Despite their bad reputation, it’s hard to imagine an internet without cookies. The small, suspicious looking files sitting in the bowels of your browser are what allow you to have a shopping cart when visiting Amazon, save your passwords on frequently visited websites and receive the kind of targeted advertising that helps underwrite much of the internet’s free content. Handled responsibly, cookies can be useful tools that respect your anonymity while offering you great services. And if you really don’t like them, well, that’s what your browser’s privacy settings are for.

But now researchers at UC Berkeley have discovered that some of the internet’s most popular websites – including Hulu and Spotify – have been using an ad tracking service called Kissmetrics which doesn’t use cookies at all, and consequently cannot be seen or turned off.

To figure out just what Kissmetrics has been up to and what it might mean for the future of tracking, we spoke with Mike Zaneis, the Vice President of the Interactive Advertising Bureau, and reporter Ryan Singel, who broke the story on Wired’s Epicenter blog.

TRANSCRIPT:

BOB GARFIELD: When you visit a website, the site sends a little gift home with you. It’s called a cookie, a bit of data that resides in your browser, and among other things, allows others to track your movements – or anyways your browsers movements – across the internet. Due to privacy concerns, browsers now make it easy to delete cookies and to block them in the first place. Likewise, users can go to an online industry supported site to opt out of online cookie tracking altogether. But now researchers at the University of California in Berkeley can track you without cookies, without detection, and without your ability to stop them. Ryan Singel wrote about this for Wired Magazine’s epicenter blog. Ryan, welcome back to OTM.

RYAN SINGEL: Hey, thanks for having me back.

BOB GARFIELD: Okay, how did they pull this off.

RYAN SINGEL: It’s an odd little trick, so basically, cookies are a way for you to store information in a user's browser, and what these folks found is that basically there are other nooks and crannies where you can hide a unique identifier, the equivalent of like a social security number, and so they’re sticking it into place where, when you delete cookies, you would then come back and they would assign you the exact same number. I mean that was the entire point – trying to create to a persistent trail.

BOB GARFIELD: And who’s they?

RYAN SINGEL: In this case, it is a company called Kissmetrics, which is a small startup in San Francisco that does analytics for websites, so websites can kind of see who’s visiting them, what they do on the website, you know what’s effective or not, and its customers include sites like Hulu and Spotify, two of the most popular sites on the internet.

BOB GARFIELD: And the thing about Kissmetrics is once we’ve gotten our ultra-violet stamp, it’s visible not only to Kissmetrics, but too all of its clients, in fact, everybody. Right?

RYAN SINGEL: Yeah, what’s odd here is that Kissmetrics, they give a cookie ID number, day something like 7336786. And then if you visit one of their clients, you know Hulu.com sets a cookie on your computer, and they give you that exact same ID, so Hulu could go and say to Spotify, “Hey, what do you know about this guy over here, 7336786?” And Spotify could say, “Oh, his name is so and so. He likes this type of music. He likes these sorts of things,” and they could share information.

BOB GARFIELD: Although, when you started reporting on this, Hulu said it was shocked that this technology existed and it was going to sever its relationship with Kissmetrics.

RYAN SINGEL: I think that’s not true. They were busted by the exact same researchers two years ago for this sort of cookie evasion just using flash, but this is exactly what this is technology for, so you wouldn’t use this if you were respecting people’s rights to opt out. And we’re going to have to start updating the story a little bit because over the weekend Kissmetrics decided that they were going to stop doing this, and they were just going to go back to using cookies the same way that people are used to them being used. So they responded as well to sort having been busted.

BOB GARFIELD: But they haven’t broken any sort of law. This is perfectly legal, at least as of today, right?

RYAN SINGEL: So far there’s no federal privacy law they’re breaking. They might have gotten themselves in trouble with the federal trade commission. You know there are ways that you could kind of construe this an unfair business practice, which is sort of the giant rubric that the FTC uses to go after companies who’s behavior they don’t like. They’re probably not going to do nearly as well in civil court. You know when this happened in 2009, the two companies that were doing something similar ended up settling for 2.4 million dollars. And Kissmetrics has already been sued. They were sued on Friday.

BOB GARFIELD: Now I made reference earlier to an industry supported means to opt out of any kind of cookie tracking, spearheaded by the interactive advertising bureau, and that initiative was designed to show the federal government, both the congress and federal regulators that the industry was sensitive to privacy issues. What kind of political problems does this create for the interactive advertising bureau and the rest of the industry?

RYAN SINGEL: The industry’s been pushing really hard for a decade to say, “Just let us regulate ourselves. We’ll take care of it.” So they invented this “go to one page and you can opt out of all sorts of sites.” They really didn’t spend much energy so of making the site actually work well. And so you had an advertiser who said you can go and set an opt out cookie, and that opt out cookie would last for seven days, and so every seven days you would have to go back. So the more and more you start to run into these problems, it starts to signal to people in the FTC, and people in the commerce department and prominent legislators that there’s got to be something done, because industry self-regulation around privacy is just not working.

BOB GARFIELD: Thanks, Ryan.

RYAN SINGEL: Thanks so much for having me on.

