WhatTheInternetKnowsAboutYou: your browser is giving away your history

Art sez,
We just launched a new Web-privacy-related webapp, and want to show it off to you.

The app is an example of using browser history detection to determine personal preferences of Web browser users and is located at http://whattheinternetknowsaboutyou.com. The history detection hack has been known for quite a while; it works by using the CSS :visited pseudoclass to style visited links differently from unvisited ones, in order to figure out which ones are present in the browser's history, and it does not require JavaScript.

There are over 20 tests to extract various kinds of information from the browser's history; the most obvious application is to check for visits to the most popular websites and blogs, which we grouped into categories (banks, pr0n sites, dating sites, social networks, etc.). We're also monitoring for more sensitive content, such as all visited Wikileaks articles and administrative pages, visited .gov and .mil websites, as well as Google search queries and zipcodes typed into forms. In addition to that, we're indexing over fifty of the most popular RSS newsfeeds (including Boing Boing, of course) to determine which recent news stories the user has read; also, for social news sites, we're trying to determine the user's username by detecting visited profile pages.

We also meticulously documented the problem and listed possible solutions in hope of educating casual Web users as well as browser vendors about this issue. Most people still have no idea that such history detection is possible, and in fact trivially easy to implement; what's worse, there are no simple ways to protect against this (other than disabling history altogether). I hope that by publicizing the issue we can get browser vendors to figure out sane ways of solving the problem to make our browsing histories private again, and would appreciate your help.

What the Internet knows about you (Thanks, Art!)
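
An added example, not part of the original post or the site's code: a small JavaScript audit that lists the `:visited` rules in a stylesheet that set anything other than colors, since a rule that changes more than a link's color is what lets a page observe whether the link was visited. The `ALLOWED` list (abridged from the color-only properties current browsers apply to `:visited` links), the function name and the sample stylesheet are assumptions made for illustration.

```javascript
// Added example: audit a stylesheet for :visited rules that set more than colors.
// ALLOWED is abridged from the color-only properties that current browsers
// still apply to :visited links; treat the exact list as an assumption.
const ALLOWED = new Set([
  'color', 'background-color', 'border-color', 'border-top-color',
  'border-right-color', 'border-bottom-color', 'border-left-color',
  'outline-color', 'column-rule-color', 'text-decoration-color',
  'text-emphasis-color', 'fill', 'stroke',
]);

// Constructed sample stylesheet (not taken from any real site).
const SAMPLE_CSS = `
/* a:visited { display: none } is commented out and must be ignored */
a:visited { color: #609; }
a.nav:visited, a.nav:hover { text-decoration-color: gray; display: block }
@media screen {
  a.ext:visited { background-image: url(/img/check.png); }
}
a:link { background: url(/logo.png); }
`;

function auditVisitedRules(css) {
  const findings = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ''); // strip CSS comments
  // Match innermost "selector { declarations }" blocks, so rules nested
  // inside @media are audited as well.
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(text)) !== null) {
    // Keep only the selectors of a grouped rule that mention :visited.
    const selectors = m[1].split(',').map(s => s.trim())
      .filter(s => /:visited\b/i.test(s));
    if (selectors.length === 0) continue;
    for (const decl of m[2].split(';')) {
      const i = decl.indexOf(':');
      if (i < 0) continue; // empty or malformed declaration
      const property = decl.slice(0, i).trim().toLowerCase();
      const value = decl.slice(i + 1).trim();
      if (!property || ALLOWED.has(property)) continue;
      for (const selector of selectors) findings.push({ selector, property, value });
    }
  }
  return findings;
}

console.log(auditVisitedRules(SAMPLE_CSS));
```

Splitting on `;` and `,` is a simplification: values such as data URIs, or selectors such as `:is(a, b)`, need a real CSS parser.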


  1. Wow, that was a deeply-unnerving experience. Boing Boing didn’t show up in my history for some reason, even though I visit multiple times per day (but will probably cease if the mods aren’t brought into line.) Also, the number of visits was quite wrong on some of them.

  2. Dear people of the Internets,

    Don’t submit your link to Boing Boing unless you’ve prepared for the traffic. You know what’s going to happen.

  3. Interestingly – after trying this with IE 8, FF 3.5, Chrome, and Opera 10 [my regular browser] .. Opera does not have this issue, while all the others do.

  4. The site’s suggested solution (a FireFox add-on), doesn’t support the current version of FireFox. You have to wonder how much else is out of date.

    If you use the mouse to “select” the site text, it becomes white-on-black and isn’t nearly as hard to read.

  5. Opera showed the insane amount of 5 sites there.

    I thought the site was bugged until I tested it in other browsers.

    +1 for Opera ;)

  6. The problem with the technique that they use is that it must work from a list of ‘known’ pages, which in practice is likely to be limited to well-known sites. If ‘midgetgoatporn.com’ isn’t in the pre-programmed list, your shameful secret is safe. So long as the list of sites to check for is finite, this isn’t a very useful technique.

    One nice exercise might be to make it dynamic. If they detected that I visited ‘boingboing.net’, for example, they could fire off a spider (or review a cache of previously-spidered pages, or just query Google) to see what pages exist on ‘boingboing.net’, then present me with a revised page to figure out exactly which pages I looked at. That would give you the beginnings of a more detailed profile of my interests (“Hmm, he seems to have totally ignored all the papercraft articles and only read about half the steampunk stuff, but he does seem to be interested in civil liberties …”).

    I guess we’ll need to get into the habit of regularly clearing our browser histories as well as our cookies.

  7. In Chrome, the Internet is just looking back at me with two square red eyes. While this is somewhat disconcerting, I don’t get the feeling it knows much about me…

  8. I’m sort of sad that it doesn’t have a larger list of porn sites for me, given that I spend 8-10 hours a day working on them.

  9. What is really scary here is what the internet does know about me– it picks up a very distorted image.

    Yes, I did indeed visit all the sites found (and I’m on Firefox), but they were a small fraction of the overall pagecount. You could use this tool to present me as a pervy militarist commie white power/survivalist birfer/troofer islamicist or almost whatever you want. Which is what comes from doing research.

    This is really dangerous stuff if stoopid cops or the NSA take it at all seriously.

    And yes, it did pick up my BoingBoing visitation.

  10. I just clicked on cute kitten and the power went off.

    How do they do that? Do they know about my UPS?

  11. …And which link on their site turns it back on again?

    Or do I just have to wait five or ten minutes, like most regular power cuts here ?-)

  12. ..but will probably cease if the mods aren’t brought into line..

    Do I need to take this personally, Rodney?

  13. The article sez one doesn’t need javascript enabled for the hack to work. So how come NoScript prevented the inner part of the website from loading? I think the hack may have been IFRAMEd from another site. Would this have really worked if the hack was hosted on the site I was visiting?

  14. Odd. It says I visit the USPS site a lot more than Google. Apparently I’m into postal services. Aside from that it’s giving me a lot of government sites that I rarely visit, usually only while doing research. I guess the rest of the places I visit don’t merit attention by them.

  15. I got the same thing. It listed sites I haven’t been to in a long time and then only briefly.

    I only use one profile and only use Firefox. It looks like they’ve got some work to do.

  16. If I turn on FF’s private browsing feature, it picks nothing up. Also, I access a whole bunch of stuff, including (usually) Boing Boing by way of RSS, and it didn’t pick any of that up either.

  17. Try: http://jondos.de/en/anontest for some more substantial and open set of tests and explanations.

    Agree with #21 noscript blocks a redirection link, which, even if explicitly allowed links to another set of scripts, all of which are blocked.

    FF: Tools:Preferences:(tab)Privacy:(button)Settings: Tick all boxes, clear on exit! Job Done.
