How To Profit From Invading Your Users' Privacy

*Important Notice* Please consult the laws in your area before acting on anything in this post. Even though many sites are using some of the methods I describe, that does not mean it's legal. Consult your legal counsel.

What if I told you that just by visiting my website I am able to know everything about you? What sites you have been to, your name, your wife’s name, your phone number, your household income, and much more.

Here is how it works

One of the things your web browser (Internet Explorer, Chrome, Firefox, etc.) does is check the links on the page you are viewing against your browsing history. This is a “feature” for the user, so they are able to tell if they have been to a site before. By default, links that you have not visited are underlined blue and links that you have visited are a violet color.

Websites can override these defaults using cascading style sheets (CSS) to make links a certain color, or even replace the text altogether and load images for the links or, more importantly, for visited links. Now I can also set each visited link to a particular image.

So, let's say you come to my site and have visited I could load as the image for that link if you had visited the site. But that is not very practical.

What would be practical (and profitable) is to set links for the top 10000 retail sites in the world in a 1 pixel frame that the user would never see. While the user would not see it… the website owner would and then could load advertisements based on what sites you have previously visited.

This actually exposes a MUCH bigger problem though. If you can load an image based on where a person has been, then what's stopping me from dropping an eBay affiliate cookie if you have been to eBay? An Apple cookie if you have been to An Amazon cookie, if I know you shop at Amazon?

Dropping these cookies via an image would pay me every time you continue to shop at these sites you already shop at. Plus it would be a nightmare for affiliate programs, because unlike most cookie stuffing your click-through-to-conversion rate would be in line (maybe even more in line) compared with blindly cookieing the entire world and easily getting busted.

Now before you run off and do this: people are not only getting kicked out of affiliate programs for stuffing cookies, but some are actually being charged with “wire fraud” by the FBI.

It doesn’t really matter anyway though, because about a year ago web browsers started blocking the ability to load images from visited active links.

So can you still see where all your users have been? Yes, but it takes a little more technical ability.

Through JavaScript you can check to see if your visitors have visited. All you have to do is set your visited links to an arbitrary color and then simply query the browser to see which links match the color you have chosen.

Let's say we don’t even use CSS and leave the visited link as the default color.

Then I would run this code on the page:

function stealHistory() {
   // `websites` is a predefined array of URLs to test (defined elsewhere on the page)
   // loop through websites and check which ones have been visited
   for (var i = 0; i < websites.length; i++) {
      var link = document.createElement("a");
      link.id = "id" + i;
      link.href = websites[i];
      link.innerHTML = websites[i];
      // ask the browser what color it is rendering this link in
      var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");
      // check for visited
      if (color == "rgb(0, 0, 255)") {
         document.write('' + websites[i] + '');
      } // end visited check
   } // end loop over websites
} // end stealHistory

This would loop through a predefined set of specified websites and then check to see what color your web browser is displaying them as. If you have visited them then I know.
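For anyone auditing a site or a third-party script for the two patterns described above (a `:visited` rule that fetches an image, and script that reads a link's computed color), a static heuristic like the following can flag candidates for manual review. This is an added example, not code from this post or from the UCSD report; the function names, the score threshold and the sample inputs are constructed.

```javascript
// Added example: static heuristics for the two history-sniffing patterns in this post.
// Function names, the score threshold and all sample inputs are constructed.

// CSS pattern: a :visited rule whose declarations fetch a URL (one request per visited link).
function findVisitedUrlRules(css) {
  const findings = [];
  const rule = /([^{}]+)\{([^{}]*)\}/g; // selector { declarations }
  let m;
  while ((m = rule.exec(css)) !== null) {
    const selector = m[1].trim();
    if (/:visited\b/i.test(selector) && /url\s*\(/i.test(m[2])) {
      findings.push({ type: "css-visited-url", selector });
    }
  }
  return findings;
}

// JS pattern: script creates anchors, reads their computed colour, compares it to a literal.
function findComputedColorProbe(js) {
  const signals = {
    createsAnchor: /createElement\s*\(\s*["']a["']\s*\)/i.test(js),
    readsComputedStyle: /getComputedStyle\s*\(/.test(js),
    readsColor: /getPropertyValue\s*\(\s*["']color["']\s*\)|\.color\b/.test(js),
    comparesColor: /[=!]==?\s*["'](rgb\([^"']*\)|#[0-9a-f]{3,6})["']/i.test(js),
  };
  const score = Object.values(signals).filter(Boolean).length;
  return { signals, score, suspicious: score >= 3 }; // 3 of 4 signals: flag for review
}

// Constructed samples: a stylesheet, a probe shaped like the loop above, a benign theme read.
const SAMPLE_CSS = `
a:visited { color: purple; }
a[href="https://shop.example/"]:visited { background: url(/t.gif?s=shop); }
a:hover { background: url(/hover.png); }`;
const SAMPLE_PROBE_JS = `
var link = document.createElement("a");
link.href = sites[i];
var color = document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
if (color == "rgb(0, 0, 255)") { hits.push(sites[i]); }`;
const SAMPLE_BENIGN_JS = `
var c = getComputedStyle(document.body).getPropertyValue("color");
document.documentElement.style.setProperty("--text", c);`;

console.log(findVisitedUrlRules(SAMPLE_CSS));
console.log(findComputedColorProbe(SAMPLE_PROBE_JS).suspicious,
            findComputedColorProbe(SAMPLE_BENIGN_JS).suspicious);
```

Current browsers answer `getComputedStyle` as if every link were unvisited and restrict `:visited` rules to a few color properties, so a hit from either check points to legacy or third-party code that was written to sniff history rather than to a working leak.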

Now you might think that it takes a while to check all these sites to see if you have visited them before. It is a client-side operation, so it varies, but in my tests I was able to load 10,000 sites in less than 5 seconds.

The scary thing is you could mix some AJAX in with this and load an image that would still stuff cookies, or maybe even an iframe.

Now the above is obviously just proof-of-concept code. You would want to log the data to some sort of database.

What if I told you I was doing this to people on my sites… not stuffing but just tracking them. Tracking their IP with all the sites they visit. You would say I am pretty shady, right?

Big sites are doing it right now

A report done 7 months ago by the University of California, San Diego scanned more than 50,000 of the top Alexa-ranked sites, and here are some of the big names that were using JavaScript to detect what sites you have been to:

Maybe you recognize some of them? A lot of them have since removed the code. Read the full report for more details. It also has the exact code the sites were using (a lot better than my example above).

But what is the data probably used for?

What the report found was that out of the over 400 sites that were getting your history, 90% of them were sniffing for eBay. Why? Was eBay buying data on who visits their site and where they go?

The most practical application for this is for the website owner to sell the data (that would include your IP address and all the major retail outlets you visit) to advertising companies like Double Click. They could then target those users throughout their entire network.

Enough about history. What else can we find out?

Let's take it a bit further. If you were to comment or use any service on a site, they could take that email and run it against Facebook’s tools. Being that 70% of people on the internet have a Facebook account and Facebook has your account “open” by default, I can look up all the information on your Facebook account that is publicly accessible. By default this includes your phone number, your interests, all your friends, your location, where you work and tons of other stuff.

I could then add this to my arsenal of data that I have on you to sell you products (or sell the data to a company who does so).

Let's take that another step further. There are services out there that aggregate data from many sources and can look up people’s information from a phone number or email.

So now I can take your email (which came from my site) or for more accuracy your phone number (which I just got from Facebook) and I can use that data with the tools provided by data services like amplemedia. Within seconds it will return your home address, how many kids you have, your household income, and possibly your credit history and other data.

So just by visiting my site and making a comment I now know your name, your email, your phone number, all your friends (and possibly all their phone numbers), your household income, and on a basic level all of the websites you have visited.

Do you think this would help me find the right kind of shit to sell you?