A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser's privacy mode. The technique, which worked with sites including Hulu, Spotify and GigaOm, is …
You could also defeat this method by blocking the domain/hostnames involved
Just install "NoScript" (or similar) and job's a good 'un.
Beef TACO (Firefox) & Chromeblock (Google Chrome) have Kiss Metrics in their blocklists, assuming they've not found a way to circumvent these too.
Since they are exploiting HTTP headers (as "xlq" explains very well below), they can technically be any resource at the site. You could even just make it look like a nice safe image, object or other URL and then transparently use server-side processing (think Apache mod_rewrite style URL rewriting) to pass it to a server "script" or module to do the rest.
Assuming Kissmetrics jealously guard their server-side processing so that it is all conducted on servers from that one main domain, then this could be blocked by domain or hostnames. However, if they either use other domains or the server script can be shared, or even if *any* website you visit decides to transparently redirect resource URLs to one of Kissmetrics' domains, then potentially you could never even realise they are doing it.
If you are truly paranoid, short of disabling all the headers mentioned by xlq and probably significantly slowing your Internet connection since almost nothing would be cached client-side, then the only way to prevent this is as mentioned at the bottom of the article: "block all cookies and clear the browser cache after each site visited".
If this were to become widespread, it pretty much undermines every existing notion of browser privacy control since it directly abuses the HTTP protocol. Truly unpleasant!
@ this thread
many elegant suggestions here, but frankly I'm with the original poster.
Sledgehammer to crack a nut? Maybe... but any company trying to foist this "opt-out" crap on me deserves a hammer...
Even by analytics standards...Bastards.
Hot News: Free sites want money from ads
I'm mixed about this. Often, one is browsing content for free - which is basically funded by advertisers.
Advertisers pay a specific amount, based on what they can expect to get in return. Think of it simply as:
(a) Random ad image
(b) Targeted ad image that should be something the visitor MIGHT be interested in
(c) Focused ad that definitely is "up the alley" of the visitor.
A website (Reg, Ars, etc) must pull in enough money to survive. (a) ads pay the least, (b) more since users are more likely to click, and (c) the most.
I'm on the fence. I have trained myself to ignore virtually all ads (and, yes, when I see the rapid spastic "Click The Monkey", I adblock or RIP it). However, I do click on some - if they are things I'm genuinely interested in.
Like with TiVo; I have often reviewed to watch something that looked interesting. Often, movie trailers that I merely add to my Netflix queue :)
Yay arms races
The problem is that the adverts get more and more intrusive, and more and more irritating, so people end up writing tools to get rid of them. This ends up throwing the unobtrusive ads out with the awful popunders and flash animations that trot out into the middle of the screen and strobe at you; everyone loses out in the end.
I'd like more sites to offer optional subscriptions. I'm a grown up now with a salary; I'm prepared to part with some of my hard-earned if it turns my favourite bits of the internet back into readable, useable sites.
How much do el reg expect to earn from each reader using ads?
I'm fine with adverts for free sites.
But don't try to data-mine my browsing habits and invade my privacy to display a more relevant advert.
Shouldn't the antivirus/antispyware people...
...add this crap to their definitions and bugger them up big style?
Funding "free" content with advertising is the site owner's choice and theirs alone. If I choose to filter the ads, that is my choice too. There is absolutely no moral obligation on my part to accommodate a web site's chosen business model any more than I am obliged to sit through the ads on a taped TV show (yah, I know I'm dating myself here). If a site can't survive because people block their ads or tracking bugs, obviously their business model is rubbish.
ABP -- ad?
"The problem is that the adverts get more and more intrusive..."
What's an ad?
What a bunch of bloody crooks....
Number 6: Where am I?
Number 2: In the Village.
Number 6: What do you want?
Number 2: We want information.
Number 6: Whose side are you on?
Number 2: That would be telling. We want information... information... information.
Number 6: Who are you?
Number 2: The new Number 2.
Number 6: Who is Number 1?
Number 2: You are Number 6.
Number 6: I am not a number, I am a free man.
Cue demonic laughing from Number 2!
Big number two
"Number 2: That would be telling. We want information... information... information."
'You won't get it'
"By hook or by crook we will!"
at this point Rover bounces in . . .
"We want information... information... information."
"So that must mean that your number is a googolplex?"
Did I miss something
or doesn't blocking https://i.kissmetrics.com/ cut this off at the source?
On a practical note.
Perhaps it is time to start figuring out how to stuff these services with fake hits, wholesale. If the numbers are worthless nobody'll want to shell out for them.
No Java Script
I see an advertising campaign in the offing
Can anyone write a fix?
Is anyone here able to write a Firefox add-on which will switch the stored value to a random new value every so often? That should mess the system up a bit more than just deleting it, though it might be tricky to work out what values would be accepted as valid.
Just use "NoScript"
@the big yin
You are missing the point of this one. If they know they are going to be fed shit, they will be less likely to do this sort of thing.
All you are doing with the standard 'noscript' reply is delaying the problem to a point where NoScript won't save you when they have a way round it.
NoScript is coming increasingly under attack
What needs to happen is for NoScript to be able to detect where page markup is being created by document.write (possibly by using regexes to search/replace instances of document.write followed by literal strings and replace them with NULL, or by parsing variables only where used in conjunction with document.write) and converting them back to raw HTML markup without running any other script on the page. Something along the lines of ~= s/document\.write(['|"]//g; perhaps.
Why has the internet turned into a fucking warzone for the greedy and unscrupulous? Why must we constantly be waging an endless arms race to defend our right not to be tracked, spied on, and exploited?
"Why has the internet turned into a fucking warzone for the greedy and unscrupulous? Why must we constantly be waging an endless arms race to defend our right not to be tracked, spied on, and exploited?"
Because people use it, and that is what people do. If you were greedy and unscrupulous, and you had an idea for making money using the Internet, you would put it into practice - that's what it means to be greedy and unscrupulous.
Bar room Lawyers assemble!
Would this not be a blatant breach of European law then?
Someone sue them please
I'm not against tracking site visitors, I do it myself, but when you track people over so many sites such that you can build a pretty accurate profile of the person, presumably to chuck relevant ads at them, well that's just creepy.
And resurrecting data when the user has tried to consciously delete it isn't just creepy, it's wrong.
This is where that sodding EU cookie law goes wrong; a site owner having a look at anonymous metrics on one site that they own is a far cry from this sort of thing, and it can't all be lumped together in one piece of legislation.
Redirecting the kissmetrics traffic?
Why not just reassign the Kissmetrics.com URL to 127.0.0.1 in your hosts file?
Or block their IP range in your Firewall?
Re: Redirecting the kissmetrics traffic?
Not so simple. The IP range in question is Amazon WS which I doubt you want to block completely. I have kissmetrics.com in the squidGuard blacklists already but that's trivial to circumvent if they start hosting that script locally or adding A records pointing to that host on the client DNS.
Bit of a bugger, really. I'm tempted to create a ClamAV signature matching that script's content and use Squid's Clam redirector. That would stop it dead - until they change the script. Snort might also come in handy...
..... doesn't make it clear how users go about opting out tracking."
heck, as far as I am concerned, I don't even need to know about KISSmetrics, the website that I am _visiting_ should be the one that give me the option to opt-out.
This highlights another issue...
...it should be "opt-in to tracking" not "opt-out of being stalked".
Reminds me of Phorm
All of these parasites are the same - their business model relies on it being 'opt-out' because nobody in their right mind would opt into it.
This sort of thing should be made a criminal offence under international law - in my opinion, data gathering of this sort, which as you point out, is akin to stalking, violates the human right to a private life. Like piracy on the high seas, these pathetic excuses for human beings should be shot on sight.
That would be great if true...
Can some alpha-geek confirm or refute?
xlq (below) seems to provide a refutation. Will no one rid me of this turbulent technique?
Can't be deleted, tracks usage, user knows nothing about it. - Sounds like a trojan to me.
The ETag (entity tag) value is part of the HTTP protocol and is used for caching. It represents the version of a particular resource. On the first request, the browser stores the ETag value it received. On a subsequent request, the browser will send an If-None-Match header with the old ETag value, to avoid downloading the page again if the ETag value is the same.
All you have to do is use a unique identifier for the entity tag and the browser will later return it, just like a cookie. This isn't new. It's one of the methods evercookie (http://samy.pl/evercookie/) uses.
There are a few Firefox add-ons that you can use to prevent this. One that I use is "Modify Headers", which can be set to filter the If-Match, If-None-Match, If-Modified-Since, If-Unmodified-Since, etc. headers. (Yes, the last modification date can also be used for tracking.)
ETAGs are useful
as a way of not continuously downloading the same image/... but getting a new version if it changes. So disabling ETAGs effectively makes the Internet run more slowly for you since your browser won't cache so well.
What I really dislike about this is the cross site tracking. I can accept a site remembering me while I visit it but don't want the next site to know anything about what I did elsewhere.
Chocolate Cookie (harmless)
Have a cookie for that, good post, I hadn't thought of using the last modified date, but you're right that'd work too.
Ta for that, wasn't sure. It's worse though.
Any data sent back to their server could potentially be used to gather such intel. Anything big enough to store a unique id.
Modify Headers won't help.
I said that I use the "Modify Headers" add-on to prevent this.
I found out today that the Modify Headers add-on doesn't actually work with cache-related headers like If-None-Match because Firefox inserts those headers before the add-on has a chance to filter them. That'll teach me not to check things!
Now I've installed and configured privoxy to filter those headers instead. It definitely works now.
Just wanted to point that out, so as not to leave misinformation in my name.
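The following is an added example, not code from xlq, from the poster above, from KISSmetrics or from evercookie. It simulates the "cache cookie" mechanism xlq describes (a unique ETag, and a Last-Modified date that encodes a visitor number, echoed back by the browser in If-None-Match and If-Modified-Since) and the countermeasure the post above settled on: a filtering proxy that strips those conditional headers before they leave the machine. The beacon URL, the site names and the exact header handling are assumptions made for illustration; the point it shows that the text alone does not is that stripping If-None-Match on its own is not enough, because the If-Modified-Since date re-identifies the visitor just as well.

```javascript
// Added example (not KISSmetrics, evercookie or any commenter's code).
// Simulates ETag / Last-Modified tracking and the header-stripping countermeasure.
const BEACON = "https://tracker.example/i.gif"; // assumed beacon URL
const EPOCH = Date.UTC(2000, 0, 1);             // base date for the Last-Modified encoding

// Server side. A first-time visitor gets a fresh random ETag and a Last-Modified
// date that encodes a visitor number; a returning browser echoes both back in
// If-None-Match / If-Modified-Since, so the visitor is re-identified without a cookie.
class CacheCookieTracker {
  constructor() {
    this.seq = 0;
    this.idBySeq = new Map();  // visitor number -> visitor id
    this.visitors = new Map(); // visitor id -> { seq, sites }
  }

  lookup(headers) {
    const etag = headers["if-none-match"];
    if (etag && this.visitors.has(etag.replace(/"/g, ""))) return etag.replace(/"/g, "");
    const ims = headers["if-modified-since"];
    if (ims) {
      // Recover the visitor number from the date the browser sent back.
      const seq = Math.round((Date.parse(ims) - EPOCH) / 1000);
      if (this.idBySeq.has(seq)) return this.idBySeq.get(seq);
    }
    return null;
  }

  handle(req) { // req: { headers, referer }
    let id = this.lookup(req.headers);
    let status = 304; // Not Modified: the browser keeps the cached beacon and its headers
    if (id === null) {
      status = 200;
      this.seq += 1;
      id = this.seq.toString(16).padStart(8, "0") + Math.random().toString(16).slice(2, 10);
      this.idBySeq.set(this.seq, id);
      this.visitors.set(id, { seq: this.seq, sites: [] });
    }
    const v = this.visitors.get(id);
    v.sites.push(req.referer); // the cross-site profile being built
    return {
      status,
      id,
      headers: {
        etag: `"${id}"`,
        "last-modified": new Date(EPOCH + v.seq * 1000).toUTCString(),
        "cache-control": "private, max-age=31536000",
      },
    };
  }
}

// Client side: a minimal model of what a browser cache does for one URL.
class BrowserCache {
  constructor() { this.entries = new Map(); }
  clear() { this.entries.clear(); }
  conditionalHeaders(url) {
    const e = this.entries.get(url);
    return e ? { "if-none-match": e.etag, "if-modified-since": e.lastModified } : {};
  }
  store(url, resp) {
    if (resp.status === 200) {
      this.entries.set(url, { etag: resp.headers.etag, lastModified: resp.headers["last-modified"] });
    } // on 304 the existing entry (and its identifiers) is kept
  }
}

// Countermeasure, in the spirit of a filtering proxy: drop conditional request
// headers so the tracker never sees the identifiers. Default strips all of them.
const CONDITIONAL = /^if-(match|none-match|modified-since|unmodified-since|range)$/i;
function stripConditionalHeaders(headers, pattern = CONDITIONAL) {
  return Object.fromEntries(Object.entries(headers).filter(([k]) => !pattern.test(k)));
}

// One browser visiting several sites that embed the beacon.
function simulateVisits(sites, { stripPattern = null, clearCacheBetweenSites = false } = {}) {
  const tracker = new CacheCookieTracker();
  const browser = new BrowserCache();
  const ids = [];
  for (const site of sites) {
    let headers = browser.conditionalHeaders(BEACON);
    if (stripPattern) headers = stripConditionalHeaders(headers, stripPattern);
    const resp = tracker.handle({ headers, referer: site });
    browser.store(BEACON, resp);
    ids.push(resp.id);
    if (clearCacheBetweenSites) browser.clear();
  }
  return { ids, distinctIds: new Set(ids).size, profile: tracker.visitors };
}

// Constructed sample input (assumed site names, not real hosts).
const SITES = ["https://hulu.example/", "https://spotify.example/", "https://gigaom.example/"];
console.log("no defence:", simulateVisits(SITES).distinctIds, "visitor id(s) for", SITES.length, "sites");
console.log("strip only If-None-Match:", simulateVisits(SITES, { stripPattern: /^if-none-match$/i }).distinctIds);
console.log("strip all conditional headers:", simulateVisits(SITES, { stripPattern: CONDITIONAL }).distinctIds);
console.log("clear cache after each site:", simulateVisits(SITES, { clearCacheBetweenSites: true }).distinctIds);
```

Stripping every conditional header costs the browser its revalidation, so the beacon (and everything else) is re-downloaded each time, which is the slowdown mentioned further down the thread; clearing the cache between sites has the same effect on the tracker and the same cost.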
...hosts file already blocks this.
isn't anywhere to be found on their website. What distasteful people behind this.
I've said it before and I'll say it again
Adblock, Cookie Monster, Better Privacy, flashblock, maybe NoScript (I don't bother).
Set your browser to flush the cache on exit.
Evercookie doesn't work against this setup. I see very few ads on the net. If a site needs session cookies to work I can enable them temporarily or permanently as needed. If a site I trust (el reg) wants them I can enable them.
I can stop facebook logos loading when I'm not on facebook.com, kill scripts that slow everything down unnecessarily, generally make the internet a nicer place to be. If a site wants to track me then they can. I'm just not going to let my browser help them.
Article late or just scaremongering?
From Soltani's own website, near the top of the page linked - "Hulu and KISSmetrics have both ceased respawning as of July 29th 2011."
So was this article supposed to have been published a month ago or is it just scaremongering? And, what happened to the death of the Reg icon?
Scriptblock vs Adblock
I know it's not addressing the root problem, but if they track you to display ads at you, why not just install adblock and block the ads?
Of course, there are more sinister purposes that tracking can be used for, so see the above posters ideas. I'd also chuck in blocking the relevant KISS hosts at the firewall - all ports, incoming or outgoing.
Agree with others - HTF can this be opt-out, when you don't even know if you're being stalked? They can GTF with that...
Edit the file??
I can only find IETAG.DLL on my machine in /Microsoft/Shared. Is this the file we are talking about?
As it is a DLL could we open it with Resource Hacker and edit out the unique identifying information?
As with any DLL
If you can't figure out what it's for, you should delete it.
What's the system32 folder for again?
AC may delete the wrong DLL, much safer to delete *.DLL