Lawsuit Alleges Hulu.com and KISSmetrics Used "Zombie E-Tags" To Track Consumers Without Notice And Consent
Monday, October 03, 2011
Last month, a lawsuit was filed in Central California District Court against Space Pencil and Hulu.com, alleging that the companies tracked consumers online usage without notice or consent using "Zombie Etags," a newer Internet technology. According to the complaint, consumers:
"... that accessed Hulu's website had HTTP cookies respawn via Flash shared objects, HTML 5 Local Storage, and/or cache/ETags after they had been deleted."
"Zombie ETags" refers to the latest combination of Internet technologies used to track online usage: HTML 5 local storage, and/or cached Etags. The Zombie Etags allegedly regenerate any HTML cookies the user has deleted, removing control from the user and preventing privacy. Entity Tags, also known as "Etags," are a mechanism to verify that the page components a web browser displays match the components on the web server hosting the URL or original web page.
According to the complaint (PDF - 6.3 MBytes), Space Pencil is the company doing business as KISSmetrics. Hulu.com is a popular website that streams video of television shows from ABC, CBS, Fox, NBC, and other networks and studios. This is at least the second class-action lawsuit filed against both companies.
This class-action lawsuit (Couch et al versus Space Pencil et al) was filed, in part, because the consumers:
What makes this lawsuit a little different from prior lawsuits (e.g., "zombie cookies), is the technology and hacking allegations:
"... Internet users who accessed Hulu's website, and knowingly, without the user's knowledge or consent, "Hacked" the Plaintiffs' and Class Member's Computing Devices in order to conduct covert surveillance of Plaintiffs and Class Members online activities, using web analytics to collect and de-anonymize Plaintiffs' and Class members' online data, providing the mechanism for Hulu to conduct perpetual online tracking of its users and a method to use cross domain tracking..."
This alleged tracking technology allowed Hulu and KISSmetrics to track Hulu.com users' online usage across the Internet and beyond the Hulu.com website. The complaint referenced several working papers about tracking technologies:
- "Flash Cookies And Privacy" by Ashkan Soltani et. al, 2009
- "Respawn Redux" by Ashkan Soltani, 2011
The 2009 working paper documented the extent of company websites using Flash cookies to regenerate HTTP cookies. The 2011 working paper documented the regenerated HTTP cookies practice:
Both companies supposedly stopped their Zombie Etag tracking on July 29, 2011. KISSmetrics published this response to the July 2011 lawsuit. The class-action plaintiffs want the tracking software and data files removed from their computers. The sensitive personal information:
"... compiled and misappropriated included sensitive information, such as users' video viewing choices revealing personal interests, his/her sexual preference, political views, and even more specific information like health conditions, such as DEPRESSION..."
The attorneys representing the plaintiffs in this class-action lawsuit include Strange & Carpenter, and a name I recognize: the law office of Joseph Malley.
If you want to learn more, I recommend reading this Wired story.
Great work Jo!
Posted by: Andrew Hillman | Monday, October 03, 2011 at 11:16 PM