Analysis firm Kissmetrics has killed a controversial system that installed unblockable respawning tracking files on user machines.
Spotify and television site Hulu.com were using Kissmetrics to track the online movements of visitors but severed ties with the company after researchers revealed the ploy.
A report published by the researchers found the sites were tracking users with Etags - unique identifiers stored in a browser cache - which were not affected by efforts to block cookies. Regular HTTP cookies and HTML5 files, notoriously hard to remove, were also used.
Researchers said it was the first time the tracking system had been used, that it allowed Etags to be installed regardless of privacy configurations, and that it had bypassed the Firefox browser’s do-not-track setting.
But it was the second time a company had terminated use of respawning cookies. In 2009, researchers outed a string of websites for respawning deleted Adobe Flash cookies used to track users.
Online tracking firm Quantcast paid out US$2.4 million to settle a class action suit on the matter.
“… the use of Kissmetrics cache cookie respawning is very similar to the respawning we found in 2009 - hulu.com used a third party to engage in tracking that users do not know about, cannot detect, and effectively cannot block,” said the researchers who discovered both incidents of cookie respawning.
The discovery was made by the same five researchers from Berkeley, Polytechnic and Wyoming universities who outed the cookie re-spawning in 2009.
They said visitors caught by Etag re-spawning could have their movements synchronised to other subscribers of the Kissmetrics service.
“The Etag respawning we observed set a first party cookie on hulu.com. This means that other sites subscribing to the kissmetrics.com service could synchronise these identifiers across their domains,” the researchers said.
They examined 100 of the world’s most popular web sites using two computers running virtualised Linux and Firefox 5.
“Etag tracking and respawning is particularly problematic because the technique generates unique tracking values even where the consumer blocks HTTP, Flash, and HTML5 cookies. In order to block this tracking, the user would have to clear the cache between each website visit.”
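An added example, not from the researchers' report or from Kissmetrics: a Python check over a constructed HTTP capture that flags the pattern described above, where a request sent without cookies but with a cached Etag validator gets back an identifier that was issued earlier. The host names, the cookie name and the capture format are assumptions, each request is assumed to carry a single validator, and the respawned cookie is modelled as a Set-Cookie header for simplicity.

```python
from urllib.parse import urlsplit

# Constructed capture (hypothetical hosts and values), in request order.
CAPTURE = [
    {"url": "https://tracker.example/i.js",
     "req": {},
     "resp": {"ETag": '"u8f3k2m9q1"', "Set-Cookie": "uid=u8f3k2m9q1; Path=/"}},
    {"url": "https://tracker.example/i.js",
     "req": {"Cookie": "uid=u8f3k2m9q1", "If-None-Match": '"u8f3k2m9q1"'},
     "resp": {"ETag": '"u8f3k2m9q1"'}},
    # Cookies have been cleared; the cached copy still carries its validator.
    {"url": "https://tracker.example/i.js",
     "req": {"If-None-Match": '"u8f3k2m9q1"'},
     "resp": {"ETag": '"u8f3k2m9q1"', "Set-Cookie": "uid=u8f3k2m9q1; Path=/"}},
    # Ordinary cache revalidation of a static asset: must not be flagged.
    {"url": "https://static.example/app.css",
     "req": {"If-None-Match": '"5d41402a"'},
     "resp": {"ETag": '"5d41402a"'}},
]

def etag_token(value):
    """Strip the weak prefix and quotes from an ETag / If-None-Match value."""
    value = value.strip()
    if value.startswith("W/"):
        value = value[2:]
    return value.strip('"')

def cookie_pair(set_cookie):
    """Return (name, value) from a single Set-Cookie header."""
    name, _, value = set_cookie.split(";", 1)[0].strip().partition("=")
    return name, value

def find_respawns(capture):
    seen = {}      # (host, cookie name) -> values issued earlier in the capture
    findings = []
    for ex in capture:
        host = urlsplit(ex["url"]).hostname
        req, resp = ex["req"], ex["resp"]
        if "Set-Cookie" in resp:
            name, value = cookie_pair(resp["Set-Cookie"])
            earlier = seen.setdefault((host, name), set())
            validator = etag_token(req.get("If-None-Match", ""))
            # Respawn: no cookie was sent, yet an old value comes back
            # on a request that presented a cache validator.
            if "Cookie" not in req and validator and value in earlier:
                findings.append({"host": host, "cookie": name, "value": value,
                                 "etag_is_id": validator == value})
            earlier.add(value)
    return findings
```

The `etag_is_id` field separates the case where the validator itself is the identifier from the case where the server only uses it as a lookup key.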
Researchers also discovered sites including FoxNews, the New York Times and Twitter were using HTML5 cookies as a robust tracking replacement for transient HTTP cookie data.
The researchers flagged security and privacy concerns with the cache cookies because, unlike HTTP cookies, they did not expire and were considerably larger in size – 5Mb compared to about 4Kb.
“HTML5 storage is more persistent than HTTP cookies [which] expire by default and [require that] developers must use a complex syntax and constantly update the expiration date,” the researchers wrote.
The researchers said they found values in HTML5 cookies that matched information held within HTTP cookies for seven sites including New York Times, Fox News, CNN and Twitter.
“In most of these cases, the matching value was with a third party service, such as meebo.com, kissanalytics.com, and polldaddy.com.”
“HTML5 storage offers many advantages over ordinary cookies, and since it does not involve using a plugin (like Flash), HTML5 may become a more universal tracking mechanism.”
Researchers also found more than 5600 HTTP cookies across the 100 sites, of which 4900 were hosted by third parties.
Google-controlled cookies were found on 97 percent of sites, including “popular” US government sites, and Flash cookies were found on 37 sites.
Twenty sites had installed more than 150 cookies, including wikia.com (242); legacy.com (230); foxnews.com (185); bizrate.com (175); drudgereport.com (168); myspace.com (151), and time.com (151).