Next: Acknowledgments Up: Detecting Hit Shaving in Previous: Using hash chains

Discussion

As mentioned in Section 4.2.2, our use of hash-chaining is similar to its use in certain micropayment schemes, specifically the PayWord scheme due to Rivest and Shamir [RS95]. This similarity is perhaps not coincidental, in that the deployment of a micropayment scheme, or more generally any digital cash scheme, could be a useful tool to counter hit shaving. In this case, the target of a referral could be required to pass a digital coin back to the referrer in the referral protocol, e.g., using the techniques of Section 4. The referrer could thus collect immediate payment for referrals it gives, and detect when payment is not being received.
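The coin-passing idea above, as an added example that is not code from the paper: a PayWord-style hash chain in which target site B commits to w_0 and releases one payword per referral, so that referrer A verifies each coin with a single hash and counts referrals that went unpaid. The names `make_chain`, `Referrer` and `simulate` are hypothetical, and the signed commitment and broker of the full PayWord scheme are assumed away.

```python
import hashlib
import secrets


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(n: int) -> list:
    """Target B: build [w_0, ..., w_n] with w_{i-1} = H(w_i); w_0 is the commitment."""
    w = secrets.token_bytes(32)          # w_n, the secret end of the chain
    chain = [w]
    for _ in range(n):
        w = H(w)
        chain.append(w)
    chain.reverse()
    return chain


class Referrer:
    """Referrer A: holds B's commitment and accepts only the next payword in the chain."""

    def __init__(self, commitment: bytes):
        self.last = commitment           # most recent verified payword (starts at w_0)
        self.referrals_sent = 0
        self.paid = 0

    def refer(self) -> None:
        self.referrals_sent += 1

    def receive(self, payword: bytes) -> bool:
        # Valid only if it hashes to the last accepted value; replays and forgeries fail.
        if H(payword) != self.last:
            return False
        self.last = payword
        self.paid += 1
        return True

    def unpaid(self) -> int:
        return self.referrals_sent - self.paid


def simulate(n_referrals: int, shaved: set) -> int:
    """Constructed scenario: B withholds the coin for the referral indices in `shaved`."""
    chain = make_chain(n_referrals)
    a, next_i = Referrer(chain[0]), 1
    for r in range(n_referrals):
        a.refer()
        if r in shaved:
            continue                     # B shaves this hit: no coin comes back
        a.receive(chain[next_i])
        next_i += 1
    return a.unpaid()                    # A's count of referrals with no payment
```
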

Other potential developments that could expand our options for countering hit shaving include the adoption of a richer security model for JavaScript. For example, Anupam and Mayer [AM98] propose a JavaScript security model in which a script can selectively allow other scripts to access portions of its namespace by configuring access control lists accordingly. If adopted, this could enable other cooperative solutions in which pageB.html allows a script in pageA.html to access some portion of its namespace, so that the script in pageA.html can confirm when pageB.html has loaded and notify site A. Such solutions have the advantage of allowing pageB.html to be a static page (as opposed to one dynamically generated by a CGI script on site B), though they also place requirements on pageA.html that the solutions of Section 4 do not.

Although the techniques proposed in this paper are effective for detecting hit shaving, they do have the adverse effect of eroding user privacy further than the web already does today. That is, the web today, via the Referrer HTTP header, often reveals to a site the page that a user visited previously. Our techniques further enable the referring site to learn the page that the user visits next. Mechanisms for anonymously surfing the web, such as the Anonymizer, the Lucent Personalized Web Assistant [GGMM97], and Crowds [RR98], are generally incompatible with click-through payment programs on two counts: they strip out the Referrer field, and they preclude monitoring of user IP addresses for the purposes of detecting hit inflation. The former can be remedied by configuring these systems to let the Referrer field remain; the latter obstacle appears more difficult to overcome.

This work leaves several open problems. In particular, we have not attempted to address the problem of hit inflation, but have only attempted to not exacerbate it. More robust approaches for detecting or preventing hit shaving should also be explored.



Mike Reiter
7/21/1998