Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy The Internet Your Rights Online

Researchers Expose Tracking Service That Can't Be Dodged 173

Worf Maugg writes with this excerpt from Wired: "Researchers at U.C. Berkeley have discovered that some of the net's most popular sites are using a tracking service that can't be evaded — even when users block cookies, turn off storage in Flash, or use browsers' 'incognito' functions. The service, called KISSmetrics, is used by sites to track the number of visitors, what the visitors do on the site, and where they come to the site from — and the company says it does a more comprehensive job than its competitors such as Google Analytics."
This discussion has been archived. No new comments can be posted.

Researchers Expose Tracking Service That Can't Be Dodged

Comments Filter:
  • more importantly... (Score:5, Informative)

    by alphatel ( 1450715 ) * on Saturday July 30, 2011 @11:58AM (#36933560)
    The data collected can be used to track the user over several sites, as the "cram cookies" are persistent through browsing sessions. The only way to remove them is to clear all browser cache data on close and restart the browser. Sounds like privacy invasion to me - although ISPs forced to log user activity [slashdot.org] is far more damning than these transgressions.
    • Wouldn't that mean over several views, not several sites?

      And even more importantly, how does this qualify as "tracking?" I don't see anything in the description of this thing that suggests it looks at what other sites you go to (aside from how you got to theirs, which is hardly an issue) or what you do on them.

      This sounds to me like just a way for devs to examine how their site is used so they can make it more efficient and useful. Calling it "tracking" is practically a smear unless the summary is wholl
      • by slyborg ( 524607 ) on Saturday July 30, 2011 @12:33PM (#36933816)

        How about actually reading the article?

        Kissmetrics has a single identifier that is used and tracked across all sites that use it for an identifiable visitor. It would be stupidly easy to aggregate this data and get a complete profile of a person, esp. considering the sites using it - what shows they watch, when they watch them, what music they listen to and when, combined with geolocation data, where they do these things, and for sites with subscriptions, they will have credit card information and home location and contact information. The researchers have no way of knowing if such information is sold between sites, but if there was no "tracking" application to it, why is the identifier not unique between sites?

        • Re: (Score:2, Interesting)

          by Pieroxy ( 222434 )

          ok, so how do they collect their data if it is not through cookies?

          • by Anonymous Coward

            Using a JS file in the browser cache. (You could have figured that out yourself.)

          • Have you RTFA? The image is quite informative: they put an user id both in a JS file and on that file's ETag. So when the user goes to a different site that also uses KISSmetrics, it'll ask for the same JS file and send the ETag/userid (in the 'If-None-Match' header).

            • by asdf7890 ( 1518587 ) on Saturday July 30, 2011 @01:55PM (#36934330)
              I feel a plugin coming on that will randomise the ID reported this way. Or submits misleading results from sites that are not using the service. Or even shares IDs between users so the tracked information becomes one large blob that doesn't identify the actions of any one person/group...
              • or perhaps a plugin that blocks execution of javascript by default, and only executes it on sites that the user "whitelists" or on request. We could call it "NoScript".

                • Hm, yea. Actually, I wonder: With NoScript, JS isn't run, but is it cached anyway? If so, it wouldn't solve the problem. If not... Great!

                • I run noscript. But that won't guarantee a payload transferred by etag won't get through.

                  And anyway, a method of adding polluted data to their pool rather than adding none at all appeals to my sense of mischief.
                • Then they'll change the JS script to an image, a CSS or HTML files and track you anyway - any of those can have an ETag with your user id.

              • "I feel a plugin coming on that will randomise the ID reported this way."

                Or a plug-in that simply throws up random Google search phrases and randomly clicks links while your computer is idle, thus making any data obtained stained with uselessness and buried in garbage...kind of like my last 4 or 5 "bright ideas".

                • That pushes some "useless" load onto another (innocent, at least in this instance) service though, so would be bad network etiquette. The load from just a couple of us would be as close to nothing as makes no difference, but if many people used such a plugin (and it would take many for it to have any effect on the overall results of the tracking) the load may become significant.
    • by Anonymous Coward

      Just add a line to your hosts files redirecting the KISS***** domains to 127.0.0.1.
      A good hosts file can be downloaded from MVP just google for it.

