Philip Sheldrake

My browser history is my own, so back off with your unethical social media metrics

Privacy is a personal thing. Some people want to be as "off grid" as they can get. And then there are those who actually bolt a camcorder to their heads and stream their life 24/7. Irrespective, I believe there are some things that everyone expects to be private by default; even Mark Zuckerberg! And one of these is your browser history... the log that lists every webpage you visit.

It's this list that enables modern browsers to suggest auto-completions for URLs as you enter them in the address bar. It's this list you might visit when you're trying to find that something or other you stumbled across the other day. It's this list that allows your browser to try to render unvisited links one way, underlined blue by default, and previously visited links another way, underlined purple by default (even though individual webpages and associated styling information may actually override these defaults).

My browser history is mine. My wife's browser history is hers. Your browser history is yours.

But whilst the Internet turned 40 last year, the World Wide Web is still a teenager, and that relative immaturity places irresistible temptations in the path of the less ethical. And being able to read your browser history is just one of those.

Has your browser history been "sniffed" recently?

You wouldn't know.

It's been known for nearly a decade now that the feature of a browser that conveniently tries to show visited and unvisited links differently courtesy of your browser history leaves that history open to being "sniffed". Specifically, if I want to know if you've visited www.example.com before visiting my website, all I have to do is include that link on my webpage and, with a little bit of code, I can get my webpage to tell me what colour your browser is trying to use to display the URL. Purple? Then you've been there.

What's more, I can make sure you don't even see I'm trying to display this link, or hundreds of others. In simple terms, a webpage layout is a grid with references setting how far from the left and how far down from the top something appears. So if I set the horizontal position of the links to something like -999 (minus 999) it is effectively 'displayed' to the left of your visible screen. In other words, invisible to you.
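If you review third-party tags or scripts before they go onto a site, the combination described above (a long list of links, pushed off-screen, with script reading the colour they are rendered in) can be flagged from the page source. The following is an added example, not code from this post or from any company it mentions; the function name, the thresholds and the two sample pages are assumptions constructed for illustration.

```javascript
// Added example: heuristic, regex-based audit of page source for the three
// ingredients of history sniffing. It flags candidates for manual review only.
function auditForHistorySniffing(source, minHosts = 20) {
  // 1. Script asks the browser what colour an element is actually rendered in.
  const readsLinkColour =
    /getComputedStyle\s*\([^)]*\)[\s\S]{0,80}?(\.color\b|getPropertyValue\(\s*['"]color['"])/.test(source) ||
    /\.currentStyle\.color\b/.test(source);

  // 2. Content pushed far outside the visible area (the "-999" trick).
  //    The -500 cut-off is an assumed threshold.
  const offscreen = [...source.matchAll(/\b(?:left|top|text-indent)\s*[:=]\s*['"]?(-\d+)/gi)]
    .some(m => parseInt(m[1], 10) <= -500);

  // 3. How many distinct hosts the page names, whether in markup or in script.
  const hosts = new Set(
    [...source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map(m => m[1].toLowerCase())
  );

  let verdict = 'none';
  if (readsLinkColour && hosts.size >= minHosts) {
    verdict = offscreen ? 'likely' : 'possible';
  } else if (readsLinkColour && offscreen) {
    verdict = 'possible';
  }
  return { readsLinkColour, offscreen, distinctHosts: hosts.size, verdict };
}

// Constructed sample pages; the hosts are made up under the reserved .example TLD.
const sampleLinks = Array.from({ length: 25 },
  (_, i) => `<a href="http://site${i}.example/">x</a>`).join('');
const suspectPage = `<style>#probe{position:absolute;left:-999px}</style>
<div id="probe">${sampleLinks}</div>
<script>var c = getComputedStyle(link).color;</script>`;
const benignPage = `<style>nav{left:0}</style><a href="https://www.example.com/">home</a>
<script>var h = getComputedStyle(header).height;</script>`;

console.log(auditForHistorySniffing(suspectPage));
console.log(auditForHistorySniffing(benignPage));
```

A 'possible' or 'likely' verdict is a prompt to read the script, not proof of sniffing; legitimate pages also read computed colours and hide elements off-screen.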

Let's try it now, but so you can see it plain and clear. Visit the slightly over-exaggeratedly named www.whattheInternetknowsaboutyou.com now and it will check to see which of some 5000 popular websites your browser betrays you as having visited. (I'm happy to point you to this harmless website as its raison d'etre is simply to educate you about this matter.)

Analytics and metrics

So, you're in marketing and PR and you want to "close the loop". You want to determine if all those places on the web where you've managed to get exposure for your brand, paid and unpaid, actually drive people to drop by your website.

So, you're in marketing and PR and you want to see which of your competitors' websites a visitor to your website has been to before.

So, you're in marketing and PR, and you want to check if visitors to your website hang out at certain websites.

Of course, if they clicked links at these places through to your website then your web analytics will log the referring webpage accordingly, but what if the visitor left a few days between going to these webpages, and therefore potentially seeing or reading stuff about you, and deciding to pop by today?

Well first up, congratulations on having the ambition to "close the loop"... regular readers know how passionate I am for analytics, measurement and evaluation. But is this the way to do it? Is this ethical? After all, you're sniffing behind the visitors' backs... which actually isn't all that pleasant a metaphor.

Social Media Metrics, the book

There are two things I don't like about Jim Sterne's otherwise most excellent book, "Social Media Metrics: How To Measure And Optimize Your Marketing Investment". First up, he feels compelled to take up the best part of six pages in the introduction listing David Berkowitz's "100 Ways to Measure Social Media", despite the fact that the vast majority represent outputs and not outcomes, which is not best practice and is now at odds with the 5th of the Barcelona Principles.

Jim does however report David's advice that the metrics must be applied in context with your business objectives, and goes on to some super stuff in later chapters. I particularly love his deft management of sentiment analysis in Chapter 4... in fact, my criticisms here aside, I still recommend you buy the book!

But to return to the main theme of this blog post, Jim's most grievous error in my opinion comes in Chapter 5 (page 117 in my edition) where he refers to the potential for browser history sniffing and the associated capabilities of a service from a company called Tealium, without the faintest reference to any ethical considerations.

Tealium does try to limit misuse (unethical application) of its service by way of its terms of service, providing a plain English explanation here. The most important assertions are that they don't collect personal identifying information, that they determine which URLs to check for, not the client, and that they tell clients not to abuse their system.

But this policy does not address the potential to associate 'sniffed' histories with visitors' clickstreams, and therefore identity, via timestamps and cookies for example. Nor does it indicate how Tealium polices its clients' potential abuses.

Here's an idea

If there's one word that sums up the journey we've been on in the last ten years it's authenticity. As David Meerman Scott writes in "The New Rules of Marketing and PR": "People want authenticity, not spin."

And interpreting the Oxford English Dictionary, authenticity refers to having the quality of an emotionally appropriate, significant, purposive, and responsible mode of human life.

So here's an idea. If you want to know where people have been before they got to you, so you can "close the loop" and inform your marketing research, why not just ask them nicely? You could even offer something useful to them in return. Why not say something like this?...

Hi, thanks for dropping by. Ask any company and they'll say you dropping by is important to them, but we feel more strongly about it. We really want to understand what makes you tick so we can do better at developing our products and services, so we can improve our ability to listen and understand your needs and answer any questions you might have.

Knowing if you've been to a few dozen specific websites before coming here today would help us a lot, but if you don't want to that's no problem at all. If you do, we'll be able to share with you how your potential trips to these websites compare to others who've shared this information with us, and perhaps there's a great site or two in there you've yet to discover!

Just click here and we'll check your browser history now (or click here to find out how this is done, which websites we're interested in, and how our privacy policy guides our use of this capability).

Get yourself a modern browser

Disclosure: I've worked with and advised Mozilla, the non-profit organisation behind the Firefox browser, since 2003.

Browser history sniffing has not been a common problem until companies like Tealium started to 'productize' the capability. It's for this reason that Mozilla lists the way Firefox deals with colouring hyperlinks, like other browsers, as a bug, and it's for this reason the bug was fixed this past week subject to quality assurance verification. It's attention to detail like this that makes me happy to recommend Firefox as the most secure browser, including its regard for personal privacy.

Be open and ask nicely

If other browsers catch up, then my idea above has a limited shelf life. You'll be able to ask visitors to share this information with you in an automated fashion only when you've first detected that they use a browser that still has this bug. But the underlying principle of being open and asking permission is timeless, and will become increasingly important as the opportunities to collect 'digital detritus' unknowingly and unethically grow massively in coming years.