Spotify Caught Using Evil Tracking Cookie…

Spotify is already managing this like a crisis. According to research just published by researchers at UC Berkeley, Spotify has been using a cookie that cannot be deleted, still tracks if the user blocks cookies, and even operates in browser stealth mode.  In fact, if you try to delete this thing, the cookie dynamically regenerates.  “The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and ‘Private Browsing Mode’ is enabled,” the researchers described.

The cookie is powered by Kissmetrics, and also deployed by Hulu and others.


In response to the potentially horrible press, both companies have dropped the use of the cookie immediately.  In other words, both were caught red-handed, and are now hoping for the best.  “We take the privacy of our users incredibly seriously and are concerned by this report,” a Spotify spokeswoman told Digital Music News.  “As a result, we have taken immediate action in suspending our use of Kissmetrics whilst the situation is investigated.”

The only problem is that most in Europe have already downloaded the application, as have early-adopting Americans.  And, there’s no clear way to remove this thing.  “If you do everything the average user does to say ‘I don’t want to be tracked,’ it still tracks you,” an IT professional who examined the cookie told Digital Music News.  “The potential for invasion of privacy is huge.”

Update (8/4): Spotify is now part of a lawsuit related to the Kissmetrics tracking implementation.