Official KISSmetrics Response to Data Collection Practices

I’m Hiten Shah, the CEO of KISSmetrics. First of all, I’d like to thank you for being part of the KISSmetrics community and allowing us to help you make better decisions for your online business. That’s a responsibility that I take very seriously.

Recently there have been articles in the press about KISSmetrics’ use of customer data, followed by two lawsuits. These articles are based entirely on a paper by Ashkan Soltani, who published his paper on the same day that the first lawsuit was filed.

As a company founded on integrity, we were blindsided by these allegations. We take these claims very seriously, and we think it is important for you to have the facts about our company.

Mr. Soltani’s paper significantly distorts our technology and business practices. To set the record straight:

  • KISSmetrics has never shared any information about a user with any third party.
  • KISSmetrics does not track users across different websites, nor do we have the ability to do so.

Mr. Soltani’s paper speculates that KISSmetrics tracks customers across websites based on his observation of a shared identifier on different customer websites. This has never occurred. His misinformation appears to result from the fact that we use the same url for all customers to reduce server and bandwidth resources and increase end-user performance, which is critical given our small size. An incidental consequence of this is that the same anonymous identifier was returned externally across multiple websites. However, internally, these identifiers are instantly translated into unique identifiers for each customer, and KISSmetrics has gone to extensive lengths to avoid linking any information from different customers, including segregating each customer’s data in a completely separate database.

Mr. Soltani also claims that it is somehow improper to use any technology other than browser cookies to track website activity. In fact, countless online companies, including other major analytics providers, use a variety of different technologies to provide these services, including the persistent technologies Mr. Soltani targets in his paper.

We take Mr. Soltani’s claims very personally because we designed our company to go above and beyond what other companies are doing to protect user privacy and to avoid any sharing of user information with other websites. One of the key benefits of our service is that we are able to provide critical insights to our customers without aggregating data between customers or sharing their data with third parties, unlike other services.

Although our practices have always been lawful and ahead of industry best practices, we are a small start up, and we want to eliminate any concern or confusion about our business practices. To address any misinformation about our company, we have made the following changes:

  • KISSmetrics only uses first-party cookies for tracking.
  • KISSmetrics does not use ETags or any other persistent cookie or object for tracking purposes.
  • KISSmetrics has added support for the Do Not Track header. We have chosen to implement our Do Not Track in the most stringent possible fashion: preventing KISSmetrics from tracking any information about the user, even within a single session at your site.
  • KISSmetrics has added a consumer-level opt-out for those who wish to be entirely removed from all KISSmetrics tracking, going well beyond the options that other analytics companies provide.

Finally, a few thoughts about the lawsuits: we are not the first online company to be targeted by a meritless lawsuit, and we will not be the last. The same lawyers who filed these cases have filed dozens of cases around the country against hundreds of publishers, application providers, ad networks and analytics providers. Many of these companies have elected to settle, but when challenged, courts have repeatedly held that these claims have no merit. We believe in the value our company provides to our customers and are going to fight this lawsuit head on. We have every confidence that this case will be dismissed, and that we will be able to move on and continue providing great products to our customers.

We greatly appreciate the support we’ve received from the community across various forums. It’s helped sustain us during this frustrating ordeal, and it has allowed us to remain focused on providing an outstanding product to the online business community. If you have any questions or concerns about any of this, please contact us at: hello@kissmetrics.com

Hiten Shah, CEO – and the whole KISSmetrics team – Neil, John, Cindy, Steve, Ian, Ben, Michael, Derek, Stephen, Sean, Mika, Chuck, Eric, and Jason

UPDATED: A previous version of this blog post indicated that Mr. Soltani “works closely with the lawyers who filed these cases.” We are advised by plaintiffs’ counsel that that is not correct and that they do not work with Mr. Soltani. Because we want to get the facts 100% correct (unlike those who have sued us), we have removed that language from the blog post. We continue to note, for the record, that the first suit against us was filed the same day that Mr. Soltani’s paper was published, and we further note that a series of previous lawsuits involving “Flash cookies” filed by the same plaintiffs’ lawyers in 2010 relied on another paper authored by Mr. Soltani.

