June 1st, 2007

Spyware Alert: Are Sites You Visit Spying On You?


In what may be a not so odd coincidence, I discovered the following two items in the space of five minutes, which made me wonder whether most websites could be fairly accused of “spying” on their users:



The item on the left is from the beta version of CNN’s redesigned site, which, like the Amazon recommendation system, recommends articles based on your browsing history (via Bivings Report).

The item on the right — just an image! — is the widget version of a service called Spyjax that exploits a common browser feature — turning visited links red — to determine which other sites a visitor to a site using Spyjax has visited. If you go here, you will see your browser history displayed in the widget. It’s quite a chilling experience. I set up a Spyjax account and installed the code because I wanted to display the widget here to make the point dramatically, but I immediately took the code off after seeing my own visitor report. It felt so wrong — it felt evil.

(Sites using Spyjax will show a call to merchantos.com in the status bar when loading.)
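One way to check a page's source for the indicator mentioned above, as an added example that is not from the original post or from Spyjax: it lists the third-party hosts a page loads scripts, images and frames from and flags any on a watchlist. Only the `merchantos.com` host comes from the post; the sample HTML, the `.example` hosts, the resource paths and the function names are constructed for illustration.

```javascript
// Added example (not from the post). Static check only: resources injected
// by scripts at run time are not visible in the HTML source.
const WATCHLIST = ['merchantos.com']; // host named in the post

// Tags whose src attribute makes the browser fetch on load. Handles
// double-quoted, single-quoted and unquoted values; ignores data-src.
const SRC_ATTR =
  /<(script|img|iframe)\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// True for the domain itself or any subdomain, but not for look-alike
// suffixes such as "notmerchantos.com".
function matchesDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function auditPage(pageUrl, html, watchlist = WATCHLIST) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const findings = [];
  for (const m of html.matchAll(SRC_ATTR)) {
    const raw = m[2] ?? m[3] ?? m[4];
    let host;
    try {
      // Resolves relative paths and protocol-relative //host forms.
      host = new URL(raw, pageUrl).hostname.toLowerCase();
    } catch {
      continue; // not a parseable URL
    }
    if (!host || host === pageHost) continue; // data: URI or same host
    findings.push({
      tag: m[1].toLowerCase(),
      host,
      flagged: watchlist.some((d) => matchesDomain(host, d)),
    });
  }
  return findings;
}

// Constructed sample page; paths and the .example hosts are made up.
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script type="text/javascript" src="http://merchantos.com/constructed-widget.js"></script>
<img src='http://tracker.example/pixel.gif'>
<IMG SRC=//cdn.merchantos.com/constructed-badge.png>
<a href="http://merchantos.com/">a plain link triggers no request</a>`;

const report = auditPage('http://blog.example/post', SAMPLE_HTML);
console.log(report.filter((f) => f.flagged));
```

Hosts are compared exactly, so a first-party CDN on a different hostname is listed as third-party; treat the unflagged entries as an inventory to review rather than as findings.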

You can see from the screen capture above some of the sites that the widget immediately determined I had visited — Noggin, for my daughter, Pair, because I’m probably going to switch my hosting service, and PlentyOfFish — strictly for business.

So why the comparison with the CNN recommend feature? Because they’re both cut from the same cloth. CNN’s recommendations seem benign — and it can be a useful service. But those recommendations are based on spying on your browsing without your permission.

Of course, every site that uses cookie-based traffic analytics effectively spies on you by planting a cookie in your browser. Any site that has a “most read” or “most emailed” list is essentially spying on user behavior.

Many sites, including many mainstream media brands, work with Tacoda, Revenue Science, or other behavioral targeting companies to plant cookies that follow you everywhere you go — and serve ads based on your “behavior.”

There are some people who block cookies entirely, and many more people probably would if there weren’t so many sites that required cookies in order to function properly.

Where to draw the line on user privacy will continue to be the subject of increasingly intense debate. Media sites (and what isn’t media these days?) will need to keep a close eye on how the privacy pendulum is swinging.

Comments (10 Responses so far)

  6. Hi I’m the creator of Spyjax. I just wanted to say that your post is a great addition to this issue. Very thoughtful.
    I also wanted to point out that Spyjax does not collect information on who you are when it collects visited sites. There is no way within Spyjax to correlate specific users with visited urls. It simply tells you the % of users that have visited each url.
    That being said, this technique could easily be used to track specific users’ history.
    I mainly created Spyjax because I was surprised it was possible and I thought it would spur a lot of discussion. I’m glad to see conversations like this.
    I think the take home message is the same as it has been: Be careful when you give someone information that allows them to identify you, such as a name, phone number, address, etc.
    Your browser history is just one of many things that can be tagged to you once someone knows who you are.

  7. hmmm what kind of “business” ?

  8. I use the Internet with the assumption that websites are “spying” on me. I think that this assumption is even more justified with many of the 2 dot 0 web apps which have tracking software embedded right in.

    Facebook, MyBlogLog, del.icio.us, WordPress, Google Analytics are all designed to track user behaviour, perhaps not as the first goal of the service, but definitely an aside one.

    Privacy is one of those dualistic issues for me. I both want user privacy, but at the same time, I want to know who’s checking me out. Plus, being a social researcher, the data collection potential of the Web 2.0 is very appealing. The main way I try to negotiate this internally is by constantly reminding myself that cookies are only one element of collecting data that is usually automated, designed to turn the user into a statistic rather than care about the user themself.

    I could say much more on this… but I’ll stop now… I tend to use too many words.

  9. Justin,

    Thanks for the comment. It is an important clarification that Spyjax doesn’t collect individually identifiable information. As such, it isn’t really different from what many other websites do. It was the widget though that really creeped me out — it was like looking in a mirror where you didn’t expect to find one.

    What you made is a worthwhile exercise because it does help crystallize the issue — the technology itself isn’t good or bad, it’s all in how you use it.


    You know, checking out how well your business is doing.


    I think a lot of web users have made similar compromises when it comes to privacy — it’s definitely a double-edged sword.
