'Anonymous' browsing data can be easily exposed, researchers reveal

[Delicieuxz]

'Anonymous' browsing data can be easily exposed, researchers reveal

 

Quote

 

A judge’s porn preferences and the medication used by a German MP were among the personal data uncovered by two German researchers who acquired the “anonymous” browsing habits of more than three million German citizens.

 

“What would you think,” asked Svea Eckert, “if somebody showed up at your door saying: ‘Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month’? How would you think we got it: some shady hacker? No. It was much easier: you can just buy it.”

 

Eckert, a journalist, paired up with data scientist Andreas Dewes to acquire personal user data and see what they could glean from it.

 

Presenting their findings at the Def Con hacking conference in Las Vegas, the pair revealed how they secured a database containing 3bn URLs from three million German users, spread over 9m different sites. Some were sparse users, with just a couple of dozen of sites visited in the 30-day period they examined, while others had tens of thousands of data points: the full record of their online lives.

 

Getting hold of the information was actually even easier than buying it. The pair created a fake marketing company, replete with its own website, a LinkedIn page for its chief executive, and even a careers site – which garnered a few applications from other marketers tricked by the company.

 

...

 

The data they were eventually given came, for free, from a data broker, which was willing to let them test their hypothetical AI advertising platform. And while it was nominally an anonymous set, it was soon easy to de-anonymise many users.

 

Dewes described some methods by which a canny broker can find an individual in the noise, just from a long list of URLs and timestamps. Some make things very easy: for instance, anyone who visits their own analytics page on Twitter ends up with a URL in their browsing record which contains their Twitter username, and is only visible to them. Find that URL, and you’ve linked the anonymous data to an actual person. A similar trick works for German social networking site Xing.

 

For other users, a more probabilistic approach can deanonymise them. For instance, a mere 10 URLs can be enough to uniquely identify someone – just think, for instance, of how few people there are at your company, with your bank, your hobby, your preferred newspaper and your mobile phone provider. By creating “fingerprints” from the data, it’s possible to compare it to other, more public, sources of what URLs people have visited, such as social media accounts, or public YouTube playlists.

 

A similar strategy was used in 2008, Dewes said, to deanonymise a set of ratings published by Netflix to help computer scientists improve its recommendation algorithm: by comparing “anonymous” ratings of films with public profiles on IMDB, researchers were able to unmask Netflix users – including one woman, a closeted lesbian, who went on to sue Netflix for the privacy violation.

 

Another discovery through the data collection occurred via Google Translate, which stores the text of every query put through it in the URL. From this, the researchers were able to uncover operational details about a German cybercrime investigation, since the detective involved was translating requests for assistance to foreign police forces.

 

So where did the data come from? It was collated from a number of browser plugins, according to Dewes, with the prime offender being “safe surfing” tool Web of Trust. After Dewes and Eckert published their results, the browser plugin modified its privacy policy to say that it does indeed sell data, while making attempts to keep the information anonymous. “We know this is nearly impossible,” said Dewes.

 

 

This article reminded me of this other article: Big Data should not be a faith-based initiative

 

I think it's important for people to remember that when companies, including Microsoft, tell their customers that their data is anonymous, that's just marketing. None of it is anonymous, and companies like Microsoft do not even need to go through a process of de-anonymizing data, because all Windows license owners' data that is sent to Microsoft is associated with a unique system ID, and at any moment that Microsoft wishes to know where any particular data came from, they can.

 

I think that privacy rights have to be made to extend to software, and I don't see a person's computing activities as being any less personal than their activities in their own home. They actions are expressions of themselves, and the product of those actions is naturally their personal property.

 

When people visit online webspaces, they're entering the environments of other people who own those spaces, and so they make a choice to accept that the owners of those spaces may use the data they generate by their activities there for their own purposes. However, in offline spaces, or in non online-service spaces, there is no such concession being made by a person, and no logical need for a person to reveal or share their personal activities and data with an outside person or company. I believe it is innate logic that such spaces should be protected from data-mining.

[Billy_Mays]

Fun now I gotta get a VPN now  

[Guest]

People need to be careful in this world especially if browsing data can be exposed by millions of different users without them knowing.

[Guest]

4 minutes ago, Billy_Mays said:

Fun now I gotta get a VPN now  

Tunnel Bear! Tunnel bear is a free VPN service that lets you browse privately as if you were in one of 20 different countries

[vanished]

As bad as this might be, at least it's just a list of URLs and not like, actual content of the pages (passwords, banking details from a banking page, etc.)