BOB GARFIELD: Ryan Singel edits the epicenter blog for Wired.com. Mike Zaneis is Senior Vice President for Public Policy and general counsel for the Interactive Advertising Bureau. Mike, welcome to On The Media.

MIKE ZANEIS: Thank you very much. It’s great to be here, Bob.

BOB GARFIELD: This study was kind of a jaw dropper. Can you give me a reason why we as the public, or the government, shouldn’t feel betrayed at this revelation?

MIKE ZANEIS: For consumers the key is to understand whether this is prevalent, and I think there were questions as to whether or not some of the websites that were using these services actually understood how the technology was being used, so this is certainly not something that is used across the industry as a common business practice.

BOB GARFIELD: Now I know that IAB is a membership organization. Now did you or Randall Rothenberg, the President of IAB, get on the phone with your members, who have been employing this software, to say, “Are you out of your minds? Do you have any idea what kind of political problems this is going to cause us in Washington, with the FTC, with the Congress? I mean, do you have any idea of the damage you’ve done?” Did you have that conversation?

MIKE ZANEIS: We don’t’ have to have that one on one conversation because the industry, led by IAB, has taken a proactive role around protecting consumers’ privacy. Later this month the IAB’s first ever membership code of conduct goes into effect for all 470 IAB members. That means that they have to be respectful of consumers privacy, they have to increase transparency to consumers, and they also have to offer them the choice. If they don’t want to be tracked, irregardless of technology used, they have to allow consumers to opt out of that, so we’re doing it at the macro level, so that we don’t have to be reactionary on a one by one, case by case basis. That’s the right thing to do for the industry.

BOB GARFIELD: Maybe the right thing to do, and the boilerplate that you’ve just gone over is fine, but it’s irrelevant if the actual membership is not cleaving to those best practices. This does cause you a mammoth problem in Washington does it not?

MIKE ZANEIS: We can’t paint with such a broad brush to say that the industry is doing something wrong here just because one company or one technology is allowing somebody to do something outside of the mainstream.

[OVERTALK]

BOB GARFIELD: Mike, come on, this is not bad apple in a barrel of healthy apples. This bespeaks pervasive rottenness. People trying to elude the very code of conduct which you’ve described.

MIKE ZANEIS: No, Bob. What you’re talking about is the use of certain technologies, and we need to be careful not to demonize technologies. Here in Washington, D.C., just three years ago there was an effort to demonize the use of everyday web cookies. And there was actually legislation that would require a consumer opt-in every time a cookie was dropped. Well, that’s the type of technology mandate that we need to avoid because it stifles innovation. Technology, in and of itself, is not evil. It’s sometimes the uses of technology that can violate consumer privacy, so we cannot use the use of a technology as a proxy to being a bad apple, as you say, or to doing something that is in violation of consumer privacy. That’s simply a non-sequiteur.

BOB GARFIELD: Well, I think you’ve gotten actually to the core of the issue. Stipulated that over-regulation by Washington could essentially kill the goose that lays the golden egg. It could take the business model out of the internet that has given us all of this fantastic content, essentially for free. Stipulated. But it’s equally true that among the IAB’s most important mandates for its membership is to make sure that the government does not over-react; it does not kill the goose that lays the golden egg. And I guess my question for you is when the Berkeley study emerged, didn’t that make your role to protect your members from onerous regulation at least one order of magnitude more difficult?

MIKE ZANEIS: Of course our job gets more difficult as the spotlight continues to shine brighter in Washington D.C. on our industry, but you could have asked the question two years ago, and many people thought that we would have a national privacy law in the space then. And the reality is it’s a complex ecosystem, and so it’s difficult for the federal government to move quickly enough to write laws that can keep up with changing technology. And Congress is to be applauded. They’re taking a deliberative approach. They don’t want to kill the goose that’s laying the golden egg. They want to make sure that the industry’s doing the right thing but that innovation continues to thrive.

BOB GARFIELD: I got a tell you. The first thing I said to myself when I saw the news in Wired about this Berkeley research was “Woa, the IAB is so screwed.”

MIKE ZANEIS: Oh, I think the IAB is just fine. We’re alive and kicking and growing just as the IAB is growing. We have a long term focus of growth and innovation and meeting consumers’ privacy expectations as part of that, because at the end of the day, the most important asset any IAB member company has is the relationship with the consumer. Without that, it doesn’t matter how great their content is or how many ads they can sell, because they don’t have people coming to their website.

BOB GARFIELD: Well, I actually think you’ve just hit on the problem, because the customer of your membership, in most cases, is not the consumer, it’s advertisers. Those are the customers and they’re trying to do the best for the customers, maybe at the expense of being honest with consumers about how well their privacy is protected.

MIKE ZANEIS: No, that’s a false proposition and premise. It’s simply not true, as I just stated. The most important asset that any web publishing company has is the relationship to the customer, because without that they don’t have an audience, and if you don’t have an audience you can’t sell advertising.

BOB GARFIELD: Alright, Mike, thank you very much.

MIKE ZANEIS: Bob, it’s been a pleasure. I appreciate the opportunity.

BOB GARFIELD: Mike Zaneis is the chief lobbyist in Washington for the Interactive Advertising Bureau.