  1. Regarding the statements that “[your] practices have always been lawful” and being a “company founded on integrity”, do you have evidence of legal precedent that ensure your tracking activities were lawful or are you assuming what you did was legal? Do you believe cookie reconstitution is ethical even after a visitor reasonably believes they have taken steps to ensure their privacy?

    • Shut up Erin. The man wouldn’t have written this article and wouldn’t be taking on a lawsuit if he did have proof that KISSmetrics actions were legal. Did you even read the article or did you only make it through the first paragraph before deciding that was enough to substantiate a pointless and rhetorical complaint?

      • Hi Jessica,

        aren’t you a bit rude? Don’t get me wrong – I am entirely on your side, but such a blog should be able to deal with critical statements in a more polite and professional way. After all, Erin was asking a question that many others might have had as well. Ok, maybe she should have read the whole story before posting her question, but this is not the point. You, as a company that prides itself on its integrity (which I think is great!) should not answer user’s comments by saying “Shut up”. Honestly, I’m quite astonished about this.

      • That’s a logical fallacy. Taking on a lawsuit doesn’t determine the legality of your behavior.

        Plenty of people take on lawsuits and lose.

  2. I love KiSSmetrics and it’s sad how litigious our world has become. Our company is also faced with online slander and that’s the world we live in.

    Mr. Shah, please continue your amazing work and don’t give your situation to much attention. Great companies are sued all the time. It’s about money and market share.

    I think if you keep doing good things, you’ll be rewarded. I’ll continue telling people what a great site you have.

    Thank you for sharing and we appreciate your company.

    Oslo

  3. I work for IBM and I often read KISSmetrics from my office. Our system wouldn’t allow any unethical tracking of information… so, I know for a fact that KISSmetrics is within the law. IBM has a system that would block the site if it had tracking software or malicious cookies… I wouldn’t be able to view the site from work. So, the lawsuit is unjust!

    Some people are just litigious as Oslo said. I think your lawsuit is based on a quick settlement… that’s what they’re hoping. That’s our legal system, bad guys suing good guys.

    Susan (Systems Manager at IBM)

    • Susan,

      As a fellow IBMer, I urge you to consider if you might be ignorant of what we filter and what we do not (in fact, as I understand it – and I may be wrong – we filter practically nothing web-based unless its known to relate to malware).

      As to “Our system wouldn’t allow any unethical tracking of information”, remember that all systems can fail. We have policies, rules and technology which can help us keep on the right side, but even so bad things could theoretically happen. This is why we also have review processes and why people are encouraged and supported to speak-up when they feel something isn’t right.

      If you are planning on using the fact you work for IBM to provide some credibility or to support a given side in this (or indeed in any) story, you should speak with IBM general counsel in your IMT before doing so. You may wish to also read up on the IBM Social Computing Guidelines (which encompass the BCG’s) also. I don’t think your association with our company is particularly relevant to your view on this issue and would personally advise you keep it out of the frame :)

      Regards,

      Alex
      IBM Collaboration Services

      • Gosh Alex, perhaps you might have put a filter on your own mouth before making a public embarrassment not only yourself but of your company. God forbid you discreetly might have pulled Susan aside and shown a little respect to her…and yourself. But no…just couldn’t pass up that opportunity to make yourself feel like a big shot, right? So typical.

    • When did “unethical” and “within the law” become synonymous?

  4. In your blog post, you state that “These articles are based entirely on a paper by Ashkan Soltani, who works closely with the lawyers who filed these cases, and who published his paper on the same day that the first lawsuit was filed.”

    Looking at Mr Soltani’s website, I see that he has consulted for the What They Know series at the Wall Street Journal, and the Federal Trade Commission.

    I do not see anything regarding a financial relationship with class action attorneys.

    What is your source for this claim?

    • Let me get this straight, Mr Soltani must have no conflicts of interest, or taken funding for his study because he doesn’t directly list them on his personal website?

      Perhaps he could chime in with a comment on his relationship (or lack thereof) with the law firm trolling KISSmetrics?

      • It looks like Ashkan Soltani was indeed paid for his work with the Wall St Journal, assumably he was paid for this study as well given the timing of the lawsuit and the study’s release.

