Hulu, Spotify, Etsy, accused of using invasive 'shadow tracking mechanisms'

Website analytics company KISSMetrics licensed out a technology to dozens of companies, including streaming media companies Hulu and Spotify, that let them implant a tracking tag in a user's browser history that could "respawn" if deleted. Now, the company and its licensees are being sued.

UC Berkley School of Law posted a study at the end of July that revealed the use of these persistent cookies.

From the Study's abstract:

We found over 5,600 standard HTTP cookies on popular sites, over 4,900 were from third parties. Google-controlled cookies were present on 97 of the top 100 sites, including popular government websites. Seventeen sites were using HTML5, and seven of those sites had HTML5 local storage and HTTP cookies with matching values. Flash cookies were present on 37 of the top 100 sites.

We found two sites that were respawning cookies, including one site --hulu.com-- where both Flash and cache cookies were employed to make identifiers more persistent. The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and "Private Browsing Mode" is enabled.

The same day that the report came out, KISSMetrics and Hulu were sued by two Californians who said the use of these ETags was a violation of the federal Video Privacy Protection Act, and California state laws because it shared their Hulu viewing information with marketing company Scorecard Research, Facebook, ad network DoubleClick, Google Analytics, and web analytics company Quantserve. Further, the suit alleged that Scorecard Research stored the users' Hulu ID as an unencrypted cookie that could be easily viewed by another third party.

"Hulu and Scorecard Research's practice of sharing user profile IDs and storing them in cookies constitutes a severe failure to observe basic security standards in the handling of user information," the complaint said.

This week, another lawsuit was filed in California, this time against 27 different sites who licensed KISSMetrics' ETag tracking, including 8tracks Inc., About.me, BabyPips.com, Conduit USA, Etsy Inc., Fitness Keeper, Inc., Flite, Inc., Friend.ly, Giga Omni Media Inc., Hasoffers.com, Involver.com, Ivilliage, Inc., Kongregate Inc., LiveMocha Inc., Moo, Inc., Rockettheme, LLC, Seomoz, Inc., Sharecash, LLC, Shoedazzle.com, Sitening, LLC, Slideshare.net, Space Pencil, Inc., Spokeo, Inc., Spotify USA, Inc., Tangient, LLC and Visual.ly.

This complaint says "While it is generally reasonable to expect a website to use cookies for tracking, the website defendants and Kissmetrics created numerous, alternative, "shadow" mechanisms for tracking; Defendants engaged in tracking by exploiting Plaintiff and Class Members' browsers and other software in ways that consumers did not reasonably expect."

The first suit (Garvey et al v. Kissmetrics et al) will proceed before a California District Court Judge, while the second (Kim et al v. Space Pencil, Inc. et al) will proceed before a Magistrate Judge.

© 1998-2020 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.