FTC Busts Advertisers In Browser Snooping Scandal, But Web Sites Shouldn't be Off the Hook

Today, the FTC announced a settlement with Epic Marketplace, an online advertising company that had abused a security flaw in popular web browsers in order to covertly “sniff” other websites visited by consumers.

According to the FTC complaint, for a period including between March 2010 and August 2011, the online advertising company Epic Marketplace probed the browsing history of visitors to popular websites including CNN, the Red Cross, and Orbitz in order to determine which other web sites those consumers had previously visited. The pages revealed by this snooping included those relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy.

The specific security vulnerability exploited by Epic, dubbed “CSS browser fingerprinting” by security experts, relies on the fact that web browsers use different colors to represent links to sites that have been previously visited. By writing special code that detects or “sniffs” the color of a link to a particular 3rd party site, a malicious website can determine whether or not someone visiting that site has visited other 3rd party sites.

This flaw has existed for more than a decade, although most of the big web browsers only fixed the issue in 2010 (it took Microsoft an additional year to fix it in IE9). Even so, there are still millions of users running out-of-date-browsers that remain vulnerable to this security flaw. Months after the web browsers started to address the flaw, security researchers revealed that several online advertising companies had started to abuse the vulnerability in web browsers to dig through the browsing history of visitors to popular websites, including YouPorn.com, which at the time was the 61st most popular site on the web.

Although the 2010 research study and subsequent press coverage led to several class action lawsuits, it did not lead to any public action by the FTC. However, in 2011, Stanford researcher Jonathan Mayer revealed that online advertising company Epic Marketplace was abusing the same browser history sniffing technique. A subsequent investigation by the FTC led to Epic Marketplace abandoning the practice. The company has also agreed to a 20-year consent order with the FTC prohibiting it from lying to consumers about its online tracking activities or engaging in further browser fingerprinting. The company apparently laid off all of its staff this summer and has shut down, so the FTC’s settlement may be the final nail in the coffin.

We are of course delighted to see that the FTC went after and punished Epic Marketplace for its abuse of consumer privacy. However, the FTC’s reliance on its “deception” authority (in which Epic has been punished not for abusing a browser flaw, but for not telling consumers about it in its privacy policy) raises serious questions about whether another ad network could lawfully engage in similar harvesting of private consumer data if it merely disclosed the activity in the small print of a privacy policy that no one reads.

We also think that the web sites where Epic was improperly collecting data are in no way innocent victims. Consumers have no relationship with the hundreds of online ad companies that quietly track them as they browse the web, but they do know who CNN and Orbitz are. Epic’s behavior reflects a failure by CNN, Orbitz and the Red Cross to police the behavior of the advertising companies they partner with, and an unwillingness to protect the privacy of their own customers. These consumer-facing companies can and should require the advertising companies tracking consumers on their own websites to inform them about the techniques used and where sensitive categories of information, such as medical data, are collected, the consumer facing companies should proactively sign off on the collection.

People visit CNN to learn about the news, not to have a sketchy advertising company dig through their web browsing history for information about visits to other websites related to menopause and incontinence. The name-brand websites that allowed Epic Marketplace to harvest information about visitors should be on the hook as well.