      • 0.0.0.0 fail faster

      • Or, since the i.js and j.js scripts are usually hosted on the domain you're browsing, just follow KISSmetric's own recommendation:

        For consumers who do not wish to be tracked by KISSmetrics, the freely available AdBlock Plus extension will prevent their information from being tracked by KISSmetrics. Learn more about AdBlock Plus.

        • How do I use adblock to block KISSmetrics i.js and j.js (or t.js, or whatever) scripts hosted on the domain I'm browsing, and not other scripts that happen to be named the same thing? It's not a very unique name, and adblock is blocking by name only.

          Also I don't see that text on their site (and google can't find it). They do have an "opt out" button, but it's implemented client-side using cookies, which isn't a particularly great solution either.

  • by Anonymous Coward

    Ghostery claims to block KISSmetrics fully...

  • Where can I get software to defeat it? Or a clear enough description that would allow me to write that software?

    • by ColdWetDog ( 752185 ) on Saturday July 30, 2011 @12:15PM (#36933704) Homepage

      Where can I get software to defeat it? Or a clear enough description that would allow me to write that software?

      According to a link [kissmetrics.com] in the TFA (directly from KissMetrics), just use AdBlock Plus.

      Seems to take a bit of wind out of the summary's sails.

      • by TheLink ( 130905 )
        Yeah I use noscript and adblockplus. I did a search in my browser's cookies for km_ and I didn't find anything. So I don't think their tracking stuff is that "undodgeable".

        Google and Facebook are more likely to be able to track you despite you trying to avoid it. Their stuff is "everywhere". If you use their services and go somewhere else but somehow still load stuff (images/scripts) from their servers (or servers they can get info from) they know who you are and what IP you are currently using. Even if yo
        • by Nursie ( 632944 )

          Adblock can help you with the loading of facebook stuff on other sites, if you want.

          I have mine set up to only allow content of any sort to be loaded from facebook.com (or the fbcdn sites) if I'm actually browsing those sites.

          Google, more difficult I guess, I may not want to block everything from them when it's not first party.

        • I don't think there is an equivalent for Google yet, but there are several options for blocking Facebook having anything to do with the sites you visit (other than facebook itself). Both adblock and script block have relevant options, for instance.

          If you don't want to use adblock or scriptblock, or use a browser that they do not support so can't use them even if you want to, then there is this plugin: http://webgraph.com/resources/facebookblocker/ [webgraph.com] - there are versions for Firefox, Chrome, Opera and Safar
        • RequestPolicy (Score:5, Informative)

          by traindirector ( 1001483 ) on Saturday July 30, 2011 @04:10PM (#36935136)

          Google and Facebook are more likely to be able to track you despite you trying to avoid it. Their stuff is "everywhere". If you use their services and go somewhere else but somehow still load stuff (images/scripts) from their servers (or servers they can get info from) they know who you are and what IP you are currently using.

          That's what RequestPolicy [requestpolicy.com] is for. You can control what images/scripts/content from other domains gets loaded on a site-by-site basis in a way similar to Noscript. It's great in addition to Noscript (not as a replacement).

          For example, when you load Slashdot with RequestPolicy turned on, you don't get any of the static content like images/css because that all seems to be stored on fsdn.com. You can easily select the RequestPolicy icon and tell it to allow requests from slashdot.org to fsdn.com. In a similar manner, you can let google.com load scripts and content from google.com while preventing other domains from doing so.

          It's really the only way to prevent client-side tracking services that haven't yet hit the blacklists. It's more than the average user would be willing to do, but if you really want to stop tracking or you're just interesting in seeing which CDNs and how many off-domain resources sites use, it's worth checking out.

