So I checked in with Interclick. Interclick explained that it deployed the script on websites around the Web over a limited period, from March to October, to test the quality of data sets it had purchased. "Interclick purchases anonymous audience data from several vendors for the purpose of targeting advertising campaigns. Consequently, it has a number of quality control measures in place to understand the quality and effectiveness of this data. The code observed in the paper was a quality measure being tested," said Interclick in a statement to me.
I asked Interclick to explain and got some interesting insight into how the data purchasing market works. Interclick buys user targeting data on websites such as BlueKai, Bizo, AlmondNet, Datalogix and Exelate. The data sets supposedly represent a group of particular users, like Sports Enthusiasts or Industrial Equipment Shoppers. But Interclick needs to know that it's getting what it paid for, so that its ads are more effective, so it has a series of quality control measures. The researchers happened upon one of those quality control tests.
Firefox's "Private Browsing" facility appears to be proof against this attack, for what it's worth.
Update: Sid Stamm from Mozilla adds, "Firefox 4 will include a protection against this for both modes public and private (the 4.0beta versions already have this feature)."
(Image: What the Internet Knows About You vs my browser history)