Wednesday 8 December 2010

YouPorn Sued for Browser History Sniffing, Wired Named in Tracking Scandal | ZDNet

With YouPorn in the #61 spot for global Internet visits, you no longer need to pretend you’ve never checked it out. But do you know who’s been checking you out when you come to visit?

YouPorn now faces a lawsuit over browser sniffing. The FTC is asking lawmakers for tracking opt-out tools for surfers, and a whole bunch of big sites have been caught peeping their users’ private history. So you’d think that people would be practicing a lot more “safer surfing” precautions these days.

Back in October, an insanely sexy report was filed by UCSD researchers called An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications (.PDF). Their paper confirmed that 46 websites used browser (history) sniffing to see which sites users visited before they arrived, and noted 326 sites they deemed “suspicious” in history tracking practices.

“Our study shows that popular Web 2.0 applications like mashups, aggregators, and sophisticated ad targeting are rife with different kinds of privacy-violating flows,” the researchers wrote.

The top 46 in the browser history sniffing exposé were using a browser exploit that relied on the browser telling the site which color to use for visited links, based on visitors’ history. Visiting one of the 46 meant activating a script that ran to get your browser to tell them where you’d been, with visitors none the wiser. Not surprisingly, the trail led mostly to ad networks: 22 used sniffing code from Interclick and 14 used scripts from Meaningtool.

The 46 noted in the study included StraightDope, OSDir.com, Newsmax, investor site Morningstar, NamePros, ESPN car racing site ESPNF1, Charter.net (a cable-television provider Charter Communications portal), and YouPorn, among others. The report especially noted that other sites, such as YouTube and Microsoft, were found to be performing covert behavior sniffing; Wired.com, PerezHilton, Technorati and TheSun.co.UK were also found to do so with TYNT.

Of all those caught spying on surfers’ histories and doing behavior tracking, none got as much attention as YouPorn – not for the adult content, but for the way they executed the exploit. The 61st most popular web site in the world (according to Alexa) ranked top in the researchers’ findings; they were really good at what they were doing… differently than the others.

Last week, the Forbes.com blog noted that the report highlighted YouPorn, which had created its own version of the JavaScript exploit and has since removed it from the site. YouPorn’s version cloaked the data slightly by using next-letter code (instead of “me.com” it would read “nf.dpn”).

Far be it from those in glass houses to hurl rocks at pornographers; it does seem a bit odd to see a porn privacy suit that is not filed by two John Does. Yet while some of us think that looking at porn is nothing to be ashamed of, some also think that tracking users without their consent isn’t hot or sexy.
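For anyone auditing a page's scripts, the two traits described above (a site list hidden with next-letter encoding, and a read of the browser's computed link style) can be checked statically. The following is an added example, not code from the study or from any of the sites named; the TLD allowlist, the sample script and all function names are assumptions made for illustration.

```javascript
// Added example: static triage of a script for history-sniffing indicators.
// KNOWN_TLDS and SAMPLE are constructed for illustration.
const KNOWN_TLDS = new Set(["com", "net", "org", "co", "uk"]);
const DOMAIN_RE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/;

// Undo the "next letter" encoding: shift every letter back by one (a -> z).
function decodeNextLetter(s) {
  return s.replace(/[a-z]/gi, (ch) => {
    const base = ch === ch.toLowerCase() ? 97 : 65;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 25) % 26) + base);
  });
}

// True for host-like strings that end in a TLD from the allowlist.
function looksLikeDomain(s) {
  const lower = s.toLowerCase();
  return DOMAIN_RE.test(lower) && KNOWN_TLDS.has(lower.split(".").pop());
}

// Pull the contents of single- and double-quoted string literals.
function stringLiterals(src) {
  const re = /(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  return Array.from(src.matchAll(re), (m) => m[2]);
}

// Report literals that only become domains after decoding, and whether the
// script reads computed styles (the channel the link-colour trick relied on).
function triageScript(src) {
  const hiddenDomains = stringLiterals(src)
    .filter((lit) => !looksLikeDomain(lit))
    .map(decodeNextLetter)
    .filter(looksLikeDomain);
  const readsComputedStyle = /getComputedStyle|currentStyle/.test(src);
  return {
    hiddenDomains,
    readsComputedStyle,
    suspicious: hiddenDomains.length > 0 && readsComputedStyle,
  };
}

// Constructed sample input, not taken from any real site.
const SAMPLE = `
var sites = ["nf.dpn", "fybnqmf.psh"];
var shade = window.getComputedStyle(link, null).color;
`;

console.log(triageScript(SAMPLE));
```

A script that lists its domains in the clear is not flagged as hiding anything, so this is a triage heuristic for the obfuscated variant only, not a general tracker detector.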

YouPorn is now facing a lawsuit filed Friday: David Pitner and Jared Regan have filed a class-action lawsuit in the Central District of California against Netherlands-based Midstream Media (YouPorn) for “the use of “history sniffing” or “history hijacking” techniques to intentionally and knowingly capture personal information from unsuspecting users of its websites without their knowledge or consent.”

The plaintiffs accuse YouPorn (and its sites) of violating the U.S. Computer Fraud and Abuse Act as well as California’s computer crime law, of engaging in deceptive and unfair business practices, and of unlawful and unfair competition.

Perhaps what is most interesting is that there was only one porn site among the top offenders: YouPorn. The question is, could this extend to the other top 46?

Interclick is not named in the lawsuit – nor is anyone else – and Interclick claims that the exploit was a test code that they have since stopped using. After the Wall Street Journal contacted Charter Communications about their place in the browser sniffing scandal, Charter ended their relationship with Interclick.

Could the practice of browser sniffing and behavior tracking be illegal?

Perhaps if the US had privacy laws as watchful as other countries. Sites are frothy-obsessed with gathering data on visitors; that Interclick is an ad company behind a number of sniffers in the report is no surprise. We expect this sort of thing from ad companies, who make the porn guys look like they’re late to the game.

The Federal Trade Commission is worried about privacy: they want to propose rules that would limit advertisers’ ability to track Internet users for the purpose of ad-targeting. They proposed a “Do Not Track” tool to lawmakers last week which would take the form of a browser setting that allows surfers to “opt out” of tracking, similar to the “do not call” registry. However, this may not actually block all forms of history sniffing. The nanny state is just as late to the game, it seems.

Why not just build a better browser? Browsers are generally well aware of their own privacy holes and the link color exploit has been known about for some time. The newest versions of Chrome and Safari have sniffing protection onboard, and Firefox announced they’d be taking sniffing countermeasures back in March, with full implementation set for Firefox 4.

YouPorn was not the only site in the top 46 to be running their own version of the exploit so it remains to be seen how the lawsuit will shake out.

What do you think: should sniffing and covert tracking be illegal? Does the FTC know what it’s doing? Talk back in the comments and tell me what you think.

Update: Ars Technica reports that in light of the YouPorn and FTC news, Internet Explorer 9 Gets A New Anti-Tracking Privacy Feature.
