Your Browsing History Is for Sale: What to Do


LAS VEGAS — Are you an online privacy fanatic? Do you block browser tracking cookies? Do you use Duck Duck Go for anonymous web searches?

Credit: Pathdoc/Shutterstock


It doesn't matter. Your internet service provider (ISP) or your browser extensions can collect and sell your web-browsing history even if you take the above precautions. And anyone who obtains that information, whether the data is anonymized or not, will likely be able to figure out your real name and see exactly what you do online.

Those were the findings of German television journalist Svea Eckert and data scientist Andreas Dewes, who spoke at the DEF CON 25 hacker conference here last Friday (July 28).

Given a month's worth of browsing history from 3 million supposedly protected German citizens, the researchers identified individuals by correlating the anonymized data with public information scraped from social-media postings.

They found a German politician who searched for an herbal supplement to stimulate an aging brain; a police detective who mixed personal and business activities on his work computer; and a judge who visited many porn sites at the same time he shopped for a baby stroller.

The only ways to keep your web browsing history truly private, Eckert and Dewes told DEF CON, are to either run the Tor anonymizing protocol through multiple exit nodes, or to use a virtual-private-network (VPN) service that rotates proxy servers.

If that sounds inconvenient, it is. But now that the U.S. Senate has revoked privacy-protection rules for ISPs, every American's browsing history — and, by inference, identity — is up for sale to the highest bidder.


Stopping the collection

German ISPs are barred by strict privacy laws from collecting such personal data without permission. But what about American users, whose ISPs have no such constraints? Eckert and Dewes said that one solution would be to constantly run Tor, the freely available but sometimes difficult-to-use web-anonymization protocol.

Another would be to use a VPN service — but Dewes warned to do some research before signing up with one, because some VPN services also collect and sell user data.

In either case, your ISP wouldn't be able to see where you were going online. But you would have to make sure that the "exit" IP addresses — the exit nodes in Tor, or the proxy servers in the VPN — would be regularly changing so that the exit IP address did not become associated with a particular user.

Getting the data

Eckert and Dewes did their research for a feature called "Naked on the Net" that aired on the German television news magazine Panorama in November 2016. They knew that hundreds of companies buy and sell web-browsing data collected by websites and search engines.

Huge amounts of this data can be bought openly as long as data that would identify individual users, such as a computer or smartphone's Internet Protocol (IP) address, is stripped out.

To obtain that data, Eckert and fellow reporters created a fake online-marketing firm, complete with a slick website full of corporate buzzwords and staffers with fake LinkedIn profiles.

Posing as representatives of the firm, they approached about 150 online-data brokers with an offer to buy browsing data. However, they were told many times that because of strict German privacy laws, such data might be difficult to obtain.

"They said U.S. or U.K. data would be no trouble, but that Germany was hard," Eckert said.

Finally, one company said it had browsing data from German residents. It offered Eckert and Dewes one month's sample for free, but didn't tell them where it came from. The data set consisted of 3 billion visits to 9 million websites by 3 million Germans.

Crunching the numbers

Each user was identified only by a number, with no corresponding IP address. But Eckert and Dewes knew that with so much data, anonymization was impossible. They used a method developed in 2008 by data scientists at the University of Texas, who had crunched user data provided by Netflix to positively identify thousands of supposedly anonymous users.

The technique is simple. Each user's entire browsing history for a month was in the anonymized data set. The researchers built up a second data set corresponding to the same month by "scraping" publicly posted data from Twitter, Facebook, YouTube, Google Maps and other online services.

Every time someone linked to, commented on or recommended a website, it went into the second data set. Finally, a computer algorithm looked for matches between the two data sets.

Statistically, millions of people may click on a single specific website in a given month. But a smaller number of people are going to click on two of the same websites in a month.

Make that three, then four, then five matching websites, and so on, and the numbers get whittled down to fewer and fewer people until only one person is left. If those matches come from social-media sources, as they did in this case, then the anonymous user suddenly has a name.

It was pretty easy to have a computer program sift through the data and come up with many exact matches, Eckert and Dewes said. In some cases, it took only one match.

Dewes found that only a logged-in Twitter user could access his or her own account-analytics page, which has a unique URL. The same was true of the German business-networking service Xing, which mandates the use of real names. So if either URL appeared in an anonymized user's history, the researchers could be pretty certain he or she was the account owner.
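Whoever holds a "pseudonymized" browsing log can measure this narrowing-down before releasing it. The sketch below is an added example, not code from the researchers or the original article; the user IDs, domains and function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample: pseudonymous ID -> domains visited during one month.
BROWSING = {
    "u1001": {"news.example", "cars.example", "garden.example", "chess.example"},
    "u1002": {"news.example", "cars.example", "recipes.example"},
    "u1003": {"news.example", "garden.example", "recipes.example"},
    "u1004": {"news.example", "cars.example", "garden.example", "knitting.example"},
    "u1005": {"news.example", "chess.example"},
}

# Constructed sample: domains one named person linked to in public posts.
PUBLIC_LINKS = ["news.example", "cars.example", "garden.example", "chess.example"]


def matching_users(histories, sites):
    """IDs whose history contains every site in `sites`."""
    wanted = set(sites)
    return {uid for uid, visited in histories.items() if wanted <= visited}


def shrink_trace(histories, public_links):
    """Anonymity-set size after each additional public link is considered."""
    return [(link, len(matching_users(histories, public_links[:i + 1])))
            for i, link in enumerate(public_links)]


def min_sites_to_single_out(histories, uid):
    """Smallest number of this user's sites that no other user shares in full."""
    sites = sorted(histories[uid])
    for k in range(1, len(sites) + 1):
        for combo in combinations(sites, k):
            if matching_users(histories, combo) == {uid}:
                return k
    return None  # history is a subset of another user's, so it is never unique


def risk_report(histories):
    """Per-user count of sites needed to single that user out (None = not unique)."""
    return {uid: min_sites_to_single_out(histories, uid) for uid in histories}


if __name__ == "__main__":
    for link, left in shrink_trace(BROWSING, PUBLIC_LINKS):
        print(f"{link:16} -> {left} candidate(s) left")
    print(risk_report(BROWSING))
```

A user with a value of 1 in the report is identifiable from a single rarely visited site, which is the "only one match" case described above. The exhaustive subset search is meant for auditing a small sample, not a full data set.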


Unmasking the users

Using these methods, the researchers found that Valerie Wilms, a member of the German federal parliament, had searched for Tebonin, an herbal supplement meant to increase blood flow to aging brains.

"You can see everything — sh*t!" Wilms exclaimed when Eckert showed the politician her browsing history on camera. "This is actually bad to see something like this — particularly if it is connected with my own name."

Wilms had tried to protect her privacy by using the Duck Duck Go search engine, which unlike Google or Bing does not log user search data. But the Duck Duck Go search string for Tebonin was right there in her anonymized user data.

The researchers identified a police detective who searched for a used car at the same time he was writing an email to send to a foreign ISP regarding a cybercrime investigation. The email itself didn't show up in the data, but the detective used Google Translate to translate his draft from German into English.

It turns out that Google Translate puts the text being translated right into the URL (try it yourself). The detective had copied and pasted the entire draft email, including his own name, email address and phone number, into Google Translate.
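A URL that carries user-typed text is personal data wherever it is logged. As an added example (not from the original article), the sketch below shows how a team that stores or shares browsing records could flag URLs containing an email address or phone number and keep only the scheme and host. The hosts, the `text` parameter and the two patterns are constructed assumptions, not Google Translate's actual URL format.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Deliberately simple patterns; a real deployment would tune these.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE = re.compile(r"\+?\d[\d\s()/-]{7,}\d")

# Constructed history records; the hosts and the "text" parameter are made up.
HISTORY = [
    "https://translate.example/?sl=de&tl=en&text=Bitte%20antworten%20Sie%20an%20"
    "k.mustermann%40polizei.example%20oder%20%2B49%2030%205550123",
    "https://cars.example/search?make=vw&year=2012",
]


def personal_data_in_url(url):
    """Kinds of personal data found in the decoded path, query and fragment."""
    parts = urlsplit(url)
    text = unquote_plus(" ".join((parts.path, parts.query, parts.fragment)))
    found = []
    if EMAIL.search(text):
        found.append("email")
    if PHONE.search(text):
        found.append("phone")
    return found


def minimise(url):
    """Keep only scheme and host; drop path, query string and fragment."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}/"


def scrub(history):
    """Return (minimised URL, findings) for each record before it is stored."""
    return [(minimise(u), personal_data_in_url(u)) for u in history]


if __name__ == "__main__":
    for kept, findings in scrub(HISTORY):
        print(kept, findings or "no personal data detected")
```

Dropping everything after the host removes the pasted text, but the list of hosts visited remains identifying in the way the article describes.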

Worst of all was the case of a judge who visited some raunchy porn sites.

"He has really specific tastes," Eckert dryly commented as the judge's browsing history appeared on the DEF CON projection screens.

The same man also looked for baby strollers and holiday spots to which a couple with a young child could travel.

"He's not doing anything criminal at all. He's just a normal guy," Eckert said. "But you see how sensitive this could be, and how he could be blackmailed, especially in his position."

Who collected the data

You might imagine that using a browser's "private" or "incognito" mode, or a tracker blocker, might stop such collection of browsing history. But a private mode only stops the browser itself from collecting the history; it doesn't stop the ISP from collecting it.

Likewise, a tracker blocker only stops websites from logging that you've visited them, and doesn't stop your ISP from seeing that you've visited them.

However, Eckert and Dewes were pretty certain that the data they'd bought hadn't originally come from German ISPs.

In Germany, personal data such as names, addresses, IP addresses and email addresses cannot be collected by private companies without the explicit agreement of the persons concerned. (The rules killed by the U.S. Senate in April would have made American ISPs do the same.)

So where had such detailed information, which seemed to evade tracker blockers and anonymous search engines, come from? With the help of a security researcher, Eckert and Dewes found that a browser extension called Web of Trust had been collecting and selling the data.

Ironically, Web of Trust is meant to vet websites for "reputation and safety information" and protect users with "secure browsing while shopping and surfing," according to its page in the Chrome Web Store. The people whose browsing history Eckert and Dewes had obtained had installed the Web of Trust extension to guard against the very thing the extension was doing.

Web of Trust had done this entirely legally. Its posted privacy policy said it might collect a user's IP address, device type, operating system and web-browsing history, all of which would be anonymized. But no one read the fine print.

Following the Panorama broadcast in November, Web of Trust was removed from the Mozilla Firefox, Google Chrome and Opera extension stores. The extensions returned a few months later with a new feature — one that let users opt out of having their personal data collected.

"High-dimension user-related information is very hard to anonymize," Eckert said. "The increase in public data on many people makes deanonymization even easier."


Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the data-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/us/browsing-history-sale-defcon25,news-25570.html
