72% of 'Anonymous' Browsing History Can Be Attached To the Real User (thestack.com)
An anonymous reader quotes a report from The Stack: Researchers at Stanford and Princeton have succeeded in identifying 70% of web users by comparing their web-browsing history to publicly available information on social networks. The study "De-anonymizing Web Browsing Data with Social Networks" [PDF] found that it was possible to reattach identities to 374 sets of apparently anonymous browsing histories simply by following the connections between links shared on Twitter feeds and the likelihood that a user would favor personal recommendations over abstract web browsing. The test subjects were provided with a Chrome extension that extracted their browsing history; the researchers then used Twitter's proprietary URL-shortening protocol to identify t.co links. 81% of the top 15 results of each enquiry run through the de-anonymization program contained the correct re-identified user -- and 72% of the results identified the user in first place. Ultimately the trail only leads as far as a Twitter user ID, and if a user is pseudonymous, further action would need to be taken to affirm their real identity. Using https connections and VPN services can limit exposure to such re-identification attempts, though the first method does not mask the base URL of the site being connected to, and the second does not prevent the tracking cookies and other tracking methods which can provide a continuous browsing history. Additionally UTM codes in URLs offer the possibility of re-identification even where encryption is present. Further reading available via The Atlantic.
As long as my wife can't see my porn browsing history, no worries!
Well, there's your problem. STOP USING SOCIAL NETWORKS.
#DeleteFacebook
Do not use social media
Do not write reviews
Stack up on social media icon blockers and ad blockers
Destroy cookies every time
Do not use Chrome, Google Voice, Google Hangout, etc
Use Linux or better yet BSD
Only post on Slashdot comments (and hope for the best!)
That should bring it down to about 50%!
First, they talk about a user's identity. Later they merely talk about Twitter links and finding the user's Twitter ID. So what is it? Can they identify users or Twitter accounts? If it's the former, that's concerning. But it seems to be more likely that they found a Twitter account user by comparing the browser history to a Twitter account that had been sharing those links. The latter doesn't seem as impressive now does it?
Wouldn't this part of the problem be solved simply by using the privacy mode of the browser? If not, use a Linux Live distribution, which typically have no persistent storage (although some of them have an overlay filesystem that can be enabled especially for this purpose). This can be combined with anonymizing software like Tor for enough protection against everybody else but government-backed attackers.
Deja vu: In the 80s we had a 70ish actor as POTUS, a woman PM in the UK, and a bald leader of that other nuke superpower
People's Twitter profiles have been found out when following Twitter.
"they were able to correctly pick out the volunteers’ Twitter profiles" with the reason "People’s basic tendency to follow links they come across on Twitter"
The remaining 28% that they didn't correctly pick out probably didn't use Twitter and had nothing but cat videos.
...then they can identify you 72% of the time, otherwise the trail is cold. Brilliant!
Twinstiq, game news
Can they tell which bathroom you're more likely to use from your social media trail?
Don't use permanent social media accounts, keep in touch with friends and family directly.
Use throw away social media accounts, don't reveal personal info, propagate with false info. I don't mean you have to pretend to be someone else. It can be as simple as declaring love/hate for things you don't care about etc...
Rotate search engines (or avoid Google etc...). Try Startpage or DuckDuckGo maybe. Try the FF Addon TrackMeNot for laughs.
Use DNSCrypt, change server regularly.
Browsing modifications: Whitelist javascript, force HTTPS, Adblocking, auto delete cookies, change browser agent regularly, local emulation of CDN's, remove obfuscated links... (For the lazy, FF Addons: NoScript, HTTPS Everywhere, Ublock Origin, Self-Destructing Cookies, Random Agent Spoofer, Decentraleyes,
That's for starters. On FF, learn relevant privacy settings in about:config (also see 'Privacy Settings' addon). Read about DNS leaking. Check out https://ipleak.net Read about Canvas Fingerprinting. Check out https://panopticlick.eff.org/ I don't suggest a VPN, but not going to get into that here.
Anyway, a lot of this is for naught if you use an idiotphone and don't mirror a similar setup there. If on Android, check out Adaway, XPrivacy, and Netguard. Root your phone and rip out bullshit you will never ever use, or serve no purpose other than data collection.
That's almost exactly what they did. First, they need your browser history. And your Twitter / Facebook profile needs to be wide open publicly. And you have to use Twitter regularly.
If they had been smarter, they would have just looked at which Facebook and Twitter profiles you visited most often, and from there inferred those are probably your closest friends. A list of your closest friends fairly well identifies your profile. They decided to make it a tad more complex, though.
Rather than looking at the friends list, they looked at links appearing in the person's feed. They reasoned that if the subject's browsing history shows them clicking on 50 links from a Twitter feed, it's probably an account that has those 50 links in their feed.
If you voluntarily use any of these things you have already forfeited all rights to complain about privacy invasion.
it could be attached to an IP address, but they don't know who is at the keyboard,
Politics is Treachery, Religion is Brainwashing
General URL obfuscation and UTM tokens can be dealt with somewhat via FF addons:
Pure URL
https://addons.mozilla.org/en-US/firefox/addon/pure-url/
and
Clean Links
https://addons.mozilla.org/en-US/firefox/addon/clean-links/
Best is simply watching what you click and what links you pass on. URL shorteners are evil and you should simply refuse to use them, period. In fact, their use is an old old IRC jedi mind trick (or the like) to grab real IP's from vhost/bouncers/etc users back in the dawn of the internet wars!
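What link-cleaning add-ons of this kind do, sketched as an added example (not part of the original post, and not the code of Pure URL or Clean Links). The `cleanUrl` helper, its `extra` argument and the rule "any parameter starting with `utm_`" are assumptions for illustration; the sample URLs in use are constructed.

```javascript
// Added example: remove campaign-tracking parameters from a link before sharing it.
// Matching rule is an assumption: any parameter whose name starts with "utm_",
// plus optional extra names supplied by the caller.
function isTracking(name, extraNames) {
  const n = name.toLowerCase();
  return n.startsWith("utm_") || extraNames.has(n);
}

// Split a query-style string into kept pairs and removed parameter names.
function filterPairs(pairString, extraNames) {
  const kept = new URLSearchParams();
  const removed = [];
  for (const [key, value] of new URLSearchParams(pairString)) {
    if (isTracking(key, extraNames)) removed.push(key);
    else kept.append(key, value);
  }
  return { kept: kept.toString(), removed };
}

function cleanUrl(input, extra = []) {
  const extraNames = new Set(extra.map((s) => s.toLowerCase()));
  let url;
  try {
    url = new URL(input);
  } catch {
    return { url: input, removed: [] }; // not an absolute URL: leave untouched
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { url: input, removed: [] };
  }
  const removed = [];
  // Rewrite the query only when something was stripped, so untouched URLs
  // are not re-encoded (URLSearchParams would turn %20 into +).
  const query = filterPairs(url.search, extraNames);
  if (query.removed.length > 0) {
    url.search = query.kept;
    removed.push(...query.removed);
  }
  // Tokens sometimes ride in the fragment (#utm_source=...); ordinary
  // anchors such as #comments contain no "=" and are left alone.
  const fragment = url.hash.slice(1);
  if (fragment.includes("=")) {
    const frag = filterPairs(fragment, extraNames);
    if (frag.removed.length > 0) {
      url.hash = frag.kept;
      removed.push(...frag.removed);
    }
  }
  return { url: url.toString(), removed };
}
```

The `removed` list shows which tokens a link carried, which is useful when auditing links before passing them on.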
If this means the anonymous browsing that web browsers have, they're good enough for most things. It's not really about being identified or not, though there are light things like asking that sites do not (nicely, but nothing really technical to stop it). It is about no cookies, or only while using, no history and the like.
Before and after Firefox, I run the following .bat file:
[ ccleaner ]
What is your method of cleaning up before and after opening your browser? Tips appreciated.
--
taskkill /f /im iexplore.exe /f /im firefox.exe /f /im chrome.exe /auto
taskkill
taskkill
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
cd\
cd C:\Program Files\CCleaner
ccleaner
exit
--
It little behooves the best of us to comment on the rest of us.
This is hardly news. I would argue if you are browsing social media then you simply aren't browsing anonymously and many of us that have understood this ensure we behave appropriately when trying to be anonymous, this is not new. When I am using my Anonymous VPN to access content Social Media tools and sites, blogs etc are all big no no's.
simply using the built in settings and ensuring caching and browser history are not recorded, it isn't rocket science. combine that with running incognito mode or InPrivate browsing. But if you really want to be anonymous you should have a separate VM that is only used via an anonymously signed up VPN provider that doesn't keep logs.
Use Virtualbox VMs, restoring the previous snapshot after every shutdown. (There might be a way to do this automatically.) When it comes to computer security/privacy, the easiest to understand and easiest to implement options are not infrequently the most powerful ones as well.
Or you can go a step further.
You can create multiple templates and all you do in the templates is installing software and make generic configurations. The actual VM's where you run stuff is based on the templates and are reset whenever you restart them.
If they had been smarter, they would have just looked at which Facebook and Twitter profiles you visited most often
If they had been actually smarter, they would have had the browser extension read the FB and Twitter cookies to find out under which accounts/IDs they are logged in.
You probably want to use Qubes OS which provides an environment where all of this is handled for you.
I briefly covered this in a post from last year, which I linked to in the post you just replied to. I'm using Qubes right now.
OP was talking about Windows, though, and if it's true that he's not a regular Linux user then the Virtualbox solution is probably a better place to start.
I know that I visit only a handful of sites regularly (Slashdot included). What a VPN and Tor allow me to do is not remain completely anonymous to researchers but to give a layer of plausible deniability to corporations or governments when it comes to certain laws. (Such as copyright :) )
Perhaps they can associate ... (not everybody has so called social media account) perhaps they cannot. :-D ... it is just business ..)
Anyway my point is let them work for it, do not give them those data on the gold plate.
As side effect we are creating those STEM jobs
(currently processing for customer Omniture feed
See my subject: Vs. DNS requestlogs + trackers in ads & scripts via NEW APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Ads & malware rob speed/security/privacy
Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!
Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!
* Via what you NATIVELY have built into the TCP/IP stack in FASTER kernelmode!
APK
P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/
I'd have thought that over 80%, not under, could be identified just by what they browse. Mainstream being stereotypically homogenous, and everything.
Don't broadcast your life on social media. Why would you have any expectation of privacy in that situation?
We'll make great pets
I've been thinking about writing some software that would allow you to download links over tor, somewhat in bulk, so that there wouldn't be a way to know which ones you were actually interested in. It would be plugin-based.
For example, there would be a slashdot plugin, that would download every article on the slashdot front page automatically. There could be a reddit plugin, that allows you to specify a subreddit (like /r/rpg) that would download all the most popular links in the past 24 hours. Or one for your favorite news site, or a Facebook page. Almost anything.
In addition to solving the problem of trying to fingerprint which links you've clicked, it would also help with the fact that tor is kinda slow, and this would effectively pre-cache pages for you.
I certainly don't have all the details worked out yet, but does anybody think this is a good or bad idea? Would anyone be interested in using it?
The PDF link: "De-anonymizing Web Browsing Data with Social Networks" [PDF] (http://randomwalker.info/publications/browsing-history-deanonymization.pdf) is broken.