 

Quote

A judge’s porn preferences

this is a good step though, all it will take for a radical swing from tons of data collection to super tight privacy laws is for the browsing of one significant political figure to get out  

[ChineseChef]

Really we need some mega group to legally acquire as much of this kind of data as possible.  And just start sending people letters at home with a full record of everything they did online.  Send it to politicians, local leaders.  Start a website that just lists everyone by name with everything they do/have done.  Make it as public as possible.

 

That way people actually take it serious.  Start sending people emails with the their records, call them on the phone and ask them about something they did, make it as in your face as they can.  Start calling law makers spouses, asking what they think about their partner visiting porn sites, and the type of porn.  Make billboards stating that congress person X likes these types of porn.

 

Then we might finally get some change in the way things are done.  Though more likely they will just make it illegal to talk about our dear leaders that way.

[vanished]

19 minutes ago, huilun02 said:

Won't work. Just look at America.

They're a perfect example of how it can work.  L1 Techs has mentioned a few times how the privacy laws regarding VHS rentals are very good because of this exact thing (the history of some political guy getting leaked).

[Jito463]

1 hour ago, ChineseChef said:

Really we need some mega group to legally acquire as much of this kind of data as possible.  And just start sending people letters at home with a full record of everything they did online.  Send it to politicians, local leaders.  Start a website that just lists everyone by name with everything they do/have done.  Make it as public as possible.

 

That way people actually take it serious.  Start sending people emails with the their records, call them on the phone and ask them about something they did, make it as in your face as they can.  Start calling law makers spouses, asking what they think about their partner visiting porn sites, and the type of porn.  Make billboards stating that congress person X likes these types of porn.

 

Then we might finally get some change in the way things are done.  Though more likely they will just make it illegal to talk about our dear leaders that way.

So, your proposal is to enact change, by shaming people into doing what you want?

[vanished]

Just now, huilun02 said:

That was back in old times and the damage had already been dealt to the political candidate. Today the ones profiting off our data are billion dollar corporations that have the most power to influence the people. And with the abused legal system over there? Good luck making advances against the likes of Google and Facebook when you can't even solve the shit internet and net neutrality situation.

I have a feeling that a lot of the bad decisions that are made are made because they don't understand the issue, but as soon as something impacts them personally, they'll suddenly realize what people are talking about and why it matters.

[ChineseChef]

2 minutes ago, Jito463 said:

So, your proposal is to enact change, by shaming people into doing what you want?

Sort of.  More by forcing people to acknowledge the problem.  At the moment nothing will change because no one will admit there is a problem.  The public doesn't care, the politicians don't care, the companies don't care.  Everyone either has something to gain, "nothing to lose", or they understand but don't have any power to do anything about it.

 

If we name and shame everyone, like EVERYONE everyone, then people will wake up to the potential issues this will have in the future.  Right now it is mostly just embarrassing.  But if we can get the protections in place now, we can prevent the really bad stuff from happening in the future.  Where companies won't hire you because you bought from a competitor, or voted the wrong way, or your insurance is higher because you talked about doing high risk activities at some point.

[Deli]

1 hour ago, ChineseChef said:

Really we need some mega group to legally acquire as much of this kind of data as possible.  And just start sending people letters at home with a full record of everything they did online.  Send it to politicians, local leaders.  Start a website that just lists everyone by name with everything they do/have done.  Make it as public as possible.

 

That way people actually take it serious.  Start sending people emails with the their records, call them on the phone and ask them about something they did, make it as in your face as they can.  Start calling law makers spouses, asking what they think about their partner visiting porn sites, and the type of porn.  Make billboards stating that congress person X likes these types of porn.

 

Then we might finally get some change in the way things are done.  Though more likely they will just make it illegal to talk about our dear leaders that way.

Start with Mark Zuckerberg.

[PlayStation 2]

Gasp, what a surprise.

Seriously, this just shocks me that people are naive enough to believe their data is safe with anyone besides themselves.

[mr moose]

5 hours ago, Billy_Mays said:

Fun now I gotta get a VPN now  

A vpn is not going to help if the data is being collected directly from your browser.  

 

 

Don't install plug-ins sounds like a better option.  

[Billy_Mays]

Just now, mr moose said:

A vpn is not going to help if the data is being collected directly from your browser.  

 

 

Don't install plug-ins sounds like a better option.  

Yeah I was joking around

[woowee]

I remember this years ago

https://panopticlick.eff.org/

its surely much worse now.

 

 

 

the fixation on net neutrality as if that was the only problem is a problem

[captain_to_fire]

8 hours ago, huilun02 said:

Won't work. Just look at America.

