At last week’s DEFCON hacking conference in Las Vegas, German Researchers Svea Eckert and Andreas Dewes revealed the results of their research, to the chagrin of those in the general public who pay attention to such things. The researchers obtained massive amounts of data including very detailed information about where three million Germans like to go on the internet. The data is supposed to be anonymous, but it can easily be tracked right to your device – yes, even if you’re using the ‘stealth’ mode on your browser. BBC reports:
The data analysed by the pair connected a list of sites and links visited to a customer identifier. However, he said, by drawing on public information that people share about their browsing habits, it became possible to connect that entry on a list to an individual.
“With only a few domains you can quickly drill down into the data to just a few users,” he said.
The public information included links people shared via Twitter, YouTube videos they reported watching, news articles they passed on via social media or when they posted online photos of items they bought or places they visited.
In many cases, he said, it was even easier to de-anonymise because the clickstreams contained links to people’s personal social media admin pages which directly revealed their identity.
As part of their research, Eckert and Dewes say they uncovered the porn browsing habits of a judge, exposed a cyber crime investigation, and discovered a particular politician’s drugs of choice.
Why is this data even being collected? Two words – targeted advertising. A website’s primary goal is to get you to visit, stay, and buy the product or sign up for the mailing list. To that end, developers install trackers on their site to see who you are, where you’re from, what browser you’re using, what your IP address is, and even the size of your monitor screen. Your privacy doesn’t matter – only how many hits the site gets and whether you’re buying what the site is selling.
The targeted advertising is meant to direct your travels around the web and ensure that you end up where they want you. Just like everything about a grocery store is set up to maximize your spending, everything about a website – from where and when the popups happen to how your eyes travel down the page – is geared to funnel you to an action that benefits the company or group behind the site. That’s why for sites running ads, the top center banner position is considered prime real estate; ad-free website owners want you to stay there and sign up for something – and their sites are geared to get you to do it.
The problem is that any data collected is also – as the research at DEFCON showed – fair game for anyone with a bit of talent and know-how. It doesn’t matter what that information contains. Think of every strange symptom you’ve ever looked up or anything you’ve ever looked at on the internet that you wouldn’t want everyone to know. Websites don’t care what they collect about you – they just want more – and all that information is used against you to manipulate your decisions and get you to take the actions they want you to take.
It’s not supposed to be that simple to ‘out’ people based on their data.
Before the data is used to customise the range of adverts which people see, any information that could be used to identify exactly who generated the clicks is supposed to be removed.
However, said Mr Dewes, it was “trivial” – meaning easy – to tie the information directly to people and reveal exactly where they went online, the terms they searched for and the things they bought.
Still not convinced? Think your browser can’t identify you? Check out Electronic Frontier Foundation’s Panopticlick. If that’s not creepy enough, take a look at another list of disturbing ways your data is being collected in the physical, offline world. Privacy matters – but it’ll never matter to the websites you visit. Take matters into your own hands. Quit letting the sites you visit track your every move.