• by Wendy Davis , Staff Writer @wendyndavis, December 2, 2010

Add "history sniffing" to the roster of techniques that can be used to circumvent people's attempts to protect their online privacy.

Researchers at the University of California, San Diego, recently released a paper outlining how 46 sites engage in history sniffing by exploiting a vulnerability in browsers to learn what other sites users previously visited.

The Web publishers caught using history sniffing include sites devoted to news, finance, gaming and porn. In some cases, the sites themselves don't seem to have been aware of the history sniffing -- apparently because third-party ad networks engaged in the activity without telling the publishers, according to Forbes. (Some browser companies have recently rolled out fixes, available to consumers who update their software.)

The research has already caught the attention of the Federal Trade Commission, which takes a dim view of companies who ignore users' privacy choices. Delivering a keynote address this week at a Consumer Watchdog event, FTC consumer protection chief David Vladeck called out history-sniffing sites. "We will not tolerate a technological arms race aimed at subverting privacy," he warned.

Of course, that begs the question of how to stop such an arms race. Even a do-not-track mechanism -- endorsed this week by the FTC -- wouldn't necessarily prevent companies from surreptitiously deploying technology that could be used for tracking purposes. While the FTC proposes to make do-not-track "enforceable," no one has yet proposed laws or regulations doing so.

Without such laws, the FTC's ability to require companies to honor do-not-track -- assuming that anyone even creates such a mechanism -- remains to be seen.

One possibility is that the FTC could bring enforcement actions against publishers, if it turns out that they are violating their own privacy policies by allowing third parties to use history sniffing. Another, proposed by Center for Democracy & Technology policy analyst Erica Newland, is that the FTC could argue that ad networks who track people against their wishes engage in unfair and deceptive business practices.

Whether either of those theories would hold up in court is just one of many unanswered questions surrounding online privacy.