January 21, 2009

New Web Analytics Service Spies on Web Browsing Activity Without Permission

Greetings. In the business of "Web Analytics" -- collecting, analyzing, and reporting of Web usage data -- various firms are continuously pushing the envelope.

Such data is in many ways the bread and butter of the free Web services that we've come to expect, since it is in key respects a crucial element of the ad-supported Web services ecosystem. However, the temptation to push analytics technology too far always exists.

A firm that appears to have succumbed to that temptation came to my attention today. Tealium Social Media, a service of Tealium in San Diego, California, is a commercial analytics service that uses JavaScript tricks to inspect -- without the knowledge or permission of Web users -- specific URLs in their current browser histories.

The service attempts to provide a finer grain of usage information than is typically available through analytical techniques, by querying users' browsers for the presence of particular URLs. While this does not permit the reading out of complete browser URL histories, it does permit the service to ask the potentially highly privacy-invasive question: "Has this user been to a particular URL recently?"

Obviously, by sending a variety of such queries (all of which are essentially invisible to the user), a fascinating portrait of users' activities could be generated. Visited this CNN story? This government Web page? This porn image? This medical information page? Well, you get the idea.

While the JavaScript functionalities that enable this intrusion have been known for quite some time in hacking and other technical circles, this appears to possibly be among the first commercial applications of this technique.

I had a cordial chat early this afternoon with Olivier Silvestre, one of Tealium's partners, and a later e-mail exchange with Ali Behnam, another partner.

They both emphasized a number of points that will sound all too familiar, and I'm afraid far from convincing. They noted that they do not collect PII ("personally-identifiable information"), don't accumulate user-linked data, and only query browser histories for specific ("social media") related links. It was also mentioned that they have obfuscated their JavaScript to try to prevent their clients from altering the code, have a customer use policy that prohibits their clients from attempting such alterations, have put in place a privacy policy ... and so on.

Opt-out is apparently possible via a cookie -- but of course you have to know what's going on before you'd ever think to set an opt-out cookie! They hope to move to non-cookie opt-out techniques, and claimed in answer to my query that they'd really prefer to be opt-in, but realize that getting people to opt-in to such a service could be, shall we say, impractical.

If so much of this sounds like deja vu, it's because we've heard virtually all of it before. In many ways it's quite similar to arguments made by Phorm and NebuAd, which were roundly criticized as self-serving and inadequate.

The fundamental question is an obvious one -- "Unless we're asked for our permissions in advance, what the hell business is it -- of anyone but ourselves -- what is or is not in our browser histories?"

Arguments about not collecting PII, only looking for particular URLs, and all the rest, necessarily fall flat. Inspecting browser URL histories in such a manner -- without affirmative opt-in permission -- clearly crosses the line from acceptable analytics to an unacceptable intrusion into private activities.

If a burglar argued that the only reason they conducted break-ins was to check to see if you had purchased particular products, would such reasoning be likely to prevail in court? I'm not a lawyer, so I won't attempt here to present a legal analysis of the Tealium technique -- though I'd certainly be interested to hear opinions about this.

But again, the guys at Tealium were friendly and open in our contacts, and made no attempt to evade my questions. Clearly we're dealing in this case with a very different view of what privacy is, and what is acceptable behavior on the Web.

My hope is that Tealium will reconsider their use of this methodology, and I urge that all browsers vulnerable to such manipulations be altered to prevent their use.

In the meantime, there are some ways to protect yourself from this technology, though none are particularly pretty. You can make a practice of clearing your browser history frequently, or not keeping a history at all, but these are both inconvenient. You can turn off JavaScript, but this will completely break a vast number of sites and is generally not very practical these days.

[ Update (1/22/09): Several people have suggested the Firefox "NoScript" plugin as a method for finer-grained control over JavaScript. This is certainly available, though it is not necessarily clear which sites to script block, or what the side-effects of selectively blocking JavaScript will be in any given case. But as a practical matter, most people can't run NoScript since they don't use Firefox, and most people who run Firefox tend not to use plugins. The only ad hoc "solution" available to pretty much everyone with a Web browser is to turn off JavaScript completely, with the serious downside already noted. More to the point, blocking such activities at the PC is essentially a diversion from the larger issues surrounding the Tealium service, such as should their technique be permitted at all and is it legal in all jurisdictions? It is unrealistic to expect everyone to fiddle around with their browser configurations to try to protect against these sorts of intrusive activities. ]

Or you might contact Tealium and let them know if you do (or don't) approve of their practices in these regards.

As far as I'm concerned, my browser history is mine, nobody else's. Period. Full stop. End of discussion.

--Lauren--

Posted by Lauren at January 21, 2009 03:04 PM
Twitter: @laurenweinstein
Google+: Lauren Weinstein