FTC Bars Ad Firm From Snooping Browser History

Soulskill posted about a year ago | from the most-private-of-places dept.

Privacy 21

itwbennett writes "Score 1 for online privacy. The Federal Trade Commission and online ad firm Epic Marketplace have reached a settlement that will bar Epic from using browser history sniffing technology. According to the news report, 'The history sniffing allowed Epic to determine whether a consumer had visited more than 54,000 domains, including pages relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy. Epic used the tracking to send targeted ads related to several health issues, the FTC said.'"

21 comments

Finally! (0, Insightful)

Anonymous Coward | about a year ago | (#42196473)

Finally! Freedom from ubiquitous surveillance. Now FTC just needs to break the google/doubleclick tracking bug and the Facebook "like" button. Until then, I'll stick to using VPN at the library, thankyouverymuch.

NoScript / Ghostscript / Adblock (0)

Anonymous Coward | about a year ago | (#42196619)

should do the trick

Meant Ghostery (0)

Anonymous Coward | about a year ago | (#42196665)

obviously... got traumatised by ghostscript as a kid

about:trackers (1)

Anonymous Coward | about a year ago | (#42197247)

I've removed Ghostery as a memory hog, and replaced it with about:trackers [mozilla.org]

Re:Finally! (1)

Anonymous Coward | about a year ago | (#42199527)

Now FTC just needs to break the google/doubleclick tracking bug and the Facebook "like" button.

Not needed. It's your computer which loads the like button. If you don't want it to, by all means, don't have it do that. I don't. Not a single packet to or from facebook has ever crossed my network.

Your request sounds like, "I keep ordering hamburgers from this restaurant, and they're really bad for me! The law should make them stop selling me burgers!" No... if you don't want to eat the burgers, then stop ordering them. They aren't going to force them on you.

Once you get laws involved in things like this, all kinds of bad shit is going to happen. You can't put that cat back in the bag again once we let it out, so think REAL careful about how necessary it is. In this case, it isn't necessary at all, because you can accomplish what you (and I) want perfectly well on your very own computer.

NSA/FBI/CIA - Worse than an ad agency (5, Interesting)

ilikenwf (1139495) | about a year ago | (#42196551)

I trust sleazy ad agencies more than I trust the US government. Too bad they don't obey the laws they force the citizens to themselves, especially those regarding privacy, since they need 5 petabytes to store every email and who knows what other web related data there in Utah.

Re:NSA/FBI/CIA - Worse than an ad agency (0)

Anonymous Coward | about a year ago | (#42196685)

and who knows what other web related data there in Utah.

Mostly it's a complex integration of various forums and discussion sites to identify potential threats by finding links between both accounts and anonymous posts to such forums, cross-analyzing the style, and tracing the communications to a point of origin to match up the comments to an actual person.

Huh, a memo?

Oh, looks like I'm unemployed now. And moving to Panama.

Re:NSA/FBI/CIA - Worse than an ad agency (4, Funny)

davester666 (731373) | about a year ago | (#42201725)

In the voice of The Count from Sesame Street:

One! One company prevented from violating your privacy! Ha Ha Ha Ha Ha....

Re:NSA/FBI/CIA - Worse than an ad agency (0)

Anonymous Coward | about a year ago | (#42206735)

They don't need to store the data anymore, they just ask google when they want it!

Needs to be both illegal and impossible (2, Informative)

Anonymous Coward | about a year ago | (#42196751)

This is great, but we need security at both ends here: prosecution to remove the economic incentive to invade people's privacy, and software security to increase the difficulty of doing so.

Here are two tests for vulnerability to history sniffing attacks, one CSS based and one based on cache timing:
http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-estimate-gender/ [mikeonads.com]
http://lcamtuf.coredump.cx/cachetime/chrome.html [coredump.cx]

Unfortunately it seems Opera (12.11) is still vulnerable to the CSS leak. :(

Re: Opera (0)

Anonymous Coward | about a year ago | (#42197223)

That's okay, Opera can be safely ignored as obsolete since they also refuse to implement IndexedDB and the CSS transform: rotateX(90) which has been unprefixed in the other browsers now.

Re:Needs to be both illegal and impossible (0)

Anonymous Coward | about a year ago | (#42199543)

Well, I tried the button on the first site, and nothing at all happened. This is under Firefox 17. So it wasn't a very impressive attack.

The second site I decided not to visit; don't really trust .cx sites.

Re:Needs to be both illegal and impossible (2)

gr8_phk (621180) | about a year ago | (#42203571)

Yep, I don't know why browser creators don't consider this information leakage a significant bug.

Re:Needs to be both illegal and impossible (3, Interesting)

tlhIngan (30335) | about a year ago | (#42204891)

Yep, I don't know why browser creators don't consider this information leakage a significant bug.

Law of unintended consequences without an easy fix.

For example, browsers have long used vlink highlighting to show previously visited links, which are really handy if users have a tendency to wander. E.g., if you're just browsing Wikipedia, it's awfully nice to know if you've already seen the article it links to ahead of time. Or if it's a list of files, if you've already downloaded it before (perhaps if you're showing someone how to get said file or what file you actually used).

The question, though, becomes: should scripts be able to get at the DOM properties? Setting it is useful (to highlight new options for example), but getting it? Might be useful for some effects I suppose. And then once gotten, it's really just a simple XMLHttpRequest away from passing that information back to the server.

It's really nothing special other than the clever combination of several innocent features in a nefarious way. (And no one had the gall to patent it... )

WRONG WRONG WRONG (0)

Anonymous Coward | about a year ago | (#42197267)

The solution should not be legal. It should be technical. There should be restrictions on what companies can do with user data however. The difference is there is no technical solution (at least not that I can conceive) to solve the problem unless we are willing to produce truly throwaway addresses within the postal systems and shipping carriers of the world + implement a more anonymous and easy to use BitCoin like system.

Wait, what? (3, Insightful)

Macdude (23507) | about a year ago | (#42200709)

Wait, what? A web site can secretly access my browser history? Why does this need the FTC to get involved, shouldn't "we" stop them by fixing the browsers?

Re:Wait, what? (1)

tlhIngan (30335) | about a year ago | (#42200987)

Wait, what? A web site can secretly access my browser history? Why does this need the FTC to get involved, shouldn't "we" stop them by fixing the browsers?

The question becomes "how". There are a lot of tricks that are used - for example, they can use CSS and DOM inspection to see if you've visited a link before (like setting the vlink color to be different from the link color, then inspecting the DOM to see what the color of the link is). Of course, the browser can hide visited links from you the user by making sure the attributes are the same, but seeing links that are in your history can be extremely useful.

The browser doesn't allow direct access to the history, but there are various tricks used to achieve the same effect.
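
An added illustration, not part of the Slashdot thread and not any browser's source: a constructed JavaScript model of the mitigation browsers adopted for the CSS/DOM technique described in the comment above, in which scripts are always told the unvisited style and a :visited rule may only change color. Every function name, URL and style value here is an assumption made up for the model.

```javascript
// Constructed sample data: a user's history and a page stylesheet whose
// :visited rule changes both color and layout (font size).
const HISTORY = new Set(["https://clinic.example/fertility", "https://news.example/"]);
const SHEET = {
  link:    { color: "rgb(0, 0, 238)",   fontSize: "16px" },
  visited: { color: "rgb(85, 26, 139)", fontSize: "32px" },
};
const COLOR_ONLY = new Set(["color"]); // what a :visited rule may set when hardened

// Style actually used for painting and layout.
function renderedStyle(href, hardened) {
  const out = { ...SHEET.link };
  if (!HISTORY.has(href)) return out;
  for (const [prop, value] of Object.entries(SHEET.visited)) {
    // Hardened mode ignores layout-affecting properties in :visited rules.
    if (!hardened || COLOR_ONLY.has(prop)) out[prop] = value;
  }
  return out;
}

// Style reported to page scripts (the computed-style analogue).
function scriptVisibleStyle(href, hardened) {
  return hardened ? { ...SHEET.link } : renderedStyle(href, false);
}

// Layout measurement analogue: element height follows the rendered font size.
function measuredHeight(href, hardened) {
  return parseInt(renderedStyle(href, hardened).fontSize, 10);
}

// Candidates a script can tell apart from an unvisited link, via either channel.
function distinguishable(candidates, hardened) {
  const baseHeight = parseInt(SHEET.link.fontSize, 10);
  return candidates.filter((href) =>
    scriptVisibleStyle(href, hardened).color !== SHEET.link.color ||
    measuredHeight(href, hardened) !== baseHeight);
}

// Links the user still sees highlighted on screen.
function highlightedForUser(candidates, hardened) {
  return candidates.filter((h) => renderedStyle(h, hardened).color === SHEET.visited.color);
}

const CANDIDATES = [
  "https://clinic.example/fertility",
  "https://bank.example/debt-relief",
  "https://news.example/",
];
console.log("legacy leak:", distinguishable(CANDIDATES, false));
console.log("hardened leak:", distinguishable(CANDIDATES, true));
console.log("still highlighted:", highlightedForUser(CANDIDATES, true));
```

The model covers only the style and layout channels; it says nothing about the cache-timing test linked earlier in the thread.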

Don't keep history (1)

Anonymous Coward | about a year ago | (#42203145)

THIS is why I always clear the browser history. At least, that is what I tell my wife.
