Through initiatives such as the Digital Advertising Alliance, the digital media industry continues its attempts to self-regulate the collection of consumer data via the Internet. Despite that fact, ad technology companies are developing new methods to deliberately circumvent user attempts to evade online tracking, according to researchers at the University of California, Berkeley.
A research team consisting of privacy lawyer Chris Hoofnagle and researcher Ashkan Soltani, among others, published a report on Friday describing the use of a practice called “ETag tracking,” which stores behavioral information in the browser cache rather than in cookies. The technology supposedly provides the ability to monitor users’ behavior even if they block or delete HTTP, Flash, and HTML5 cookies from their machines.
According to the report, researchers found popular video site Hulu.com recreating HTTP and HTML5 behavioral cookies using ETag technology provided by a third party provider called KISSmetrics. Even if a user deletes his or her cookies, data regarding their previous behavior can simply be reinstated, effectively limiting their ability to control how their behavioral information is used.
“To our knowledge, this is the first demonstration of this ETag tracking in the wild,” the report read. Speaking with ClickZ, Soltani said the method is specifically designed “to get around the privacy tools built into browsers and still track persistently.”
Since the report published, however, KISSmetrics has altered its practices and updated its website to reflect those changes. “As of July 30, 2011 KISSmetrics uses standard first-party cookies to generate a random identity assigned to visitors to our customers sites,” the firm’s website now reads. Soltani suggested the company is “engaging in a bit of whitewashing” as it backs away from the ETag technology.
Hulu has already found itself scrutinized for reinstating deleted HTTP cookies, and was implicated in a lawsuit alongside tracking vendors Quantcast and Clearspring in 2009 regarding that behavior. The Berkeley study implies the company did so again, albeit with a slightly different technology, this time provided by KISSmetrics.
Bodies such as The Digital Advertising Alliance and the Network Advertising Initiative have gone to great lengths to create cookie-based mechanisms through which consumers can opt out of being tracked as they move around the Web. Those efforts have been formulated largely in response to scrutiny from regulatory bodies such as the Federal Trade Commission and the European Commission, both of which have repeatedly expressed concerns about users’ control over online data collection.
Although KISSmetrics is not listed as a member of either of those initiatives, Hoofnagle suggested practices such as ETag tracking could severely undermine the efforts. “This is another example of tracking brought to light by researchers, rather than the industry self-regulatory groups… it is unclear whether they have the technical expertise to engage in the surveillance and reverse engineering of new tracking methods,” he wrote in an email to ClickZ.
Hoofnagle also said the NAI and the DAA were failing to cover a reasonable scope of the industry, estimating that the bodies represent well under a third of the network trackers currently operating in the market.
It’s worth noting, however, that ETag tracking is not the only technology being used to track users across the Web more persistently. Numerous companies are experimenting with a practice known as device fingerprinting, which doesn’t require the placement of data on users’ machines in order to track their activity.
Besides ETag use, the study also monitored the top 100 U.S. sites – according to QuantCast – and recorded how many HTTP cookies were placed by those properties. In total it detected 5,675 cookies, an average of 56 cookies per site. 20 sites placed more than 100 cookies during a ten-page browsing session, it said, including seven that placed more than 150 including wikia.com, legacy.com, foxnews.com and myspace.com. A third party placed the vast majority of those cookies, the research found.
KISSmetrics and Hulu did not respond to requests for comment on this story.