Site Meter Reader — finding commenters in another website’s traffic logs

On Sunday I discovered a potential privacy leak in the Site Meter traffic logs; I was able, with a fair degree of confidence, to determine the IP addresses used by ten anonymous commenters to a well-trafficked blog. I reported it to the blogger, whom I’d met once, and we discussed this over several days of emails as I worked on an article (which turned out to be 2,100 words). Only on Wednesday night did we figure out what led directly to the problem: by paying, you can see the full IP address– but anyone else can as well. On Thursday the blogger reported this problem to Site Meter. I followed up with a support request at 4pm PST (Site Meter is in LA, apparently) asking general questions about who to talk to at the company regarding privacy issues. [I sent an email in at 9am EST on Friday.]

Based on the blogger’s support request Thursday, Site Meter should have sent an email to all paying blogging subscribers. They still need to. Naturally, once Site Meter sends that email, it will get blogged. So thus I felt I deserved to break the story.

I did’t go all out to try and reach Site Meter before. It did’t help that their site lists none of their corporate officers. (a WHOIS search turns up empty as well). I use that term “corporate officers” because they have been collecting massive amounts of user data for some time now, and it ought to be more than a guerilla operation by now. The irony was that when I started working on the article, I really expected to nail eXTReMe Tracking, a website tracking company that even less is known about. But ET did’t have the same potential leak that SM did.

The article (linked above, and here) is titled Privacy Considerations of Third Party Website Trackers. (So I’ve been reading a number of law review papers lately…) My aim was to call attention to all sorts of 3rd-party website tools which can track visitors. I do’t believe there’s a privacy framework in place for this today. So the Site Meter bug is a small piece of this.

I do’t know how big this story is; I leave that to the blogosphere (in a Friday before Christmas) to help prioritize it. (The problem does’t affect sites like Gawker Media, which apparently does’t pay, and thus neither they nor we see the whole IP address.) In other words, let the story hype itself. I merely wrote this mini-post here to boil down the essential facts of the longer article.

Update: Daniel Solove revealed himself as the blogger, and the blog is Concurring Opinions.