August 05, 2008, 10:47 AM — Search engines and ISPs know who you are and where you've been. Phishers and advertisers do too. But can the average Joe learn this about you? Yes -- for good and bad.
The most common way people identify a phishing attack is that they receive an email from a bank they don't have an account with asking them to update their information. A smarter phisher would first find out who their victims are banking with. It can be done by looking at your browser history. (If you have been to the Bank of America Web site recently, you are probably a client of theirs.) For a harmless demo of how this could be done, click here.
But it is not only phishers who would like to know where you have been. Advertisers would like to know, too! Apart from being able to tell what your likely interests are, a person peeking at your browser history can tell a lot more -- like your age or gender. Take a look at this site for a demo of how that can be done.
Imagine for a minute what else can be inferred from browser history.
While nobody likes phishers poking at their browser history, and many would object to advertisers doing it in an intrusive manner, the same technique has "friendly" uses, too. For example, a site can use it to customize information you are shown. And companies can use it to boost your security by looking for evidence of bad things having happened to you, and then alerting you. (Click here for a demo). And the browser scanning can be done in a privacy-conscious manner ( Download PDF).
So like most tools, it browser history scanning has good uses and bad. But what if you don't want anyone reading your browser history? That can be dealt with on either the server side (Download PDF) or on the client (Download PDF).