Slashdot Mirror


Reconstructing Users' Web Histories From Personalized Search Results

An anonymous reader sends along this excerpt from MIT's Technology Review: "Personalization is a key part of Internet search, providing more relevant results and gaining loyal customers in the process. But new research highlights the privacy risks that this kind of personalization can bring. A team of European researchers, working with a researcher from the University of California, Irvine, found that they were able to hijack Google's personalized search suggestions to reconstruct users' Web search histories (PDF). Google has plugged most of the holes identified in the research, but the researchers say that other personalized services are likely to have similar vulnerabilities."

44 comments

  1. Reconstructing? by General+Wesc · · Score: 5, Informative

    The attack described on the first page of TFA didn't involve any 'reconstruction'. They were able to access the web histories by stealing cookies and using them to access the web histories Google provides. In the second page they talk about using the cookies to view a user's Google Suggest results.

    Still, this is relatively unsurprising. If you snoop on my non-https transmissions, yeah, you can get a lot of information that I consider private. It would be nice if everything were https (the EFF has been pushing for all GWS to use https for a while now), but it's not news to me that it's not. The most novel thing here is that because they could access/reconstruct web history by getting my cookies, they didn't need to be watching me when I did my searches--getting my cookie now is as good as sniffing my packets when I was doing criminal activity yesterday.

    1. Re:Reconstructing? by maxume · · Score: 1, Insightful

      Cookie white-listing seems saner and saner.

      --
      Nerd rage is the funniest rage.
    2. Re:Reconstructing? by wdavies · · Score: 2, Informative

      +1 mod this to 5 and then re-edit the article & title please. This is not the same as the work identifying people from their movie ratings for example.

    3. Re:Reconstructing? by Simon80 · · Score: 2, Informative

      If you had read the paper you would see that Google asks for a reauth when an attempt is made to access the web history, so instead they choose the most frequent prefixes that are used in searches, and use them to ask google for search suggestions. Reconstruct is a perfectly suitable word to describe this process.

    4. Re:Reconstructing? by carp3_noct3m · · Score: 0

      Totally agreed. One of the first things I do when I do a new install (for me personally) is to make sure in FF that either I have cookies turned off or to have FF ask me every time. It's just like NoScript, where yes, it can get annoying for a while, but then once your whitelist is fairly complete it is very worth it. Or you can just always start FF in a private browsing session too.

      --
      "It's ok, I'm completely secure as long as my iron is off"
    5. Re:Reconstructing? by wdavies · · Score: 1

      The title of the original paper is: Private Information Disclosure from Web Searches.

      They found a security vulnerability, and retrieved the information using probable prefixes. The reason I dislike the title is because it sounds a lot like the SIGIR 06 paper

      http://video.google.com/videoplay?docid=6474169875352273382#

      where they actually did reconstruction using publicly available information combined with collaborative-filtering-like technology against anonymized data.

      This article isn't a bad one, and interesting, but its title is misleading. It's a security hole, not a fundamentally powerful data-mining technique.

      W

    6. Re:Reconstructing? by General+Wesc · · Score: 1

      You want me to read the summary, the article, and the paper? I already went way beyond my duties as a Slashdot commenter. :-)

    7. Re:Reconstructing? by Simetrical · · Score: 1

      Cookie white-listing seems saner and saner.

      Um, do you understand the attack at all? The attackers intercepted your cookies from Google, using a standard man-in-the-middle attack, and used them to access your account. Cookie whitelisting is useless here: the only cookies are legitimate ones from Google, and if you deny those, you can't log in (as with any cookie-based authentication).

      --
      MediaWiki developer, Total War Center sysadmin
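
Added example, not part of the thread or the paper: a check a site operator can run over its own `Set-Cookie` headers to list the cookies a browser would attach to a plain-HTTP request, which is the exposure to network interception that the comment above describes. Host names, cookie names and values are constructed sample data; path matching is left out on the assumption that every cookie uses `Path=/`.

```python
# Added example: which cookies ride along on an unencrypted http:// request?
# All hosts, cookie names and values here are constructed, not real.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as Secure map to ""
    return name.strip(), value.strip(), attrs


def domain_matches(request_host, cookie_domain):
    """Domain-match as in RFC 6265: same host, or a subdomain of cookie_domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent_in_clear(origin_host, set_cookie_headers, request_host):
    """Names of cookies set by origin_host that a browser would attach to
    http://request_host/ and that a network observer could therefore read."""
    exposed = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if "secure" in attrs:
            continue  # Secure cookies are withheld from http:// requests
        # HttpOnly is deliberately ignored: it hides the cookie from page
        # scripts, not from the network.
        if "domain" in attrs:
            in_scope = domain_matches(request_host, attrs["domain"])
        else:
            # No Domain attribute: host-only cookie, returned to the setter only.
            in_scope = request_host.lower() == origin_host.lower()
        if in_scope:
            exposed.append(name)
    return exposed


# Constructed headers, as if returned by accounts.search.example after login.
SAMPLE_HEADERS = [
    "SESSION=constructed-session-token; Domain=.search.example; Path=/; HttpOnly",
    "PREFS=lang-en; Domain=.search.example; Path=/",
    "AUTH=constructed-auth-token; Path=/; Secure; HttpOnly",
    "HISTORY=constructed-history-token; Domain=accounts.search.example; Path=/; Secure",
    "LOCAL=1; Path=/",
]

if __name__ == "__main__":
    for host in ("www.search.example", "accounts.search.example"):
        names = cookies_sent_in_clear("accounts.search.example", SAMPLE_HEADERS, host)
        print(f"http://{host}/ would carry: {names}")
```

Any cookie this reports for a host that identifies a logged-in session should be marked `Secure`, with the host itself served only over HTTPS.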
    8. Re:Reconstructing? by maxume · · Score: 1

      Yes, exactly. If you are rejecting the cookies, you aren't logged in, and your search history is tracked less. I don't consider the personalization a feature, so I prefer not to be logged in.

      (I do this in a somewhat hilarious fashion, I log into Google to use gmail, and then I delete the cookies for google.com (but not for mail.google.com). Paranoia, I am doing it wrong.)

      --
      Nerd rage is the funniest rage.
  2. Bullshit by Jah-Wren+Ryel · · Score: 1, Insightful

    "Personalization is a key part of Internet search

    No thank you. All I need is for my searches to be even more limited by what somebody else thinks.
    Keep the spam to a minimum and leave this 'personalization' waste-of-time out of it.

    --
    When information is power, privacy is freedom.
  3. Obvious EU centrism by Beretta+Vexe · · Score: 4, Funny

    >>A team of European researchers, working with a researcher from the University of California, Irvine,

    Dear /.

    Europe isn't a country. The Inria isn't a European research institution, it's only a French institution.

    Best regards

    1. Re:Obvious EU centrism by icebraining · · Score: 1

      And French people aren't European as well?

      Besides, if you had RTFA, you'd see that two are French, but there's also Emiliano De Cristofaro, an Italian from the UCI (University of Palermo), Italy. So describing them as French would be wrong.

    2. Re:Obvious EU centrism by Beretta+Vexe · · Score: 1

      >>And French people aren't European as well?

      Who said they are French? You don't need to be French or European to work in the INRIA.

      If I follow your logic, mentioning the University of Irvine is unnecessary since all researchers are European.
      If the article refers to the research facility they work for, it's wrong too because the INRIA isn't European.

    3. Re:Obvious EU centrism by DNS-and-BIND · · Score: 1

      Well, for a place that's not a country, the EU sure behaves like one. Got a flag, currency, legitimately elected leaders, the whole deal. Taking pride in one's nation is bad. You'd think a European would know that the graveyards in Europe are filled with firm believers in nationalism.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    4. Re:Obvious EU centrism by Jah-Wren+Ryel · · Score: 2, Funny

      >>A team of European researchers, working with a researcher from the University of California, Irvine,

      Europe isn't a country. The Inria isn't a European research institution, it's only a French institution.

      I can't tell if you are trolling or if you really did fail basic set theory.

      --
      When information is power, privacy is freedom.
    5. Re:Obvious EU centrism by slashdotmsiriv · · Score: 1

      What are you talking about? INRIA is in France, and France is in the EU. Even more, INRIA is largely funded by the EU.

    6. Re:Obvious EU centrism by Beretta+Vexe · · Score: 2, Insightful

      I can't tell if you are trolling or if you really did fail basic set theory.

      I'm just trolling, it's just funny that the only research institution name in the topic is the University of California, when the only researcher from this university started this study in the INRIA (where he worked before moving to Irvine).

      It's a minor case of US monopolization ;-)

    7. Re:Obvious EU centrism by maxwell+demon · · Score: 1

      The UN also has a flag and leaders, and you wouldn't call it a country.
      The EU doesn't even have an official hymn (although Beethoven's "Ode an die Freude" is played wherever a hymn would be, making it an unofficial hymn).
      The Euro is not currently a currency of all EU members (especially the UK has the option to keep out even if they meet the conditions for entry; others are not yet in just because they don't meet the conditions).
      There's also not really an EU government. Most EU institutions are just people sent by the member countries. The Lisbon treaty made it a bit closer to a country, but it still isn't.
      There's no European army. The EU cannot even collect its own taxes. Also, the EU doesn't exactly make laws, it makes directives which have to be translated into national laws. There's usually some freedom in how this is done, so even for EU regulations, the laws of the member countries can differ.

      The EU clearly is more than the typical federation of countries, but it as clearly is not a country of its own.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    8. Re:Obvious EU centrism by Anonymous Coward · · Score: 0

      See, it is not a country like the USA, the EU is just a group of states that work united!

    9. Re:Obvious EU centrism by myowntrueself · · Score: 1

      It's a minor case of US monopolization ;-)

      A bit like how many US news outlets would *insist* on referring to the ISS as "The NASA Space Station Project".

      If the Yanks could build a space station in a higher orbit (they can't cos the shuttle can't go very high) they'd piss on the ISS, I am sure.

      --
      In the free world the media isn't government run; the government is media run.
    10. Re:Obvious EU centrism by freedumb2000 · · Score: 1

      News just in: World citizens did something!

    11. Re:Obvious EU centrism by Anonymous Coward · · Score: 0

      It sounds like a case of French nationalism.

      If that's the case, well, wait until he finds out they wrote the paper in English, that'll really send him through the roof!

  4. Trackmenot by MrMr · · Score: 1, Informative
    1. Re:Trackmenot by maxume · · Score: 3, Insightful

      It still has the flaw that you have to trust them not to make it appear that you are doing things you would never want associated with you.

      Of course, trust is largely a social problem, so it isn't surprising that throwing technology at it doesn't help much.

      --
      Nerd rage is the funniest rage.
  5. DO NOT WANT by iYk6 · · Score: 3, Insightful

    I was going to come here to post DO NOT WANT! But you beat me to it. So instead, I will post a message saying that I was going to post a message saying DO NOT WANT! Done.

    Personalized search is a terrible idea, and can only lead to bad results if it doesn't work, or insulation from variety if it does work. I can't believe anybody would want it.

    I assume I am safe with cookies and/or javascript turned off. Without javascript, Google never knows what I clicked on.

    1. Re:DO NOT WANT by clang_jangle · · Score: 1

      I assume I am safe with cookies and/or javascript turned off. Without javascript, Google never knows what I clicked on.

      Google analytics is everywhere. The good news is it's trivial to block it using privoxy. Then you can use any browser you want.

      --
      Caveat Utilitor
    2. Re:DO NOT WANT by Anonymous Coward · · Score: 0

      Without javascript, Google never knows what I clicked on.

      This is NOT TRUE. Google knows every search result you clicked on.

      When you click on a Google search result the click is passed through Google before it returns the site ("click tracking"). If you want to keep your clicks private from Google you need to rewrite the URL so it goes straight to the site instead of passing through Google. I use an add-on called Google Optimizer to block click-tracking; there may be other tools.

    3. Re:DO NOT WANT by maxwell+demon · · Score: 2, Informative

      In my experience that's normally only true for the "extra" links it provides (i.e. if directly below the main link, there's links to specific subjects on that site). For example, if you search for Wikipedia, the first hit is the Wikipedia main page, which is a direct link, and below there are links to specific subject areas, which are Google redirection links.

      BTW, it shouldn't be too hard to turn them into real links through a Greasemonkey script.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:DO NOT WANT by Anonymous Coward · · Score: 0

      Yeah, personalized search sucks, all I want is all the results that match my keywords, all millions of them. No, wait, I want only the relevant results, but not the results that you think relevant, only the ones that I think relevant, but don't personalize my search, just do what I want, without knowing what I want. Thanks

    5. Re:DO NOT WANT by General+Wesc · · Score: 1

      ...or insulation from variety if it does work. I can't believe anybody would want it.

      If my goal was variety, I'd be using Stumble Upon. I use GWS to find what I'm looking for. This is typically something very specific. There are also domains I'm focused on a whole lot more than the aggregate person, and those I'm much less interested in. When I search for a song title or a line from a song, I never, never, never want a link to a video site that 1. isn't YouTube or 2. doesn't use Flash. Translation: I want personalization. When I searched for Plymouth the other day, I didn't want the freaking car. I wanted the boot loader. What did I end up having to do? Manually searching for 'Plymouth Linux'. Why SHOULDN'T I want those results ranked higher for me than they would be for an auto mechanic, someone living in Plymouth, Mass, or someone who attends Plymouth State University? I want my results personalized for where I live and what I'm interested in. I work in a school in Texas, so when I search for TEA, I want the Texas Education Agency, not the drink or the nutcases. Google should know this, and personalize the results to reflect it.

      If I want something outside my usual scope, I can specify that--very occasionally I do intentionally go for non-personalized results because the 'insulation from variety' prevents me from finding what I want, but if customization means I get less 'variety' when I'm not looking for 'variety', and instead gets me what I'm looking for (not what the aggregate person is most frequently looking for), how is that a bad thing? It's silly to assume the same defaults make sense for everyone. I'm pretty sure that you benefit from the fact that Google personalizes the results to mostly return pages written in English. Taking it further can be a disaster, but it can also be incredibly beneficial.

  6. Pointless by Quiet_Desperation · · Score: 1

    [1] What's the point of past searches when most of the time I do a search it's to find out something new?

    [2] It never works.

    Netflix has years of my rental history and algorithms devoted specifically to movies, have held contests to develop a better algorithm and yet their recommendation system is full of fail. It's always notifying me about films you'd have to tie me down to watch, forcing my eyelids open like Malcolm McDowell in that scene from Clockwork Orange.

    Amazon is the same way, although they are maybe a couple molecules better. However, a lot of their recommendations are later books in series where I have bought the earlier ones.

    "If you enjoyed book 1 and 2, you might enjoy book 3 and 4!"

    Ummm, thanks?

    1. Re:Pointless by bipbop · · Score: 1

      Occasionally this is helpful for me. "Oh, there's a new book by such-and-such? Didn't know."

    2. Re:Pointless by Quiet_Desperation · · Score: 1

      Yeah, that's the few extra molecules I mentioned, but I tend to track authors I like anyway. I get more use looking at *other* people's lists that happen to have something I read on them.

  7. Nicely played by ksandom · · Score: 5, Informative

    Foreword: We would really like to acknowledge Google’s positive attitude toward our report and results. Google has been very responsive to our findings and is taking actions to fix them. We are very pleased about it.

    I think it's great when the people discovering the problem, and the people being alerted about the problem behave so well to each other. (They sent the paper to Google a month before releasing the final thing.)

    --
    Funnyhacks - Wierd, unusual, and fun hacks
    1. Re:Nicely played by shoehornjob · · Score: 2, Insightful

      I think it's great when the people discovering the problem, and the people being alerted about the problem behave so well to each other. (They sent the paper to Google a month before releasing the final thing.)

      That only works for Google. You know damn well if they sent that data to Microsoft they would have denied it for several months only to fix it when an exploit was released in the wild. That's how the Redmond spin works.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    2. Re:Nicely played by ksandom · · Score: 1

      That only works for Google. You know damn well if they sent that data to Microsoft they would have denied it for several months only to fix it when an exploit was released in the wild. That's how the Redmond spin works.

      Not to mention legal gun fire as well. But there are positive examples out there like this, and I think it's really good to encourage this.

      --
      Funnyhacks - Wierd, unusual, and fun hacks
  8. Actually - yes by Snaller · · Score: 2, Interesting

    You do want it - what you don't want - or what you fear is that someone else will abuse the knowledge (which I think is legitimate).

    But personalized means better results for YOU - not worse.

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
    1. Re:Actually - yes by Jah-Wren+Ryel · · Score: 1

      But personalized means better results for YOU - not worse.

      No it doesn't. It means results that better conform to what someone else thinks I want and has overly simplified into a set of basic heuristics.

      If it really meant better results for me, that would require an actual ME to make the evaluation of each potential result.

      --
      When information is power, privacy is freedom.
    2. Re:Actually - yes by Anonymous Coward · · Score: 0

      All web search is based on a set of heuristics trying to guess what you want. Personalized search simply means that the heuristics are more adaptive. If you want completely unfiltered search results you must have a lot of free time to go through millions of results for every query.

    3. Re:Actually - yes by Jah-Wren+Ryel · · Score: 1

      All web search is based on a set of heuristics trying to guess what you want. Personalized search simply means that the heuristics are more adaptive.

      What you call 'adaptive' I call insular and misdirected. The presumption that what someone searched for yesterday, or even half an hour ago should narrow their search results for a new search is just about universally false for anyone more inquisitive than an airhead. And if what I searched for 1 minute ago ought to affect the results of the next search I type - I'll add the necessary keywords to the new search myself.

      --
      When information is power, privacy is freedom.
  9. I'm cool with having a web history by OrwellianLurker · · Score: 1

    I just want to have access to it and control over it. If I want to stop using Google's services, I should be able to delete my web history and they should be able to remove all of it in a reasonable time frame. My problem is that the Feds are almost certainly able to access Google's information on us, and so are other entities that Google might share their data with. If I knew that only Google would get my information, that I could control it, and that it would only be used to target advertisements to me, I would be content.

    --
    'Political power grows out of the barrel of a gun.' - Mao Tse-tung
    1. Re:I'm cool with having a web history by Anonymous Coward · · Score: 0

      I would like to be compensated for the information about me and my family google sells to others. I block as much of their crap as I can, but I can't block everything (friends with gmail accounts I send to, websites filled with google features).

      I can't opt out, can I? Then pay me or leave me alone.

    2. Re:I'm cool with having a web history by OrwellianLurker · · Score: 1

      I agree that your data being used for any purpose should be opt-in, and its sale or transfer to a third party should also be opt-in. I don't really see how you can complain that they use your data for targeted advertising when you use their services. If you are on sites using their services, you are indirectly using their services.

      --
      'Political power grows out of the barrel of a gun.' - Mao Tse-tung
  10. NOT University of California by Anonymous Coward · · Score: 0

    Two researchers out of three are NOT from the University of California, but from INRIA, a French public founded computer research organization.