Privacy

Like Zombies, Newfangled Cookies, Lawsuits Respawn

Published: Aug. 09, 2011

Updated: Oct. 05, 2020

This past weekend we saw another volley of rounds fired in the ongoing digital privacy wars. As with previous battles, this one started with the publication of an academic study and culminated in a class action lawsuit filed in the federal court in San Francisco.

The academic study was authored by U.C. Berkeley researchers (including my personal friends Chris Hoofnagle and Ashkan Soltani). It updated their 2009 study showing that online ad tracking firms Clearspring and Quantcast were using Flash capabilities in browsers to re-issue cookies even after users deleted them. The 2009 study inspired a class action lawsuit that Clearspring and Quantcast eventually settled for $2.4 million in cash and a promise to stop using the Flash cookie respawn method.

The July 2011 paper showed that while many websites had stopped using Flash cookies, some were using HTML5 Local Storage and a relatively new technique called Etags to follow individuals’ conduct on line. Because of the way these information methods work, a user deleting her cookies would nevertheless remain tracked by web analytics services, including San Francisco-based KISSmetrics.

As Wired’s Threat Level reporter Ryan Singel explained: “If a user came to Hulu.com from an ad on Facebook, and then later, using a different browser on the same computer, visited Hulu.com from Google, and then at some point signed up for the premium service, KISSmetrics would be able to tell Hulu all about that user’s path to purchase (without knowing who that person was). That tracking trail would remain in place even if a user deleted her cookies, due to code that stores the unique ID in places other than in a traditional cookie.”

For consumers to opt out, one must go to the KISSmetrics webpage.  The opt-out is complicated, however, by the fact that it counterintuitively depends on preserving a third-party cookie from KISSmetrics for each browser used.  Users are generally advised to delete cookies regularly, and not to accept third party cookies, if they want to avoid online tracking.

Hulu stopped using the KISSmetrics service but not before Kamber Law Firm sued the company and the firm providing the analytics service, San Francisco-based KISSmetrics, on the same day that the study came out. A few days later, Kamber filed another class action suit against 20 KISSmetrics customers.  Clearly academics are sharing their findings and conclusions with class action lawyers ahead of publication schedule. (August 9, 2011 PM UPDATE: The UC Berkeley researchers report that they did not share their findings in advance with Kamber or any other law firm. NB: Next reporter that interviews Attorney Kamber, please find out how his firm develops the facts behind the cases he files.)

The lawsuits allege violations of the Wiretap Act, the Video Privacy Protection Act, California Privacy Act, California’s computer crime statute and other laws.  These actions are sure to be consolidated in the Northern District of California with others yet to come, just as the complaints against Facebook, Zynga for transmitting user information and against Apple for transmitting unique device identifiers (UDIDs) have been.  As these cases wend their ways through the courts, “Do Not Track” regulation is getting traction from the Federal Trade Commission and in Congress (see Senator John Rockefeller’s (D-WV) Do Not Track bill).

Companies who are looking for ways to track user behavior or evaluate the effectiveness of advertising should consider whether they want to continue using any of these controversial cookies and if so assess whether they are providing appropriate disclosure as to their practices, lest they find themselves in the firing line.