Epic Marketplace is using history-sniffing techniques to collect information about users' Web history, including potentially sensitive data, according to new research from Stanford's Center for Internet and Society.
History-sniffing technology allows companies to exploit a vulnerability in browsers to determine which sites users have previously visited. The technique relies on stylistic differences, like changes in the color of links, between sites that users have visited and ones they haven't. Companies that track people with history-sniffing technology need not have relationships with publishers in order to know whether users have visited their sites.
Late last year, researchers from the University of California, San Diego brought history-sniffing to light when they published a paper explaining the technique and naming 46 Web sites where the technology was being deployed. In at least some cases, the ad company Interclick allegedly used the technology without the publishers' knowledge. Interclick currently faces a potential class-action lawsuit over the allegations.
Currently around 50% of people use browsers that enable history-sniffing, according to Stanford researcher Jonathan Mayer.
Epic says that any information it collects is not "personally identifiable." The company also says that it does not collect data about the precise URLs that users visits, but uses information about their Web activity to bucket them into marketing segments.
Epic Chief Marketing Officer Michael Sprouse adds that the company only gathers information from sites where it serves ads. He also says that Epic doesn't segment users based on "sensitive" information.
The self-regulatory group Network Advertising Initiative defines sensitive information as social security numbers, bank account numbers, insurance plan numbers, precise geotargeting data and precise information about health or medical conditions. The Stanford report says it identified at least four Epic segments that appear to deal with health and financial information: Pregnancy/fertility, menopause, repairing bad credit and debt relief. Sprouse says Epic "does not segment users on anything that may be deemed a sensitive medical condition as defined by the NAI."
History-sniffing techniques in themselves do not appear to be unlawful or to violate self-regulatory standards, but it's not clear why Epic is using that technology as opposed to cookie-based tracking technology. Sprouse says that the company characterizes the technology as "segment verification" and that it "provides companies with a way to measure the accuracy of the data that a company purchases from data vendors without compromising consumer privacy."