History Sniffing

Published in Bloomberg Law Reports, March 7, 2011

Authors: Walter E. Judge, Jr. and Matthew S. Borick

This past December, two California residents, David Pitner and Jared Regan, filed a class action lawsuit in a California federal court against Midstream Media International, N.V., the operator of the popular adult website “youporn.com” and other related sites.1 The suit claims that the defendant unlawfully engaged in the practice of “history sniffing” (or “history hijacking”) by embedding JavaScript code on its youporn.com website that allowed it to secretly access the web browsing histories of visitors to the site.2 The Pitner case appears to be the first of its kind, although very shortly after it was filed a New York resident filed two other class action lawsuits in a New York federal court alleging history sniffing.3

What Is History Sniffing, and How Does It Work?

Although it is just now getting attention in the courts, history sniffing (like many computer exploits) has been around for a number of years, and has been an active discussion topic for some web browser providers since at least 2002.4 As a general matter, history sniffing is, as its name suggests, a ploy to “sniff out” the browsing history of web users. History sniffing is performed by displaying hidden JavaScript links to web addresses (or URLs) on the offending website.5 When a visitor accesses the website, his or her browser will display these links (which remain hidden) in one of two colors – purple for links the visitor has previously accessed and blue for links not previously accessed.6 The JavaScript code on the offending website is able to see the colors of the hidden links, and thereby can “learn” about the visitor’s browsing history.7

The plaintiffs in Pitner allege that the defendant engaged in history sniffing as just defined, but also that the defendant went beyond that by using cryptography to “disguise” its actions.8 Specifically, the defendant’s website would initially display the hidden links in a form that changed each character by one – e.g., “qpsoivc/dpn” instead of “pornhub.com” – and thus if a visitor to the site used a tool to view the JavaScript on the site, the visitor would see what appeared to be a meaningless assortment of characters.9 However, the defendant’s website would later “translate” the link to the “correct” one for comparison to the visitor’s browsing history.10 According to the plaintiffs, none of the alleged history sniffing activity was disclosed in the offending website’s terms and conditions.11 And although these terms and conditions did mention “data collected and maintained by YouPorn with regard to its users” and that such data “may be disclosed in accordance with YouPorn Privacy Policy,” the privacy policy was not available to the site’s visitors.12
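The shift-by-one disguise described above is trivially reversible, so a reviewer can check script text for it. The JavaScript below is an added example, not code from the complaint, the UCSD study or the original article: it flags string literals that become hostnames once each character is shifted back by one. The function names and the sample script text are constructed for illustration.

```javascript
// Undo the "each character changed by one" encoding described in the complaint.
function shiftBack(s) {
  return Array.from(s, ch => String.fromCharCode(ch.charCodeAt(0) - 1)).join('');
}

// Conservative hostname shape: dot-separated labels followed by an alphabetic TLD.
const HOSTNAME = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;

// Extract quoted string literals from script text.
// Simple scan, not a full JavaScript parser; escape sequences are left undecoded.
function stringLiterals(source) {
  const out = [];
  const re = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[2]);
  return out;
}

// Report literals that are not hostnames as written but decode to one.
function findShiftedHostnames(source) {
  const findings = [];
  for (const literal of stringLiterals(source)) {
    if (HOSTNAME.test(literal)) continue; // plain hostname, nothing hidden
    const decoded = shiftBack(literal);
    if (HOSTNAME.test(decoded)) findings.push({ literal, decoded });
  }
  return findings;
}

// Constructed sample: the article's own encoded string, one more encoded
// hostname, an ordinary UI string, and an unobfuscated hostname.
const sampleScript = [
  'var list = ["qpsoivc/dpn", "fybnqmf/psh"];',
  'var label = "Click here";',
  'var cdn = "static.example.net";',
].join('\n');

for (const f of findShiftedHostnames(sampleScript)) {
  console.log(`suspicious literal ${JSON.stringify(f.literal)} decodes to ${f.decoded}`);
}
```

A hit is only a lead for manual review: the check covers this one encoding and says nothing about what the script does with the decoded name.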

Similar activity is alleged to have occurred in Interclick and McDonald’s, the two separate New York actions filed by plaintiff Sonal Bose. In Interclick, the defendant (a web advertising service) allegedly embedded its hidden links in the code it used to display advertisements to consumers on the web.13 Once the history sniffing code examined the colors of the hidden links, it transmitted the results to the defendant’s servers.14 In the McDonald’s case, Bose alleges that the defendants engaged Interclick to conduct their web advertising campaigns and, as part of those services, to perform history sniffing.15

In the fall of 2010, researchers from the University of California – San Diego (UCSD) issued an in-depth study on history sniffing and other practices that use JavaScript web applications to capture private information from computers connected to the Internet.16 The goal of this study was to learn more about the occurrence of these exploits “in the wild,” given that the lack of empirical evidence on the prevalence of these exploits was seen as a barrier to the development and implementation of defense mechanisms.17 The study confirmed that of the top 50,000 sites on the web, 46 of them were engaging in history sniffing and also had measures in place to obfuscate their conduct.18 Of these 46 sites, one was among the web’s top 100 sites – youporn.com – and nearly half (22) of these 46 sites obtained their history sniffing code from Interclick.19 (Both youporn and Interclick should sound familiar by now.) Finally, the study pointed out that at least two companies, Tealium and Beencounter, sell history sniffing services.20

How Can History Sniffing Be Detected by Potential Plaintiffs?

The answer to this question is not entirely clear. According to the report from UCSD, there are no publicly available tools for detecting history sniffing.21 Moreover, it appears as if the plaintiffs in Pitner, Interclick, and McDonald’s did not use any special tools, but rather were “tipped off” by the UCSD report. In Interclick, for example, the plaintiff alleges that the UCSD study provides independent confirmation of Interclick’s use of history sniffing technology.22 She also alleges that, after examining the contents of her local storage associated with Adobe Flash on her computer, she discovered an LSO that had been stored by Interclick.23 Based on this discovery, coupled with the fact that Interclick is an advertising service and was identified in the UCSD report as furnishing history sniffing code, the plaintiff alleges that she “believes” that Interclick accessed her browsing history.24 This same plaintiff makes similar allegations in McDonald’s.

The Legal History of History Sniffing

As discussed above, although history sniffing is nothing new in the computer world, it is a relative newcomer on the legal scene. The Pitner, Interclick, and McDonald’s cases are the first three in what may or may not be a long line, and these cases are just getting started. There is no meaningful activity on record in either Pitner or Interclick, and in McDonald’s the parties recently stipulated to extend the deadline for defendants to “answer, move, or otherwise respond” to the complaint until March 7, 2011.25 It is reasonable to expect that the defendants in all three cases will seek to dismiss them at their earliest opportunity.

History sniffing has not only grabbed the attention of the judicial system in recent months, it is now on the Federal Trade Commission’s radar screen. The Director of the FTC Bureau of Consumer Protection, David C. Vladeck, discussed history sniffing in early December in remarks made at meetings of various privacy organizations.26 Mr. Vladeck discussed the UCSD study and reported that FTC staff have met with web browser vendors regarding the development and implementation of fixes for the history sniffing problem.27

The Merits of History Sniffing Claims

The outcomes in the three current lawsuits on history sniffing will obviously serve as a litmus test for what is to come. If these cases all fall flat, that could spell a quick end to history sniffing litigation. On the other hand, if any of these cases are successful, then arguably any web user could have a case, either now or down the road.

The three current lawsuits present a number of potential theories of liability related to history sniffing. All of the suits include claims for violation of the federal Computer Fraud and Abuse Act, violation of the applicable state deceptive acts and practices statutes (i.e., “consumer fraud” statutes), and unjust enrichment.28 The case pending in California also includes claims for violation of the state computer crime and unfair competition statutes.29 The two cases pending in New York also include claims for violation of the Electronic Communications Privacy Act, trespass to personal property, breach of implied contract, and (in one of the cases) tortious interference with contract.30

The question is, out of all these causes of action, will any of them hold up under close scrutiny? Notwithstanding the difficulty of meeting the elements of these claims that address the defendants’ actions, the issue of damages could be particularly troublesome for the plaintiffs. For one, it could be difficult to place a value on a “violation of privacy” – especially when dealing with something as “public” as the Internet, where users already know that “cookies” are a fact of life – or impairment of the “integrity” of a computer or data. Additionally, these lawsuits allege that the plaintiffs’ browser histories contain confidential personal information that has discernable value to them, and that the defendants have taken this information away from the plaintiffs, thereby compromising the plaintiffs’ ability to sell such information themselves. Will a jury ever buy that argument? Does a market exist for individual web users to sell their browser histories?

Finally, from a policy perspective, Internet advertisers will point out that “history sniffing” is merely another form of finding out what products and services computer users (i.e., consumers) are specifically interested in, so that the advertisers may transmit “targeted” advertising to the users, rather than barrage them with random advertisements. They will further point out that Internet advertising is part of what keeps most websites free, and that if Internet advertisers cannot engage in targeted advertising, websites may no longer be free.

Concluding Thoughts

First, there were “cookies.” Now, there is “history sniffing.” Even if history sniffing is outlawed or abandoned, people will continue to browse the web, and Internet advertising will continue. So it is fair to assume that Internet advertisers will continue to develop new methods for tracking users’ web-browsing activities.


Walter E. Judge, Jr., is a director and Matthew S. Borick is a senior associate with Downs Rachlin Martin PLLC in Burlington, Vermont. Both are members of the firm’s Litigation and Intellectual Property Practice Groups and have litigated numerous cases involving intellectual property, computer crime, and consumer fraud. Both are active members of DRI and DRI’s Commercial Litigation Committee.

©2011 Bloomberg Finance L.P.  Originally published by Bloomberg Finance L.P. Reprinted with permission. The opinions expressed are those of the author.

____________________

1. Pitner v. Midstream Media Int’l, N.V., No. 8:10-cv-01850 (C.D. Cal. filed Dec. 6, 2010).

2. Complaint at 4-5, Pitner v. Midstream Media Int’l, N.V., (C.D. Cal. filed Dec. 6, 2010) (No. 8:10-cv-01850).

3. Bose v. Interclick, Inc., No. 1:10-cv-09183 (S.D.N.Y. filed Dec. 8, 2010); Bose v. McDonald’s Corp., No. 1:10-cv-09183 (S.D.N.Y. filed Dec. 8, 2010).

4. Dongseok Jang et al., An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications 2 (2010).

5. Id. at 1, 9.

6. Justin Brookman, All Your Browsing History Are Belong to Us [sic],

7. Dongseok Jang et al., An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications 9 (2010).

8. Complaint at 6-7, Pitner v. Midstream Media Int’l, N.V., (C.D. Cal. filed Dec. 6, 2010) (No. 8:10-cv-01850).

9. Id.

10. Id. at 7.

11. Id. at 7-8.

12. Id.

13. Complaint at 6, Bose v. Interclick, Inc., (S.D.N.Y. filed Dec. 8, 2010) (No. 1:10-cv-09183).

14. Id. at 7. The plaintiff also alleged that the defendant stored Adobe Flash LSOs (local shared objects), or “Flash cookies,” on her computer to track and profile her web use. Id. at 3-6. LSOs are used to recreate browser cookies that the user has deleted. Id. at 5.

15. Complaint at 4, 8, Bose v. McDonald’s Corp., (S.D.N.Y. filed Dec. 8, 2010) (No. 1:10-cv-09183).

16. Dongseok Jang et al., An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications 1 (2010).

17. Id. at 2.

18. Id. at 9.

19. Id.

20. Id. at 1.

21. Id. at 13. The authors of that study designed and employed a sophisticated policy language, which is described in the report, to detect history sniffing. Id. at 1-6.

22. Complaint at 7, Bose v. Interclick, Inc., (S.D.N.Y. filed Dec. 8, 2010) (No. 1:10-cv-09183).

23. Id. at 8.

24. Id.

25. Stipulation and Order at 1, Bose v. McDonald’s Corp., (S.D.N.Y. filed Jan. 26, 2011) (No. 1:10-cv-09183).

26. David C. Vladeck, Director, Fed. Trade Comm’n Bureau of Cons. Prot., Remarks at the Meeting of the International Association of Privacy Professionals (Dec. 7, 2010) (transcript available at http://www.ftc.gov/speeches/vladeck/101207vladeckspeechtoiapp.pdf); David C. Vladeck, Director, Fed. Trade Comm’n Bureau of Cons. Prot., Remarks at the Consumer Watchdog Conference (Dec. 1, 2010) (transcript available at http://www.ftc.gov/speeches/vladeck/101201vladeckspeechtoconsumerwatchdog.pdf).

27. Id.

28. Complaint at 12-19, Pitner v. Midstream Media Int’l, N.V., (C.D. Cal. filed Dec. 6, 2010) (No. 8:10-cv-01850); Complaint at 14-23, Bose v. Interclick, Inc., (S.D.N.Y. filed Dec. 8, 2010) (No. 1:10-cv-09183); Complaint at 13-24, Bose v. McDonald’s Corp., (S.D.N.Y. filed Dec. 8, 2010) (No. 1:10-cv-09183).

29. Complaint at 13-16, 18, Pitner v. Midstream Media Int’l, N.V., (C.D. Cal. filed Dec. 6, 2010) (No. 8:10-cv-01850).

30. Complaint at 16-19, 20-23, Bose v. Interclick, Inc., (S.D.N.Y. filed Dec. 8, 2010) (No. 1:10-cv-09183); Complaint at 15-18, 19-23, Bose v. McDonald’s Corp., (S.D.N.Y. filed Dec. 8, 2010) (No. 1:10-cv-09183).
