Class-action complaint against Kissmetrics and others for use of Flash LSO [pdf]

Not just Kissmetrics in the defendents:<p>Space Pencil, Inc. D/B/A KissMetrics, Babypips.com, Involver.com, Moo, Inc., Sitening, LLC., Shoedazzle.com Inc., 8tracks Inc., About.me, Friend.ly, Giga Omni Media Inc., Hasoffers.com, Kongregate Inc., Livemocha Inc., RocketTheme, LLC, Fitness Keeper, Inc., Seomoz, Inc., Sharecash, LLC., Slideshare.net, Spokeo, Inc., Spotify USA, Inc., Visual.ly, Conduit USA, FLite, Inc., Tangient, LLC, Etsy Inc, and iVilliage, Inc

For the backstory: <a href="http://www.wired.com/epicenter/2011/08/tracking-lawsuit/" rel="nofollow">http://www.wired.com/epicenter/2011/08/tracking-lawsuit/</a> <a href="http://www.wired.com/epicenter/2011/08/kissmetrics_reversal/" rel="nofollow">http://www.wired.com/epicenter/2011/08/kissmetrics_reversal/</a> <a href="http://www.wired.com/epicenter/2011/07/undeletable-cookie/" rel="nofollow">http://www.wired.com/epicenter/2011/07/undeletable-cookie/</a> <a href="http://www.wired.com/epicenter/2010/12/zombie-cookie-settlement/" rel="nofollow">http://www.wired.com/epicenter/2010/12/zombie-cookie-settlem...</a>

the takeaway for me is respect privacy and other general laws of the country you do business in<p>i personally believe kissmetrics had to fully know they had figured out a way to bypass privacy settings and thought themselves clever for it. Most likely they said the far too often: "It will only be a problem if we are successful and then, hey we are successful"

This could backfire massively if the court says "no problem".<p>Better Privacy and Ghostery plugins are your friends, turn off local storage in about:config -&#62; dom.storage.enabled<p>Etags is rather clever though, not sure how to ignore those.<p>added: also remember to turn off third-party cookies in Firefox (it's there but buried in Chrome)<p>Note to developers: please never, ever, rely on third-party cookies!

While I don't disagree with some of the claims made, other claims, especially those about the harm caused to the Plaintiffs and Class Members, are pretty amusing. They're claiming that it caused economic loss because it resulted in unauthorized use of bandwidth without payment and that it diminished the performance of their computers and internet connectivity.

Best way to resolve this issue? Just add "kissmetrics.com" to your ADSL modem router URL blocking filter (assuming your router/modem has this ability). Then the problem is resolved for all your devices..wireless or otherwise.

go here and see just how many companies drop flash cookies on you: <a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html" rel="nofollow">http://www.macromedia.com/support/documentation/en/flashplay...</a>

They're claiming 5 million in damages for using something that's cookie-like that doesn't respect their browser's cookie settings?

I thought this would be related to the story last week about KissMetrics using etags for tracking (<a href="http://www.wired.com/epicenter/2011/07/undeletable-cookie/" rel="nofollow">http://www.wired.com/epicenter/2011/07/undeletable-cookie/</a>) -- but it's not. Maybe that will bring another lawsuit entirely.<p>edit: corrected below, thanks!

I'm in the middle of a somewhat heated difference of opinion on whether we use evercookie for a site I'm working on. This will help my arguments sound less peace &#38; love-y.

This brings up an interesting point about tracking services. If a user selects 'Do Not Track' in their browser (Providing it supports it), does that mean do not track them at all? Or do not track them as a unique user? May sites still use software like Webalizer/AWStats or similar to track users, it would be very complicated to set those up not to track users that send the 'do not track' headers

What does this all mean? How does it impact startups and anyone else that runs a web site, and how can we avoid getting sued?<p>Is this a completely ridiculous lawsuit, considering how many websites use Kissmetrics and other tools?

What I didn't understand about this lawsuit is the following angles:<p>&#62; Plaintiffs believe their decisions to disclose or not disclose information is their decision to make.<p>&#62; To avoid being tracked online Plaintiffs used and relied on their browser controls.<p>&#62; It is contrary to standard practices to use DOM local storage instead of cookies.<p>If you are going to put down a practice as a "hack" or "repurposing" why not quote the standard?<p><a href="http://dev.w3.org/html5/webstorage/#user-tracking" rel="nofollow">http://dev.w3.org/html5/webstorage/#user-tracking</a><p>Very clearly it states:<p>&#62; A third-party advertiser (or any entity capable of getting content distributed to multiple sites) could use a unique identifier stored in its local storage area to track a user across multiple sessions, building a profile of the user's interests to allow for highly targeted advertising.<p>To me: any effort by plaintiffs to protect their privacy is moot, especially attacking local storage practices, when it is known that it can be used for tracking.<p>W3C puts the control and responsibility back in the user's hand:<p>&#62; There are a number of techniques that can be used to mitigate the risk of user tracking, all involve user agent/browser settings.<p>So in my mind:<p>- Plaintiffs (or their browsers) did not enough to protect their online privacy.<p>- Plaintiffs complain about the abuse of local storage practices, when tracking through local storage is a very real option.<p>- Plaintiffs can configure their user agent to not accept these cookies.<p>As for information sharing between sites: this I could see as bad, if proven. But a KissMetrics-wide unique ID doesn't proof that such information is shared.<p>Even with all security efforts in place, a user can still be tracked (By IP and browser/system settings), and this data can still be shared. I do e-commerce profiling, and while I don't really need a flash cookie, I also don't really need your permission to scan my own servers logs: it was you who made the decision to disclose that information to me.<p>&#62; However, user tracking is to some extent possible even with no cooperation from the user agent whatsoever, for instance by using session identifiers in URLs, a technique already commonly used for innocuous purposes but easily repurposed for user tracking (even retroactively). This information can then be shared with other sites, using using visitors' IP addresses and other user-specific data (e.g. user-agent headers and configuration settings) to combine separate sessions into coherent user profiles.

Wonder why they single out Kiss, you can bet anything they're doing the entire ad industry is doing too.