Researchers Expose Tracking Service That Can't Be Dodged 173
Worf Maugg writes with this excerpt from Wired:
"Researchers at U.C. Berkeley have discovered that some of the net's most popular sites are using a tracking service that can't be evaded — even when users block cookies, turn off storage in Flash, or use browsers' 'incognito' functions. The service, called KISSmetrics, is used by sites to track the number of visitors, what the visitors do on the site, and where they come to the site from — and the company says it does a more comprehensive job than its competitors such as Google Analytics."
more importantly... (Score:5, Informative)
Javascript tracking? lol (Score:1, Informative)
It seems their tracking is using some javascript code. Noscript. No problem.
Ghostery FTW (Score:4, Informative)
Re:MOST importantly... (Score:4, Informative)
Where can I get software to defeat it? Or a clear enough description that would allow me to write that software?
According to a link [kissmetrics.com] in the TFA (directly from KissMetrics), just use AdBlock Plus.
Seems to take a bit of wind out of the summary's sails.
Re:Javascript tracking? lol (Score:4, Informative)
Maybe you read a different article. The one I read had almost no technical information, but did have a link to KiSSMetric's explanation [kissmetrics.com], which states:
When i.js loads, we set ETags and HTTP headers to tell the browser to cache the value of i.js for as long as possible. We also set the person’s random identity in a first-party cookie and as a third-party cookie on our domain (i.kissmetrics.com).
Blocking the javascript files (or blocking cookies and the ETag header) would eliminate the tracking.
For those too lazy to look for themselves: (Score:5, Informative)
"How KISSmetrics Tracking Works
KISSmetrics uses a variety of technologies to track people across the various browsers and computers they use. In doing so, we provide our customers a full view into how their customers interact with their websites.
Sites who use KISSmetrics may choose to provide us with personally identifiable information for their customers, or they may choose to use anonymized identities.
Sites have always had the option of using one of our server-side APIs, which do not set cookies or use any other means of identification. As of July 2011, sites may also choose to use only traditional cookie-based KISSmetrics tracking, which means that user information would be cleared whenever the consumer cleared their browser cookies.
For consumers who do not wish to be tracked by KISSmetrics, the freely available AdBlock Plus extension will prevent their information from being tracked by KISSmetrics. Learn more about AdBlock Plus.
The Technical Details
When a person visits a site that is using the KISSmetrics Javascript API, two javascripts are loaded:
t.js
i.js
t.js is the same for all people who visit a specific site (t.js is unique to each KISSmetrics customer).
i.js returns a unique âoeidentityâ for each person. This identity is just a random set of characters â" it does not contain an email address, name, IP address, or anything else that would be useful for identifying a person outside of KISSmetrics.
When i.js loads, we set ETags and HTTP headers to tell the browser to cache the value of i.js for as long as possible. We also set the personâ(TM)s random identity in a first-party cookie and as a third-party cookie on our domain (i.kissmetrics.com).
This means that if a person clears their browser cache or cookies, the random identity is likely to persist and that person will keep being âoeknownâ as a consistent random identity. If the random identity persists in one of these methods, we will reset the others so they all share that same random identity.
We do not use CSS or other versions of the technique known as history knocking.
The cached value for i.js is unique to a person, regardless of which site they are visiting. This means that to KISSmetrics, we know a single person by the same randomly-generated identity whether theyâ(TM)re visiting customer site A or customer site B. However, there is no way for our customers to access each others' data or know anything about a person's activities on other sites.
This is similar to credit card purchases â" Store A knows what you bought at Store A with your Visa. Store B knows what you bought at Store B with your Visa. Visa knows what you bought on Store A and Store B, but does not share that information between vendors. Just like Visa, KISSmetrics does not share any information about your interactions with Site A with Site B or with any third parties.
The Privacy Details
KISSmetrics has never, and will never, share personally-identifiable customer information with any third party sites.
KISSmetrics has never, and will never, share anonymous customer activity of what people did on customer Aâ(TM)s site with customer B.
Person data is available to the KISSmetrics customer for the lifetime of their relationship with KISSmetrics. When a customer ends their relationship with KISSmetrics, they may request that their data be deleted within 30 days.
If you have questions, weâ(TM)re happy to answer them at privacy@kissmetrics.com."
Re:more importantly... (Score:5, Informative)
Or, since the i.js and j.js scripts are usually hosted on the domain you're browsing, just follow KISSmetric's own recommendation:
For consumers who do not wish to be tracked by KISSmetrics, the freely available AdBlock Plus extension will prevent their information from being tracked by KISSmetrics. Learn more about AdBlock Plus.
You're already using unblockable tracking (Score:4, Informative)
It's called a web browser.
EFF has shown that you free transmit all sorts of info, that taken as a whole, can uniquely identify you. [slashdot.org]
Visit it yourself [eff.org] and see where you're at: it told me my fingerprint was unique out of over 1.6M browsers already checked.
You can block pieces - such as using NoScript, or Tor - but then you only *reduce* your uniqueness
RequestPolicy (Score:5, Informative)
Google and Facebook are more likely to be able to track you despite you trying to avoid it. Their stuff is "everywhere". If you use their services and go somewhere else but somehow still load stuff (images/scripts) from their servers (or servers they can get info from) they know who you are and what IP you are currently using.
That's what RequestPolicy [requestpolicy.com] is for. You can control what images/scripts/content from other domains gets loaded on a site-by-site basis in a way similar to Noscript. It's great in addition to Noscript (not as a replacement).
For example, when you load Slashdot with RequestPolicy turned on, you don't get any of the static content like images/css because that all seems to be stored on fsdn.com. You can easily select the RequestPolicy icon and tell it to allow requests from slashdot.org to fsdn.com. In a similar manner, you can let google.com load scripts and content from google.com while preventing other domains from doing so.
It's really the only way to prevent client-side tracking services that haven't yet hit the blacklists. It's more than the average user would be willing to do, but if you really want to stop tracking or you're just interesting in seeing which CDNs and how many off-domain resources sites use, it's worth checking out.
Blocking JavaScript does not defeat ETAGs (Score:4, Informative)
JavaScript is not needed at all: an etag header can be used to track you across different sites by including say a .CSS or .GIF file served by using a shared "tracking url" at a known site.
Example:
In the first request, the response header has ETag: "97a-494505e0c46c0"
In the second request, the request header has If-None-Match: "97a-494505e0c46c0" - this acts like a cookie.
If the "tracking" server receives a request with no If-None-Match: header, it replies with the file and sets the ETag to a unique value (exactly equivalent to the "cookie" value). If the server receives a request with the If-None-Match:, the value can be used to track the user... for example the server takes the If-None-Match: value, and returns back the image with the same etag value, and *also* set a cookie with that value in the response header!
No such thing as privacy on the web. The end. (Score:2, Informative)
As someone who writes "visibility software" let me just say, there is absolutely no way you will ever have privacy on the web. You can use TOR, or TOR like services, if you don't mind TOR servers being the ones that track you. You can use VPN's if you don't mind the people selling VPN connectivity tracking you. If your traffic is not encrypted or terminates at an untrusted site it is visible. Oh. And just so you know. Encrypted packets carry your mac address because there isn't changes to the headers for last hop so TOR and VPN services can tell you what kind of nic your machine is using. Following the trail from manufacturer to retailer to you takes less than 8 hours. If you haven't gone at least 3 hops of encrypted traffic YOU are visible.