The Law and Business of Social Media
December 18, 2012 - FTC, Privacy

FTC Snuffs Out Online “History Sniffing”

The Federal Trade Commission (FTC) has cracked down on a company that was engaged in “history sniffing,” a means of online tracking that digs up information embedded in web browsers to reveal the websites that users have visited. In a proposed settlement with Epic Marketplace, Inc. and Epic Media Group (together, “EMG”) announced on December 5, 2012, the FTC settled charges that EMG had improperly used history sniffing to collect sensitive information regarding unsuspecting consumers.

EMG functions as an intermediary between publishers—i.e., websites that publish ads—and the advertisers who want to place their ads on those websites. It does this through online behavioral advertising, which typically entails placing cookies on websites a consumer visits in order to collect information about his or her use of the website and then using that information to serve targeted ads to the user when he or she visits other websites within the EMG Marketplace Network.

What got EMG into trouble was that it also used history sniffing to collect information regarding the websites that users visited. Here’s how the technique works. In your web browser, hyperlinks to websites change color once you have visited them. After you have visited a webpage, the hyperlink to it will most likely appear in one color (e.g., purple). If you haven’t been to a particular webpage before, any link to it will probably show up in another color (e.g., blue). History sniffing code exploits this feature to go through your browser—that is, to “sniff” around—to see what color your hyperlinks are. When the code finds purple links, it knows that you’ve been to those websites.
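From the auditing side, the behavior described above leaves a recognizable footprint: a script reads the computed color of links pointing at many unrelated sites. The sketch below is an added example, not code from the FTC complaint or from EMG. The names `createSniffMonitor` and `probe`, the threshold of 20 hosts, and the stand-in style function are all assumptions made for illustration.

```javascript
// Added example: audit hook that counts color reads on links (names are hypothetical).
function createSniffMonitor(realGetComputedStyle, threshold = 20) {
  const probedHosts = new Set(); // distinct link hosts whose color was read
  let colorReads = 0;

  function note(element) {
    colorReads++;
    try { probedHosts.add(new URL(element.href).hostname); } catch { /* unparsable href */ }
  }

  function getComputedStyle(element, pseudo) {
    const style = realGetComputedStyle(element, pseudo);
    const isLink = element && String(element.tagName).toUpperCase() === 'A' && element.href;
    if (!isLink) return style; // only hyperlinks carry visited/unvisited color
    return new Proxy(style, {
      get(target, prop) {
        if (prop === 'color') note(element);
        if (prop === 'getPropertyValue') {
          return (name) => {
            if (name === 'color') note(element);
            return target.getPropertyValue(name);
          };
        }
        const value = Reflect.get(target, prop);
        return typeof value === 'function' ? value.bind(target) : value;
      },
    });
  }

  // Assumed cut-off: ordinary scripts rarely inspect link color across many hosts.
  const report = () => ({
    colorReads,
    distinctHosts: probedHosts.size,
    suspicious: probedHosts.size >= threshold,
  });
  return { getComputedStyle, report };
}

// Constructed stand-in for window.getComputedStyle so the example runs outside a browser.
const fakeGetComputedStyle = () => ({
  color: 'rgb(0, 0, 238)',
  getPropertyValue(name) { return this[name]; },
});

// Constructed workload: read the color of one link per host, then return the report.
function probe(hostCount) {
  const monitor = createSniffMonitor(fakeGetComputedStyle);
  for (let i = 0; i < hostCount; i++) {
    monitor.getComputedStyle({ tagName: 'A', href: `https://site${i}.example/` }).color;
  }
  return monitor.report();
}
```

With the constructed workload, `probe(3)` stays below the threshold while `probe(30)` is flagged, which is the kind of signal an ad-code reviewer would look for before approving a third-party script.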

According to the FTC, for almost 18 months—from March 2010 until August 2011—EMG included history sniffing code in ads it served to website visitors on at least 24,000 webpages within its network, including webpages associated with name brand websites. EMG used the code to determine whether consumers had visited more than 54,000 different domains, including websites “relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy.” EMG used this sensitive information to sort consumers into “interest segments” that, in turn, included sensitive categories like “Incontinence,” “Arthritis,” “Memory Improvement,” and “Pregnancy-Fertility Getting Pregnant.” EMG then used the sensitive interest segments to deliver targeted ads to consumers.

History sniffing is not per se illegal under U.S. law. What got EMG in trouble was that it allegedly misrepresented how it tracked consumers. First, EMG’s privacy policy at the time stated that the company only collected information about visits to websites within the EMG network; however, the FTC alleged that the history sniffing code enabled EMG to “determine whether consumers had visited webpages that were outside the [EMG] Marketplace Network, information it would not otherwise have been able to obtain.” EMG’s tracking of users in a manner inconsistent with its privacy policy was therefore allegedly deceptive, in violation of Section 5 of the FTC Act.

Second, EMG’s privacy policy did not disclose that the company was engaged in history sniffing; it disclosed only that it “receives and records anonymous information that your browser sends whenever you visit a website which is part of the [EMG] Marketplace Network.” According to the FTC, the fact that the company engaged in history sniffing would have been material to consumers in deciding whether to use EMG’s opt-out mechanism. EMG’s failure to disclose the practice was therefore also allegedly deceptive in violation of Section 5 of the FTC Act.

The proposed consent order would, among other things, require EMG to destroy all the information that it collected using history sniffing, bar it from collecting any data through history sniffing, prohibit it from using or disclosing any information that was collected through history sniffing, and bar misrepresentations regarding how the company collects and uses data from consumers or about its use of history sniffing code.

EMG stopped its history sniffing in August 2011, and most new versions of web browsers have technology that blocks this practice. Nonetheless, the FTC made it clear in the complaint that it wanted to highlight the problem because history sniffing “circumvents the most common and widely known method consumers use to prevent online tracking: deleting cookies.” Mark Eichorn, assistant director of the FTC’s Division of Privacy and Identity Protection, told the Los Angeles Times that the FTC “really wanted to make a statement with this case.” He added, “People, I think, really didn’t know that this was going on and didn’t have any reason to know.” The proposed consent order puts online tracking and advertising companies on notice: If you collect data in a manner inconsistent with—or not disclosed in—your privacy policy, you run the risk of a charge of deception.