Tonight word comes from multiple blogs (here, here, here and here) that a popular free stats called SiteMeter made a deal with a third party marketing company called Specific Media to place tracking cookies on ALL sites that use SiteMeter. Sitemeter's privacy policy makes no mention of this fact. Needless to say people are leaving the service in droves. I do not use this service on this site, but do use it on at least two other sites that I operate. I will be waiting a little bit before removing it in case they change their mind.
I took a look tonight at the Javascript that SiteMeter sends out and was able to confirm what others have been saying. Here is the relevant snippet:
var newIFrame = document.createElement("iframe");
newIFrame.frameBorder=0;
newIFrame.width = 0;
newIFrame.height = 0;
newIFrame.src="http://dg.specificclick.net/?u=" mce_src="http://dg.specificclick.net/?u=" +
escape(document.location) + "&r=" + SiteMeter.getReferral();
...
parentOfScript.insertBefore(newIFrame,scriptRef);
As you can see, this piece of code creates a hidden IFRAME that is sent over to the Specific Media servers. The server returns a set of tracking cookies back from the IFRAME request:
p3p: policyref="http://www.specificmedia.com/w3c/p3p.xml", CP="NON DSP COR ADM DEV PSA PSD IVA OUT BUS STA"
Set-Cookie: dmc=0tI-5mV2XP.-UizyToBLTyoWE.-UiyyToBLTyoWE.-UhaoNkzkkIskM.-UhYjpL9Z7uCCD.-UhY----------.-UhYjpL9Z7uCCD.-Ufoqnj95tRCzm.-Sa_eZYVjhqc3-; Domain=.specificclick.net; Expires=Mon, 31-Mar-2008 05:18:00 GMT; Path=/
dmk=0tI-5mV2XP.-Sa_blm17MIsM6Gh; Domain=.specificclick.net; Expires=Mon, 31-Mar-2008 05:18:00 GMT; Path=/
smc=0tI-5mV2XP.-UizyToBLTyoWE.-UiyyToBLTyoWE.-UhaoNkzkkIskM.-UhYjpL9Z7uCCD.-UhY----------.-UhYjpL9Z7uCCD.-Ufoqnj95tRCzm.-Sa_eZYVjhqc3-; Domain=.specificclick.net; Expires=Mon, 31-Mar-2008 05:18:00 GMT; Path=/
smk=0tI-5mV2XP.-Sa_blm17MIsM6Gh; Domain=.specificclick.net; Expires=Mon, 31-Mar-2008 05:18:00 GMT; Path=/Content-Length: 0
Date: Sun, 01 Apr 2007 05:17:59 GMT
Server: Apache-Coyote/1.1200 OK
Here is some information on what this specific cookie does: here, here and here. While this is not true spyware per se - there is not physical software installed, nevertheless it is a tracking cookie which is being installed without permission.
Additionally, what is glaring is lack of mention of this in the privacy policy. The FTC has been known to go after companies what violate their own privacy policies, so if I were SiteMeter, I would rectify this issue really fast.
UPDATE (04/10/2007):
As seen in the comments of my previous posts and here, Sitemeter decided to respond. Two points:
1. Why wait for over a week before a response? Blogs are there for a reason - its gives companies ability to respond quickly.
2. Why not post about it on their own blog?
Setting that aside the crux of Sitemeter's argument has been that Specific Click's cookies aren't spyware and if anti-spyware companies label it as such, it is their problem. Additionally, Specific Click provides an opt out option and so does Sitemeter itself. They also were nice enough to update their privacy policy (but not before I filed a complaint with the FTC).
However, they tend to miss the point - the issue is not what they did but rather how they did it. Any company has a basic responsibility towards their customers about informing them of major changes before doing them. In Sitemeter's case if they would have blogged about it ahead of time AND let people have an option of opting out, it would have been very different. Instead, they did it without asking AND did not do anything about it for over a week after the story broke. All of which makes me very suspicious. For now, I am still holding out for a little bit to see if anything changes before making my decision to use their services.