Interesting People mailing list archives

New Web Analytics Service Spies on Web Browsing Activity Without Permission


From: David Farber <dave () farber net>
Date: Thu, 22 Jan 2009 13:04:12 -0500



Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: January 22, 2009 12:19:26 PM EST
To: dave () farber net
Subject: New Web Analytics Service Spies on Web Browsing Activity Without Permission



New Web Analytics Service Spies on Web Browsing Activity Without Permission

               http://lauren.vortex.com/archive/000498.html


Greetings.  In the business of "Web Analytics" -- collecting,
analyzing, and reporting of Web usage data -- various firms are
continuously pushing the envelope.

Such data is in many ways the bread and butter of the free Web
services that we've come to expect, since it is in key respects a
crucial element of the ad-supported Web services ecosystem.  However,
the temptation to push analytics technology too far always exists.

A firm that appears to have succumbed to that temptation came to my
attention today.  "Tealium Social Media," a service of
Tealium ( http://www.tealium.com ) in San Diego, California, is
a commercial analytics service that uses JavaScript tricks to
inspect -- without the knowledge or permission of Web users --
specific URLs in their current browser histories.

The service attempts to provide a finer grain of usage information
than is typically available through analytical techniques, by querying
users' browsers for the presence of particular URLs.  While this does
not permit the reading out of complete browser URL histories, it does
permit the service to ask the potentially highly privacy-invasive
question: "Has this user been to a particular URL recently?"

Obviously, by sending a variety of such queries (all of which are
essentially invisible to the user), a fascinating portrait of users'
activities could be generated.  Visited this CNN story?  This
government Web page?  This porn image?  This medical information page?
Well, you get the idea.

While the JavaScript functionalities that enable this intrusion have
been known for quite some time in hacking and other technical circles,
this appears to possibly be among the first commercial applications of
this technique.

I had a cordial chat early this afternoon with Olivier Silvestre, one
of Tealium's partners, and a later e-mail exchange with Ali Behnam,
another partner.

They both emphasized a number of points that will sound all too
familiar, and I'm afraid far from convincing.  They noted that they do
not collect PII ("personally-identifiable information"), don't
accumulate user-linked data, and only query browser histories for
specific ("social media") related links.  It was also mentioned that
they have obfuscated their JavaScript to try to prevent their clients
from altering the code, have a customer use policy that prohibits
their clients from attempting such alterations, have put in place a
privacy policy ... and so on.

Opt-out is apparently possible via a cookie -- but of course you have
to know what's going on before you'd ever think to set an opt-out
cookie!  They hope to move to non-cookie opt-out techniques, and
claimed in answer to my query that they'd really prefer to be opt-in,
but realize that getting people to opt-in to such a service could be,
shall we say, impractical.

If so much of this sounds like deja vu, it's because we've heard
virtually all of it before.  In many ways it's quite similar to
arguments made by Phorm and NebuAd, which were roundly criticized as
self-serving and inadequate.

The fundamental question is an obvious one -- "Unless we're asked for
our permissions in advance, what the hell business is it -- of anyone
but ourselves -- what is or is not in our browser histories?"

Arguments about not collecting PII, only looking for particular URLs,
and all the rest, necessarily fall flat.  Inspecting browser URL
histories in such a manner -- without affirmative opt-in permission --
clearly crosses the line from acceptable analytics to an unacceptable
intrusion into private activities.

If a burglar argued that the only reason they conducted break-ins was
to check to see if you had purchased particular products, would such
reasoning be likely to prevail in court?  I'm not a lawyer, so I won't
attempt here to present a legal analysis of the Tealium technique --
though I'd certainly be interested to hear opinions about this.

But again, the guys at Tealium were friendly and open in our contacts,
and made no attempt to evade my questions.  Clearly we're dealing in
this case with a very different view of what privacy is, and what is
acceptable behavior on the Web.

My hope is that Tealium will reconsider their use of this methodology,
and I urge that all browsers vulnerable to such manipulations be
altered to prevent their use.

In the meantime, there are some ways to protect yourself from this
technology, though none are particularly pretty.  You can make a
practice of clearing your browser history frequently, or not keeping a
history at all, but these are both inconvenient.  You can turn off
JavaScript, but this will completely break a vast number of sites and
is generally not very practical these days.

[ Update (1/22/09):  Several people have suggested the Firefox
"NoScript" plugin as a method for finer-grained control over
JavaScript.  This is certainly available, though it is not necessarily
clear which sites to script block, or what the side-effects of
selectively blocking JavaScript will be in any given case.  But as a
practical matter, most people can't run NoScript since they don't use
Firefox, and most people who run Firefox tend not to use plugins.  The
only ad hoc "solution" available to pretty much everyone with a Web
browser is to turn off JavaScript completely, with the serious
downside already noted.  More to the point, blocking such activities
at the PC is essentially a diversion from the larger issues
surrounding the Tealium service, such as should their technique be
permitted at all and is it legal in all jurisdictions?  It is
unrealistic to expect everyone to fiddle around with their browser
configurations to try to protect against these sorts of intrusive
activities. ]

Or you might contact Tealium and let them know if you do (or don't)
approve of their practices in these regards.

As far as I'm concerned, my browser history is mine, nobody else's.
Period.  Full stop.  End of discussion.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
  - People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
  - Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com