Not just America though https://en.m.wikipedia.org/wiki/Five_Eyes 

 

9 hours ago, Ryan_Vickers said:

As bad as this might be, at least it's just a list of URLs and not like, actual content of the pages (passwords, banking details from a banking page, etc.)

Uhm, man in the middle attack? https://community.norton.com/en/blogs/norton-protection-blog/what-man-middle-attack 

9 hours ago, Delicieuxz said:

So where did the data come from? It was collated from a number of browser plugins, according to Dewes, with the prime offender being “safe surfing” tool Web of Trust. After Dewes and Eckert published their results, the browser plugin modified its privacy policy to say that it does indeed sell data, while making attempts to keep the information anonymous. “We know this is nearly impossible,” said Dewes.

So if the data they've collected is that massive, can they ID a specific chunk of data to a single person? To be honest, this doesn't surprise me at all. 

 

But I still think the notion, "if you've got nothing to hide then you're safe" argument is ludicrous 

 

[woowee]

 

 

https://archive.fo/YSpfs

The bay area moral majority is locking the internet down, you won't have an account, and that won't save you.

[vanished]

42 minutes ago, hey_yo_ said:

But I still think the notion, "if you've got nothing to hide then you're safe" argument is ludicrous 

 

yes, everyone who disagrees, watch this

[LAwLz]

6 hours ago, Ryan_Vickers said:

yes, everyone who disagrees, watch this

The sad thing is that people have bought into all the FUD the governments and media are spreading.

I've seen several people on this site, as well as many other, say that in order to fight terrorism we need to give up our privacy.

 

 

6 hours ago, hey_yo_ said:

Uhm, man in the middle attack? https://community.norton.com/en/blogs/norton-protection-blog/what-man-middle-attack

 

Can't do a MITM attack using this technique.

The methods they used logs data as you visit a website. In order to man-in-the-middle someone you need to block the data, which is not what is happening.

 

By the way, as someone already pointed out, a VPN will not protect you from a lot of the methods used to track you. It will protect against some, but certainly not all.

[Trik'Stari]

8 hours ago, hey_yo_ said:

But I still think the notion, "if you've got nothing to hide then you're safe" argument isludicrous 

It is fucking ridiculous because: If I've got nothing to hide, you've got no reason to look.

[dfsdfgfkjsefoiqzemnd]

10 hours ago, hey_yo_ said:

I still think the notion, "if you've got nothing to hide then you're safe" argument is ludicrous

Greenwald tackles it pretty good in his Ted Talk.  1:29 to 5:40 (the perfect argument against "nothing to hide" starts at 4:50), but all of the video is worth watching.

 

[Bananasplit_00]

Really not surprised in the slightest. Ofc this is happening. Will anything change because it's made public? Most likely not. Everyone seems to be shitting their pants and wanting the government to spy on you because "it will solve terrorism" instead 

[Delicieuxz]

"If you have nothing to hide, you have nothing to fear" - Joseph Goebbels, Nazi minister of Public Enlightenment and Propaganda

 

I guess those criminal Jew sympathizers in Germany during WW2 would've had nothing to fear if they had just went along with the Nazi persecution of Jews. Is there really anyone who doesn't see that reasoning as being fundamentally fucked-up?

 

The people who adopt that line have determined within themselves a narrowly defined and ideological worldview, which they dogmatically believe is the correct one, and are prejudice towards anything else. They're the people that everybody else has to be on guard against, and are their own counter-argument.

 

And another thing is, when a person submits to the idea that 'if they have nothing to hide then they have nothing to fear,' part of that belief is acknowledgement that up to the judgment of others to decide whether that person truly does have nothing to fear. When a person concedes judgment of theirself to others, which is the basis for "If you have nothing to hide, you have nothing to fear", then it's no longer up that person to decide either whether they have something to hide, or something to fear. It's just not their call, anymore, and it's up to other people to decide those things. So, the "If you have nothing to hide, you have nothing to fear" statement is fundamentally stupid, and meant to peer pressure less self-confident people into being slave to others' judgment over them. It's basically tricking a person into selling themselves (for free).

 

All the freedoms and rights people in Western societies have today were achieved by people who 'had things to hide' from the political powers of their time. There is no societal progression apart from people challenging the status quo, which doesn't happen when the status quo is let to preemptively review all its potential challengers.

 

And many of the people in government in the USA, the UK, in Canada, and elsewhere, are psychopaths, who have twisted ideological understanding and views on what's right, and little regard for what's actually right. And the phrase "If you have nothing to hide, you have nothing to fear" essentially makes those people judge, jury, and executioner.