Your 'anonmyized' web browsing history may not be anonymous

[Batu69]

Researchers have written computer programs that found patterns among anonymized data about web traffic and used those patterns to identify individual users. The researchers note web users with active social media are vulnerable to the attack.

 

Raising further questions about privacy on the internet, researchers from Princeton and Stanford universities have released a study showing that a specific person's online behavior can be identified by linking anonymous web browsing histories with social media profiles.

"We show that browsing histories can be linked to social media profiles such as Twitter, Facebook or Reddit accounts," the researchers wrote in a paper scheduled for presentation at the 2017 World Wide Web Conference Perth, Australia, in April.

 

"It is already known that some companies, such as Google and Facebook, track users online and know their identities," said Arvind Narayanan, an assistant professor of computer science at Princeton and one of the authors of the research article. But those companies, which consumers choose to create accounts with, disclose their tracking. The new research shows that anyone with access to browsing histories -- a great number of companies and organizations -- can identify many users by analyzing public information from social media accounts, Narayanan said.

 

"Users may assume they are anonymous when they are browsing a news or a health website, but our work adds to the list of ways in which tracking companies may be able to learn their identities," said Narayanan, an affiliated faculty member at Princeton's Center for Information Technology Policy.

 

Narayanan noted that the Federal Communications Commission recently adopted privacy rules for internet service providers that allow them to store and use consumer information only when it is "not reasonably linkable" to individual users.

 

"Our results suggest that pseudonymous browsing histories fail this test," the researchers wrote.

In the article, the authors note that online advertising companies build browsing histories of users with tracking programs embedded on webpages. Some advertisers attach identities to these profiles, but most promise that the web browsing information is not linked to anyone's identity. The researchers wanted to know if it were possible to de-anonymize web browsing and identify a user even if the web browsing history did not include identities.

 

They decided to limit themselves to publicly available information. Social media profiles, particularly those that include links to outside webpages, offered the strongest possibility. The researchers created an algorithm to compare anonymous web browsing histories with links appearing in people's public social media accounts, called "feeds."

 

"Each person's browsing history is unique and contains tell-tale signs of their identity," said Sharad Goel, an assistant professor at Stanford and an author of the study.

 

The programs were able to find patterns among the different groups of data and use those patterns to identify users. The researchers note that the method is not perfect, and it requires a social media feed that includes a number of links to outside sites. However, they said that "given a history with 30 links originating from Twitter, we can deduce the corresponding Twitter profile more than 50 percent of the time."

 

The researchers had even greater success in an experiment they ran involving 374 volunteers who submitted web browsing information. The researchers were able to identify more than 70 percent of those users by comparing their web browsing data to hundreds of millions of public social media feeds. (The number of original participants in the study was higher, but some users were eliminated because of technical problems in processing their information.)

 

Yves-Alexandre de Montjoye, an assistant professor at Imperial College London, said the research shows how "easy it is to build a full-scale 'de-anonymizationer' that needs nothing more than what's available to anyone who knows how to code."

 

"All the evidence we have seen piling up over the years showing the strong limits of data anonymization, including this study, really emphasizes the need to rethink our approach to privacy and data protection in the age of big data," said de Montjoye, who was not involved in the project.

 

Article source

[steven36]

Your web browsing history contains enough information for third parties to be able to link it to your social media profile (Twitter, Facebook, Reddit), Stanford and Princeton researchers have found.

 

 

Worrying research results

“Our approach is based on a simple observation: each person has a distinctive social network, and thus the set of links appearing in one’s feed is unique. Assuming users visit links in their feed with higher probability than a random user, browsing histories contain tell-tale marks of identity,” they shared.

They tested their approach first on simulated browsing histories containing links originating from Twitter, then in practice with the help of 374 individuals who chose to participate in the research and “donate” their browsing histories.

 

 

The result of that last test? Over 70 percent of the individuals were correctly tied to their Twitter accounts. While not perfect, the result is impressive, and even more so because a correctly identified account is one of over 300+ million opened on Twitter.

Granted, users are not expected to hand over their browsing history to anyone who would like to peruse them, but for this approach to be successful they don’t have to.

“Several online trackers [e.g. Google, Facebook, ComScore, AppNexus] are embedded on sufficiently many websites to carry out this attack with high accuracy,” they noted, despite claims by ad tech companies that online tracking is not a threat to user privacy.

How to protect your privacy?

“Any social media site can be used for such an attack, provided that a list of each user’s subscriptions can be inferred, the content is public, and the user visits sufficiently many links from the site. For example, on Facebook subscriptions can be inferred based on ‘likes,’ and on Reddit based on comments, albeit incompletely and with some error,” the researchers explained.

“Further, it is inherent in the web’s design and users’ behavior, and is not due to specific, fixable vulnerabilities by browsers or websites, unlike previous de-anonymization attacks. It simultaneously confirms the fingerprintability of browsing profiles and the easy availability of auxiliary information. Application-layer de-anonymization has long been considered the Achilles’ heel of Tor and other anonymity systems, and our work provides another reason why that is the case,” they concluded.

 

 

The researchers’ approach is less potent if employed by network adversaries – Internet service providers, open Wi-Fi network sniffers, state actors – because of the increasingly widespread adoption of HTTPS. When basing their testing just on HTTP requests, of the 374 individuals who participated in the research only 31% were tied correctly to their Twitter account.

“We hypothesize that the attack will still work in this scenario but will require a greater number of links per user,” they noted, and added that tools like HTTPS Everywhere can help make the attack harder and more time-consuming to execute.

 

 

Unfortunately, HTTPS is no protection against third-party trackers. To make their task harder users will have to use tracker-blocking tools such as Ghostery, uBlock Origin, or Privacy Badger, and/or give up social media accounts, especially if they are opened under their real name.

 

By Zeljka Zorz

https://www.helpnetsecurity.com/2017/02/07/web-browsing-history-privacy/

 

[Batu69]

Topic has been merged.

[humble3d]

Anonymous Browsing Data Isn't As Anonymous As You Think

When you visit a website -- just about any website -- your visit is logged by third parties in a digital record.

Advertisers use that information to make sure you see ads that are relevant to your interests.

Content providers use it to make sure they're posting videos and articles that you'll want to watch and read.
 

For privacy reasons, the browsing data they collect is anonymized.

Advertisers aren't supposed to be able to target you with ads because they know you're you.

They're supposed to deliver ads that fit the interests of some anonymous person who browsed a specific list of web pages.

According to a new study released by Princeton and Stanford researchers, however, it's really not hard to figure out exactly who you are based on your browsing.

All it takes is as few as 30 links shared publicly on Twitter or Facebook.

If you've done that, then the research team has a 50% chance of being able to tie your anonymous browsing to your social media account.

The odds increase dramatically when they have better data to look at.

They set up a test scenario with 374 volunteers who willingly handed over their browsing histories.

The team was able to identify participants with a 70% success rate.

So while the browsing data you consent to transmit when you visit a website might be anonymous (or at least somewhat anonymous) when it's collected, it doesn't necessarily stay that way forever.

If the Princeton-Stanford team was able to link anonymous histories to social media profiles, there's a good chance that advertisers have figured out how to do it, too... or that they're working on it right now.

 

There are steps you can take to protect your digital privacy, of course. Using a VPN can help, and so can the right privacy-focused apps and services.

 

http://www.forbes.com/sites/leemathews/2017/02/17/anonymous-browsing-data-isnt-as-anonymous-as-you-think/#3f8c9ea747c1

 

[Batu69]

Another topic has been merged.