Online Analytics Firm Settles Suit Over Unstoppable User Tracking

A screenshot of a “cookie” hidden in the browser cache.

KISSmetrics, a popular tool for websites to monitor who is using their site, has agreed to settle a lawsuit accusing the company of using shady techniques to recreate cookies after users deleted them and track users who blocked cookies.

The company was sued in August 2011, just after reported on research into the company’s practices by UC Berkeley researchers including Ashkan Soltani. The suit, brought on behalf of John Kim and Dan Schutzman, accused the company of violating California and federal anti-hacking laws and misappropriating their personal information for profit.

In the proposed settlement (.pdf), the two plaintiffs will split $5,000, while their lawyers will get 100 times as much: more than $500,000 in legal fees for work ranging in rates from $350 to $580 per hour. Though the original lawsuit included KISSmetrics clients, such as Spotify and AOL, these companies were dismissed from the suit in the spring.

There’s no payout for the general public. Instead, the public will have to be satisfied that KISSmetrics largely agrees not to use sneaky methods to track users any more — unless users are given notice and a choice. Those methods include using JavaScript, HTML5, Flash and browser caches to store copies of a cookie’s unique ID in order to re-create it if the cookie was deleted.

KISSmetrics’ tracking techniques worked even if a user had cookies turned off and private browsing mode turned on. The company’s tracking code included one function with the damning name “cram cookie.”
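A privacy auditor can check for this kind of cookie re-creation by comparing what a browser stored before the user cleared cookies with the cookie jar after a return visit. The sketch below is an added example, not code from the article, the researchers or KISSmetrics; the snapshot format, the function name `findRespawnedCookies` and all sample values are constructed for illustration.

```javascript
// Added example: flag cookies that reappear with the same ID after deletion.
// Snapshot shape and all names/values below are constructed for illustration.
const NON_COOKIE_STORES = ["localStorage", "flashLso", "cacheEtags"];

// ETags arrive quoted and sometimes weak-prefixed: W/"abc" -> abc
function normalize(value) {
  return String(value).replace(/^W\//, "").replace(/^"|"$/g, "");
}

// before: storage snapshot taken before the user clears cookies.
// after:  cookie jar after clearing cookies and revisiting the site.
function findRespawnedCookies(before, after, minIdLength = 8) {
  const findings = [];
  for (const [name, value] of Object.entries(after.cookies)) {
    // A fresh visit should mint a new ID; the same long value is suspicious.
    if (value.length < minIdLength || before.cookies[name] !== value) continue;
    const sources = [];
    for (const store of NON_COOKIE_STORES) {
      for (const [key, stored] of Object.entries(before[store] || {})) {
        if (normalize(stored).includes(value)) sources.push(`${store}:${key}`);
      }
    }
    // Only report when a surviving copy explains the reappearance.
    if (sources.length > 0) findings.push({ name, value, sources });
  }
  return findings;
}

// Constructed sample: the ID survives in localStorage and in a cached ETag.
const before = {
  cookies: { uid: "Zx81kQp0aa7LmN3", theme: "dark", sid: "s-1111111111" },
  localStorage: { profile: '{"id":"Zx81kQp0aa7LmN3"}' },
  flashLso: {},
  cacheEtags: { "https://tracker.example/i.js": 'W/"Zx81kQp0aa7LmN3"' },
};
const after = {
  cookies: { uid: "Zx81kQp0aa7LmN3", sid: "s-2222222222" },
};

console.log(findRespawnedCookies(before, after));
```

The session cookie `sid` is not flagged because it received a fresh value, while `uid` is reported together with the two stores that still held a copy of it.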

KISSmetrics’ founder Hiten Shah initially defended the practice, telling Wired there was nothing illegal about the techniques it was using.

“We don’t do it for malicious reasons. We don’t do it for tracking people across the web,” Shah said in July 2011. “I would be having lawyers talk to you if we were doing anything malicious.” — one of KISSmetrics’ clients in 2011 — faces a separate lawsuit, as it had been previously busted using Flash cookies and promised in a settlement not to do it again.

KISSmetrics did not, however, admit guilt in the proposed settlement, which awaits approval from a federal court judge.

Man Banned Mid-Trip by No-Fly List Gets Stranded in Hawaii

Wade Hicks, Jr., was booted from his military flight from California to Japan after authorities told him his name was on a no-fly list. (AP Photo/Audrey McAvoy)

The farce that is the government’s no-fly list got another bizarre twist when the spouse of a Navy lieutenant, flying on a military jet to visit his wife in Japan last week, was booted from his flight during a layover in Hawaii.

Wade Hicks, from Mississippi, was on a layover at Joint Base Pearl Harbor-Hickam, on a military flight from California to Okinawa, when a U.S. Immigration and Customs Enforcement official in Hawaii told him he was on a no-fly list and barred him from continuing his journey.

Hicks was stranded in Hawaii for six days before the ban suddenly lifted last Thursday after he contacted politicians in Mississippi and Hawaii for assistance.

During the time that he was stuck in Hawaii, he stayed in a hotel room at the Pearl Harbor naval base — a facility that houses submarines, cruisers and destroyers — despite being considered a national security risk, based on his placement on the no-fly list.

Hicks told the Associated Press that he thought authorities had confused him with someone else, since he didn’t have a criminal record, had worked in the past for a military contractor, has high-level security clearances and had recently passed an extensive FBI background check in Mississippi in order to obtain a permit to carry a concealed weapon.

But the Customs agent in Hawaii told him his name, Social Security number and date of birth all matched the person on the no-fly list. Hicks thought he might have landed on the list for controversial views he’s expressed about the Sept. 11 terrorist attacks — he has criticized the 9/11 Commission’s conclusions about the attacks.

Hicks has filed requests under the Freedom of Information Act for answers from the Transportation Security Administration and the Department of Homeland Security about why he was detained, and plans to seek reimbursement for his expenses.

“They have not apologized nor given me any reason,” he told the Associated Press.

The government’s no-fly list contains the names of about 20,000 people suspected of terrorist activity, including 500 to 600 Americans. The office of the Defense Secretary told AP that passengers who fly standby on military flights are screened against the no-fly list only on international flights. Domestic passengers are screened only through an internal military system, not the Advanced Passenger Information System run by Customs and Border Protection.

Because Hicks had no problem flying from California to Hawaii before he was barred, it’s possible that either his name was added to the no-fly list after he was already en route to Hawaii, or authorities in California failed to check the list before he boarded because the first leg of his journey was only a domestic flight.

In the past, quite a number of Americans, including Senator Ted Kennedy, many David Nelsons and an influential nun, were nabbed by the list for having names similar to suspected terrorists.

The government does not make public any statistics about the effectiveness of the no-fly list and its companion list — the secondary screening list — which singles out passengers for more intense screenings. Those caught on either list can try to get off it by filing a request with the government, but have no recourse to the courts to challenge the administrative punishment.

That’s because the Ninth Circuit ruled that while Americans have a First Amendment right to travel, they do not have a constitutional right to fly.