http://online.wsj.com/article/SB10001424052748704493004576001622828777658.html

DECEMBER 6, 2010

Suit to Snuff Out 'History Sniffing' Takes Aim at Tracking Web Users

By JESSICA E. VASCELLARO

A lawsuit filed Friday for alleged use of "history sniffing," a method for surreptitiously detecting what websites a person has visited, is the latest to take aim at technologies that harvest Internet users' personal information.

A lawyer for two California residents said they filed suit against the owner of adult website YouPorn, alleging that it had violated cybercrime and consumer-protection laws by using the method, which is drawing increased scrutiny from regulators and academics.

The suit, among the first to target history sniffing, alleges that YouPorn used technology that can "peek in on the plaintiffs' Internet-visitation history" by exploiting a vulnerability in Web browsers and failed to disclose to users that the site was doing so. The suit filed in U.S. District Court for the Central District of California, seeks unspecified damages and an injunction to stop YouPorn from using the technology. Plaintiffs David Pitner and Jared Reagan, both of Newport Beach, Calif., allege that their privacy was violated by YouPorn and are seeking class-action status for their suit.

The site was one of 46 listed in an October paper by researchers at the University of California, San Diego, as running history-sniffing technology. The sites cover a range of topics, including sports and investing.

History sniffing generally relies on the fact that Internet browsers display Web links in different colors based on whether the browser has visited the particular link before. By running code inside a Web browser, a company can tell whether certain sites have been visited and create a profile of where someone has been online without the person knowing.

Online tracking often is used to target ads based on a person's interests. Other lawsuits and recent regulatory scrutiny have focused on "cookies," small text files that are placed on users' Web browsers when they visit Internet sites. A separate suit about use of cookies was settled Friday.

In the history-sniffing study, the University of California researchers didn't determine how the companies used data they collected. YouPorn owner Midstream Media International NV, which is based in the Netherlands, couldn't be reached for comment.

Consumers, academics and regulators are starting to look beyond cookies to scrutinize a wider array of targeting methods, including history sniffing.

The director of the Federal Trade Commission's bureau of consumer protection in a speech last week expressed concerns that history sniffing "deliberately bypassed" the most widely known method that consumers use to prevent online tracking: deleting their cookies. "In theory, history sniffing could be used to get extensive information regarding the domains or even subdomains the consumer had visited," said the director, David Vladeck.

In history sniffing, code written in the JavaScript programming language is put on a user's Web browser through ads or other elements on a Web page. If the sniffer wants to know if the visitor to that page has visited another site, the code will add a link to that site that is hidden from the user. The code then looks to see whether the hidden link would appear purple, meaning it has been visited, or blue, meaning it hasn't been visited.

Mr. Vladeck said the commission has urged major browser vendors to implement fixes, and some have. But the University of California researchers responsible for the sniffing study estimated that 66.8% of Web users are still vulnerable and said some of the browsers that have addressed the problem may be hit by more-sophisticated types of sniffing.

The October study found that sites running history-sniffing technology included investor site Morningstar, ESPN car racing site ESPNF1 and Charter.net, a portal operated by cable-television provider Charter Communications Inc. Because the history-sniffing code is served through ads or other items on a page, the site's hosts might not have known the history-sniffing was running. The researchers determined that YouPorn had hosted its sniffing technology itself, however.

The researchers found that online-advertising company Interclick Inc., had hosted the sniffing technology on many of the sites. The company said the code was aimed "to provide Interclick guidance in its purchasing decisions of targeting data." Interclick, which wasn't named in the lawsuit, said it stopped the test because it wasn't effective and said the company didn't store users' browser histories.

A Charter spokeswoman said the company ended its relationship with Interclick after being contacted about the issue by The Wall Street Journal several weeks ago. Charter has since updated its process for vetting new technology partners, the spokeswoman said.

A spokeswoman for Morningstar said it stopped working with Interclick last week after it became aware Interclick had been running the technology. ESPN declined to comment.

In another online-tracking case, Quantcast Corp., Clearspring Technologies Inc. and several websites on Friday agreed to settle lawsuits filed against them this summer alleging that the sites used online-tracking tools that essentially hacked into users' computers without their knowledge.

Under the agreement, Quantcast and Clearspring agreed not to use a technology known as Flash Cookies to store Web-browsing activity without adequate disclosure or except related to Adobe System Inc.'s Flash program, which is commonly used to show video online. Quantcast and Clearspring also agreed to pay $2.4 million, some of which will go toward one or more online-privacy nonprofit organizations. The settlement is subject to court approval.

A spokeswoman for Quantcast said the company in 2009 addressed the concerns raised in the suit. Clearspring said it "has always respected the need for user privacy" and settled the case to avoid protracted and costly litigation.

--Emily Steel contributed to this article.

Write to Jessica E. Vascellaro at jessica.vascellaro@wsj.com

Rooting Around

History sniffing is a means beyond cookies to determine what sites a person has visited.

1) Special code is served to a user's browser through a website's ad or another element on the page.

2) The code puts links, invisible to the user, to sites the sniffer wants to learn if the user has visited.

3) The software sees if the browser would render the links purple, meaning the user had visited the sites before, or blue, meaning they weren't visited.

4) The list of sites can be used for research or marketing.