Man reveals secret recipe behind undeletable cookies

A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser's privacy mode. The technique, which worked with sites including Hulu, Spotify and GigaOm, is …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Bastards

    Even by analytics standards...Bastards.

  2. Anonymous Coward

    Blocking ETags...

    You could also defeat this method by blocking the domain/hostnames involved

    1. The BigYin

      It's Javascript

      Just install "NoScript" (or similar) and job's a good 'un.

      1. Monkey Bob
        Big Brother

        Noscript, or...

        Beef TACO (Firefox) & Chromeblock (Google Chrome) have Kiss Metrics in their blocklists, assuming they've not found a way to circumvent these too.

    2. Anonymous Coward
      Devil

      Javascript - but not as you know it

      This is *server-side* Javascript.

      Since they are exploiting HTTP headers (as "xlq" explains very well below), they can technically be any resource at the site. You could even just make it look like a nice safe image, object or other url and then transparently use server-side processing (think Apache mod_rewrite style url rewriting) to pass it to a server "script" or module to do the rest.

      Assuming Kissmetrics jealously guard their server-side processing so that it is all conducted on servers from that one main domain, then this could be blocked by domain or hostnames. However, if they either use other domains or the server script can be shared or even if *any* website you visit decides to transparently redirect resource urls to one of Kissmetric's domains, then potentially you could never even realise they are doing it.

      If you are truly paranoid, short of disabling all the headers mentioned by xlq and probably significantly slowing your Internet connection since almost nothing would be cached client-side, then the only way to prevent this is as mentioned at the bottom of the article: "block all cookies and clear the browser cache after each site visited".

      If this were to become widespread, it pretty much undermines every existing notion of browser privacy control since it directly abuses the HTTP protocol. Truly unpleasant!

    3. Anonymous Coward
      Thumb Up

      @ this thread

      many elegant suggestions here, but frankly I'm with the original poster.

      Sledgehammer to crack a nut? Maybe...but any company trying to foist this "opt-out" crap on me deserves a hammer...

  3. GoGlen
    Big Brother

    Hot News: Free sites want money from ads

    I'm mixed about this. Often, one is browsing content for free - which is basically funded by advertisers.

    Advertisers pay a specific amount, based on what they can expect to get in return. Think of it simply as:

    (a) Random ad image

    (b) Targeted ad image that should be something the visitor MIGHT be interested in

    (c) Focused ad that definitely is "up the alley" of the visitor.

    A website (Reg, Ars, etc) must pull in enough money to survive. (a) ads pay the least, (b) more since users are more likely to click, and (c) the most.

    I'm on the fence. I have trained myself to ignore virtually all ads (and, yes, when I see the rapid spastic "Click The Monkey", I adblock or RIP it). However, I do click on some - if they are things I'm genuinely interested in.

    Like with TiVo; I have often reviewed to watch something that looked interesting. Often, movie trailers that I merely add to my Netflix queue :)

    1. Ru

      Yay arms races

      The problem is that the adverts get more and more intrusive, and more and more irritating, so people end up writing tools to get rid of them. This ends up throwing the unobtrusive ads out with the awful popunders and flash animations that trot out into the middle of the screen and strobe at you; everyone loses out in the end.

      I'd like more sites to offer optional subscriptions. I'm a grown up now with a salary; I'm prepared to part with some of my hard-earned if it turns my favourite bits of the internet back into readable, useable sites.

      How much do el reg expect to earn from each reader using ads?

      1. RegGuy

        ABP -- ad?

        "The problem is that the adverts get more and more intrusive..."

        What's an ad?

    2. Giles Jones Gold badge

      Ads

      I'm fine with adverts for free sites.

      But don't try to data-mine my browsing habits and invade my privacy to display a more relevant advert.

      1. Wize

        Shouldn't the antivirus/antispyware people...

        ...add this crap to their definitions and bugger them up big style?

    3. Peter Mc Aulay

      Nuts

      Funding "free" content with advertising is the site owner's choice and theirs alone. If I choose to filter the ads, that is my choice too. There is absolutely no moral obligation on my part to accommodate a web site's chosen business model any more than I am obliged to sit through the ads on a taped TV show (yah, I know I'm dating myself here). If a site can't survive because people block their ads or tracking bugs, obviously their business model is rubbish.

  4. Silverburn
    Thumb Down

    Grrrr...

    What a bunch of bloody crooks....

  5. Anonymous Coward

    Did I miss something

    or doesn't blocking https://i.kissmetrics.com/ cut this off at the source?

  6. Anonymous Coward

    On a practical note.

    Perhaps it is time to start figuring out how to stuff these services with fake hits, wholesale. If the numbers are worthless nobody'll want to shell out for them.

  7. Anonymous Coward
    Boffin

    Indeed

    Number 6: Where am I?

    Number 2: In the Village.

    Number 6: What do you want?

    Number 2: We want information.

    Number 6: Whose side are you on?

    Number 2: That would be telling. We want information... information... information.

    Number 6: Who are you?

    Number 2: The new Number 2.

    Number 6: Who is Number 1?

    Number 2: You are Number 6.

    Number 6: I am not a number, I am a free man.

    Cue demonic laughing from Number 2!

    1. Elmer Phud

      Big number two

      "Number 2: That would be telling. We want information... information... information."

      'You won't get it'

      "By hook or by crook we will!"

      at this point Rover bounces in . . .

    2. Matthew 3

      "We want information... information... information."

      "So that must mean that your number is a googolplex?"

  8. John G Imrie
    Happy

    No Java Script

    No ETag

    I see an advertising campaign in the offing

  9. Christoph
    Boffin

    Can anyone write a fix?

    Is anyone here able to write a Firefox add-on which will switch the stored value to a random new value every so often? That should mess the system up a bit more than just deleting it, though it might be tricky to work out what values would be accepted as valid.

    1. The BigYin

      No need

      Just use "NoScript"

      1. Wize

        @the big yin

        You are missing the point of this one. If they know they are going to be fed shit, they will be less likely to do this sort of thing.

        All you are doing with the standard 'noscript' reply is delaying the problem to a point where noscript won't save you when they have a way round it.

        1. Steven Roper
          Mushroom

          NoScript is coming increasingly under attack

          As a long-time user of NoScript, I've seen a disturbingly increasing number of sites recently that, when you visit them, simply display nothing but a "Please enable Javascript to view this site" message - even when the content of the page is merely non-interactive HTML, in which Javascript is completely unnecessary. Such sites are in most cases simply using Javascript's document.write() command to create the markup instead of putting it directly in HTML.

          This is obviously an attack on NoScript users to force them to enable Javascript so that the site operators can run more insidious scripts (including possible malware injectors) besides the markup writer.

          My usual response has been simply to leave the site, blacklist the domain, fire off an email to the WHOIS admin to the effect that I will not be doing business with them, and try another site; but the number of sites doing this shit is increasing exponentially. Eventually we'll have no choice but to always allow Javascript if we want to use the net at all.

          What needs to happen is for NoScript to be able to detect where page markup is being created by document.write (possibly by using regexes to search/replace instances of document.write followed by literal strings and replace them with NULL, or by parsing variables only where used in conjunction with document.write) and converting them back to raw HTML markup without running any other script on the page. Something along the lines of ~= s/document\.write(['|"]//g; perhaps.

          A possibly easier solution might be to have an option to only allow execution of document.write and variable assignments but no other Javascript commands. Either way, we need something, and we need it soon, to bypass the efforts of these fucking bastards who use unnecessary Javascript to display plain HTML in their attempts to force people to allow Javascript.

          Why has the internet turned into a fucking warzone for the greedy and unscrupulous? Why must we constantly be waging an endless arms race to defend our right not to be tracked, spied on, and exploited?

          1. Michael Wojcik Silver badge

            obvious, really

            "Why has the internet turned into a fucking warzone for the greedy and unscrupulous? Why must we constantly be waging an endless arms race to defend our right not to be tracked, spied on, and exploited?"

            Because people use it, and that is what people do. If you were greedy and unscrupulous, and you had an idea for making money using the Internet, you would put it into practice - that's what it means to be greedy and unscrupulous.

  10. Whitter
    Boffin

    Bar room Lawyers assemble!

    Would this not be a blatant breach of European law then?

  11. Trygve Henriksen

    Redirecting the kissmetrics traffic?

    Why not just reassign the Kissmetrics.com url to 127.0.0.1 in your hosts file?

    Or block their IP range in your Firewall?

    1. Chronos
      Unhappy

      Re: Redirecting the kissmetrics traffic?

      Not so simple. The IP range in question is Amazon WS which I doubt you want to block completely. I have kissmetrics.com in the squidGuard blacklists already but that's trivial to circumvent if they start hosting that script locally or adding A records pointing to that host on the client DNS.

      Bit of a bugger, really. I'm tempted to create a ClamAV signature matching that script's content and use Squid's Clam redirector. That would stop it dead - until they change the script. Snort might also come in handy...

  12. Anonymous Coward
    Mushroom

    Someone sue them please

    I'm not against tracking site visitors, I do it myself, but when you track people over so many sites such that you can build a pretty accurate profile of the person, presumably to chuck relevant ads at them, well that's just creepy.

    And resurrecting data when the user has tried to consciously delete it isn't just creepy, it's wrong.

    This is where that sodding EU cookie law goes wrong; a site owner having a look at anonymous metrics on one site that they own is a far cry from this sort of thing, and it can't all be lumped together in one piece of legislation.

  13. Anonymous Coward
    Big Brother

    "KISSmetrics' recently updated privacy policy.....

    ..... doesn't make it clear how users go about opting out tracking."

    and why exactly are the opt-out details being put in the "privacy policy"? Are they expecting each consumer to go to their site and read the policy just so that they can opt-out? Shouldn't the opt-out option be clear _and_ easy to find?

    heck, as far as I am concerned, I don't even need to know about KISSmetrics, the website that I am _visiting_ should be the one that gives me the option to opt-out.

    1. The BigYin

      This highlights another issue...

      ...it should be "opt-in to tracking" not "opt-out of being stalked".

      1. Loyal Commenter Silver badge
        Mushroom

        Reminds me of Phorm

        All of these parasites are the same - their business model relies on it being 'opt-out' because nobody in their right mind would opt into it.

        This sort of thing should be made a criminal offence under international law - in my opinion, data gathering of this sort, which as you point out, is akin to stalking, violates the human right to a private life. Like piracy on the high seas, these pathetic excuses for human beings should be shot on sight.

  14. Mike Johnson

    Simple solution

    As the data is stored by Javascript, I would have thought that the wonderful 'NoScript' plugin for Firefox would nicely protect you from this kind of unwilling tracking. If you don't allow Javascript from kissmetrics.com to run, then they can't get the ETag value!

    1. Marky W
      Meh

      That would be great if true...

      Can some alpha-geek confirm or refute?

      1. Marky W
        Unhappy

        Well, darn

        xlq (below) seems to provide a refutation. Will no one rid me of this turbulent technique?

  15. zaax

    Virus

    Can't be deleted, tracks usage, user knows nothing about it. - Sounds like a trojan to me.

  16. xlq
    Meh

    Blocking JavaScript won't help.

    The ETag (entity tag) value is part of the HTTP protocol and is used for caching. It represents the version of a particular resource. On the first request, the browser stores the ETag value it received. On a subsequent request, the browser will send an If-None-Match header with the old ETag value, to avoid downloading the page again if the ETag value is the same.

    All you have to do is use a unique identifier for the entity tag and the browser will later return it, just like a cookie. This isn't new. It's one of the methods evercookie (http://samy.pl/evercookie/) uses.

    There are a few Firefox add-ons that you can use to prevent this. One that I use is "Modify Headers", which can be set to filter the If-Match, If-None-Match, If-Modified-Since, If-Unmodified-Since, etc. headers. (Yes, the last modification date can also be used for tracking.)

    1. alain williams Silver badge

      ETAGs are useful

      as a way of not continuously downloading the same image/... but getting a new version if it changes. So disabling ETAGs effectively makes the Internet run more slowly for you since your browser won't cache so well.

      What I really dislike about this is the cross site tracking. I can accept a site remembering me while I visit it but don't want the next site to know anything about what I did elsewhere.

    2. Antony Riley
      Thumb Up

      Chocolate Cookie (harmless)

      Have a cookie for that, good post, I hadn't thought of using the last modified date, but you're right that'd work too.

    3. Lee Palmer
      Thumb Up

      Ta for that, wasn't sure. It's worse though.

      Any data sent back to their server could potentially be used to gather such intel. Anything big enough to store a unique id.

    4. xlq
      Unhappy

      Modify Headers won't help.

      I said that I use the "Modify Headers" add-on to prevent this.

      I found out today that the Modify Headers add-on doesn't actually work with cache-related headers like If-None-Match because Firefox inserts those headers before the add-on has a chance to filter them. That'll teach me not to check things!

      Now I've installed and configured privoxy to filter those headers instead. It definitely works now.

      Just wanted to point that out, so as not to leave misinformation in my name.
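The ETag revalidation described in xlq's two posts above, and the effect of filtering the conditional headers or clearing the cache, as an added example that is not part of the original thread. It is an in-memory simulation with no network traffic; the class names, function names and the `visitor-N` tags are constructed for illustration.

```javascript
// Request headers that replay a stored cache validator to the server.
const CONDITIONAL_HEADERS = new Set([
  'if-match', 'if-none-match', 'if-modified-since', 'if-unmodified-since', 'if-range',
]);

// What a header-filtering proxy does: drop conditional headers, keep the rest.
function stripConditionalHeaders(headers) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CONDITIONAL_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Constructed server: gives each unknown client a unique ETag and counts
// how many requests later present that same tag.
class TaggingServer {
  constructor() {
    this.nextId = 1;
    this.requestsPerTag = new Map(); // tag -> number of requests linked to it
    this.fullResponses = 0;          // 200 responses, i.e. full downloads
  }
  handle(headers) {
    const lower = {};
    for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;
    const presented = lower['if-none-match'];
    if (presented !== undefined && this.requestsPerTag.has(presented)) {
      this.requestsPerTag.set(presented, this.requestsPerTag.get(presented) + 1);
      return { status: 304, etag: presented, body: null };
    }
    const tag = `"visitor-${this.nextId++}"`;
    this.requestsPerTag.set(tag, 1);
    this.fullResponses += 1;
    return { status: 200, etag: tag, body: 'resource bytes' };
  }
}

// Constructed browser cache for one resource: stores the validator with the
// body and sends it back as If-None-Match on the next request.
class BrowserCache {
  constructor(server, requestFilter = (h) => h) {
    this.server = server;
    this.requestFilter = requestFilter;
    this.entry = null;
  }
  fetch() {
    const headers = { Accept: '*/*' };
    if (this.entry) headers['If-None-Match'] = this.entry.etag;
    const response = this.server.handle(this.requestFilter(headers));
    if (response.status === 200) this.entry = { etag: response.etag, body: response.body };
    return this.entry.body; // on 304 the cached body is reused
  }
  clear() { this.entry = null; }
}

// Make `requestCount` requests and report what the server could link together.
function simulate(requestFilter, requestCount, clearCacheEachTime = false) {
  const server = new TaggingServer();
  const browser = new BrowserCache(server, requestFilter);
  for (let i = 0; i < requestCount; i++) {
    browser.fetch();
    if (clearCacheEachTime) browser.clear();
  }
  return {
    distinctTags: server.requestsPerTag.size,
    maxLinkedRequests: Math.max(...server.requestsPerTag.values()),
    fullDownloads: server.fullResponses,
  };
}

console.log('default cache     ', simulate(undefined, 3));
console.log('headers filtered  ', simulate(stripConditionalHeaders, 3));
console.log('cache cleared     ', simulate(undefined, 3, true));
```

With the default cache all three requests are linked to one tag; with the headers filtered or the cache cleared, each request looks like a new visitor, at the cost of a full download every time.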

  17. This post has been deleted by its author

  18. Matthew Collier
    Stop

    mvps.org...

    ...hosts file already blocks this.

  19. Anonymous Coward

    The opt-out

    isn't anywhere to be found on their website. What distasteful people behind this.

  20. David Hicks
    Thumb Up

    I've said it before and I'll say it again

    Adblock, Cookie Monster, Better Privacy, flashblock, maybe NoScript (I don't bother).

    Set your browser to flush the cache on exit.

    Evercookie doesn't work against this setup. I see very few ads on the net. If a site needs session cookies to work I can enable them temporarily or permanently as needed. If a site I trust (el reg) wants them I can enable them.

    I can stop facebook logos loading when I'm not on facebook.com, kill scripts that slow everything down unnecessarily, generally make the internet a nicer place to be. If a site wants to track me then they can. I'm just not going to let my browser help them.

  21. Dave Murray
    FAIL

    Article late or just scaremongering?

    From Soltani's own website, near the top of the page linked - "Hulu and KISSmetrics have both ceased respawning as of July 29th 2011."

    So was this article supposed to have been published a month ago or is it just scaremongering? And, what happened to the death of the Reg icon?

  22. Anonymous Coward
    Thumb Up

    Scriptblock vs Adblock

    I know it's not addressing the root problem, but if they track you to display ads at you, why not just install adblock and block the ads?

    Of course, there are more sinister purposes that tracking can be used for, so see the above posters' ideas. I'd also chuck in blocking the relevant KISS hosts at the firewall - all ports, incoming or outgoing.

    Agree with other - HTF can this be opt-out, when you don't even know if you're being stalked? They can GTF with that...

  23. Anonymous Coward
    Facepalm

    Edit the file??

    I can only find IETAG.DLL on my machine in /Microsoft/Shared. Is this the file we are talking about?

    As it is a DLL could we open it with Resource Hacker and edit out the unique identifying information?

    1. Loyal Commenter Silver badge
      Devil

      As with any DLL

      If you can't figure out what it's for, you should delete it.

      1. Field Marshal Von Krakenfart
        Devil

        butt shirley

        AC may delete the wrong DLL, much safer to delete *.DLL

      2. Anonymous Coward
        Facepalm

        What's the system32 folder for again?

        Oh right!

      3. Anonymous Coward
        FAIL

        O really?

        Spoken like a true moron. Yes delete all dlls, frigging fool.

        1. Blain Hamon
          Devil

          Well, it did solve the problem.

          He'll no longer be tracked on that computer now, will he?

          We need a BOFH icon here.

  24. Synja

    How can you honestly consider yourself to have a right to privacy over public actions?

    I'm not taking sides, but just pointing something out.

    Once you get over the notion that web browsing is something happening in your home (where you do have a legal right to privacy), and realize that you (your data at least) is leaving the house and visiting public servers which have every right to track you while visiting the sites.

    Analogy: If you go to the grocery store, can you honestly complain when they ask you to remove the ski mask from your face so the security camera can get a good look at you? If you don't agree with the advertising or tracking, do not use the site, it's that simple. (I don't have a Google+ for this reason) If I run a website, I have every right as a private businessperson to run that site in any way I see fit providing I comply with sales and content laws, and of course disclose certain things.

    Getting back to the grocery store analogy, how is the information that gets stored via Internet any different than what the grocery store sees on their security camera? You pull up in the same car (browser), waddle in to purchase your case of twinkies (browse content), and pay with cash (don't log in) so that nobody will know that YOU are the 400lb guy with curly black hair and a Ford Taurus who likes twinkies.

    To be honest, I'd rather have ads that I might actually *like* appear on my preferred sites, instead of the recent influx of ads having to do with being Mormon. I'm going to see advertising anyway, at least this way, I get something that might be interesting.

    1. Anonymous Coward

      Missing the point

      Does the grocery store do this?

      * Have someone write down your license plate number when you arrive.

      * inventory what you buy, as well as what products you seem to look at.

      * catalog those results and store them for later analysis.

      How about this?

      * share that information with someone at your local pub (oh look, the Ford Taurus with plate XYZW1234 is here, from his shopping habits at the store, he's a family man, but today he picked up a box of tampons, so let's try to sell him an additional beer).

      You are correct about not going to the site if you disagree with its tracking policy. Here's the rub: they're NOT telling you what they're doing.

      AC, even though I'm beginning to doubt it will do me any good :-)

      1. J 3
        Big Brother

        @Missing the point

        "* inventory what you buy, as well as what products you seem to look at.

        * catalog those results and store them for later analysis."

        Actually, yes, they appear to do that, at least here in Merka. Except for the "what products you seem to look at" (as far as I know, wouldn't be surprised...).

        If you pay with a credit card, or, worse, use one of those "loyalty cards" things that give "discounts" (i.e. remove the artificial increase in price).

        It's easy to know: go return/exchange a product to, say, Target or Apple. If you paid with CC, all they need is your CC to accept it, you don't need a receipt. It happened to me recently: my 6th gen nano (crap, but got as a gift from the GF...) broke the other day. I went to the Apple Store to exchange it, and had no receipt (but since the thing was released less than a year ago, it must be under warranty). The guy got the serial number, and got me a new one. The receipt had my GF's name written on it, date it was bought, etc. When I told her that, she mentioned she had the same happen to her at Target. So, yeah, they do inventory what you buy, and I'm sure they use it later, and they don't ask for permission to collect nor keep the data -- at least I haven't been asked to sign anything.

        Of course it's easy to not use either, pay cash... much easier to circumvent the disgusting web tracking those guys are doing.

        1. steve 124

          apples / oranges

          This would only be a suitable example if Target had someone in a trenchcoat covertly following you and writing down on a notepad everything you looked at, picked up and put down, or put in your cart and then decided not to buy. That wouldn't be cool and neither is this.

    2. Mike Moyle

      @ synja

      "Analogy: If you go to the grocery store,..."

      In this particular case, the problem isn't that the grocery store knows what you buy... It's more analogous to that annoying neighbor that you try to avoid -- the one that always buttonholes you with a new "sure thing" that he's always trying to get you to sign up for -- that knows what you bought at the grocery store, the bed-n-bath store, the pharmacy, the newsstand, and that "club" in the next town that you go to on Saturday nights.

      I don't see where I have any obligation to give him any of that info.

      Hmmm... I'm not a programmer but, OTOH, AppleScript has a random number generator... I may have to dust off my scripting and see if I could set up one that tells the browser to write a random number to that line in the cache every three minutes... Something to think about in what I laughingly refer to as my free time...

    3. Saul Dobney

      Europe is very different

      In continental Europe there's this thing called Privacy written into various national constitutions and actually European Human Rights directives, which says even stuff which is apparently public is still subject to privacy rules. The exception is if you can show an explicit public interest. A shop tracking a customer does not have a public interest defence - the only way allowed in certain European countries is for the customer to have agreed to the data collection (explicit opt-in). Even if you think the information is public. Without the opt-in the shop is not allowed to do it. The principle is that organisations/businesses hold the minimum information. Information being public is not a defence.

      As you're in America, I'll give you some time to pick your lower jaw off the floor.

  25. Toby 2
    Coat

    It's just adverts...

    surely whether they are more targeted or not you can just ignore them? the technique only has effect if multiple sites are using the same technique (obv.) so information obtained (unless you're buying WMDs or something, then you should use TOR) would only ever be relevant to advertisers... Just ignore the adverts, targeted or otherwise!!

  26. Anonymous Coward

    Not paranoid enough ...

    Yes, you can ignore ads, even 'targeted' ads.

    However, browser history can contain more telling personal information that can be used in more pernicious ways. Suppose an employer buys the browser history of their employees. They have layoffs coming up. Let's see now. Worker A has been browsing speed shoppes for racing bicycle parts. Worker B has been searching for homeopathic cancer remedies. I wonder which one the accountants would recommend to be laid off?

    This needs to stop.

    1. Anonymous Coward

      Yes, exactly right!

      Excerpt from http://www.scroogle.org/doctorow.html

      "He should have seen it coming, of course. The U.S. government had lavished $15 billion on a program to fingerprint and photograph visitors at the border, and hadn't caught a single terrorist. Clearly, the public sector was not equipped to Do Search Right.

      The DHS officer had bags under his eyes and squinted at his screen, prodding at his keyboard with sausage fingers. No wonder it was taking four hours to get out of the god damned airport.

      "Evening," Greg said, handing the man his sweaty passport. The officer grunted and swiped it, then stared at his screen, tapping.

      [ . . . ]

      "Tell me about your hobbies. Are you into model rocketry?"

      "What?"

      "Model rocketry."

      "No," Greg said, "No, I'm not." He sensed where this was going.

      The man made a note, did some clicking. "You see, I ask because I see a heavy spike in ads for rocketry supplies showing up alongside your search results and Google mail."

      Greg felt a spasm in his guts. "You're looking at my searches and e-mail?" He hadn't touched a keyboard in a month, but he knew what he put into that search bar was likely more revealing than what he told his shrink.

      "Sir, calm down, please. No, I'm not looking at your searches," the man said in a mocking whine. "That would be unconstitutional. We see only the ads that show up when you read your mail and do your searching. I have a brochure explaining it. I'll give it to you when we're through here."

      "But the ads don't mean anything," Greg sputtered. "I get ads for Ann Coulter ring tones whenever I get e-mail from my friend in Coulter, Iowa!"

      The man nodded. "I understand, sir. And that's just why I'm here talking to you. Why do you suppose model rocket ads show up so frequently?"

      [ . . . ]

    2. Anonymous Coward

      @Anonymous Coward

      "Worker B has been searching for homeopathic cancer remedies."

      Honestly, I'd fire worker B for being an idiot. At least worker A seems to have mechanical aptitude and a desire to win.

  27. steve 124

    Blacklisted

    Thanks for the info El Reg! I'm adding the associated IPs to my firewall blacklist. Let's see em respawn cookies on my network now! :)

  28. RW
    Unhappy

    Advertising: an enormous con

    It amuses me endlessly to see the lengths to which marketers will go in pursuit of maybe, just possibly, once in a very long while, a sale by one of those using their services to advertise.

    Only speaking for myself, but I use adblock so I see few ads, and those I do see I pay no attention to.

    The con is really that marketers claim that targeted ads improve sales. That's not true. Today I may be interested in ginormous nipple rings, tomorrow in an antiquated book on Latin grammar, and the day after in Dog only knows what.

    Or to use a more prosaic example, suppose I'm looking for underwear. I have a very clear idea what I want, I know exactly which brand and model will fill the bill, and any adverts to the contrary are just so much wasted effort. What *will* influence me are the web pages that give full, objective information and are clear about sizing, fabric, country of origin, colors, styles, price, and availability. But once I've bought my gaunch, that's it. Throwing more ads at me does nothing, because I have enough rags to shelter my ever lovin' bod from the lust-filled gaze of onlookers, and need no more.

    Then there's ebay: in my pursuit of the perfect undies, I found the brand and model, and set up a moderately complex search string to find ebay listings for those and no others. Ebay then, in its blind pursuit of money, altered their search facility so it returned not just what I was looking for, but all sorts of other brands and models, I s'pose with the subliminal message "Maybe these are what you really want?" An intelligent company would have recognized that the more specific a search, the less likely it is that the searcher has interest in other things, particularly when the search string takes steps to exclude other makes and models.

    As ebay, so marketing in general: they think their ads actually work, but it's highly questionable whether they do anything other than annoy netizens.

  29. Anonymous Coward
    Happy

    Use hosts file to block

    I have my Asus TomatoUSB router blocking about 75,000 domains compiled from various ad/adult/tracking block lists. I was happy to see kissmetrics.com listed in there when this news came out. They can have their unkillable cookie on my systems ... just as long as it can't dial home! :)

  30. Anonymous Coward
    Devil

    Where's Anonymous when you REALLY need them?

    Seems a tailor-made target.

  31. b166er

    Now then

    THERE's a target for LulzSec

  32. John Savard

    Necessary Solution

    Server-side Javascript is able to access items in one's browser cache? That seems like something that has extreme privacy implications, and which should be corrected forthwith.

  33. shawnfromnh

    privacy

    Sure of course my country the US could care less about this.

    Though the better privacy standards of the EU should be able to ban or even fine this company out of business. I'm surprised I haven't heard anything reported about it yet.

  34. lunatik96

    ECPA violation?

    This kind of thing seems to violate the Electronic Communication Privacy Act. By peeking in specifically deleted files (cookies), this seems like a severe breach of trust.

    Where is the Gestapo when this occurs. I guess only Apple has that authority.

  35. Jon Smit
    Stop

    Hosts blocking

    There are 3 sites to block - at the moment

    i.kissmetrics.com

    trk.kissmetrics.com

    kissmetrics.com
