A new paper (pdf) from researchers at the University of California, San Diego reveals that a significant proportion of the 50,000 most-visited sites on the web are engaging in some level of behavioral tracking. Furthermore, and more disturbingly, a few are actually examining your browser’s history to determine what other sites you visit, exploiting a security vulnerability known about for a decade.
Youporn.com, which determines whether a user has visited its competitors’ websites, even went so far as to engage in a primitive form of cryptography in order to hide the URLs of the sites it’s asking about.
The researchers singled out the Huffington Post for special opprobrium:
Suspicious website While investigating several sites that installed event handlers, we also found that the huffingtonpost.com site exhibits suspicious behavior. In particular, every article on the site’s front page has an on-mouse-over event handler. These handlers collect in a global data structure information about what articles the mouse passes over. Despite the fact the information is never sent on the network, we still consider this case to be suspicious because not only is the infrastructure present, but it in fact collects the information locally.
Morningstar.com has reported that it had no idea it was collecting this information, which appears to have been gathered by an ad network, called Interclick, running banners on its site. Interclick claims that the history sniffing it engaged in was simply an attempt to gather quality-control data to verify the anonymized data it gets from other sources. This data allows it to segment users by type, for example, car enthusiast, technology buyer, juggalo, etc.
This post is indebted to the uncommonly good (and thorough) technology reporting of Forbes.com’s Kashmir Hill.