  5. It’s a hard task responding to critics and litigation, especially when privacy and users rights are concerned.

    It’s difficult to see what’s going on behind the scenes here- it could be a case of interested parties taking advantage of the courts to ruin the reputation of KISSmetrics, or maybe there is legitimate concerns here- either way it’s good to see a response directly from the source. Thanks, Hiten.

  6. Hiten, I am impressed with your response, in regards to both this public statement and the changes you have made to your analytics product. Kudos to your continued innovation and running a great company.

  7. This is bullshit. Plain and simple. Disgraceful how “consultants” jump on the slime-bandwagon and slow down innovation, capital formation, and more user choice, while driving up costs. Crazy.

    Fight this Hiten and company. Fight them every step of the way. We are behind you too.

  8. Roberto Lebron Aug 04, 2011 at 12:54 pm

    It’s sad to see how common meritless, malicious suits have become in our litigious society, and how the burden of proof seems to have fallen on the accused, as seen in some of the comments above. The burden of proof properly belongs with the accuser. “Innocent until proven guilty.” Sound familiar?

  9. I have met Hiten on a few occasions and followed his company and posts online and I can say I’m cothenfident that he adheres to the highest standards of personal integrity. I hope this legal matter is resolved so he can return to building his product.

  10. Seems like part of the reward of creating amazing products is dealing with bs litigation. Keep up the good work kissmetrics team. Your users aren’t going anywhere.

  11. It’s a shame that people tried to penalize you for innovating your industry. Perhaps these lawyers, or Mr. Soltani, himself should give your product a try, and then take a step back and suffer the horrors of setting conversion goals without using button_IDs on Google Analytics.

  12. Well done with a professional, dignified response. Taking the high road here is absolutely the way to earn even more respect and demonstrate your integrity as a company. Good luck guys, keep up the great work.

  13. Someone should suit you guys for making it incredibly confusing to implement your service. Your UI isn’t that good (not sure how you speak about UI at conferences) and your data doesn’t matchup to other analytics platforms like GA or Chartbeat.

  14. Thanks Hiten. KISSmetrics has been essential for improving the usability of our Website. Building a startup that provides such a valuable service is an incredible challenge. As advisors to each other’s companies, I know you are one of the most ethical and helpful people in the startup world.

    We are in a sad place when lawyers prey on a startup and founder that is so committed to doing the right thing.

    Sean Ellis
    Founder & CEO
    CatchFree

  15. Hiten et. al. – stay strong. It sucks that guy’s misinformation is getting distorted, retransmitted & amplified and you guys are getting hit w/ this frivolous lawsuit. It’s hard to fathom how many collective hours of “barking up the wrong tree” you and your team have saved the entrepreneurial community. For the sake of all web startups I hope the judge realizes what a crock this lawsuit is and how top-notch you guys have conducted yourselves in the face of such low-life bullying behavior.

    sean

  16. Sampsa Suoninen Aug 04, 2011 at 10:56 pm

    Good luck with the fight, I wish you all the best. I don’t think you need it, as this claim is quite clearly not going to fly.

    Although a nasty piece of business, this will unfortunately bring no bad rep to the ones who do this with some dollar signs in their eyes, even when they lose.

  17. Hiten and KISSmetrics team – you have supported us over the years and of course you have our support now.

    Unfortunately this isn’t uncommon in the world of business. Typically it’s easier and less expensive to settle, but that doesn’t mean it’s the right thing to do. I applaud you guys for standing up for yourselves and your product.

  18. Although I cannot comment on the technology behind kissmetrics’ offering, I have met Hiten on a number of occasions and can comment on his character. He is a completely ethical entrepreneur and I’d be very surprised if anything that kissmetrics does is even close to the ‘borderline’. Glad you are fighting this one.

  19. I agree with a lot of your readers that this lawsuit is baseless. I applaud you for taking the first step and being 100% transparent (so unlike AirBnb). This has the potential to blow up, so please continue to be transparent and it will diffuse over time. Good Luck!
    Also, it would be nice if your community of followers sends a personal note to Washington to show how our legal system needs major reform if we are to support startups and encourage hiring in this country. I will voluntaril sign a petition if one exists.