          • by cvtan ( 752695 )
            RequestPolicy works as you say, but how is the average user supposed to know whether to allow fsdn on Slashdot or not? Is fsdn safe or not? Who knows? Some sites have 50 domains that provide content and it is not possible to just disallow everything; the site will be nearly blank. It works, but is difficult to use in practice.
      • by QuestionsNotAnswers ( 723120 ) on Saturday July 30, 2011 @11:05PM (#36936912)

        JavaScript is not needed at all: an etag header can be used to track you across different sites by including say a .CSS or .GIF file served by using a shared "tracking url" at a known site.

        Example:

        In the first request, the response header has ETag: "97a-494505e0c46c0"

        In the second request, the request header has If-None-Match: "97a-494505e0c46c0" - this acts like a cookie.

        If the "tracking" server receives a request with no If-None-Match: header, it replies with the file and sets the ETag to a unique value (exactly equivalent to the "cookie" value). If the server receives a request with the If-None-Match:, the value can be used to track the user... for example the server takes the If-None-Match: value, and returns back the image with the same etag value, and *also* set a cookie with that value in the response header!

      • It's a TRAP!

  • by Anonymous Coward

    It seems their tracking is using some javascript code. Noscript. No problem.

    • by Anonymous Coward
      You obviously didn't read the article. etags aren't javascript based, they're part of the browser caching mechanism. Even if you block the cookie creation script, which allows sites hosting the scripts to recreate the cookies, the actual tracking service is still tracking you.
      • by larry bagina ( 561269 ) on Saturday July 30, 2011 @12:20PM (#36933728) Journal

        Maybe you read a different article. The one I read had almost no technical information, but did have a link to KiSSMetric's explanation [kissmetrics.com], which states:

        When i.js loads, we set ETags and HTTP headers to tell the browser to cache the value of i.js for as long as possible. We also set the person’s random identity in a first-party cookie and as a third-party cookie on our domain (i.kissmetrics.com).

        Blocking the javascript files (or blocking cookies and the ETag header) would eliminate the tracking.

        • The first image in TFA is very clear, it shows a piece of JS with the ID, and you can see that it's exactly the same as the ETag.

      • by Anonymous Coward

        eTags aren't special. They have been known about since forever.

        Pretty sure browsers clear them on cache-clearance too.
        If not, shame on browser makers. Every single thing a site is capable of saving should be capable of being deleted, regardless of how small it is.

        • by Anonymous Coward

          I use the "Modify Headers" firefox add-on to filter the If-Match, If-None-Match, If-Modified-Since etc. headers, because they can all be used to store cookie-like bits of data. This has been known about for a while.

          The documentation for evercookie lists the methods it uses for tracking: http://samy.pl/evercookie/ [samy.pl]

          But most of all, Samy is my hero.

        • So, for me this is like a session-cookie, if it even gets loaded: I have my FF cache folder symlinked to a folder in my ram-backed /tmp/ folder(does provide a speed-increase). On shutdown it gets wiped, there goes all my eTags, js and other cached files.

    • javascript tries to hide what its doing in plain site. I disable js for most sites. its evil.

      flash also exists MOSTLY to deliver ads. I have flash disabled and hard linked to /dev/null. no way any flash cookies are saved on my system.

      if I need to view youtube (rarely) I use the cli util 'youtube-dl'. nice side effect: I get to KEEP a local copy of the video, should the 'job creators' (...) decided to pull the content back at some point in the future.

      not even installing the flash plugin for the web save

  • Ghostery FTW (Score:4, Informative)

    by blindbat ( 189141 ) on Saturday July 30, 2011 @12:06PM (#36933624)
    You can use Ghostery to block this and many other tracking scripts. http://www.ghostery.com/download [ghostery.com]
    • It's a real pity that Ghostery isn't free software.

      It has a look-but-don't-touch licence for the source code. Being able to look is better than nothing, but if no one can modify or fork it, then it's unlikely that anyone's reading the source code at all. I wouldn't trust my privacy to something with no community or third-party oversight.

      Here's gnu.org's list of free, mozilla-compatible add-ons:
      http://www.gnu.org/software/gnuzilla/addons.html [gnu.org]

      For privacy, there's only really Noscript and Requestpolicy.

