The Eastern Echo Saturday, May 4, 2024 | Print Archive

Online privacy concerns raised

Internet user privacy concerns are back in U.S. court; the civil case revolves around little-known tracking methods used to gather users’ browsing histories without their knowledge or consent, and it potentially affects every Internet user.

The lawsuit alleges KISSmetrics, a California-based website analytics company, violated the 1986 Electronic Communications Privacy Act by intentionally exploiting user software to bypass browser security settings with the intent of intercepting and disclosing user information.

The class action lawsuit, filed by the Kamber Law firm in the U.S. District Court of California in August, names KISSmetrics and 24 of its customers, including AOL, Spokeo and Spotify.

The lawsuit says, “While it is generally reasonable to expect a website to use cookies for tracking, the Website Defendants and Kissmetrics created numerous, alternative, ‘shadow’ mechanisms for tracking … by exploiting Plaintiff and Class Members’ browsers and other software in ways that consumers did not reasonably expect.”

These so-called shadow mechanisms exploit browser cookies, ETags and Flash or HTML5 Local Storage so that tracking of the user’s browsing history persists, regardless of whether the user deletes stored cookies and chooses to block history tracking in their browser settings.

By manipulating these common Internet software tools, a website can download files to a user’s computer that restore or “respawn” deleted cookies when the browser is opened.
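
The respawning behavior described above can be checked from the user's side by comparing browser state before and after cookies are deleted. The following is an added example, not code from the lawsuit, the Berkeley reports or any company named in this article; the snapshot format, function names and sample values are assumptions constructed for illustration.

```javascript
// Added example: audit two browser-state snapshots for respawned cookies.
// Every value below is constructed sample data, not captured from a real site.
const before = {
  cookies: { uid: "a91f3c77d2", sid: "51c0aa93be07", theme: "dark" },
  localStorage: { "analytics.backup": '{"uid":"a91f3c77d2"}' },
  etags: { "https://tracker.example/i.js": '"a91f3c77d2"' },
};
// Snapshot taken after the user deleted cookies only and reloaded the page.
const after = {
  cookies: { uid: "a91f3c77d2", sid: "e07b4419c2d5", theme: "dark" },
  localStorage: { "analytics.backup": '{"uid":"a91f3c77d2"}' },
  etags: { "https://tracker.example/i.js": '"a91f3c77d2"' },
};

const MIN_ID_LENGTH = 8; // skip short preference values such as "dark"

// List the non-cookie stores in which `value` is still present.
function carriersOf(value, snapshot) {
  const hits = [];
  for (const [key, stored] of Object.entries(snapshot.localStorage)) {
    if (stored.includes(value)) hits.push(`localStorage:${key}`);
  }
  for (const [url, etag] of Object.entries(snapshot.etags)) {
    if (etag.includes(value)) hits.push(`etag:${url}`);
  }
  return hits;
}

// A cookie counts as respawned when an identifier-like value that existed
// before the deletion is back afterwards with the identical value. A site
// that honored the deletion would have issued a fresh identifier instead.
function findRespawnedCookies(pre, post) {
  const findings = [];
  for (const [name, value] of Object.entries(post.cookies)) {
    if (value.length < MIN_ID_LENGTH) continue;
    if (pre.cookies[name] !== value) continue;
    findings.push({ name, value, carriers: carriersOf(value, post) });
  }
  return findings;
}

console.log(JSON.stringify(findRespawnedCookies(before, after), null, 2));
```

In this sample the `uid` cookie is flagged because its value survived in both Local Storage and a cached ETag, while the `sid` cookie, which received a new value, is not.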

Kimberly Blazek, 22, a fifth-year Eastern Michigan University student double-majoring in Japanese and international affairs, said she surfs the web frequently but has never heard of KISSmetrics or Internet users being tracked by respawning cookies.

“To be honest I’m not that surprised with what I know about the Internet. But obviously it’s not something that makes me feel very comfortable. It’s almost like … if I want to use the Internet I have to, you know, just deal with [privacy concerns]; that sort of feeling behind it, but of course I’m not happy with it. It brings up safety issues,” Blazek said.

She said Internet user privacy is a problem that software engineers and lawmakers need to address collectively.

“I feel like it’s a bit of both,” Blazek said. “I feel like, I don’t know how to put it in words. I feel like it would almost be, what’s the word? I don’t want to say useless, but if the software doesn’t protect the user and [the] legislative [body] doesn’t protect the people, I feel like it’s asking for trouble either way.”

Blazek said she noticed more and more websites frequently using methods to link a user’s profile from a different website account.

“I have an account with Hulu.com and it had me automatically signed in, without me even trying to sign in, because it was connected to my Facebook,” Blazek said.

The KISSmetrics website offers its customers data on Internet user behaviors, including home pages viewed, Facebook connections, friend referrals, downloads, mailing list subscriptions, account registrations, logins, product pages viewed and service cancellations or downgrades.

Companies like Spokeo that use data-mining services provided by businesses like KISSmetrics sift through “public” information on the Internet to compile user profiles, which contain personal information such as full name and birthdate; phone number and address, including a Google Map picture of the residence; marital status and size of household; email address, including reverse lookup; social networking and blog site information; family members; photos and videos of the user; personal interests and occupation; religious and political views; race; and economic status.

Hiten Shah, CEO and co-founder of KISSmetrics, did not respond to comment requests for this article.

But Shah did speak about the lawsuit in August with Wired.com, a daily technology news website, saying his company respects user privacy and that KISSmetrics isn’t the only Internet business to use ETags to replace cookies.

“KISSmetrics has never shared any information about a user with any third party, including with any customer, other than the one that interacted with that user,” Shah said to Wired.com. “Our business model is uniquely pro-privacy precisely because our tools enable insights without sharing any user information across websites. And without developing or storing user profiles across sites, and that for this reason, KISSmetrics offers key differences from third parties that link up user data across the Internet.”

MeMe Jacobs Rasmussen, vice president, associate general counsel and chief privacy officer for Adobe, creators of Flash, said in a letter to the Office of the Secretary, Federal Trade Commission, that Adobe doesn’t condone websites exploiting Flash Local Storage to violate users’ privacy.

“We are aware of one use of Flash Local Storage that is inconsistent with the user’s expectations. This is the practice of using Local Storage to back up browser cookies for the purpose of restoring them after they have been deleted by the user. This restoration happens without the user’s knowledge and express consent. Adobe condemns this type of misuse of Local Storage,” Rasmussen wrote in the letter.

The subject of Internet user privacy prompted a study in 2009 and one in 2011, by students at University of California, Berkeley. The second report, Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning, was released Friday, July 29; Kamberlaw filed the KISSmetrics lawsuit on Monday, Aug. 1.

Mika Ayenson, one of five authors of the 2011 report, said the subject of the study was one of numerous privacy-related research topics proposed by his advisor Chris Hoofnagle, Director of Information Privacy Programs at Berkeley.

“By doing a follow-up of the 2009 Flash Cookies Paper, we were able to expand on an important consumer privacy-related topic that exposes surreptitious tracking practices,” Ayenson said.

He said cyber security is a passion of his and user privacy is of major concern.

“It’s not in my best interest for a profile to be generated about places I’ve been around the web, things I’ve seen or any information I consider to be personal,” Ayenson said.

He went on to say Internet privacy is both a software and legislative issue.

“Legislation is the framework that will protect users, software provides a means to that end,” Ayenson said.

Ashkan Soltani, a contributing author to both Berkeley reports, did not respond to requests for comment.

But Soltani discussed the first Berkeley report with journalist Ryan Singel in 2009, saying the real issue is user privacy, not whether to regulate browser cookies.

“If users don’t want to be tracked, and there is a problem with tracking, then we should regulate tracking, not regulate cookies,” Soltani said to Singel.

In March, Soltani testified before the U.S. Senate Committee on Commerce, Science and Transportation, during the State of Consumer Privacy hearing to examine Internet commercial practices in collecting, using and disseminating consumer information.

Soltani told the committee the reason why online tracking is so effective, and why it raises privacy concerns, is that third-party entities can monitor users’ behavior across multiple unrelated websites.

“In our [2009] study, one advertising service could track a user’s Web browsing activity, down to approximately 90 percent of the websites we examined. This company is not alone in its reach; widgets from a single social networking company currently gather data across several million websites,” Soltani said to the committee.

Counsel for the plaintiff, Scott Kamber, did not reply to requests for comment for this article.

However, Kamber spoke in January with Joe Mullin of paidContent.org, which is operated by ContentNext Media, which in turn is owned by Guardian News and Media Limited; the organization’s website said it “provides global coverage on the economics of digital content.”

Kamber and Mullin were discussing a similar user privacy civil case that Kamberlaw filed in December 2010 against the Internet ad agency interclick.

Kamber told Mullin the role of his firm is to voice consumer concern over Internet companies’ lack of self-regulation regarding user privacy.

“The alternative is, if you have companies that do not address these problems, and lawsuits don’t do it, then they’ll be saddled with government regulation,” Kamber said to Mullin.

Kamber told Mullin the lawsuits are meant to redress the harm done to consumers, not to eradicate advertising revenue or harm the companies.

“Our country permits class actions, and we are using laws that apply quite nicely in these contexts … We’re just trying to ensure the work done by corporations is not at the expense of their customers,” Kamber said to Mullin.

Paul Majeske, associate professor of communication technology at EMU, said if the use of deceptive tracking tactics persists, he would support a policy to force disclosure from websites that track a user’s history.

“When [respawning] is used to take data for illegal or unethical use I don’t like it at all … Those who are interested in capturing your browsing history and want to get around a user’s efforts to delete cookies need to be stopped, or at least be put on notice,” he said.

Majeske added that websites storing files on user equipment could become more problematic, as more users move toward mobile devices, which have smaller storage capacity than desktop or laptop computers.

“I hate the fact that nearly every website I connect to dumps potentially dozens of files into my temporary storage area; it is the great unspoken practice,” he said.

Majeske said Internet users can help secure their information by deleting browser cookies frequently; cleaning the registry weekly; setting the browser to delete all temporary files on exit; and clearing the history cache.

Because of design variations in browsers and operating systems on the market today, there is no catch-all set of instructions for these processes; it’s best to contact the manufacturer for instructions.

The World Wide Web Consortium (W3C), a group of international organizations that develops Web standards, formed a Tracking Protection Working Group to address user privacy issues inherent to the current systems in use.

Matthias Schunter, technical leader of IBM’s Zurich research laboratory, spoke in November with BBC News about the W3C work group, which he co-chairs.

Schunter said the group is attempting to improve and standardize browser privacy controls.

“Currently websites need to implement all these different protocols,” Schunter said to BBC News. “There’s no standard way to respect privacy preferences. We want to standardize all these protocols so they talk the same language and then tell websites what to do with them.”

The work group is collaborating on the tracking protection specifications with big companies, such as Adobe, Apple, AT&T, Facebook, Google, Microsoft and Stanford University.

But the W3C group has no power to enforce website and software vendor compliance; the Do Not Track browser feature asks every website and advertiser visited not to track the user’s history, but honoring the user’s request is voluntary and is not regulated.

Ayenson said W3C’s proposal is a good idea and that adopting browser standards would help, but specifications alone would not solve all of the issues.

“This proposal will protect a user, as much as they’re willing to protect themselves,” Ayenson said. “If a user is oblivious to [browser] notifications, then the web privacy tools won’t do much. Users must be aware of the threat that exists and [be] completely informed on ways to protect themselves. It is also important to note that proper legislation is necessary to protect users.”