  20. Vincent Flanders Aug 05, 2011 at 11:39 am

    It’s not just the tech world. An ex-coworker hit a man in a wheelchair with her car and killed him. Everyone, including police, said the crash was the fault of the man in the wheelchair. His relatives still sued. The insurance company lawyer said that even though the man was at fault, they would settle the suit for $100,000 because it was cheaper than going to trial.

  21. Greg Thornton Aug 05, 2011 at 11:44 am

    You were using Etags for user tracking rather than cache control (for which they are intended), yet claim to be ahead of industry best practices. And now you’ve stopped that practice in light of the lawsuits. Haven’t you just admitted that Etag tracking is unethical? If you *do* consider it an ethical use of Etags, why have you now stopped? Why did you choose Etags over cookies in the first place? It’s a blatant misapplication of the technology, and the only advantage of using them rather than cookies is that the end user cannot disable tracking via Etags. And you could have certainly used different URLs for each client’s tracking code, since different URLs can easily point to the same server or even the same resource on that server with no extra overhead. The only disadvantage technically would be that you *couldn’t* track users across your clients’ sites if the URLs were unique to the client, because cookies would then be unique per domain. I’m not going to comment on the character of KISSmetrics employees, but even if they’re the nicest guys in the world, there are (or were) seriously dangerous technical practices inherent to the service.

  22. Your blog doesn’t have a search bar.

    Your argument in invalid.

  23. Why did you use Etags in the first place?

  24. Schuyler Langdon Aug 05, 2011 at 5:49 pm

    This is basically legalized extortion. The suing party has no plans of ever setting foot in a courtroom, they just want a settlement.

  25.  I have nothing but respect for Hiten and the entire Kissmetrics company. There’s no doubt in my mind these claims have little to stand on. I know that Kissmetrics will prevail in the end. 

    Glad to see Hiten and his team are fighting this. They have a very bright future and this will only stand as a little bump in the road on way to even more success. 

  26. so how does one remove whatever crap that has been placed in my browser by this software? I don’t recall ever being given an opt out since I never knew I had been opted in.

  27. I’m sorry that you guys got hit with such a dumb lawsuit. Good luck fighting the lawsuit.

  28. I’ve written a detailed follow-up on the @KISSmetrics/@Hulu respawning mechanisms outlining exactly how they work.

    Also posted a statement highlighting that: I’ve never worked with, been paid by, or given advanced data to the plaintiffs firms. This work was done free and voluntarily be me.

    Details here: http://ashkansoltani.org/docs/respawn_redux.html

    Finally, I’d like to invite I’d like to invite Hiten Shah, Hulu, or any other site discussed in this post to provide corrections if any of the above statements are incorrect in any way.

    -a

  29. Thanks to everyone (including Mr. Soltani) for their comments. One of the unfortunate aspects of this situation is that, given the pending litigation, we have been advised by our counsel not to comment further on this matter. We continue to believe we have done nothing wrong and look forward to the opportunity to correct the record and put this matter behind us.

  30. All looks like great PR in the end.

  31. You are subverting user privacy controls to track people against their wishes. Nuff said!

  32. Hiten: nothing wrong? WTF? how arrogant

  33. so we can opt-out of your tracking? but like google you make it difficult for us to find out how.

    Being legal is not the same as ethical and so far i have not seen companies that track us being ethical

  34. Arnold Kaughien Aug 16, 2011 at 5:56 am

    I’ve looked and haven’t found the “opt-out” method in a simple search. How about putting a button on your front page, just to show us how sincere you are?

  35. Shit, I’m on kiss metrics site. Wonder how much hitter knows about me now?! Btw,don’t wanna go to the sites of any of his customers now!!!!

  36. Building Profiles business – $ 100 dollars a day http://ow.ly/69GLq?e=220l76

  37. Reading how cookie resurrection and e-tag tracking was implemented  I know that the programmers who coded it were very smart. Smart programmers like to discuss how smart they are; “look boss, even if the user does this or that which would break normally tracking my code will still be able to track them”. 

