Internet Search History & Security
Security researchers with Spi Dynamics have demonstrated a
technique that exposes a user's past search queries, as well as
the websites that user has visited, to online publishers.
Websites could use the technique to check if a user has
researched its products through search engines. An insurance
provider, for instance, could deploy the method to verify if a
client applying for life insurance has ordered cigarettes
online. It could also allow Amazon to check if users have been
shopping with competing stores.
"You can basically determine how loyal of a customer I am and
offer me a price break," Billy Hoffman, a lead security
researcher with Spi Dynamics, told vnunet.com.
Hoffman likened the technique to the publication by AOL of 20
million search queries from 650,000 of its users last August.
The 439Mb of data was released as part of a research project and
AOL was soon forced to delete the information over privacy
concerns.
Although the data couldn't directly be linked to individual
users, the New York Times was able to trace back one set of
search queries to 62-year-old Thelma Arnold from Lilburn,
Georgia.
"The release of the AOL data a few months ago showed that you
can learn so much about a person from their search engine
queries. Imagine that scary lack of privacy, but for everybody
on the internet," said Hoffman.
The URL for each online search query is formed in a standard way
and discloses the keywords that the user entered. Web browsers
store these URLs in a history file, which among other things
allows the color for a previously visited link to look different
from a fresh one.
Spi Dynamics' technique checks a series of predefined URLs
against the URLs in a user's search history through a JavaScript
application that is embedded on a webpage. The code is executed
on the user's system without any noticeable performance
interruption.
Most browsers are set to save the history for several days.
Firefox by default is configured to save the history for 9 days
while Internet Explorer holds on to the URLs for 20 days.
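The search-URL and retention points above, as an added example (not code from Spi Dynamics or from the article): a small audit of a constructed browser history that lists which entries still disclose search keywords under each browser's default retention. The hosts, dates, query-parameter names and function names are assumptions made for illustration.

```javascript
// Default history retention (days) as quoted in the article.
const RETENTION_DAYS = { firefox: 9, ie: 20 };
// Assumption: query-string parameters that commonly carry search keywords.
const QUERY_PARAMS = ["q", "p", "query", "search"];
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample history; hosts and dates are made up.
const NOW = new Date("2007-01-20T00:00:00Z");
const SAMPLE_HISTORY = [
  { url: "https://search.example/search?q=cheap+cigarettes+online", visited: "2007-01-15T10:00:00Z" },
  { url: "https://find.example/results?p=life%20insurance%20quotes", visited: "2007-01-05T10:00:00Z" },
  { url: "https://shop.example/cart", visited: "2007-01-19T10:00:00Z" },
  { url: "https://search.example/search?q=old+query", visited: "2006-12-20T10:00:00Z" },
  { url: "not a url", visited: "2007-01-19T10:00:00Z" },
];

// Return { host, terms } for a history URL that discloses keywords, else null.
function searchTerms(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // malformed entries disclose nothing we can parse
  }
  for (const name of QUERY_PARAMS) {
    const value = url.searchParams.get(name); // decodes "+" and %XX escapes
    if (value && value.trim()) {
      return { host: url.hostname, terms: value.trim().toLowerCase() };
    }
  }
  return null;
}

// List the searches still held in history under a browser's default retention.
function exposedSearches(history, browser, now) {
  const days = RETENTION_DAYS[browser];
  if (days === undefined) throw new Error(`unknown browser: ${browser}`);
  const cutoff = now.getTime() - days * DAY_MS;
  const exposed = [];
  for (const entry of history) {
    if (new Date(entry.visited).getTime() < cutoff) continue; // already expired
    const hit = searchTerms(entry.url);
    if (hit) exposed.push(hit);
  }
  return exposed;
}

console.log(exposedSearches(SAMPLE_HISTORY, "firefox", NOW));
console.log(exposedSearches(SAMPLE_HISTORY, "ie", NOW));
```

With the sample data, the 15-day-old search has expired from the 9-day window but is still present in the 20-day one, which is why a shorter retention setting reduces what a history check can reveal.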
Hoffman said that he isn't aware of anyone using the technique
to track online user behavior. But he added that if marketers
had figured out the technique, they probably wouldn't disclose
their use.
The company isn't certain about the legality of the technique.
Although it has obvious privacy implications, the technology is
no different from ways that websites today check for a system's
screen resolution and installed plug-ins.
A proof of concept application is available on the Spi Dynamics
website.