Wednesday, 6 June 2007

Spyjax: websites can see your visited sites; browser history, and how to protect your privacy

A site can tell which other webpages or websites (from a pre-defined list) you've visited, just by including some script on the webpage you're viewing to look at the colour of links to them - using Spyjax.

Check out what the widget below displays:

Yep, that's a list of which ones of the top 10,000 sites on the Web you've been to (including Kirk's blog and Zo's blog, if you've been there before you came here - it's not in the top 10k, not yet, but you can add your own custom URLs to check so I added his as I know he won't mind - and you can even check the top 12 Google results for any search too, in this case whether you've done a search on Google for "Gmail alias" and visited any of the top 8 results). But no, I'm not going to insert the code in my sidebar or my blog generally, as I don't want to spy on my visitors like that! I've just added the script to this one post, so you can see it in action.

It's clever. When you've visited a site, as you know the link to the site will change colour in your web browser. The Spyjax script checks for visited links by injecting a list of links and then looking at their color - I quote: "All a website has to do to see what pages you’ve been to is place a list of links on the page [you're currently viewing] and examine the color of those links. Ajax can be used to retrieve a list of links to test and also send the results back to the server without the user ever knowing." (More on the a:visited pseudo-class in CSS.)

But strictly it doesn't spy on your full browser history - it just checks whether you've visited certain specified URLs, though given the power of scripting it can check against a list of thousands of URLs in just seconds.

The full code is on the Spyjax site.

Anyone can spy on their visitors by signing up for a free Spyjax account and putting the code in their blog (and then they can view reports, manually add URLs of their own choice to check, even add the top 8 results for any Google search with optionally 4 ads - which seems to be static, it's the top 8 results at the time you add a search to check, it doesn't seem to do a fresh search at the time of the visit). Plus, as you saw above there's code to display a widget to show the list of sites visited by a particular visitor too. Or else a site can just take the code and adapt it for their own use.

From a privacy / security viewpoint, this trick isn't good news; for marketers and nosy parkers, obviously it is. The Spyjax script by default only shows which domains you've visited rather than the exact pages, and only shows aggregated anonymous info - but it would be possible for a site to test for specific pages, and sites where you have to log in could well couple your "visited links" history with your login details to see whether you've been to certain specific URLs.

So how do you protect the privacy of your visited links?

The Spyjax site says the only sure way is to turn off Javascript, which of course stops you from benefiting from helpful uses of Javascript / Ajax on sites. I'd rather not do that.

So how else can you defend yourself against visited links spying? Stepping back a bit, there seem to be 3 basic ways to protect the privacy of your visited links:
  • don't save your visited links history
  • delete your visited links history, or
  • don't let websites check your visited links history.
However there's a gotcha to note: your history of visited links is not the same as your history of visited pages. So, depending on the browser, turning off storage of visited pages does not necessarily stop it storing (and revealing to Spyjax) your history of visited links. And deleting your history of visited pages from time to time will not necessarily delete your history of visited links either. As well as letting you delete your history wholesale, browsers let you view your history and then delete selected individual pages or sites from your history - however, again this may or may not delete your visited links history for those pages or sites.

Another gotcha: be warned before you try to set your browser to store 0 sites in your history that (1) it may not hide your visited links, as mentioned above, plus (2) it may delete your entire history in the process.

Different browsers deal differently with the saving or deletion of your history. Here's a table showing what I found after some initial testing of Internet Explorer, Opera and Firefox (I don't have a Mac so couldn't test Safari); if anyone has had different experiences I'd be grateful to hear about it:

| Browser | Set "remember history" to 0 | After setting "remember history" to 0 | Deleting visited pages history | Delete just links history? |
|---|---|---|---|---|
| Internet Explorer 7 | Clears history | Visited links not saved | Deletes visited links history | No |
| Firefox 2 | Does NOT clear history until restart | Visited links not saved | Deletes visited links history | No |
| Opera 9 | Clears history | Visited links STILL saved | Does NOT delete visited links history | Yes, but best to restart |
| Safari | Spyjax doesn't work? | ? | ? | ? |

Here's some more info, browser by browser.

Opera
This browser offers the best (finest) level of user control - but you have to exercise it. In Opera 9.21, I found that deleting a site from the history panel manually doesn't delete it from the visited links history. Spyjax could still check that it had been visited.

Telling Opera to remember 0 history (i.e. changing remembered addresses from, say, 500 to 0) clears your existing history - but it only stops Opera from saving the visited pages history, not the visited links history.

