Wednesday, February 13, 2013

KISSMetrics: A Cautionary Tale of Web Analytics and Online Privacy

While scouring the web for my final blog post, I originally intended to write about Avinash Kaushik  and his impact the on web analytics industry.  During my search, I came across a blog post from way back in 2010, in which the author proposed five predictions about what will happen in the web analytics industry in the coming year.  Number 1 on the list?  Privacy:

There are many [privacy issues] - from data collection methods using 1st party cookies, third party cookies, Flash objects and data triangulation, to the highly personal IMEI number of your mobile phone. The issue is that the consumer (every web user), struggles to know what information is private, what is public and what to do in order to change the info they wish to share or keep private. Today the "average" web user is simply not in control of their own personal information.

A consequence of this, is that a particularly bad experience can lead to a complete shut-down of sharing visitor information…This is a real problem for the web measurement industry. If web users decide not to share their anonymous information in large numbers, tracking data becomes sparse, and the web takes a backwards step.[i] 

Fast-forward to August 2011, and sure enough a lawsuit was filed involving web analytics firm KISSMetrics and its clients.  Specifically, the suit alleged that KISSMetrics' technology to track users' site visits violated federal and state (California) laws[ii].  According to the complaint filed[iii], users would explicitly set their web browser to either block or routinely delete tracking cookies, thinking that this would prevent targeted ads from showing up.  Little did they know KISSMetrics was not storing browser cookies to get their user data - instead they were storing Adobe Flash LSOs (Local Stored Objects) - a technology that researchers found to be unavoidable no matter what precaution one takes (that's right, not even Chrome's Incognito Mode prevents those LSOs!).    

What was the result of this lawsuit?  KISSMetrics itself never admitted to any wrongdoing, and its official statement maintains that it never shared user info with a third party, and that it never had the ability to track users across multiple different websites.  In the end, they ended up settling with the two plaintiffs, with a whopping $2,500 paid to    each one (not to mention the $500,000+ the company agreed to pay in attorney fees).[iv]

I know what you're thinking: "why didn't this exciting case generate more media and public outrage?" - well, even though it didn't, it does raise significant issues about what role web analytics plays in the topic of online privacy.  To me, the KISSMetrics lawsuit is an example of neither right-nor-wrongdoing - they were simply leveraging a technology (the LSOs) to deliver a service - and in an industry as fast paced as web analytics, innovation will almost always outpace policy measures.  While the DAA (Digital Analytics Association) is doing a laudable job at promoting web analyst accountability through its white papers, more needs to be done to educate the people that are the real source of the privacy problem: the users themselves!  It's about time people learn about how their data is collected beyond just deleting tracking cookies every now and then.

I titled this blog post as a cautionary tale, but the warning is directed not towards web analytics, but to the everyday user of the Internet.  Web Analytics can do amazing things with completely anonymous user data. Once again, from all the way back in 2010, another web analytics blog offers this opinion about online privacy:
The real threat to privacy is the lack of education about the online information sharing.  We are the ones who are voluntarily revealing a ton of information...that to me should be more concerning than anonymous web analytics tracking and the ads that are targeted based on a user's click behavior.[vi]
I wholeheartedly agree, fellow blogger.