOR $29.99 $10.00
GET WIRED

SUBSCRIBE
WIRED is where tomorrow is realized. It is the essential source of information
and ideas that make sense of a world in constant transformation. The WIRED
conversation illuminates how technology is changing every aspect of our
lives—from culture to business, science to design. The breakthroughs and
innovations that we uncover lead to new ways of thinking, new connections, and
new industries.
 * Facebook
 * Twitter
 * Pinterest
 * YouTube
 * Instagram
 * Tiktok

More From WIRED

 * Subscribe
 * Newsletters
 * FAQ
 * Wired Staff
 * Press Center
 * Coupons
 * Editorial Standards
 * Prime Day

Contact

 * Advertise
 * Contact Us
 * Customer Care
 * Jobs

 * RSS
 * Accessibility Help
 * Condé Nast Store
 * Condé Nast Spotlight
 * Cookies Settings

© 2022 Condé Nast. All rights reserved. Use of this site constitutes acceptance
of our User Agreement and Privacy Policy and Cookie Statement and Your
California Privacy Rights. WIRED may earn a portion of sales from products that
are purchased through our site as part of our Affiliate Partnerships with
retailers. The material on this site may not be reproduced, distributed,
transmitted, cached or otherwise used, except with the prior written permission
of Condé Nast. Ad Choices

Select international siteUnited StatesLargeChevron
 * UK
 * Italia
 * Japón