Another History Sniffer Calls it Quits
We’ve blogged before about the practice of browser history sniffing — web developers using a bug in certain browsers to see what other sites a user had been to. We don’t like the practice, and we think it’s probably illegal. Last week, Stanford researcher Jonathan Mayer revealed that he had found an ad network named Epic Marketplace using history sniffing to check to see if visitors had been to thousands of other sites. While the company was not sending the precise browser history itself back to its own servers, it did run a script on the user’s computer to analyze the history and make conclusions about folks based on the information (e.g., interested in “home improvement,” or “coffee”), which was then sent back to Epic, presumably to help them serve relevant advertising.
History sniffing used this way seems a lot like traditional behavioral advertising, except the ad network doesn’t actually have to have a relationship with a site publisher in order to see when a visitor goes to the publisher site. That is, traditionally, if an ad company (let’s call it MegaAds) wants to know if a particular visitor goes to the New York Times, MegaAds has to have the New York Times agree to host a MegaAds web pixel, which can drop a MegaAds cookie, or recognize an existing one. Using history sniffing, MegaAds can just ask your browser “Has this computer been to nytimes.com?” wherever you are on the web, without your or the New York Times’s permission. That publisher relationship, however, has always been the legal hook for finding out whether I’ve been to the New York Times or not. Presumably, someone needs to consent to tell third parties about my web communications. Ideally, it would be me, the web visitor, but alternatively, courts have accepted that it can be the website publisher too. By using history sniffing, companies can find out about my web communications without my or the site publishers knowing anything about it.
In the past, when we learned that companies were engaged in history sniffing, we’ve reached out to them to try to convince them to stop. Last year, for example, when a UCSD study revealed a bunch of companies engaged in the process, we called one up to see if they could defend the practice. They couldn’t — after only eight minutes of discussion, they agreed to end the business line. As far as I know, that company never got sued for its practices; others called out in that report, however, weren’t so lucky.
CDT reached out to Epic Marketpace last week, and on Tuesday, they brought company representatives to our office to talk about the practice. While they had previously defended the practice, they told us that in response to concerns we and others had raised, they had shut down the history sniffing script, and would agree not to reactivate it, and get rid of all data collected through the sniffing script. (Epic also indicated that this technology had been used in a product that they had acquired, and hadn’t been developed by the company itself.). I’m pleased to see Epic repudiate this practice, and hope that others considering using the browser history sniffing trick decide not to do it.
At some point, though, some company is going to stand by this practice, at which point it’s going to be incumbent upon the FTC and state AGs to step in and say they can’t do it. CDT has long argued for a baseline consumer privacy law to require companies to treat user data consistently with the Fair Information Practice Principles; however, in the absence of new legislation, regulators should be much more aggressive in interpreting existing laws’ prohibition on deceptive and unfair business practices. Privacy law in this country shouldn’t just be don’t lie about what you do with customer data. The FTC has established some precedent for requiring companies to affirmatively provide clear and upfront information about unexpected business practices outside of a vague and legalistic privacy policy. While we’re waiting for a clear and straightforward privacy law, CDT renews its call for the FTC and others to enforce the Fair Information Practice Principles through the law currently on the books.