    • by ugen ( 93902 )

      Mod this up. Ghostery is the answer. They deterministically block 100s of trackers (by essentially refusing to load javascript/pages/what have you from their sites/of specific appearance etc).
      Blocks KISSmetrics just fine. Nothing to see here.

    • Ghostery is unacceptable, as it's not free AND open-source. Nobody who cares about their privacy and security should use an inferior product like this.
  • by account_deleted ( 4530225 ) on Saturday July 30, 2011 @12:16PM (#36933706)
    Comment removed based on user account deletion
    • Re: (Score:2, Insightful)

      by BitterOak ( 537666 )

      There are always ways. It only depends on how much effort you want to put into it. You could use proxy servers to mask IP and change them frequently or even jump from one free wifi hotspot to another. You could repeatedly purge all your cache, cookies, history etc after every site you visit.

      If you RTFA, you'll see that this service is using persistent storage on your computer that is NOT contained in your cache, cookies, or browser history. Even using a DIFFERENT BROWSER on the same computer (i.e. Firefox, then Chrome) this site can track you and link your sessions. I regard this a as a browser bug, and it needs to be fixed in the browser. We can't rely on legislation or promises of good behavior from website operators to fix this problem. It really needs to be fixed in the browser, or, i

  • by Anonymous Coward

    So when are the antivirus companies going to block it?, its clearly malware, and are the FBI going to investigate them for "hacking" ?

  • Taking a quick look at the JavaScript they use there doesn't appear to be anything particularly unusual going on such as browser fingerprinting [eff.org], or even as encompassing as evercookie [samy.pl] which can be easily defeated using built in browser options. The only thing that seems different about it is that it attempts to use more storage techniques than other tracking services, browser local storage , e-tag tracking, and ie userdata storage in addition to the common browser and flash cookies. To say that it "can't b
  • According to the KISSmetrics site [kissmetrics.com]:

    For consumers who do not wish to be tracked by KISSmetrics, the freely available AdBlock Plus extension will prevent their information from being tracked by KISSmetrics.

    Now, I'm no fan of tracking or advertising, but TFS/A sounds like scaremongering to me, I fail to see how this service is any more "unblockable" than other analytics providers such as Google. Moreover, since many people are signed into Google all the time for things like Gmail, I'd say Google has the capabi

    • Re: (Score:2, Insightful)

      by jfengel ( 409917 )

      If I'm understanding their site correctly, it's also blocked by NoScript (or, for that matter, just turning JavaScript off).

      There are many sites that are useless without Javascript, but it's hardly surprising to me that allowing a general-purpose programming language to run on your browser creates privacy problems. Many of those sites don't really need Javascript, and I block as much JS as possible. I've walked away from sites rather than turn on JS; that's both my loss and theirs.

      • But most noscript users allow the "same domain" as the site they are visiting, so the page is usable (navigation, ajax, etc). If i.js and j.js are hosted on the same domain you are visiting (not 3rd party hosted) then noscript may not help you. Even those users that are super-strict about allowing scripts will often temporarily-allow a subdomain for the purpose of using the site. A few temp-allows between some major sites will thus lead to you being tracked across those sites.

  • Looking at my cookies, I see a bunch from different sites which are all called ACOOKIE and all start "C8ctAD" and have other long string matches in the content.

    I wonder if this is doing the same thing.

  • by couchslug ( 175151 ) on Saturday July 30, 2011 @12:56PM (#36933956)

    "How KISSmetrics Tracking Works

    KISSmetrics uses a variety of technologies to track people across the various browsers and computers they use. In doing so, we provide our customers a full view into how their customers interact with their websites.

    Sites who use KISSmetrics may choose to provide us with personally identifiable information for their customers, or they may choose to use anonymized identities.

    Sites have always had the option of using one of our server-side APIs, which do not set cookies or use any other means of identification. As of July 2011, sites may also choose to use only traditional cookie-based KISSmetrics tracking, which means that user information would be cleared whenever the consumer cleared their browser cookies.

