Last week, Jonathan Mayer, a graduate student at the Stanford Institute for Internet and Society, released a blog post reporting that Epic Marketplace, a major US advertising network and member of the Network Advertising Initiative (NAI), is history stealing via the CSS history hack. This declaration has instigated an ongoing conversation in the internet security and advertising worlds about the ethics and legality surrounding these tactics, especially once users have opted-out or activated Do Not Track. We find this discussion particularly interesting as we’ve seen these methods used by the blackhat affiliates that we monitor on a daily basis.
What is the CSS History Hack?
The CSS history hack is a way to exploit a common hole in web browsers that exposes where a user has been on the Internet and which sites that user has previously visited. In simple terms, your web browser renders links to sites you have visited differently from links to sites you have never visited; for example, an unvisited link appears blue but a visited link is purple. The person performing the hack provides a list of links and a method to check how each one is rendered and, from that difference, is able to infer whether you have been to those websites before. More detail about this process can be found in our internal FAQ or on the site http://www.whattheinternetknowsaboutyou.com.
This information can be accessed on versions of Internet Explorer, Chrome, Mozilla, and Firefox. Although all the major browser companies have released fixes and updates in the past year, Mayer suggests that based on browser usage statistics, about half of all users continue to run older versions of their browsers and thus remain vulnerable.
In a past blog post, we discussed in detail how and why abusive affiliates use this technique, but, to summarize briefly, we most often see this hack performed by affiliates seeking to avoid detection for trademark bidding. They will use this hack to see if a visitor to their site works at a merchant or an affiliate network, or if they have visited sites like BrandVerity. If an affiliate sees that a user has visited sites like www.brandverity.com/account/login or adcenter.microsoft.com, the user will be sent immediately on to the merchant website without the affiliate dropping a cookie.
By redirecting certain users in this way, the affiliate succeeds in hiding their illegitimate business from merchants and affiliate managers while simultaneously monitoring their investigations. That is to say, by running a CSS history hack, an affiliate can be pre-warned of an investigation into their activities and granted the time to alter their tactics to protect their commissions. Of course, the broader ramifications of a history hack lie in the capacity for a hacker to use history “stealing” or “sniffing” to track or identify a user. In general, it is considered a major privacy violation.
Epic Marketplace: The Accusations and Their Response
Mayer and his team claim that they caught Epic Marketplace, an online advertising company, history stealing on Flixster and Charter.net. They highlight the following features of the Epic Marketplace history stealing script:
* The script is fast. Thousands of links are tested per second.
* Links are added in an invisible iframe; there is no apparent effect on the page layout.
* The script dynamically loads lists of URLs and associated interest segments using JSONP.
* Progress is stored in a cookie so the script can resume where it left off.
* The script sets a cookie indicating when it was last run; it will not history steal more than once every twenty-four hours.
* If history stealing is still in progress when the window is closed (e.g. the user navigates to another page) the script sends its findings before ending execution.
* The script slows down if a URL list takes over two seconds to process.
* To prevent multiple history stealing attempts in parallel, the script uses a mutex cookie.
* The script does not directly report the URLs that it detects the user has visited; it sends a deduplicated list of the interest segments associated with the visited URLs.
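The features listed above double as detection indicators. As an added example (not Epic Marketplace's script and not BrandVerity's code), the Node.js scanner below scores a captured JavaScript source against those indicators; the patterns, weights and threshold are assumptions, and both fixtures are constructed for the demonstration.

```javascript
// Static heuristic scanner for history-sniffing indicators (added example).
const INDICATORS = [
  // Reading a link's rendered style is how :visited state leaked on old browsers.
  { id: 'visited-style-probe', weight: 3, re: /getComputedStyle|currentStyle|:visited/ },
  // Links injected into an iframe that is hidden from the page layout.
  { id: 'hidden-iframe', weight: 2,
    re: /createElement\(\s*['"]iframe['"]\s*\)[\s\S]{0,300}?(display\s*[:=]\s*['"]?none|visibility\s*[:=]\s*['"]?hidden)/ },
  // Anchor elements created in a loop (thousands of links tested per second).
  { id: 'bulk-link-creation', weight: 2,
    re: /for\s*\([^)]*\)\s*\{[\s\S]{0,300}?createElement\(\s*['"]a['"]\s*\)/ },
  // URL / segment lists fetched via JSONP (script tag with a callback parameter).
  { id: 'jsonp-loader', weight: 1,
    re: /createElement\(\s*['"]script['"]\s*\)[\s\S]{0,300}?callback=/ },
  // Progress, last-run or mutex state kept in cookies.
  { id: 'state-cookie', weight: 1, re: /document\.cookie\s*=/ },
];

// Returns the matched indicator ids, a weighted score and a verdict.
function scoreScript(source) {
  const hits = INDICATORS.filter((i) => i.re.test(source));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  // The style probe is required: cookies and JSONP alone are ordinary ad-tech behaviour.
  const suspicious = score >= 6 && hits.some((i) => i.id === 'visited-style-probe');
  return { score, hits: hits.map((i) => i.id), suspicious };
}

// Constructed fixtures (assumed, not real third-party code).
const BENIGN_TAG = `
  var s = document.createElement('script');
  s.src = 'https://ads.example/segments.js?callback=onSegments';
  document.cookie = 'optout=1; path=/';
`;
const SNIFFER_LIKE = `
  var f = document.createElement('iframe'); f.style.display = 'none';
  for (var i = 0; i < list.length; i++) { var a = document.createElement('a'); a.href = list[i]; }
  if (window.getComputedStyle(a, null).color === VISITED_COLOR) seen.push(list[i]);
  document.cookie = 'hs_pos=' + i + '; hs_lock=1';
`;

console.log(scoreScript(BENIGN_TAG));   // suspicious: false
console.log(scoreScript(SNIFFER_LIKE)); // suspicious: true
```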
The interest segments for which Epic Marketplace searches range from broad to specific and from fairly innocuous to highly personal. Some of the examples Mayer pulls include discount sites like Groupon and eBay Daily Deals, sites about the Ford Fiesta, and pages about fertility, menopause, and repairing bad credit.
Mayer further asserts that Epic Marketplace continues to leave tracking cookies on users’ browsers even after they have opted out with the NAI opt-out tool or by enabling Do Not Track in their browser. He further claims that active history stealing continues after using either tool and has reconfirmed this statement following Epic Marketplace’s response to the original blog post.
Epic Marketplace did respond within twenty-four hours of Mayer’s posting. While claiming that they take all such allegations very seriously and immediately take corrective action should it be deemed necessary, the company also made clear that they find Mayer’s understanding of ad network practices to be biased, unsophisticated, and no more than student work. Suggesting a change in terminology from “history stealing” to “segment verification” (a distinction that Mayer rejects), they maintain that this kind of data collection happens in nearly all web transactions. They contend that this information allows companies to verify the data they purchase from data vendors at no risk to consumer privacy. Epic Marketing CMO Michael Sprouse reasserted this position in an email to Joe Mullin at paidContent. The company further asserts that none of the data pulled via segment verification is personally identifiable information, nor is that data ever combined with potentially personally identifiable data points.
Finally, Epic Marketing’s blog post definitively states that “when the user opts out, all data collection efforts cease.” Although they admit to leaving cookies on the user’s computer after a user opt-out, they maintain that, as for other ad networks, the purpose of those cookies is to provide operational information for all (not just targeted) ads, to monitor for fraudulent activity, and to establish the consumer as one who has indeed opted-out. They assert that the user’s profile data is deleted and all behavioral data collection from that user ceases.
Epic Marketplace strongly maintains that this practice is entirely consistent with the NAI’s definition of opt-out as well as industry standards, and a blog post by NAI executive director Chuck Curran last week seems to confirm this statement.
Epic Marketplace and their Links to Affiliate Marketing
These allegations concerning Epic Marketplace are of particular interest to us at BrandVerity because of the company’s strong ties to a large and well-known CPA affiliate network, Epic Direct, formerly known as Azoogle Ads. Both Epic Direct and Epic Marketplace are subsidiaries of the Epic Media Group, a global digital marketing solutions company whose brands also include Epic Social, Creative by Epic, and Entertainment by Epic.
Epic Marketplace recently replaced Traffic Marketplace as Epic Media’s market brand with the stated purpose of operating EpicSocial, EpicMobile, and EpicDisplay. Their June 2011 press release states that Epic Marketplace “enables brands and advertisers to leverage the distinctive strengths of social media, pervasive mobile advertising, premium display targeting, video and rich media.”
Epic Direct remains a separate division of Epic Media. The two divisions are closely related, however, and we do not know the extent of data sharing between them.
Whether or not Epic Marketplace is actively studying blackhat techniques in order to track users, it is clear that the methods they use closely resemble those already at work in the affiliate field. The fact that Epic Marketplace and Epic Direct are sister companies inevitably raises some concerns about the affiliate network’s position on these tactics, especially given Epic’s active participation in the creation and implementation of compliance standards for internet marketing.
Epic Media, Epic Direct, and Epic Marketplace are all considered trendsetters for compliance in their respective fields. In particular, Epic Media Group is a leader in the discussion surrounding performance marketing compliance. It is a Platinum Charter member of the Performance Marketing Association and holds the chair of that organization’s Anti-Fraud/Anti-Abuse Working Group. Epic Direct was rated by mThink as the top CPA network for 2010 due to their account management standards. And finally, Epic Marketplace is A+ rated with the Better Business Bureau, DoubleVerify has rated it a top firm in advertising compliance and accountability, and they consider themselves outspoken advocates for protecting consumer data.
The Impacts of these Techniques on Affiliate Marketing
As both the law and industry policy currently stand, this type of browser history stealing, sniffing, hacking, or segment verification may be legal. There are currently class actions pending against YouPorn, Interclick, and McDonalds for the same activity, but until these cases are decided, Epic Marketplace may be within their rights to exploit this privacy flaw in users’ browsers. This article by lawyers Walter E. Judge, Jr. and Matthew S. Borick addresses the legal history of history sniffing and the potential merits and impacts of these cases.
We do feel, however, that this sort of practice is a serious privacy violation, and we aren’t the only ones. On Google+ last week, Jules Polonetsky, the director and co-chair of the Future of Privacy Forum, called Epic’s behavior “unacceptable,” and Mullin at paidContent suggests that privacy lawyers are ready “to jump at privacy snafus much smaller than this” and that the Federal Trade Commission may end up getting involved. And indeed, the FTC has responded strongly to allegations of history sniffing in the past. Under public and legal pressure, organizations such as YouPorn, Interclick and Feedjit have reportedly suspended their history stealing activities.
More generally, we think that this kind of behavior tarnishes the reputation of the affiliate marketing industry as a whole. At BrandVerity, we believe that the industry can and should hold itself to a higher standard and we continue to affirm our commitment to helping maintain ethical marketing practices.
Update: Epic Marketplace's CEO Don Mathis comments upon Epic's privacy policies and discusses the end of their history sniffing in this open letter.
Update: Many of the claims brought against Interclick and McDonald's in New York state have been dismissed.
Update: Mathis also responds to the Wall Street Journal article discussing history sniffing and supercookies here.