www.wired.com Open in urlscan Pro
151.101.66.194  Public Scan

Submitted URL: http://www.wired.com/epicenter/2011/07/undeletable-cookie/
Effective URL: https://www.wired.com/2011/07/undeletable-cookie/
Submission: On November 08 via api from CA — Scanned from CA

Form analysis 1 forms found in the DOM

Name: newsletter-subscribePOST


Text Content

Researchers Expose Cunning Online Tracking Service That Can't Be Dodged
Ryan Singel

Business
Jul 29, 2011 6:24 PM



In this screenshot provided by U.C. Berkeley's Chris Hoofnagle, the ID numbers
for all three cookies are exactly the same.




Researchers at U.C. Berkeley have discovered that some of the net's most popular
sites are using a tracking service that can't be evaded -- even when users block
cookies, turn off storage in Flash, or use browsers' "incognito" functions.

The service, called KISSmetrics, is used by sites to track the number of
visitors, what the visitors do on the site, and where they come to the site from
-- and the company says it does a more comprehensive job than its competitors
such as Google Analytics.



But the researchers say the site is using sneaky techniques to prevent users
from opting out of being tracked on popular sites, including the TV streaming
site Hulu.com.



The discovery of KISSmetrics tracking techniques comes as federal regulators,
browser makers, privacy activists and ad tracking companies are trying to define
what tracking actually is. The FTC called on browser makers to add a "Do Not
Track" setting that essentially lets users tell websites to leave them alone --
though it doesn't block tracking on its own. It's more like a "privacy, please"
sign on a hotel door. One of the big questions surrounding Do Not Track is about
web analytics software, which sites use to determine what's popular on their
site, how many unique visitors a site has a month, where users are coming from,
and what pages they leave from.

In response to inquiries from Wired.com, Hulu cut ties with KISSmetrics on
Friday.



UPDATE 5:00 PM Friday: Spotify, another KISSmetrics customer named in the
report, said that it was concerned by the story:



"We take the privacy of our users incredibly seriously and are concerned by this
report," a spokeswoman said by e-mail. "As a result, we have taken immediate
action in suspending our use of KISSmetrics whilst the situation is
investigated." /UPDATE



"Hulu has suspended our use of KISSmetrics’ services pending further
investigation," a spokeswoman told Wired.com. "Hulu takes our users’ privacy
very seriously. We have no further comment at this time."

KISSmetrics is a 17-person start-up founded in 2008 and based in the San
Francisco Bay Area. Founder Hiten Shah confirmed that the research was correct,
but told Wired.com Friday morning that there was nothing illegal about the
techniques it was using.

"We don't do it for malicious reasons. We don't do it for tracking people across
the web," Shah said. "I would be having lawyers talk to you if we were doing
anything malicious."

Shah says KISSmetrics is used by thousands of sites to track incoming users, and
that it does not sell or buy data about those visitors. After this story was
published, the company tweeted a link that explains how its tracking works.

So if a user came to Hulu.com from an ad on Facebook, and then later, using a
different browser on the same computer, visited Hulu.com from Google, and then
at some point signed up for the premium service, KISSmetrics would be able to
tell Hulu all about that user's path to purchase (without knowing who that
person was). That tracking trail would remain in place even if a user deleted
her cookies, due to code that stores the unique ID in places other than in a
traditional cookie.






The research was published Friday by a team of UC Berkeley privacy researchers
that includes veteran privacy lawyer Chris Hoofnagle and noted privacy researcher
Ashkan Soltani.

"The stuff works even if you have all cookies blocked and private-browsing mode
enabled," Soltani said. "The code itself is pretty damning."

The researchers were reprising a study from 2009 which discovered that some of
the net's biggest sites were using technology from online ad tracking firms
Clearspring and Quantcast to re-create users' cookies after users deleted them.
The technique involved using a little-known property of Flash to hold onto
unique ID numbers. Then, if a user deleted her cookies, the companies would
check in the secondary stash for the user ID, and use it to resurrect the
traditional HTML cookies.



That finding led to inquiries from regulators and a class action lawsuit
alleging that websites and the tracking companies were unfairly monitoring
users. That suit was settled for $2.4 million in cash and a promise by
Clearspring and Quantcast not to use that method again.

One of the sites named in that suit was Hulu, but its part of the settlement
only required that the company tell users if it was using Flash to store cookies
and provide a link in the policy that would show users how to turn off Flash
data storage. However, with KISSmetrics running, even knowing how to do that
wouldn't have saved a user from persistent tracking.

This go-round the researchers' report found only two sites that were recreating
cookies after users deleted them -- and Hulu.com was the only one doing so for
tracking users across the entire site.



The researchers dug into Hulu.com's tracking code and discovered the KISSmetrics
code. Using it, Hulu was able to track users regardless of which browser they
used or whether they deleted their cookies. KISSmetrics used a number of methods
to recreate cookies, and the persistent tracking can only be avoided by erasing
the browser cache between visits.

They also say that Shah's defense that the system is not used to track people
around the web doesn't hold up.

"Both the Hulu and KISSmetrics code is pretty enlightening," Soltani told
Wired.com in an e-mail. "These services are using practically every known method
to circumvent user attempts to protect their privacy (Cookies, Flash Cookies,
HTML5, CSS, Cache Cookies/Etags...) creating a perpetual game of privacy
'whack-a-mole'."

"This is yet another example of the continued arms-race that consumers are
engaged in when trying to protect their privacy online since advertisers are
incentivized to come up with more pervasive tracking mechanisms unless there's
policy restrictions to prevent it."

They point to their research that found that when a user visited Hulu.com, they
would get a "third-party" cookie set by KISSmetrics with a tracking ID number.
KISSmetrics would pass that number to Hulu, allowing Hulu to use it for its own
cookie. Then if a user visited another site that was using KISSmetrics, that
site's cookie would get the exact same number as well.






So that makes it possible, the researchers say, for any two sites using
KISSmetrics to compare their databases, and ask things like "Hey, what do you
know about user 345627?" and the other site could say "his name is John Smith
and his email address is this@somefakedomainname.com and he likes these kinds of
things."



Shah did not respond to a follow-up e-mail seeking clarification on his first
answers.

KISSmetrics is used by a number of prominent websites, which Wired.com is not
naming until we have time to contact them.

Berkeley researcher Soltani, who consulted for the Wall Street Journal's
reporting on privacy, notes that the code includes function names like "cram
cookie."

One of the techniques used involves using something called ETags in the browser
cache, a once-theoretical technique that's never before been seen in the wild on
a major site, according to the researchers.

The research also found that many top websites have adopted new ways to track
users using HTML5 and that Google tracking cookies are present on 97 of the top
sites, including government sites such as IRS.gov.

A screenshot of a browser cache cookie, which researchers say has never been
seen in the wild before.

Further resources:

 * The actual Flash/HTML5/Cache/Etags respawning code used by KISSmetrics on
   Hulu: code, pastebin
 * Hulu's own code to respawn cookies: code, see it on ShowMyCode by entering
   http://www.hulu.com/guid.swf?v2
 * The full report from the Berkeley researchers
 * An image from Ashkan Soltani showing tracking ID being set in a browser even
   with cookies blocked and in 'private' browsing mode.

See Also:

 * You Deleted Your Cookies? Think Again
 * Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies
 * Ad Firm Sued for Allegedly Re-Creating Deleted Cookies
 * Online Tracking Firm Settles Suit Over Undeletable Cookies




Ryan, a former writer for Wired's Epicenter blog, is the editor of the Threat
Level blog.