    For consumers who do not wish to be tracked by KISSmetrics, the freely available AdBlock Plus extension will prevent their information from being tracked by KISSmetrics. Learn more about AdBlock Plus.
    The Technical Details

    When a person visits a site that is using the KISSmetrics Javascript API, two javascripts are loaded:

            t.js
            i.js

    t.js is the same for all people who visit a specific site (t.js is unique to each KISSmetrics customer).

    i.js returns a unique âoeidentityâ for each person. This identity is just a random set of characters â" it does not contain an email address, name, IP address, or anything else that would be useful for identifying a person outside of KISSmetrics.

    When i.js loads, we set ETags and HTTP headers to tell the browser to cache the value of i.js for as long as possible. We also set the personâ(TM)s random identity in a first-party cookie and as a third-party cookie on our domain (i.kissmetrics.com).

    This means that if a person clears their browser cache or cookies, the random identity is likely to persist and that person will keep being âoeknownâ as a consistent random identity. If the random identity persists in one of these methods, we will reset the others so they all share that same random identity.

    We do not use CSS or other versions of the technique known as history knocking.

    The cached value for i.js is unique to a person, regardless of which site they are visiting. This means that to KISSmetrics, we know a single person by the same randomly-generated identity whether theyâ(TM)re visiting customer site A or customer site B. However, there is no way for our customers to access each others' data or know anything about a person's activities on other sites.

    This is similar to credit card purchases â" Store A knows what you bought at Store A with your Visa. Store B knows what you bought at Store B with your Visa. Visa knows what you bought on Store A and Store B, but does not share that information between vendors. Just like Visa, KISSmetrics does not share any information about your interactions with Site A with Site B or with any third parties.
    The Privacy Details

    KISSmetrics has never, and will never, share personally-identifiable customer information with any third party sites.

    KISSmetrics has never, and will never, share anonymous customer activity of what people did on customer Aâ(TM)s site with customer B.

    Person data is available to the KISSmetrics customer for the lifetime of their relationship with KISSmetrics. When a customer ends their relationship with KISSmetrics, they may request that their data be deleted within 30 days.

    If you have questions, weâ(TM)re happy to answer them at privacy@kissmetrics.com."

    • by Anonymous Coward

      Get everyone to set their key to the same value. >:D

      "This guy's been on 2,500 websites every 6 seconds!"

    • It is currently not available on their website, I got it from Google-cache: Screenshot on ImageBin http://imagebin.org/165710 [imagebin.org]
  • by bgspence ( 155914 ) on Saturday July 30, 2011 @01:14PM (#36934062)

    goto http://www.kissmetrics.com/how-it-works [kissmetrics.com] and get tracked:

    {!-- KISSmetrics for kissmetrics.com -->
    {script type="text/javascript">
        var _kmq = _kmq || [];
        function _kms(u){
            setTimeout(function(){
                var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true;
                s.src = u; f.parentNode.insertBefore(s, f);
            }, 1);
        }
      _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/bd3a8adc30561f08e0ccb9ad3120aa1d14b25d05.1.js');
    {/script>

    with my htttp://i.kissmetrics.com/i.js :
    var KMCID='IEkB3hUXZTz9zHRV1r51WjJJlB8';if(typeof(_kmil) == 'function')_kmil();

    • Then the good stuff is here:

      '//doug1izaerwt3.cloudfront.net/bd3a8adc30561f08e0ccb9ad3120aa1d14b25d05.1.js

    • write a dpi signature to block js files from cloudfront.net that create a script element for insertion. got it. thanks!

  • So there you go. NoScript->no KISSmetrics. "Can't be dodged"? Nonsense. For those who canot live without JS it should be trivial for a plugin to detect and delete their scripts. As usual the evil "tracking" requires the active cooperation of your browser.

    • > ...it should be trivial for a plugin to detect and delete their scripts.

      And in fact Ghostery already does so.

  • Question:
    Would modifying my MacAddress stop this kind of tracking?

    • This has nothing to do with your MAC address, which is not accessible to Web sites in any case.

      • by PacoSF ( 2423754 )

        Thanks. for clarifying this for me.

