Who spies on your browsing history?


We've written before about the security vulnerability that allows websites to sniff your browsing history. A paper from UC San Diego computer science department researchers, "An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications," surveys which websites use this invasive technique against their users. YouPorn tops the list, but PerezHilton, Technorati, TheSun.co.uk, and Wired are also spying on their users' browsing habits by exploiting this vulnerability.

So I checked in with Interclick. Interclick explained that it deployed the script on websites around the Web over a limited period, from March to October, to test the quality of data sets it had purchased. "Interclick purchases anonymous audience data from several vendors for the purpose of targeting advertising campaigns. Consequently, it has a number of quality control measures in place to understand the quality and effectiveness of this data. The code observed in the paper was a quality measure being tested," said Interclick in a statement to me.

I asked Interclick to explain and got some interesting insight into how the data purchasing market works. Interclick buys user targeting data on websites such as BlueKai, Bizo, AlmondNet, Datalogix and Exelate. The data sets supposedly represent a group of particular users, like Sports Enthusiasts or Industrial Equipment Shoppers. But Interclick needs to know that it's getting what it paid for, so that its ads are more effective, so it has a series of quality control measures. The researchers happened upon one of those quality control tests.

Firefox's "Private Browsing" facility appears to be proof against this attack, for what it's worth.

Update: Sid Stamm from Mozilla adds, "Firefox 4 will include a protection against this for both modes public and private (the 4.0beta versions already have this feature)."

History Sniffing: How YouPorn Checks What Other Porn Sites You've Visited and Ad Networks Test The Quality of Their Data (via JWZ)

(Image: What the Internet Knows About You vs my browser history)

  1. Interestingly, this site is completely unable to find any of my browser history. But I’m using Chrome, so possibly this is Google monopolizing that information.

  2. There was/is a Firefox extension called SafeHistory that came out of Stanford.

    You need to do a little editing to make it work with current versions, but it blocks all of the tests on What the Internet Knows About You.

    Hopefully someone will pick the project back up and keep it updated.

  3. GimpWii is virus-proof and spy-proof! (Also occasionally annoyingly flash-proof)

    The future for the consumer internet is black boxes. General-purpose computing will return to the realm of power users aka hackers.

  4. All browsers now have “Private Browsing” (aka. porn mode), and it was pioneered in Safari, not Firefox.

  5. @Anon- how do you use it with later versions? It wouldn’t even let me download it for version 3.5ish that I have.

  6. Visited the site. Now I’m trying to remember when or why I looked up “Necrophilia” on Wikipedia, or, for that matter, “Dancing With The Stars”. The latter revelation disturbs me far more than the former.

    1. If you want to avoid this kind of data leakage, do roughly in this order of importance:
      1. Use Chrome or Safari.
      2. Delete cookies, and disable them for third-party sites if that is not a default in your browser.
      3. Disable your browser’s history.

    2. Hey Anon, thanks for that information.
      So what’s the best browser in terms of data protection?

      Telnet over stunnel. The learning curve is pretty steep, though.

  7. 1. Visit the website (possibly with Noscript, if you don’t want the script activating)
    2. View page source and copy the list of URLs out.
    3. Hours of entertainment. And ads. And there may be a bit of malware.
    4. Profit? Nope, just discounts and bargains…

  8. @Anon #6

    LOL! Yep, I’m doing a mental review too. It’s like passing a cop car and automatically looking in the rearview, even when I know I haven’t done anything worthy of attention. D’oh.

  9. It’s not fair to say that “Technorati, TheSun.co.uk, and Wired are also spying on their users’ browsing habits by exploiting this vulnerability.” They are cited in the article for exploiting a different vulnerability, which is collecting mouse movements for usability improvements. It’s the least evil vulnerability they mention. The researchers contend that since a website visitor does not expect mouse movements to be transmitted to a site, it is a privacy violation. However, they don’t claim this data is being shared with other sites or that it is being leveraged to target a customer differently.

    1. It’s not fair to say that “Technorati, TheSun.co.uk, and Wired are also spying on their users’ browsing habits by exploiting this vulnerability.” They are cited in the article for exploiting a different vulnerability, which is collecting mouse movements for usability improvements. It’s the least evil vulnerability they mention.

      Thanks for clarifying that, mrb!

  10. Call me paranoid, or just naive, but I use one browser for general browsing (Firefox) and another (Safari in Private mode) when I want to peruse content with a bit more anonymity.

    Is this a worthwhile caution or a self-deluded waste of time?

  11. @Anon: The blog article this comes from says the script that exploits the visited history bug doesn’t work at all with either Chrome or Safari — both WebKit-based browsers, I note, although I don’t know if this has anything to do with it. I can’t imagine why Cory didn’t mention this.

    Anyway, you might as well porn-surf in Safari in normal mode; the private mode bit is still handy for preserving your sleazy or otherwise browser history from your nearest and dearest, however.
