A UK advertising firm is stealing browser history and ignoring user do-not-track requests, researchers say.
The Stanford Security Lab said behavioural ad firm Epic Marketplace was “history stealing” and ignoring consumers' requests to not be followed online, while displaying ads for big-name brands.
History stealing is a method for advertisers to build up a highly specific picture of which web sites surfers have visited by using the information that computers use to change the colour of links from blue to purple when they have been visited.
According to the researchers, a script is added via an invisible iframe and can test for thousands of links per second and can be paused if consumers browse away from sites where the technology is employed.
Behavioural advertising is a hot topic as regulators try to balance websites’ commercial requirements against consumers’ desire for privacy.The risk goes beyond leaking individual tidbits about past browsing; history stealing can be used to track or even identify a user.
Advertising companies want to collect as much information as possible to target adverts, but some methods, including history sniffing, are frowned upon by web regulators while do-not-track requests are expected to be respected.
“We found that Epic Marketplace leaves its tracking cookies in place after both opting out with the NAI mechanism and enabling Do Not Track,” said graduate student Jonathan Mayer, who wrote the Tracking the Trackers: To Catch a History Thief report.
“We also found that history stealing continues after using either choice mechanism.
“The risk goes beyond leaking individual tidbits about past browsing; history stealing can be used to track or even identify a user."
“Last year Stanford researchers found that a few popular adult sites were history stealing to learn whether users had visited their competitors."
Epic has so far not returned a request for comment.