How Online Marketer Peered Into People’s Health Histories


Online advertising firm Epic Marketplace is accused by the FTC of spying on Internet users' browsing histories.

There are few things as creepy in online marketing as digging into someone’s health history, without their knowledge, to advertise to them. Yet that’s precisely what New York-based Epic Marketplace is accused of doing.

According to the online advertising company’s settlement with the U.S. Federal Trade Commission, Epic used a technique to snoop on people’s Internet browsing histories and sold that information to marketers, my colleague Sara Forden reported.

The company exploited a flaw that existed widely in Internet browsers until about two years ago to accomplish its surveillance, according to the FTC’s complaint against Epic. The flaw allowed websites to check whether visitors had also viewed other sites — a boon for underhanded marketers and site owners, as well as a gigantic privacy violation. Most modern browsers are protected.

Epic, whose tracking technologies existed on tens of thousands of partner sites, would ping visitors’ browsers for evidence that they visited any of more than 54,000 other domains, and record whether they saw pages related to fertility, impotence, menopause and incontinence, as well as non-health-related topics such as credit repair and personal bankruptcy. That information was then included in the profiles that Epic built and used to target people with advertisements, according to the FTC.

Stanford University graduate student Jonathan Mayer exposed Epic’s practices last year.

Epic could not be reached for comment. Three phone numbers listed for the company were disconnected. Key executives went on to found another firm, Kinetic Social, after some Epic partners said earlier this year that Epic had stopped paying its bills. Hank Kim, a spokesman for Kinetic, said the history-sniffing technology was used by a firm that Epic bought and was not disclosed to the marketing company at the time of the deal. Epic took steps to stop the practice once it was discovered, Kim said.

The flaw that Epic is accused of exploiting involved the way websites could query visitors’ browsers and get answers about which other sites they’d visited. Links to pages that had been visited would display in purple, and links to pages that had not would display in blue.

To make matters worse: Even if someone cleared their tracking cookies and employed other privacy measures, their browsers would still silently betray them, offering up a record of other places they’d been on the Web.

The settlement bars Epic from using “history sniffing” technology in the future and mandates that it destroy all data collected using it, according to the FTC. Epic’s privacy policy had promised visitors that they would only be tracked on the more than 45,000 sites that Epic partners with, not sites outside of that network. The history sniffing code constituted a deceptive business practice, the FTC said.

“Consumers searching the Internet shouldn’t have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge,” FTC Chairman Jon Leibowitz said in a statement. “This type of unscrupulous behavior undermines consumers’ confidence, and we won’t tolerate it.”

The case is a vivid example of the lengths to which some online marketers will go to fill their databases and carve out a niche in a highly competitive industry. As the social networks have illustrated, people are often the product online, and we’re the ones being shopped, not the other way around.

It’s an agreement we’re often OK with, a reasonable tradeoff for a valuable service like free e-mail. But the case against Epic shows in stark terms that there are corners of the consumer Internet where even services that do business with high-profile, legitimate sites may go over the boundary of acceptable behavior.

Epic was no fringe entity.

According to the FTC, the history-sniffing code was used on more than 24,000 sites that partnered with Epic to serve up targeted advertisements. Some of them are quite popular, including cnn.com, papajohns.com, redcross.com, and orbitz.com. The sites may have had no idea their visitors were being violated in this way.
