
AOL, Spotify, GigaOm, Etsy, KISSmetrics sued over undeletable tracking cookies

Undeletable cookies are unquestionably heinous -- but if KISSmetrics' clients can be sued
By Sebastian Anthony

Over the last few days a story has been developing about an undeletable tracking cookie used by KISSmetrics, a website analytics company. The company and more than 20 of its clients have now had a class action lawsuit filed against them. The plaintiffs claim that the Privacy Act and the Electronic Communications Privacy Act have been broken, that their personal property (chattel) has been trespassed upon, and that the defendants have violated unfair competition law. Anyone who has visited one of the defendants' sites is eligible to join the class, and actual damages of up to $10,000 per class member are sought. If punitive damages are also awarded, the lawsuit could be worth hundreds of millions of dollars.

The concept of an undeletable cookie is not new. For years analytics and advertising companies have been using unconventional Flash Local Shared Object (LSO) cookies, and with recent advances in web browsers, HTML5 Local Storage is also being used to hold tracking data. What these stores have in common is that they sit outside the browser's cookie jar, so clearing cookies leaves them untouched. There is no shortage of such non-cookie places to stash an identifier, either: last year the proof-of-concept evercookie promised no less than eight ways of making sure a cookie cannot be deleted, quietly re-creating it from whichever copy survives when the user wipes the others.

Then, last week, KISSmetrics was shunted into the limelight when it was exposed as using HTTP ETags to create undeletable cookies. An ETag is a cache validator: the server attaches one to a response, and the browser sends it back in an If-None-Match header the next time it requests the same resource. Hand each visitor a unique ETag on a tracking image and that header becomes an identifier that survives cookie deletion and is only discarded when the browser cache is cleared. This wouldn't have been huge news in itself, but KISS provides analytics services for some big sites, including Spotify, Spokeo, AOL's About.me, Etsy, GigaOm, and more than 15 others [PDF]. Spotify immediately went on the record to deny any wrongdoing and removed KISSmetrics' undeletable cookie from its sites, and many of the other sites are also scrambling to rectify the situation.

It was the revelation of the ETag technique, it seems, that finally brought this mother of all anti-tracking lawsuits to fruition. Again, it wouldn't have been such huge news if it were merely KISSmetrics being sued, but the addition of its clients to the suit makes this a very interesting and potentially landmark case.

The crux of the lawsuit is the allegation that KISSmetrics extracted private data from the plaintiffs without their consent: whether or not they agreed to it, KISSmetrics and its clients gathered data about them. Specifically, it is alleged that HTML5 Local Storage, ETags, Flash LSOs, and perhaps other methods were used in unconventional ways to gather sensitive data about the plaintiffs. The complaint claims that these storage methods were chosen deliberately to hide tracking identifiers from the user, and that none of them is intended for tracking purposes. Furthermore, even if a user manually opted out of cookies, either with the browser's own cookie-blocking preferences or with add-ons that block third-party cookies, the ETag identifier persisted, because those controls govern the cookie store and not the HTTP cache.

In other words, KISSmetrics and its clients are being sued for taking data even when the plaintiffs explicitly stated that they did not want to be tracked, and the scary thing is that this is actually a strong case. Privacy laws are serious business, and KISSmetrics knowingly created a tracking method that was all but impossible to block. As a sign that the case has legs, back in December 2010 Quantcast settled a similar class action lawsuit for $2.4 million, and that suit didn't include Quantcast's clients.

The question, and the reason this lawsuit is important, is whether KISSmetrics' clients are also responsible for this breach of privacy. It will probably come down to the discovery process, if the complaint gets that far. Did KISS's clients know about the use of undeletable cookies? Did they approve of them, or question their use? If it turns out that any of the clients were even slightly culpable in what effectively amounts to the theft of private data, this could get very messy indeed.

In a world where the FTC and numerous other governmental bodies have ruled on the importance of online privacy, you have to wonder what on earth KISSmetrics was up to. Using undeletable cookies is heinous in its own right, and for KISSmetrics and its clients not to provide any other way of opting out of the tracking is truly untenable. Some will question the value of the data "stolen" by KISS and its clients, but if it wasn't worth anything, why did KISS go to such great lengths to make sure its tracking identifiers persisted?

Finally, looking forward, the main problem this lawsuit highlights is the unconventional use of modern web technologies to store tracking data. There is nothing inherently wrong with using HTML5 Local Storage as a data store, but if it is done secretly and with the explicit intention of circumventing a user's do-not-track preferences, it becomes a problem. Ultimately, short of demanding that standard, non-nefarious cookies be used (which this lawsuit might bring about), the only real solution is for web browsers to provide better ways of inspecting and managing the data stored by Flash and HTML5. ETags are another beast entirely, since the same header that enables the tracking is what makes ordinary caching work, but they can be blocked in Firefox at least (in effect by stopping the browser from returning ETags to tracking domains), and hopefully Chrome and Internet Explorer will offer similar functionality in future releases.

Read more about undeletable ETag cookies, or read the class action complaint [PDF].
