Greetings. A bit over a year ago, I reported here about a commercial firm using JavaScript tricks to pry into the site browsing history of unsuspecting Web users, and I discussed the serious negative implications of such spying.

Now comes a handy "do it yourself" guide detailing the kinds of obnoxious techniques involved, under the name "Sniff browser history for improved user experience" -- a quintessential example of how to portray (that is, spin) an obvious privacy invasion as if it were a user-friendly value proposition.

It's not terribly surprising that the author of the piece devotes only a couple of words to even the possibility that such techniques could be used for "evil" purposes.

But what's perhaps even more nauseating is the pro-privacy-invasion fan-boy comments to his article, mostly drooling over the possibilities.

While the browser history voyeurism technique described is not without some inherent limitations, it is more than powerful enough to be abhorrent to almost anyone with even a modicum of ethical sensibilities.

Turning off JavaScript is simply not practical for most Web users these days, given the major dependence on JavaScript and AJAX technologies at the heart of so many major (and less than major) Web sites.

But I can't find any ethical loophole for the use of such browser history surveillance techniques in the absence of affirmative and fully-informed opt-in permission being given by users for such intrusions.

I have no gripes with systems that collect browsing history information when this behavior is appropriately disclosed and explicitly agreed to by users in a voluntary manner (e.g., as is the case with various special-purpose toolbar products).

However, when browser history collection isn't disclosed and permission for that collection is not voluntarily granted, "sniffing" of user browser histories is the textbook definition of spying -- plain and simple -- regardless of whether or not the Web site operator claims that they're using the information collected only for "good" purposes.

For some Web users, the information that could be revealed by the application of such techniques could have health, safety, and even perhaps national security implications (think about the browser histories of law enforcement personnel, for example).

I'm not a lawyer, but I would assert that such spying should be illegal -- if it isn't already a civil or criminal infraction in various locales.

At the very least, I'd welcome the readership's suggestions as to legal processes (notifications?) and/or technical methods to fight back against anyone attempting to deploy these browser history spying abominations. But please keep in mind the limitations of script blocking plugins (that I described in my earlier blog posting), and the impracticality of turning off all JavaScript for most users.

Any ideas?

--Lauren--

Update: I should note that the "Browser History Sniffing" article referred to above was originally published two years ago, but has been making the rounds again including on current syndication feeds. In any case, the issues discussed above are as valid now as they were one year or two years back. Most people need JavaScript and aren't going to hassle with JavaScript or CSS blocking plugins. Rapid browsing history deletion makes histories useless for most users -- I know that I don't want to give up the value I get from histories over significant periods of time. But ultimately, the big issue is why should people need to jump through hoops to protect themselves from such invasive practices that should not be acceptable or possible in the first place?