« When “Photography Forbidden” Really Isn’t SiteMeter Responds »
SiteMeter and Spyware (Sort of)
Posted April 1, 2007 – 1:10 am by Yakov Shafranovich in TechnologyTonight word comes from multiple blogs (here, here, here and here) that a popular free stats called SiteMeter made a deal with a third party marketing company called Specific Media to place tracking cookies on ALL sites that use SiteMeter. Sitemeter’s privacy policy makes no mention of this fact. Needless to say people are leaving the service in droves. I do not use this service on this site, but do use it on at least two other sites that I operate (TorahTexts.org and SocialPeople). I will be waiting a little bit before removing it in case they change their mind.
I took a look tonight at the Javascript that SiteMeter sends out and was able to confirm what others have been saying. Here is the relevant snippet:
var newIFrame = document.createElement("iframe");
newIFrame.frameBorder=0;
newIFrame.width = 0;
newIFrame.height = 0;
newIFrame.src="http://dg.specificclick.net/?u=" mce_src="http://dg.specificclick.net/?u=" +
escape(document.location) + "&r=" + SiteMeter.getReferral();
...
parentOfScript.insertBefore(newIFrame,scriptRef);
As you can see, this piece of code creates a hidden IFRAME that is sent over to the Specific Media servers. The server returns a set of tracking cookies back from the IFRAME request:
p3p: policyref=”http://www.specificmedia.com/w3c/p3p.xml”, CP=”NON DSP COR ADM DEV PSA PSD IVA OUT BUS STA”
Set-Cookie: dmc=0tI-5mV2XP.-UizyToBLTyoWE.-UiyyToBLTyoWE.-UhaoNkzkkIskM.-UhYjpL9Z7uCCD.-UhY———-.-UhYjpL9Z7uCCD.-Ufoqnj95tRCzm.-Sa_eZYVjhqc3-; Domain=.specificclick.net; Expires=Mon, 31-Mar-2008 05:18:00 GMT; Path=/
dmk=0tI-5mV2XP.-Sa_blm17MIsM6Gh; Domain=.specificclick.net; Expires=Mon, 31-Mar-2008 05:18:00 GMT; Path=/
smc=0tI-5mV2XP.-UizyToBLTyoWE.-UiyyToBLTyoWE.-UhaoNkzkkIskM.-UhYjpL9Z7uCCD.-UhY———-.-UhYjpL9Z7uCCD.-Ufoqnj95tRCzm.-Sa_eZYVjhqc3-; Domain=.specificclick.net; Expires=Mon, 31-Mar-2008 05:18:00 GMT; Path=/
smk=0tI-5mV2XP.-Sa_blm17MIsM6Gh; Domain=.specificclick.net; Expires=Mon, 31-Mar-2008 05:18:00 GMT; Path=/Content-Length: 0
Date: Sun, 01 Apr 2007 05:17:59 GMT
Server: Apache-Coyote/1.1200 OK
Here is some information on what this specific cookie does: here, here and here. While this is not true spyware per se - there is not physical software installed, nevertheless it is a tracking cookie which is being installed without permission.
Additionally, what is glaring is lack of mention of this in the privacy policy. The FTC has been known to go after companies what violate their own privacy policies, so if I were SiteMeter, I would rectify this issue really fast.
Digg This Share This PostTags: privacy, security, sitemeter, spyware
Permalink | Trackback URL | This post has 3,748 Views
3 Responses to “SiteMeter and Spyware (Sort of)”
Dear Netwizard,
We are taking some time today to reach out to a few blogs like yours and send a personal update. If you are interested Sitemeter posted a detailed update on our blog http://weblog.sitemeter.com/) a few days back which outlines some important new features and services we’ve been developing and testing. We’d be interested in knowing your opinion on the potential new data points and whether they would be of value to you and your business (see survey on www.sitemeter.com)
We also posted a lengthy response to some of the assumptions, rumors, and allegations circulating, on Eric Odems blog http://conservablogs.com/EricOdom/2007/04/09/sitemeter-spyware-saga-continues/). We want to assure you that Sitemeter has not “sold out”. Our sole objective is to create products and services that put us at the head of our class.
We do thank you for your past business, and should you ever want to return we’d be happy to accommodate you. If you are not interested in having access to the reports and data we can certainly move you to a dedicated server which does not offer this new information.
Sincerely,
The Sitemeter Team
By Sitemeter Team on Apr 10, 2007
Dear NetWizard,
We are taking some time today to reach out to a few blogs like yours and send a personal update. If you are interested Sitemeter posted a detailed update on our blog http://weblog.sitemeter.com/) a few days back which outlines some important new features and services we’ve been developing and testing. We’d be interested in knowing your opinion on the potential new data points and whether they would be of value to you and your business (see survey on www.sitemeter.com)
We also posted a lengthy response to some of the assumptions, rumors, and allegations circulating, on Eric Odems blog http://conservablogs.com/EricOdom/2007/04/09/sitemeter-spyware-saga-continues/). We want to assure you that Sitemeter has not “sold out”. Our sole objective is to create products and services that put us at the head of our class.
We do thank you for your past business, and should you ever want to return we’d be happy to accommodate you. If you are not interested in having access to the reports and data we can certainly move you to a dedicated server which does not offer this new information.
Sincerely,
The Sitemeter Team
By Sitemeter Team on Apr 10, 2007
At the weekend I put several hit counters with full public access on The Wardman Wire blog for comparison. This post is a comparison of the results so far:
http://www.mattwardman.com/blog/2007/04/11/comparing-web-statistics-services-sitemeter-go-stats-extreme-tracker-beeswork/
By Matt Wardman on Apr 11, 2007