        The Wired article mentioned -- "That tracking trail would remain in place even if a user deleted her cookies, due to code that stores the unique ID in places other than in a traditional cookie"

        I wasn't sure if this unique ID was synonymous with MAC address.

      • by Lennie ( 16154 )

        Actually, someone did create a Java-applet ones used for getting the MAC addresses of website visitors.

      • It likely is if you happen to connect over IPv6...
  • This sort of thing is why the EU's half-witted privacy rules on cookies miss the point.

    The thing to control is the tracking of users (particularly without their consent), and the storage and onward transmission/sale of user-information - not some particular technology that is being used to do that at any given stage in the evolution of the web.

    Of course, if your legislative process is owned by the corporate world, or your voters believe in the rights of corporations, rather than citizens, that is unlikely to happen.

    • Nobody has any tracking information about you that your browser didn't actively give them, and your browser is entirely under your control.

  • On our site we did a comparison between our local stats and Google analytics, we found that so many people are blocking them ithere was a skew that fluctuated between 5 to 15% from day to day....

    We now run OWA which does a pretty good job.

  • 1 - Anonymous redirection, something like TOR
    2 - Forbid anything of theirs to run on your computer.

    And then, for #3. Find out who is using it and boycott their companies products/services.

  • The main trick used was to persistently store data via Flash. The article did say that other persistent storage techniques were used (SQLite, localStorage, etc .. technologies iOS has as well) but one less, and a very commonly used technique, is rendered useless if you're on an iPhone or iPad.

  • by devleopard ( 317515 ) on Saturday July 30, 2011 @02:32PM (#36934546) Homepage

    It's called a web browser.

    EFF has shown that you free transmit all sorts of info, that taken as a whole, can uniquely identify you. [slashdot.org]

    Visit it yourself [eff.org] and see where you're at: it told me my fingerprint was unique out of over 1.6M browsers already checked.

    You can block pieces - such as using NoScript, or Tor - but then you only *reduce* your uniqueness

    • by schwnj ( 990042 )
      That's what I thought this article would be about. It looks to me that the font list provides the most identifying information. Anyone know a way to tell your browser to not report your installed fonts?
    • I went to that site and it said


      Your browser fingerprint appears to be unique among the 1,684,880 tested so far.

      HAHA! ... Wait, what?

      • All it said to me was "Please wait..."

      • Your browser fingerprint appears to be unique among the 1,684,880 tested so far.

        Yeah right, that's what they whisper in your ear, telling you you are the only special one in the whole universe... until you find the web site has been seeing lots of other browsers, frequently, and without protection.

        Ew!

    • by evanh ( 627108 )

      It says 1 in 168000 for me so, I guess that's about 100 identical Linux setups detected; along with Firefox auto-deleting cookies and NoScript blocking both JS and flash.

      On a Windoze box that would be 10x bigger pool again. Gonna have to do better to track me.

  • just how many entries does kissmetrics.com have for Lynx? [wikipedia.org]

  • I was kind of hoping this was Google's doing - I was looking forward to the hilarity of watching Slashdotters' verbal and logical contortions while attempting to explain why it's actually a good thing...

  • The guy in charge says they are not doing anything illegal, so I feel a whole lot better. Sort of like when a bank says they're not doing anything illegal when they send you the 12th set of final mortgage papers and then tell you there's a mistake (for the 12th time) and you have to submit everything again and they've already charged you $80000 in fees... Nope, no problem there.
  • Since this uses specific js-tech/js-functions, is there a way to block specific js-functions ? e.g block calls to ajax by specific websites, cuz a website could easily mask as something useful but make calls to java functions that could be used for mischief.

  • As someone who writes "visibility software" let me just say, there is absolutely no way you will ever have privacy on the web. You can use TOR, or TOR like services, if you don't mind TOR servers being the ones that track you. You can use VPN's if you don't mind the people selling VPN connectivity tracking you. If your traffic is not encrypted or terminates at an untrusted site it is visible. Oh. And just so you know. Encrypted packets carry your mac address because there isn't changes to the headers

After all is said and done, a hell of a lot more is said than done.

Working...