There's been a big fuss that with CSS you can identify if someone has
visited a certain link. I started to think about expanding this and came up with a neat little trick
you can do involving online advertising.
You run http://www.sitea.com and http://www.siteb.com and http://www.sitec.com are competitors of yours. Now you know these
companies use http://www.ad1.com and http://www.ad2.com to serve up ads on. What you don't know is how effective these ads are,
simply put without direct access to the web server logs you can't tell really. Well this isn't entirely true!
Lets say VisitorA visits your site http://www.sitea.com. You can use the CSS history stealing trick to see if they
have visited http://www.siteb.com and/or http://www.sitec.com. If they've visited a competitor you'll know that
this person is semi serious about whatever reason they're visiting your site for. Using the same CSS trick
you could also enumerate a list of links (only enumerated if the link was visited) against each competitor
website to see what they viewed on this site. This could include seeing which products/services they are
interested in, if they visited the 'contact us' page and possibly if they also visited the 'thank you for
submitting your data' (Letting you know they submitted a form). Now that you know where your visitor has
been you can utilize the same trick on websites advertising your competitors to see where they came from.
Why bother? Well now you know which ads are in fact paying off for them and can advertise with the same company.
A more elaborate example would be dynamically generating a discount if the current visitor has visited a competitor
potentially winning a deal. I suspect this use of the CSS 'trick' is going to
spread like wildfire for many of the obvious reasons above. This begs to ask the question is this legal?
UPDATED: 10/4/06
I was thinking of the uses of this regarding phishing. Say they followed my amazon phishing email, I can now
track which banks they use and other websites to see which site I should phish next (a sort of victim profiling
if you will). Even more interesting would be the creation of generic phishing emails bringing a user to a site,
and dynamically generating a phishing site based off of the urls that they've actually visited. Hmmm need to think
about this some more.
