Browser History Sniffing in the News
Suddenly, it seems that history sniffing — a long-known web exploit — is finally getting the attention it deserves. Last week, Forbes blogger Kashmir Hill drew on an excellent University of California-San Diego study to call out the pornography site YouPorn for snooping on site visitors’ browsing history. Two days ago, class action attorneys filed a suit against another company cited in the UCSD study for the same behavior. The FTC has also weighed in, calling on browser makers to plug security holes that can be exploited to surveil consumers.
This has been an issue CDT has been trying to draw attention to for a while. In short, browser history sniffing involves a website taking advantage of a browser security hole to play “Go Fish” with your browser history — the site asks your browser, one URL at a time, whether you’ve visited a given webpage, and then alters the content of the page (or the advertisements) based on the answers. Back in March, I wrote about the issue, and called on the browser makers to fix the problem after ten years of dithering. Since that time, it appears that some (though not all) of the browsers have taken steps to fix this problem.
The companies using this exploit know they’re in the wrong. A few weeks ago, CDT found a company publicly marketing this trick as a means to deliver site analytics. The product wouldn’t necessarily change any individual’s site experience based on browser history, but it would report to the client in aggregate how many of the site’s visitors had previously visited Facebook, Twitter, The New York Times, or dozens of other sites. We set up a call with its CEO to discuss the practice. After eight minutes of discussion, they decided to completely discontinue the product and cut off all their customers. Eight minutes! Previously, CDT had identified a company named Tealium as providing a similar service; they’ve dropped the product as well. Even YouPorn, identified in the Forbes article, has suspended its use of the browser history sniffing exploit after being called out. (Well done, Kashmir — you managed to shame a Dutch pornography company!)
Clearly, companies know it’s a bad practice to sniff browser history. In fact, it’s probably illegal too. The technical reason that sites can query browser history is so the site can determine whether to render a link to a page as blue (unvisited) or purple (visited). If the site isn’t even displaying those links to the consumer as part of the site experience, it’s clear the site is simply taking advantage of that functionality to snoop on site visitors. That sounds like a classic deceptive practice under Section 5 of the FTC Act, as well as a similar violation under fifty separate state deceptive practices laws. Class action lawsuits are a powerful deterrent, but if sites continue to take advantage of this and other security holes to gather information on consumers, regulators have an obligation to bring enforcement actions.
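To make the “Go Fish” mechanism concrete, here is an added example (not code from the CDT post, nor from any of the companies it names) of the classic link-color sniff the post describes: the page injects hidden links to candidate URLs, gives visited links a distinctive color via the CSS :visited selector, and asks the browser which color it actually rendered. The candidate URL list and the color values are constructed for illustration; the decision logic is kept separate from the DOM probe so it can be exercised outside a browser. In browsers that have shipped the :visited privacy fix, the computed style reports the unvisited color regardless of history, so the sniff returns no hits there.

```javascript
// Added example: CSS :visited history sniffing, as described in the post.
// Not from the original page. Candidate URLs are constructed sample input.
const CANDIDATES = [
  "https://www.facebook.com/",
  "https://twitter.com/",
  "https://www.nytimes.com/",
];

// Colors are arbitrary choices; the sniffer only needs them to differ.
const VISITED_COLOR = "rgb(255, 0, 0)";
const UNVISITED_COLOR = "rgb(0, 0, 255)";

// Pure decision logic: probe(url) must return the color the browser
// rendered for a link to url. Returns the subset of urls the probe
// reports as visited.
function sniffHistory(urls, probe) {
  const visited = [];
  for (const url of urls) {
    if (probe(url) === VISITED_COLOR) visited.push(url);
  }
  return visited;
}

// Browser-side probe. Builds an off-screen <a> per URL with a :visited
// rule attached and reads back the computed color. A browser with the
// :visited fix applied lies here and always returns UNVISITED_COLOR.
function makeDomProbe(doc) {
  const style = doc.createElement("style");
  style.textContent =
    "a.hs { color: " + UNVISITED_COLOR + "; } " +
    "a.hs:visited { color: " + VISITED_COLOR + "; }";
  doc.head.appendChild(style);

  const holder = doc.createElement("div");
  holder.style.position = "absolute";
  holder.style.left = "-10000px"; // keep the links out of view
  doc.body.appendChild(holder);

  return function probe(url) {
    const a = doc.createElement("a");
    a.className = "hs";
    a.href = url;
    a.textContent = url;
    holder.appendChild(a);
    const color = doc.defaultView.getComputedStyle(a).color;
    holder.removeChild(a);
    return color;
  };
}

// Simulated probes for running outside a browser: one that leaks history
// the way an unpatched browser does, and one that behaves like a patched
// browser and never reveals the visited color.
function fakeProbe(visitedSet, patched) {
  return function probe(url) {
    return !patched && visitedSet.has(url) ? VISITED_COLOR : UNVISITED_COLOR;
  };
}

// When loaded in a browser, run the real sniff against the candidate list.
if (typeof document !== "undefined") {
  console.log("visited:", sniffHistory(CANDIDATES, makeDomProbe(document)));
}
```

The DOM probe is the whole attack surface: everything else is ordinary list processing. That is why the browser-side fix targets exactly that step, making getComputedStyle (and layout-affecting :visited rules) report the unvisited state, rather than trying to police what sites do with the answers.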