When the practice of browser ‘history sniffing’ was first revealed in December, it spurred headlines and lawsuits, and criticism from a key FTC official, who urged browser companies to alter their software to prevent the practice. After those controversies, you might have expected history sniffing to fade away. But new research by Stanford researchers shows that one ad company, Epic Marketplace, instead embraced the practice on an unprecedented scale.
Epic, which was founded in 1999 and was called Traffic Marketplace until last month, has more than $100 million in revenue and works with Fortune 500 clients like Microsoft (NSDQ: MSFT), Kraft and Macy’s. The history-sniffing software it has deployed reads the web-browsing history of millions of users each month, checking to see which of more than 15,000 web pages they may have visited. In addition to tracking a huge volume of information, the ad network is also collecting some very sensitive data about consumers, like whether they’ve read articles about debt relief or getting pregnant. While many internet companies do some kind of online tracking, what Epic is doing involves a “hack” of the browser software, which is not something that most people, or the browser companies, would condone.
History sniffing is probably legal, but some consider it to be unethical. Jules Polonetsky, head of Future of Privacy Forum and a former executive at AOL (NYSE: AOL) and DoubleClick, said on Google+ that Epic had been “caught… fair and square” by the Stanford researchers. “Using a browser exploit to peek at user history to help with ad targeting is unacceptable behavior.”
The FTC’s head of consumer protection, David Vladeck, expressed concern about history sniffing last year, saying that it “deliberately bypassed” the most common mechanisms consumers use to protect their own privacy, like deleting cookies.
But Epic is hardly distancing itself from the practice. In the company’s response to the Stanford research, it concedes that it engages in history sniffing, which it refers to as “segment verification.” The company stresses that it doesn’t collect any personally identifiable information.
Epic’s embrace of history sniffing could put it on a collision course with the Network Advertising Initiative, an advertising group that runs a centralized opt-out program for 75 advertising networks. The NAI is one of the groups eager to convince Washington lawmakers that the advertising industry is capable of policing itself when it comes to privacy. Having a member like Epic that owns up to history sniffing could undermine that position.
Contacted by paidContent, the NAI would not say whether it has a policy regarding history sniffing. It did say in a statement that any advertising technologies should give users “an appropriate degree of transparency and control,” and said it was investigating “all facts relating to the CIS (Stanford) blog posting.”
The Stanford computer security researcher, Jonathan Mayer, found Epic’s practice when he checked for it on the top 5,000 most-trafficked websites. Mayer caught two of those sites, Charter.net (the default homepage for anyone using Charter Communications (NSDQ: CHTR) as their ISP) and the movie review site Flixster, checking users’ browsers to see if they had visited any of more than 15,000 URLs. The program Epic uses is speedy, scanning all the URLs in less than 10 seconds, said Mayer.
When asked about the history sniffing, a Charter spokeswoman told us the company wasn’t aware that it was happening. “Epic Marketplace has been banned from the charter.net site,” company spokeswoman Anita Lamont said via e-mail. “Charter does not support history sniffing… Any advertisers found to be history sniffing will be banned from our site.”
Flixster, which was purchased by Warner Bros. (NYSE: TWX) in May, didn’t respond to our emailed inquiries.
‘History sniffing’ first came into the national consciousness late last year. That was shortly after researchers at UC San Diego made headlines, and spurred lawsuits, when they discovered that some ad networks, such as Interclick, were using a loophole in many browsers to check if users had visited up to 222 different URLs.
But Epic’s tracking is far more wide-ranging. It checks users’ browsing histories against 15,511 different URLs, more than 70 times as many as Interclick was looking for. (See the full list of URLs that Epic’s software is looking for, as an Excel spreadsheet or web page.)
The process relies on the browser’s “visited link” styling. A script on the page adds links to thousands of URLs, reads back the style the browser actually applied to each one, and notes which links rendered in the “visited” color: each of those URLs is in the user’s browsing history. Such styling was meant to help people see where they have already been, never to be read back by a third party, and history sniffing of the type Epic engages in is considered an “exploit” or hack of browser software. Mozilla closed this loophole when it launched Firefox 4 earlier this year, and the other major browser companies (Microsoft, Google (NSDQ: GOOG) and Apple) have followed suit.
That means that only users who don’t have up-to-date browsers are still vulnerable. But that’s a lot of people: around half of all users remain vulnerable to history sniffing, according to Mayer.
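To make the mechanism above concrete, here is the classic CSS `:visited` probe written out in JavaScript. This is an added illustration, not Epic’s script and not code from the Stanford study; the marker colors, the function names (`sniffHistory`, `browserLeaksHistory`, `makeFakeDom`) and the sample URLs are all assumptions for the example. The real technique is the few lines that inject a stylesheet, create an anchor per candidate URL and read the computed color back; the fake DOM at the bottom is constructed only so the code runs offline. In a browser you would pass `document` and `window.getComputedStyle` instead.

```javascript
// Classic CSS :visited history-sniffing probe (the pre-Firefox-4 leak).
// Added example, not Epic Marketplace's code. `doc` and `getStyle` are
// injected so the same function runs against a real DOM or an offline fake.

const VISITED_COLOR = "rgb(1, 2, 3)";   // arbitrary marker colors, assumed
const UNVISITED_COLOR = "rgb(4, 5, 6)"; // not to collide with page styling

// Returns the subset of `urls` that the browser reports as visited.
function sniffHistory(urls, doc, getStyle) {
  // 1. Give probe links a distinctive color only when :visited applies.
  const style = doc.createElement("style");
  style.textContent =
    `a.probe { color: ${UNVISITED_COLOR}; } ` +
    `a.probe:visited { color: ${VISITED_COLOR}; }`;
  doc.body.appendChild(style);

  // 2. Park the probe links off-screen so the user sees nothing.
  const container = doc.createElement("div");
  container.style.position = "absolute";
  container.style.left = "-9999px";
  doc.body.appendChild(container);

  const visited = [];
  for (const url of urls) {
    const a = doc.createElement("a");
    a.className = "probe";
    a.href = url;          // :visited matches the exact URL, so the list must be exact
    a.textContent = url;
    container.appendChild(a);
    // 3. The leak: the rendered color tells us whether the URL is in history.
    if (getStyle(a).color === VISITED_COLOR) visited.push(url);
  }

  // 4. Remove all traces of the probe from the page.
  doc.body.removeChild(container);
  doc.body.removeChild(style);
  return visited;
}

// Positive control: `canaryUrl` must be a URL the browser has certainly
// visited (location.href is the obvious choice). If it is not reported as
// visited, the browser is patched and every result from sniffHistory is noise.
function browserLeaksHistory(canaryUrl, doc, getStyle) {
  return sniffHistory([canaryUrl], doc, getStyle).length === 1;
}

// Minimal fake DOM, constructed for this example so the probe runs in Node.
// `visitedUrls` plays the role of the browser history; `patched` models a
// browser that, like Firefox 4+, reports the unvisited style regardless.
function makeFakeDom(visitedUrls, patched) {
  const makeEl = (tag) => ({
    tagName: tag, className: "", href: "", textContent: "", style: {}, children: [],
    appendChild(child) { this.children.push(child); return child; },
    removeChild(child) { this.children = this.children.filter((c) => c !== child); return child; },
  });
  const doc = { body: makeEl("body"), createElement: makeEl };
  const getStyle = (el) => ({
    color: !patched && el.tagName === "a" && visitedUrls.has(el.href)
      ? VISITED_COLOR
      : UNVISITED_COLOR,
  });
  return { doc, getStyle };
}

// Constructed sample run: a "history" of two pages and three candidate URLs.
const sampleHistory = new Set(["https://example.com/debt-relief", "https://example.com/pregnancy"]);
const sampleCandidates = ["https://example.com/debt-relief", "https://example.com/yoga", "https://example.com/pregnancy"];
const vulnerable = makeFakeDom(sampleHistory, false);
console.log("vulnerable browser:", sniffHistory(sampleCandidates, vulnerable.doc, vulnerable.getStyle));
const patched = makeFakeDom(sampleHistory, true);
console.log("patched browser:", sniffHistory(sampleCandidates, patched.doc, patched.getStyle));
```

Two points the code makes that the paragraph does not. First, `:visited` matching is exact, so a sniffer has to enumerate every specific URL it cares about rather than a domain, which is why Epic’s list runs to 15,511 entries. Second, the browser fix did not remove `:visited` styling; it made the style the script reads back identical for visited and unvisited links, so on a patched browser the probe simply returns nothing, which the canary check detects before any “segment” is recorded.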
In collecting its giant dataset, Epic is looking for some pretty sensitive data. For instance, the company scans millions of browsers to get information about which internet users may be in financial trouble-by detecting if they’re reading articles about debt relief and repairing bad credit. It checks if users are reading financial tips published by the Federal Trade Commission and the IRS. Epic also records how many users show up who may have read pages about fertility and pregnancy; and who is reading about menopause.
Importantly, while Epic does check if users have read particular web pages, it does not keep that URL-specific data. Instead, it aggregates users into numbered “segments” that reflect their interest. So, if a user reads the FTC web page about debt relief, Epic won’t know the user read that exact page; it will put the user in a group along with others interested in debt relief who read similar sites.
In an e-mail, Epic Marketplace CMO Michael Sprouse said the company uses this software to double-check that the audience segments it is purchasing from data sellers, such as BlueKai and Exelate, are accurate. “We expect there to be a strong correlation between the interest categories identified by the data vendors and what we have found on our own.”
While the sensitive information stands out, most of the information Epic collects involves more mundane consumer products. For example, the company checks which users are reading about theme parks like Sea World and Disneyland; it notices when users are interested in particular cars, like Ford Fiestas; other segments note interest in yoga (1483) and organic food (1484).
The company’s blog post also says that it obeys opt-outs in accordance with standards set by the Network Advertising Initiative. Epic also says that “all data collection efforts cease” when a user chooses the NAI’s advertising opt-out. But Mayer says that’s untrue; he says he double-checked after Epic’s claim, and the URL-checking script continues to run even after a user opts out.
It’s notable that Charter Communications, the fourth-largest cable operator in the U.S., runs one of the two websites that Mayer found was engaged in this practice. Charter.net was already found to be using history sniffing when the UCSD study [PDF] was published last year. At that time, it was the Interclick ad agency that was doing the sniffing.
Jim Brock, CEO of PrivacyChoice, a company that monitors developments in the world of online tracking, said that the revelation of Epic’s practice could be a watershed moment for the online advertising industry’s self-regulation plans. “What does NAI oversight stand for to advertisers and websites?” said Brock. “The success of self-regulation depends on how situations like this are handled.”
Will the data payoff for Epic be worth the cost? It’s hard to imagine it will. Epic’s reliance on history sniffing is likely to result in lawsuits, as there’s a well-developed bar of privacy lawyers now eager to jump at privacy snafus much smaller than this. And the FTC may decide it wants to take a close look at this behavior, even if it doesn’t result in charges.