History Sniffing

Using computer code to track which Web sites computer users have visited.

A University of California-San Diego study has found that browser vulnerabilities can be exploited in
order to access your Web surfing history, Chloe Albanesius reported on PC Mag:

JavaScript code used by Web sites and advertisers exploits browser vulnerabilities to track which sites
a user has or has not visited, the report said. Researchers have dubbed the practice “history sniffing,”
and they claim their work is the first empirical analysis of history sniffing across the Web.

“Nobody knew if anyone on the Internet was using history sniffing to get at users’ private browsing
history. What we were able to show is that the answer is yes,” UC San Diego computer science
professor Hovav Shacham said in a statement.

History sniffing is possible because browsers display links to sites you’ve visited differently from those
you have not. If you’ve clicked on a link, it shows up purple. If you have not clicked, it displays as blue.

According to Albanesius, information collected via history sniffing could be used by organisations to
track visits to competitors’ sites, by advertisers to help construct detailed user profiles, and by
criminals to launch increasingly realistic phishing attacks.

On the heels of a government report pushing a "do not track" option for Web browsers, a recent study
from the University of California-San Diego finds that browser vulnerabilities can allow access to your
Web-surfing history.

Researchers cautioned, however, that the practice is not as harmful as malicious software attacks like
malware.

"History sniffing JavaScript code running on a Web page checks to see if your browser displays links to
specific URLs as blue or purple," the report said.

Why is this important? Researchers said that Web site owners can use this information to see if you
have been visiting the Web sites of their competitors. Advertising companies can also use the data to
build user profiles, while criminals could watch which banking sites you use to know which fake
banking site they should use for a phishing attack.

"JavaScript is a great thing, it allows things like Gmail and Google Maps and a whole bunch of Web 2.0
applications; but it also opens up a lot of security vulnerabilities. We want to let the broad public know
that history sniffing is possible, it actually happens out there, and that there are a lot of people
vulnerable to this attack," said Sorin Lerner, a computer science professor with the university's Jacobs
School of Engineering.

The report found that the latest versions of Firefox, Chrome, and Safari block history-sniffing attacks.
Internet Explorer, however, does not currently defend against history sniffing. November data from
Net Applications found that IE still holds 58.26 percent of the global browser market share.

A Microsoft spokeswoman said the company takes "a holistic approach to protecting consumer
privacy." That includes browser options like InPrivate Browsing, which lets customers surf without
having their activity tracked.

"Internet Explorer 8's InPrivate Browsing feature puts people in control of their privacy, giving them
the important features and controls to understand what information is being shared when they browse
the Web," Microsoft said.

To gather their data, researchers used their JavaScript monitoring tool to look at the top 50,000 Web
sites, as ranked by Alexa. The practice is not particularly widespread, at least. Of the 50,000 sites,
they found that 485 of those sites can monitor a browser's history. Of those 485 sites, 63 of them
transferred the browser history to the network; researchers only considered it history sniffing if that
data was sent to the network. The topics of these 63 sites were varied, though most focused on
entertainment. A complete list is included in the report.

To gather their data, researchers tagged – or "painted" – a link that was being tracked, akin to the
paint packets banks add to bags of stolen money.

"As soon as a JavaScript tries to look at the color of a link, we immediately put 'paint' on that. Some
sites collected that information but never sent it over the network, so there was all this 'paint' inside
the browser. But in other cases, we observed 'paint' being sent over the network, indicating that
history sniffing is going on," Lerner said.
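The mechanism described in the article (a page script asks the browser for a link's color and the answer differs for visited links) and the researchers' "paint" rule (it only counts as history sniffing when painted data leaves over the network) can be put into a small simulation. This is an added example, not code from the UCSD study or the article; the fake browser, the visited-URL list and the three site behaviours are constructed for illustration.

```javascript
// Constructed simulation of the UCSD "paint" (taint) monitor. No real DOM or
// network: a tiny fake browser stands in for both.
const PAINT = Symbol("paint");

class PaintMonitor {
  constructor(visitedUrls) {
    this.visited = new Set(visitedUrls); // constructed browsing history
    this.paintInBrowser = 0; // painted values that stayed on the client
    this.paintOnNetwork = 0; // painted values that left in a request
  }
  // The only way a page script can learn a link's color here. The answer is
  // what a 2010-era browser exposed, but it is marked ("painted") on the way out.
  readLinkColor(href) {
    const color = new String(this.visited.has(href) ? "purple" : "blue");
    color[PAINT] = true;
    this.paintInBrowser += 1;
    return color;
  }
  // Stand-in for XMLHttpRequest or an image beacon: inspect every field sent.
  sendToNetwork(fields) {
    const leaked = fields.filter((f) => f && f[PAINT]).length;
    this.paintOnNetwork += leaked;
    this.paintInBrowser -= leaked;
  }
  // The study's rule: it only counts as history sniffing if paint reached the network.
  verdict() {
    if (this.paintOnNetwork > 0) return "history sniffing";
    if (this.paintInBrowser > 0) return "reads link colors, keeps them local";
    return "clean";
  }
}

// Three constructed site behaviours, each run against the same fake history.
function classifySite(behaviour) {
  const monitor = new PaintMonitor(["https://bank.example/login"]);
  const probes = ["https://bank.example/login", "https://other-bank.example/"];
  if (behaviour === "clean") {
    monitor.sendToNetwork(["page-view", "screen=1080p"]); // ordinary analytics
  } else {
    const colors = probes.map((href) => monitor.readLinkColor(href));
    if (behaviour === "sniffs") monitor.sendToNetwork(["probe", ...colors]);
    // "reads-only": colors stay in a local variable; nothing painted is sent
  }
  return monitor.verdict();
}
```

The "reads-only" case is the one the study deliberately did not count, which is why 485 sites could read history but only 63 were reported as sniffing it.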

Going forward, the researchers said they would use this technique to see if history sniffing is also used
by Web 2.0 applications and social-network sites.

Shacham said that while history sniffing might be invasive, it is not as great a risk to your privacy as
malicious software programs like malware, which can steal banking information or an entire Facebook
profile. Still, "history sniffing is unusual in effectively allowing any site you visit to learn about your
browsing habits on any other site, regardless if the two sites have any business relationship," he said.

He advised users to keep their browsers and Flash plug-ins up-to-date to avoid history sniffing.

The report comes several days after the Federal Trade Commission released an online privacy report
that recommended "do not track" technology for browsers. Essentially, browser companies should add
the ability for consumers to opt-out of having their Web activity tracked, the agency said. The FTC
discussed it more at a House hearing last week, where a researcher from Symantec expressed his
concern about "do not track" technology. Major browser firms like Microsoft, Google, and Mozilla have
said they will review the FTC's proposal.

FTC Privacy Plan Includes 'Do Not Track' Browser Option

The Federal Trade Commission on Wednesday unveiled an online privacy proposal that includes a "do not track"
suggestion for browsers that would prevent them from collecting a Web user's online history.

The "do not track" option would be similar to the agency's "do not call" list. Just like a consumer can choose not to
receive calls from telemarketers, they could choose not to be tracked on the Web. As a result, their Web-surfing
history would not be sent to third-party sites and their activity would not be used to serve up targeted advertisements,
among other things.

At this point, the proposal is just a suggestion. The FTC is asking stakeholders to comment on this and other facets of
the plan by January, and the agency will release a final proposal sometime next year.

"We don't have regulatory authority; what we're doing is offering best practices to companies and guidance to
lawmakers," FTC Chairman Jon Leibowitz said during a Wednesday call with reporters.

Leibowitz said that companies like Google, Microsoft, and Apple have experimented with "do not track"
technologies, and urged them to push forward.

In a Wednesday blog post, Microsoft pointed to the InPrivate Browsing option introduced with Internet Explorer 8,
which allows users to surf without being tracked.

"Internet Explorer 9 will continue this focus and leadership on enabling our customers' choice and control with
respect to their online privacy," wrote Brendon Lynch, Microsoft's chief privacy officer. "We appreciate the Federal
Trade Commission's efforts to advance consumer privacy protections and welcome the opportunity to review the
FTC's Privacy Report."

Google Chrome also has its Incognito private browsing mode, while Firefox has Private Browsing. Leibowitz was
asked about these features, specifically about Chrome's Incognito mode. He said it is a "good innovation" but the FTC
is looking for "a little more ubiquity."

On "do not track," a Google spokeswoman said the "FTC raises some interesting ideas, and we look forward to
learning more about what Do Not Track could look like."

On the entire report, Google said it agreed that "people should be able to understand what information they share and
how it's used. That's why we simplified our privacy policies earlier this year, offer control through our privacy tools,
and explain our approach to privacy in plain language and through YouTube videos in our Privacy Center."

In a blog post on the report, Mozilla didn't specifically mention the "do not track" browser option, but said it was
"encouraged by what we've seen so far."

"The FTC should also be commended for continuing its efforts to seek a comprehensive proposal rather than focusing
only on one aspect of the issue," wrote Harvey Anderson, Mozilla's general counsel. "Over the next month, we'll
examine the questions and proposal in more detail and take advantage of this opportunity to share our experience,
concerns, and views on the proposed framework."

The FTC also called out Adobe because the cookies gathered by Flash are apparently collected regardless of the
browser's settings.

"Adobe would support and participate in any industry initiative to foster clear, meaningful, and persistent choice
regarding online tracking for purposes that are not obvious in context or commonly accepted," Adobe said in a
statement. "This includes the 'tracking' of user preferences by third parties for advertising purposes using local storage
capabilities (such as Flash Local Shared Objects, often referred to as 'Flash cookies' in the public and confused with
Web browser cookies), which were not designed for this purpose. Adobe has repeatedly stated publicly that we
condemn such practices because they clearly circumvent the user's expressed choice."

Flash Player 10.1 supports private browsing, and "Adobe is also working with the browser manufacturers to better
coordinate local storage management with browser privacy management settings," the company said. Google Chrome,
for example, currently provides access to Flash Player local storage settings from within the browser's privacy
controls.

"Adobe anticipates that future versions of the browsers will include the ability for users to clear their local storage
data directly through the browser privacy management interface," Adobe concluded.

"Do not track" is just one component of a plan that "proposes a new framework for consumer privacy," Leibowitz
said. "The FTC wants to ensure that the growing, changing, thriving information marketplace is built on a framework
that promotes privacy, transparency, business innovation, and consumer choice."

Leibowitz argued that most data collection online is invisible to the average consumer. Some companies do not
disclose their data collection processes, while those that do often have long, incomprehensible privacy agreements
that consumers don't read or understand, he said.

Going forward, companies need to "bake privacy protections into their operations," Leibowitz said. They should
collect data "only if they have a legitimate business reason for doing so." Privacy choices, meanwhile, should be
presented in a simpler, more streamlined way, he said. Companies shouldn't have to seek consent to share your
address with shipping companies that deliver their products, for example, but if data is being shared with marketers or
data miners, consumers should be informed.

Leibowitz pointed to EchoMetrix, a company whose Sentry software allows parents to monitor their children's online
activities. Sentry, however, tracked those children's online activities and sold the information to third-party marketers.
A vague reference to this policy was 30 paragraphs into a multi-page end user license agreement.

As a result, the FTC on Tuesday announced a settlement with EchoMetrix whereby the company will no longer use or
share the information it gathered via Sentry. It must also destroy the data EchoMetrix transferred to its marketer
database.

"Despite some good actors, self-regulation of privacy has not worked adequately … for American consumers,"
Leibowitz said. "The industry as a whole needs to do a far better job. We're going to take action against companies
across the line … especially when children and teens are involved."

Despite his skepticism of self-regulation, Leibowitz is open to suggestions from industry, though "a legislative
solution will surely be needed if industry doesn't step up to the plate," he said. At this point, however, the FTC wants
to hear from the public, and will reserve final judgment until all comments have been submitted, he said.

Many in industry have shunned a legislative solution because they claim it will hurt innovation, an assertion with
which Leibowitz did not agree.

"I just fundamentally disagree with the notion that we're creating barriers to entry," he said. "I think there are a few …
Washington folks [who are] doing what they're supposed to be doing – perpetuating that myth – but we have a 5-0 vote
at the commission [on this report], and if we thought we were creating barriers to entry, we'd have a 0 to 5 vote."

New FTC Privacy Proposal

December 1, 2010, lockshot

Today the Federal Trade Commission released a proposal describing a new framework for protecting consumer
privacy in both online and offline environments. The report reflects the new challenges users, publishers, service
providers, and advertisers face in today’s digital environment and incorporates feedback from public roundtables
conducted over the past year. The report acknowledges the shortcomings of the current “notice and consent”
framework, but doesn’t abandon it completely, rather it seeks to implement it in a way that makes more sense for
users.

While we’ll need more time to digest and evaluate the details, we’re encouraged by what we’ve seen so far. In
particular, the FTC has proposed a set of principles that align well with the Mozilla manifesto and our approach to
software development including:

privacy by design;
transparency;
user choice; and
no surprises.

Of course the devil is often in the details, but the first principles seem right. The FTC should also be commended for
continuing its efforts to seek a comprehensive proposal rather than focusing only on one aspect of the issue.

The Commission has also shown that it understands the complexity and nuance of many of the issues, for example,
the blending distinction between PII and non-PII, and the contextual nature of privacy issues. To that end, the
Commission has articulated a robust set of questions on which it is seeking further public feedback. Comments on the
proposal are due on January 13, 2011.

Over the next month, we’ll examine the questions and proposal in more detail and take advantage of this opportunity
to share our experience, concerns, and views on the proposed framework.

If you have thoughts about the proposal let us know.