The only surefire way with Opera is to delete the visited links history specifically, but fortunately it lets you do just that (though I found that sometimes even that didn't work, I had to delete visited links history, then close and restart Opera). It's the only popular browser that enables such selectivity:

Internet Explorer
You can delete your history in Internet Explorer (in IE 7 Tools, Internet Options, under Browsing History select Delete):

And also you can limit the number of days IE should keep your visited pages in history (in IE 7 Tools, Internet Options, under Browsing History select Settings, see the History section).

Killing or not saving history of visited pages deals with visited links history too. But you can't selectively delete just visited links history, unlike with Opera.

Safari
I don't have a Mac, but reportedly Spyjax doesn't work in Safari, which is good news for Mac users' privacy. Can anyone confirm further?

Firefox
Telling Firefox to remember 0 days of visited pages doesn't automatically kill your existing history until a restart of Firefox (so you may have to manually delete that, or individual items from that, if you want to).

But disabling saving of history (Tools, Options) does seem to stop it from saving the history of visited links. And deleting the history, or individual items from the history, also seems to delete the visited links history for those pages too. So that's good.

Even better, with Firefox you can get the free Stanford SafeHistory extension (how to install Firefox extensions - was on Greasemonkey, but applies generally). This "protects your privacy by silently defending against visited-link-based tracking techniques. It allows offsite visited links to be marked only if the browser's history database contains a record of the link being followed from the current site." or, as per the description on the Mozilla site (though the software is more up to date on the SafeHistory site):
Restricts the marking of visited links on the basis of the originating document, defending against web privacy attacks that remote sites can use to determine your browser history at other sites. A link on pointing at will only be marked visited if you previously visited the page with a referrer in the domain of On-site links work normally. Checks cookie settings (allow, originating site only, deny) to determine your desired privacy level (segmented by origin, don't mark links visited in offsite frames, or never mark links visited).

Once you install it, you can access SafeHistory from the Privacy pane of your Tools, Options - although it's just one extra box to tick:

You can't selectively delete or not save just visited links history, but with SafeHistory you shouldn't need to.


Different browsers offer different levels of control as to the saving and deletion of your browsing history. As I mentioned earlier, to defend yourself in this context there seem to be 3 possible ways:
  • don't save your visited links history
  • delete your visited links history, or
  • don't let websites check your visited links history.
Choosing not to save just your visited links history, while still keeping your visited pages history, isn't currently possible with the most popular browsers (I'm not including Safari as I don't know much about it, sorry). You have to disable saving the history of visited pages too. That's pretty drastic. I use my history of visited pages all the time, and I don't want to lose access to it.

Of course you could turn off history saving altogether, and try to find your previously visited pages when you need to via something like Google Desktop Search (free with the Google Pack of Google-recommended software - ). Desktop search software automatically indexes webpages you visit and saves a searchable index on your computer separately from your browser history. But I've not found GDS to be reliable or consistent in capturing sites I visit via my main browser, Firefox.

Furthermore, in Opera 9 turning off remembering the history of visited pages won't help at all, because Opera still remembers your visited links history (that's just how Opera is) - so Spyjax can still spy on you.

Is deleting visited links history an option? In IE and Firefox you can't do that without deleting your entire history, or at least your "visited pages" history for the particular page or site. Plus, you have to remember to do the deletion periodically, and even with automatic calendar reminders or the like it's a bit of a pain. Opera does let you delete only your visited links history while preserving your history of visited pages, but that sometimes needs a restart of Opera to work for sure, and again you have to remember to clear out the visited links from time to time; and it's all too easy to forget or stop bothering.

What about not letting websites check your visited links history via Spyjax or similar? You could turn off Javascript in your browser altogether. But again that's pretty drastic.

My personal preferred solution is to use Firefox and the free extension SafeHistory to block other sites from checking your visited links. So, yet again, my favourite browser wins out. (If you don't already have Firefox - ).

(Via sl0wdjin's Clipmark)


ResearchWizard said...

Looks like you might be interested in OperaTor.

"OperaTor is a software bundle that can be easily installed on a portable memory (pendrive, usb stick, hard drive) to allow anonymous surfing while at an internet cafe, library etc.

It combines the power of the Opera Browser, The Onion Router and Privoxy.

With OperaTor no data will be stored at the computer you plugged your portable memory into."

Improbulus said...

Thanks researchwizard, sounds interesting - I've been meaning to try out Tor on my main computer anyway. Will definitely give it a go sometime.

You've tried it yourself, I presume?