This story is a great illustration of why disclosure is necessary (we are not going to get into an argument about which type) and why security research should never, ever be illegal. You may remember this story from last year, in which Epic Marketplace used a decade-old browser flaw to illegally analyze visitors' surfing habits. By detecting the color in which visitors' browsers displayed links (and thus which sites they had already visited), the company could more easily categorize users into one of several special-interest groups, including “pregnancy-fertility getting pregnant,” “incontinence,” “memory improvement,” and “arthritis.” As expected, this information allowed the marketer to serve more precisely targeted ads.
The FTC filed a complaint against Epic Marketplace after security researcher Jonathan Mayer discovered and disclosed these illegal practices last year. After all was said and done, Epic Marketplace got the traditional slap on the wrist: a promise to destroy the data and curb the practice in the future. Really? Did they just use the term “curb”? We think “terminate” would have been a much more appropriate word. And relating this to the whole “Weev” saga … how is this any different? In one case an individual accessed data freely available on AT&T's servers; in the other, a company accessed data sort-of-freely accessible on personal computers.
Anyway, as the story notes, this vulnerability had been present in all major browsers for over a decade. If security researchers had been discouraged or barred from doing their work, the vulnerability might never have been discovered, and Epic Marketplace could have continued its illegal data-aggregation practices.
An advertising network that served banners on cnn.com, orbitz.com, and 45,000 other sites has settled federal charges that it illegally exploited a decade-old browser flaw that leaks the history of websites users visit.
Epic Marketplace used data mined from the history sniffing exploit to assign interests to visitors so the ad network could deliver targeted ads, according to a complaint filed by the Federal Trade Commission. Interest categories included “pregnancy-fertility getting pregnant,” “incontinence,” “memory improvement,” and “arthritis.” The FTC brought the case against New York City-based Epic Marketplace after the practice was revealed by Stanford University researcher Jonathan Mayer in July 2011.
Epic Marketplace settled the charges by agreeing to destroy the data it gathered and to curb the practice in the future, according to a release issued on Wednesday. The settlement also bars the company from making misrepresentations about the data it collects about people browsing the Web.
Do you think that Epic Marketplace’s punishment was appropriate? Post your comment below. Today’s post pic is from RingRevenue.com.