    Now smart programmers occasionally do dumb things; they get carried away solving a hard problem and sometimes they miss points like “if this code ever gets publicly discussed it is going to generate really negative press and potentially law suits”. Management either did not understand the technology or did not to spot the public relations problem it would lead to. That’s a textbook management failure. In the Darwinian world of business they pulled the tigers tail and took a mauling. 

    Management did the right thing and withdrew/rewrote the code and is addressing the matter in public forums. It is hard to perceive that there is anything aggravating or evasive in the company response.  A lesson to all.

    The law suit will try to prove that they knew it was a tiger they were assaulting and that punitive damages are appropriate. Any reasonable person rightly sees that trolling for what it is; the creepy crawls of the business jungle. I hope those bugs crawl back under their rock and life can heal and move on.

  38. Web sites we think you need to go to

  39. So with all your technological/legalese bloviation you did here why is it too taxing to say in plain fricking English how to opt out and where to go to do it, especially as Chad Vavra pointed out that you have no search bar to find it? If everything was ok and legal with the way you were doing things then why did you have to make all these changes? Just answer these questions please or we will have to conclude you are full of it. Thanks.

  40. I found the opt out, after quite the search. Unfortunately, if you clear your cache after your done browsing (like I do), then every time you get back online, you have to opt out again. Every. Single. Time. If it wasn’t a ‘zombie cookie’, then please explain why every site I would go to would have the same exact ads of something I had searched for or looked at previously? Until I read about zombie cookies (and put an ad blocker on my browser), it was a minor annoyance. Now, knowing what I do, it’s ridiculous. I clear my cache for a reason – I do a lot of research and web searching as a blogger. I also find it an invasion of privacy. At least I had the option to opt in or not with Google Analytics when I downloaded Chrome. With the sites that KissMetrics works with/for, I was never given a choice. Not cool man, not cool.

    Here’s the link to the opt out button, as well as the information as to what it has to do, since KissMetrics seems to be making it difficult:
    http://www.kissmetrics.com/user-privacy

    • @ndrcvrngl If you don’t want to be tracked, you’re using the wrong browser. There’s a unique identifier built into Chrome. Use Chromium or a non-Google Chromium build like SRWare Iron.

  41. Also I find it interesting that my name and address along with a google map to my house ended up on Spokeo.com who is a plaintiff in this lawsuit as you can see here

    http://www.extremetech.com/wp-content/uploads/2011/08/complaint.pdf

    not too soon after I visited Kissmetric’s site and blogged about this. I google my name all the time, sometimes as much as every other day, and this site never showed up until after I blogged about this KISSmetrics crap. I am aware that this is all public information anyway and that it can be found on many sites where you can get it for free or pay to get it, but I find it odd that it ended up on Spokeo.com when it did which was right after becoming aware of this controversy and blogging about it. I had to contact them and ask to be taken off. Did this happen because I often go to sites where I have to fill in my name and address for some reason and your cookie bullshit is tracking where I go and what I do?

    Also I think I have your crap on my computer as it has been running very, very slow. I also find that stuff I have looked at on one site will pop up in ads on other sites which only recently started happening with such regularity as to be realy noticeable and sort of spooky.

    You did answer my email about where the opt out thing is I admit, but like ndrcvrngl I find it about as useless as a nun at an orgy because who is going to implant some cookie of yours on their computer now, and if they do won’t it be deleted every time you clear your cache forcing you to reinstall it every time?

    Why you couldn’t put the opt out link where people can find it is beyond me. Why you think it’s ok to implant something undeletable on people’s computers that they can’t get rid of and that effects how their computer runs is also beyond me.

  42. ashkan soltani Nov 08, 2011 at 11:05 am

    interesting data point:

    Online Advertiser Settles FTC Charges ScanScout Deceptively Used Flash Cookies to Track Consumers Online

    http://www.ftc.gov/opa/2011/11/scanscout.shtm

    just sayin’

  43. The “opt out” method from this horrible, horrible company’s Zombie Cookies only works if you accept their cookie. It’s like taking “The Number of The Beast.” Hopefully the authorities will break it up, arrest the perpetrators and send them back to whatever Godforsaken Hell spewed them forth.

82 comments

Please use your real name and a corresponding social media profile when commenting. Otherwise, your comment may be deleted.

← Previous ArticleNext Article →