I would guess it's because I use "Click-To-Enable" for plugins in Chrome. Your battery, sanity and page responsiveness will thank you. (Not suggesting that CtE blocks this, just that much of it's probably an unnecessary result of Flash ads, etc. on pages where you're not even using the Flash content)
I personally believe kissmetrics had to fully know they had figured out a way to bypass privacy settings and thought themselves clever for it. Most likely they said the far-too-often: "It will only be a problem if we are successful and then, hey, we are successful"
Can a court really penalize KISSMetrics when the government asks ISPs to track all of this information anyway? What's the difference between KISSMetrics having this info or a random ISP like Sonic.net?
You have choices about the collection and use of your information by third parties
But in fact, because of KissMetrics' shenanigans, the user did not have the choice, which is probably why Hulu is in trouble. I suspect the other defendants have similar clauses that were not followed.
Better Privacy and Ghostery plugins are your friends, turn off local storage in about:config -> dom.storage.enabled
ETags are rather clever though, not sure how to ignore those.
added: also remember to turn off third-party cookies in Firefox (it's there but buried in Chrome)
Note to developers: please never, ever, rely on third-party cookies!
Working on a plugin to do that now:
http://github.com/nikcub/parley
(a bit inactive only because I haven't committed to gh since initial commit, but I will be in the next few days)
The Last-Modified header can also be used to track - it accepts anything. I described it in a comment on the last thread:
cache[url] = data
to cache[(url,origin)] = data
(origin is roughly the domain of the referrer)
This way you don't need to block all 3rd party requests and caching will still work reasonably well for each site.
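The cache-key change proposed above, as an added example that is not part of the original comment: a toy browser cache revalidates a third-party resource with its stored ETag, once keyed on the URL alone and once on (url, origin). The `Tracker` and `Browser` classes, the `ids_seen` helper and all hostnames are constructed for illustration.

```python
import itertools


class Tracker:
    """Constructed third-party server that uses the ETag as a visitor ID."""

    def __init__(self):
        self._ids = itertools.count(1)

    def respond(self, if_none_match=None):
        if if_none_match is not None:
            # The browser revalidated: the echoed ETag identifies the visitor.
            return 304, if_none_match
        # No cached copy: issue a fresh, unique ETag.
        return 200, f"visitor-{next(self._ids)}"


class Browser:
    """Toy HTTP cache that stores only the ETag of each cached response."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.cache = {}

    def fetch(self, url, origin, server):
        # Shared cache: cache[url]. Partitioned cache: cache[(url, origin)].
        key = (url, origin) if self.partitioned else url
        _status, etag = server.respond(self.cache.get(key))
        self.cache[key] = etag
        return etag  # the identifier the tracker observed on this request


def ids_seen(partitioned, sites=("news.example", "shop.example"), visits=2):
    """Return {embedding site: set of IDs the tracker saw from that site}."""
    tracker, browser = Tracker(), Browser(partitioned)
    url = "https://tracker.example/pixel.gif"
    seen = {site: set() for site in sites}
    for _ in range(visits):
        for site in sites:
            seen[site].add(browser.fetch(url, site, tracker))
    return seen


if __name__ == "__main__":
    print("shared cache:     ", ids_seen(partitioned=False))
    print("partitioned cache:", ids_seen(partitioned=True))
```

With the shared cache the tracker sees one ID on both sites; with the partitioned cache each site gets its own ID, which still persists across repeat visits to that same site.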
RequestPolicy is an extension that improves the privacy and security of your browsing by giving you control over when cross-site requests are allowed by webpages you visit.
Note: I'm an actual quantcast employee, though I started after the aforementioned behavior. I'm not speaking for quantcast. (Seriously -- don't be a dbag and quote this as qc's position or anything. Because if you want qc's position ask our spokesperson.)
[1] http://www.wired.com/epicenter/2010/12/zombie-cookie-settlem...
Most of their arguments are a joke (with the exception of the browser controls circumvention, which I would say is Adobe's fault, and KissMetrics' use of the Adobe cookie to revive deleted cookies). All in all, I think this is a pure abuse of the justice system with a thin veneer of plausibility.
Space Pencil, Inc. D/B/A KissMetrics, Babypips.com, Involver.com, Moo, Inc., Sitening, LLC., Shoedazzle.com Inc., 8tracks Inc., About.me, Friend.ly, Giga Omni Media Inc., Hasoffers.com, Kongregate Inc., Livemocha Inc., RocketTheme, LLC, Fitness Keeper, Inc., Seomoz, Inc., Sharecash, LLC., Slideshare.net, Spokeo, Inc., Spotify USA, Inc., Visual.ly, Conduit USA, FLite, Inc., Tangient, LLC, Etsy Inc, and iVilliage, Inc
edit: corrected below, thanks!
Is this a completely ridiculous lawsuit, considering how many websites use Kissmetrics and other tools?
> Plaintiffs believe their decisions to disclose or not disclose information is their decision to make.
> To avoid being tracked online Plaintiffs used and relied on their browser controls.
> It is contrary to standard practices to use DOM local storage instead of cookies.
If you are going to put down a practice as a "hack" or "repurposing" why not quote the standard?
http://dev.w3.org/html5/webstorage/#user-tracking
Very clearly it states:
> A third-party advertiser (or any entity capable of getting content distributed to multiple sites) could use a unique identifier stored in its local storage area to track a user across multiple sessions, building a profile of the user's interests to allow for highly targeted advertising.
To me: any effort by plaintiffs to protect their privacy is moot, especially attacking local storage practices, when it is known that it can be used for tracking.
W3C puts the control and responsibility back in the user's hand:
> There are a number of techniques that can be used to mitigate the risk of user tracking, all involve user agent/browser settings.
So in my mind:
- Plaintiffs (or their browsers) did not do enough to protect their online privacy.
- Plaintiffs complain about the abuse of local storage practices, when tracking through local storage is a very real option.
- Plaintiffs can configure their user agent to not accept these cookies.
As for information sharing between sites: this I could see as bad, if proven. But a KissMetrics-wide unique ID doesn't prove that such information is shared.
Even with all security efforts in place, a user can still be tracked (by IP and browser/system settings), and this data can still be shared. I do e-commerce profiling, and while I don't really need a flash cookie, I also don't really need your permission to scan my own server logs: it was you who made the decision to disclose that information to me.
> However, user tracking is to some extent possible even with no cooperation from the user agent whatsoever, for instance by using session identifiers in URLs, a technique already commonly used for innocuous purposes but easily repurposed for user tracking (even retroactively). This information can then be shared with other sites, using visitors' IP addresses and other user-specific data (e.g. user-agent headers and configuration settings) to combine separate sessions into coherent user profiles.