Class-action complaint against Kissmetrics and others for use of Flash LSO [pdf] (files.wordpress.com)
66 points by podman on Aug 4, 2011 | hide | past | favorite | 37 comments


Not just Kissmetrics in the defendants:

Space Pencil, Inc. D/B/A KissMetrics, Babypips.com, Involver.com, Moo, Inc., Sitening, LLC., Shoedazzle.com Inc., 8tracks Inc., About.me, Friend.ly, Giga Omni Media Inc., Hasoffers.com, Kongregate Inc., Livemocha Inc., RocketTheme, LLC, Fitness Keeper, Inc., Seomoz, Inc., Sharecash, LLC., Slideshare.net, Spokeo, Inc., Spotify USA, Inc., Visual.ly, Conduit USA, FLite, Inc., Tangient, LLC, Etsy Inc, and iVilliage, Inc


Getting sued sucks. Getting your customers sued... ouch.



the takeaway for me is respect privacy and other general laws of the country you do business in

I personally believe kissmetrics had to fully know they had figured out a way to bypass privacy settings and thought themselves clever for it. Most likely they said this far too often: "It will only be a problem if we are successful and then, hey we are successful"


And all of this may be moot anyway with the government trying to track everything online. http://news.cnet.com/8301-31921_3-20084939-281/house-panel-a...

Can a court really penalize KISSMetrics when the government asks ISPs to track all of this information anyway? What's the difference between KISSMetrics having this info or a random ISP like Sonic.net?


There is an agreement between the user and their ISP, I for one have never made any agreement with KISSMetrics though I've used sites where they have tracked my information. Now I do make an agreement between a service like hulu when I use the site (Terms of Use) but the kicker here is (from their privacy policy):

You have choices about the collection and use of your information by third parties

But in fact because of KissMetrics' shenanigans, the user did not have the choice, which is probably why Hulu is in trouble. I suspect the other defendants have similar clauses that were not followed.


Fair enough. :)

I don't use KISSMetrics so I haven't read up on their ToS or PP. Makes sense though.


How about: ISPs would be compelled and empowered by the government and KISSMetrics hasn't been.


This could backfire massively if the court says "no problem".

Better Privacy and Ghostery plugins are your friends; turn off local storage in about:config -> dom.storage.enabled

ETags are rather clever though, not sure how to ignore those.

added: also remember to turn off third-party cookies in Firefox (it's there but buried in Chrome)

Note to developers: please never, ever, rely on third-party cookies!


The solution to ETags is to block all third-party requests by default, and let the user selectively allow them for each site they use.

Working on a plugin to do that now:

http://github.com/nikcub/parley

(a bit inactive only because I haven't committed to gh since initial commit, but I will be in the next few days)

The Last-Modified header can also be used to track - it accepts anything. I described it in a comment on the last thread:

http://news.ycombinator.com/item?id=2825564


A better solution to ETag and cache-based tracking in general would be to change the browser cache from:

   cache[url] = data

to

   cache[(url,origin)] = data

(origin is roughly the domain of the referrer)

This way you don't need to block all 3rd party requests and caching will still work reasonably well for each site.
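The cache-validator tracking trick described in the two comments above (an ETag, or equally a Last-Modified value, echoed back by the browser and used as an identifier) and the (url, origin)-keyed cache proposed as a fix, as an added example that is not code from the thread or from the parley project. The tracker server, the browser cache model, the tracker URL and the site names are all constructed for illustration:

```python
import secrets
from dataclasses import dataclass, field

TRACKER_URL = "https://tracker.example/t.gif"  # constructed third-party resource


@dataclass
class TrackerServer:
    """Third-party server abusing the cache validator as an identifier.

    It hands every new client a random ETag and, when the client echoes it
    back in If-None-Match, recognises the client and records which first-party
    site embedded the resource. Last-Modified / If-Modified-Since works the
    same way, since the server accepts whatever value it previously issued.
    """
    seen: dict = field(default_factory=dict)  # etag -> embedding origins

    def respond(self, if_none_match, embedding_origin):
        if if_none_match in self.seen:
            self.seen[if_none_match].append(embedding_origin)
            return 304, if_none_match          # "not modified": client recognised
        etag = secrets.token_hex(8)
        self.seen[etag] = [embedding_origin]
        return 200, etag                       # fresh identifier for this client


class BrowserCache:
    """Minimal cache model: remembers the validator per key and replays it."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.validators = {}

    def key(self, url, origin):
        # Unpartitioned: cache[url]; partitioned: cache[(url, origin)].
        return (url, origin) if self.partitioned else url

    def fetch(self, server, url, origin):
        k = self.key(url, origin)
        status, etag = server.respond(self.validators.get(k), origin)
        self.validators[k] = etag
        return status


def simulate(partitioned, visits):
    """Visit a sequence of first-party origins that all embed the tracker."""
    tracker = TrackerServer()
    cache = BrowserCache(partitioned)
    statuses = [cache.fetch(tracker, TRACKER_URL, origin) for origin in visits]
    return tracker, statuses


def linked_origins(partitioned, visits):
    """For each identifier the tracker issued, the first-party origins it links."""
    tracker, _ = simulate(partitioned, visits)
    return [sorted(set(origins)) for origins in tracker.seen.values()]


def cache_hits(partitioned, visits):
    """How many requests the cache still answered with a 304 (caching still works)."""
    _, statuses = simulate(partitioned, visits)
    return statuses.count(304)


if __name__ == "__main__":
    visits = ["a.example", "b.example", "a.example"]
    for partitioned in (False, True):
        print("partitioned" if partitioned else "unpartitioned",
              linked_origins(partitioned, visits),
              "304s:", cache_hits(partitioned, visits))
```

With the unpartitioned cache a single identifier links a.example and b.example; with the partitioned key the tracker sees two unrelated identifiers, while the repeat visit to a.example is still served from cache, which is the trade-off the comment describes.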


For Firefox there's RequestPolicy: https://addons.mozilla.org/en-US/firefox/addon/requestpolicy...

RequestPolicy is an extension that improves the privacy and security of your browsing by giving you control over when cross-site requests are allowed by webpages you visit.


While I don't disagree with some of the claims made, other claims, especially those about the harm caused to the Plaintiffs and Class Members, are pretty amusing. They're claiming that it caused economic loss because it resulted in unauthorized use of bandwidth without payment and that it diminished the performance of their computers and internet connectivity.


Best way to resolve this issue? Just add "kissmetrics.com" to your ADSL modem router URL blocking filter (assuming your router/modem has this ability). Then the problem is resolved for all your devices, wireless or otherwise.


Go here and see just how many companies drop flash cookies on you: http://www.macromedia.com/support/documentation/en/flashplay...


Not all of them use flash local storage objects maliciously, however. Many of them use local storage objects to actually track user preferences which is how they are intended to be used.


They're also used extensively in games for a variety of reasons (saved games, local scores, inventory, etc).


YouTube uses it to store the manual volume level; otherwise they default to 100%.


Is it supposed to be blank?

I would guess it's because I use "Click-To-Enable" for plugins in Chrome. Your battery, sanity and page responsiveness will thank you. (Not suggesting that CtE blocks this, just that much of it is probably an unnecessary result of Flash ads, etc. on pages where you're not even using the Flash content)


They're claiming 5 million in damages for using something that's cookie-like that doesn't respect their browser's cookie settings?


If someone is making an effort to avoid being tracked (as is their right) and you figure out a way to track them anyway, you are at the very least costing them the effort they put into avoiding being tracked. You are also costing them whatever value they attach to not being tracked. Some people do put a high price on their privacy and make strong efforts to protect it online.


Perhaps some people do value it that highly, but let's be honest, as with almost every class action lawsuit, this is about a couple of lawyers who saw an opportunity to make a lot of money by acting like a white knight for a lot of people who don't know they are or want to be a part of a lawsuit. The vast majority of those people that they're championing don't care one whit about being tracked for the purposes of anonymized analytics (which is what KissMetrics is all about).

Most of their arguments are a joke (with the exception of the browser controls circumvention, which I would say is Adobe's fault, and KissMetrics' use of the Adobe cookie to revive deleted cookies). All in all, I think this is a pure abuse of the justice system with a thin veneer of plausibility.


While I don't disagree that many class action lawsuits are lawyers looking for a pay day, I think there is still value in litigation like this.

Class action lawsuits help to ensure that defendants can't get away with doing a small amount of damage to each plaintiff, but a very large amount of damage as a whole. There simply would not be an incentive to bring this sort of litigation if not for this, and companies would likely get away with these kinds of only-slightly-harmful practices. By bringing this sort of class action, the damages can be large enough that the defendant is forced to rethink their actions and make a change in their behavior.

Without class action, the damages would be small enough that the company could ignore it (because so few people were suing), or the legal system would be flooded with an inordinate number of duplicate cases in order to bring an appreciable amount of damage to the defendants.

That said, it would be nice to see some sort of restriction on legal fees, or on who is allowed to bring class action suits (perhaps only consumer advocacy groups, as is true elsewhere in the world).


I think that might be a good solution (to have consumer protection/advocacy groups be the only ones who can bring forward class actions). As it is, many of them are promoted and put together by lawyers who have no actual interest in the case other than the large percentage of the settlement that they end up with.


And why is that a problem? I don't mind lawyers making money when they are doing something useful.


Because it means that they will pursue cases irrespective of their usefulness to society, which means that many of these cases are actually net damaging to society. That is a problem.


I thought this would be related to the story last week about KissMetrics using etags for tracking (http://www.wired.com/epicenter/2011/07/undeletable-cookie/) -- but it's not. Maybe that will bring another lawsuit entirely.

edit: corrected below, thanks!


It is. The suit alleges both ETags and LSO.


I'm in the middle of a somewhat heated difference of opinion on whether we use evercookie for a site I'm working on. This will help my arguments sound less peace & love-y.


This brings up an interesting point about tracking services. If a user selects 'Do Not Track' in their browser (providing it supports it), does that mean do not track them at all? Or do not track them as a unique user? Many sites still use software like Webalizer/AWStats or similar to track users; it would be very complicated to set those up not to track users that send the 'do not track' headers.
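One way to do what the comment above asks, as an added example that is not from the thread and not code from Webalizer or AWStats: count hits in aggregate for everyone, but only build per-visitor state for requests that do not carry `DNT: 1`. It assumes an Apache LogFormat that appends the DNT request header to the standard combined format (shown in the comment at the top of the block); the log lines are constructed:

```python
import re

# Assumed Apache LogFormat (not from the thread): the standard "combined"
# format with the DNT request header appended as a final quoted field.
# Apache logs "-" when the header is absent.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{DNT}i\"" combined_dnt

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<dnt>[^"]*)"$'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Aug/2011:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "1"
203.0.113.5 - - [04/Aug/2011:10:00:02 +0000] "GET /a.png HTTP/1.1" 200 128 "-" "Mozilla/5.0" "1"
198.51.100.7 - - [04/Aug/2011:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [04/Aug/2011:10:00:04 +0000] "GET /a.png HTTP/1.1" 200 128 "-" "Mozilla/5.0" "-"
192.0.2.9 - - [04/Aug/2011:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def visitor_key(rec):
    # Coarse visitor identity, used only for non-DNT requests. A real
    # deployment would hash or truncate this before keeping it.
    return (rec["host"], rec["ua"])


def summarize(log_text):
    """Aggregate hits for everyone; per-visitor state only for non-DNT requests."""
    hits = dnt_hits = 0
    visitors = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line, skip
        hits += 1
        if rec["dnt"] == "1":
            dnt_hits += 1
            continue  # counted in aggregate, never keyed per visitor
        visitors.add(visitor_key(rec))
    return {"hits": hits, "dnt_hits": dnt_hits, "unique_visitors": len(visitors)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The split answers the comment's two readings: DNT visitors still show up in total traffic, but no unique-visitor record is ever created for them, so the analytics never hold anything that identifies them.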


What does this all mean? How does it impact startups and anyone else that runs a web site, and how can we avoid getting sued?

Is this a completely ridiculous lawsuit, considering how many websites use Kissmetrics and other tools?


For all startups in general, probably not much; for kiss clients? Probably a lot. If I used kiss the first thing I'd be doing is removing their service from my site.


What I didn't understand about this lawsuit is the following angles:

> Plaintiffs believe their decisions to disclose or not disclose information is their decision to make.

> To avoid being tracked online Plaintiffs used and relied on their browser controls.

> It is contrary to standard practices to use DOM local storage instead of cookies.

If you are going to put down a practice as a "hack" or "repurposing" why not quote the standard?

http://dev.w3.org/html5/webstorage/#user-tracking

Very clearly it states:

> A third-party advertiser (or any entity capable of getting content distributed to multiple sites) could use a unique identifier stored in its local storage area to track a user across multiple sessions, building a profile of the user's interests to allow for highly targeted advertising.

To me: any effort by plaintiffs to protect their privacy is moot, especially attacking local storage practices, when it is known that it can be used for tracking.

W3C puts the control and responsibility back in the user's hand:

> There are a number of techniques that can be used to mitigate the risk of user tracking, all involve user agent/browser settings.

So in my mind:

- Plaintiffs (or their browsers) did not do enough to protect their online privacy.

- Plaintiffs complain about the abuse of local storage practices, when tracking through local storage is a very real option.

- Plaintiffs can configure their user agent to not accept these cookies.

As for information sharing between sites: this I could see as bad, if proven. But a KissMetrics-wide unique ID doesn't prove that such information is shared.

Even with all security efforts in place, a user can still be tracked (by IP and browser/system settings), and this data can still be shared. I do e-commerce profiling, and while I don't really need a flash cookie, I also don't really need your permission to scan my own server's logs: it was you who made the decision to disclose that information to me.

> However, user tracking is to some extent possible even with no cooperation from the user agent whatsoever, for instance by using session identifiers in URLs, a technique already commonly used for innocuous purposes but easily repurposed for user tracking (even retroactively). This information can then be shared with other sites, using visitors' IP addresses and other user-specific data (e.g. user-agent headers and configuration settings) to combine separate sessions into coherent user profiles.


Wonder why they single out Kiss, you can bet anything they're doing the entire ad industry is doing too.


KISS is still independent and unlikely to be able to afford the legal fees to fight it to the bitter end, increasing the trolls' chances of getting quick settlement dollars. I hope KISS pays them in pennies.


Actually, probably not. Some companies have already been caught with their hands in the cookie jar, sued, and settled. See e.g. [1]. I'd bet most companies have looked at that and decided not to do anything similar.

Note: I'm an actual quantcast employee, though I started after the aforementioned behavior. I'm not speaking for quantcast. (Seriously -- don't be a dbag and quote this as qc's position or anything. Because if you want qc's position ask our spokesperson.)

[1] http://www.wired.com/epicenter/2010/12/zombie-cookie-settlem...


What about individual sites that use evercookie for their own purposes, even if it's not for tracking? There's still the lack of respect for browser settings and "wasted bandwidth" as they claim... but it's not necessarily (perceived) as "malicious".

