It Is Easy To Expose Users' Secret Web Habits, Say Researchers (bbc.com)

← Back to Stories (view on slashdot.org)

It Is Easy To Expose Users' Secret Web Habits, Say Researchers (bbc.com)

Posted by msmash on Monday July 31, 2017 @04:00AM from the privacy-woes dept.

An anonymous reader shares a BBC report: Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician. The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather "clickstreams." These are detailed records of everywhere that people go online. The researchers argue such data -- which some firms scoop up and use to target ads -- should be protected. The data is supposed to be anonymised, but analysis showed it could easily be tied to individuals. People's browsing history is often used to tailor marketing campaigns. The results of the research by Svea Eckert and Andreas Dewes were revealed at the Def Con hacking conference in Las Vegas this weekend. The pair found that 95% of the data they obtained came from 10 popular browser extensions. "What these companies are doing is illegal in Europe but they do not care," said Ms Eckert, adding that the research had kicked off a debate in Germany about how to curb the data gathering habits of the firms.

42 of 95 comments (clear)

Min score:

Reason:

Sort:

Which browser extensions? by Anonymous Coward · 2017-07-31 04:08 · Score: 2, Informative

The pair found that 95% of the data they obtained came from 10 popular browser extensions.
I can't even name 10 popular browser extensions. I didn't think the muggles installed extensions.
1. Re:Which browser extensions? by cayenne8 · 2017-07-31 04:14 · Score: 1
  
  Yeah...why didn't they list the 10 most dangerous extensions...??
  
  --
  Light travels faster than sound. This is why some people appear bright until you hear them speak.........
2. Re:Which browser extensions? by arth1 · 2017-07-31 04:20 · Score: 1
  
  Yeah...why didn't they list the 10 most dangerous extensions...??
  To not make themselves targets of civil lawsuits, I would imagine.
3. Re:Which browser extensions? by Anonymous Coward · 2017-07-31 04:49 · Score: 5, Interesting
  
  You have no idea. Number one infection vector: Youtube downloaders. Not quite coincidentally, "proxtube" is one of the 10 browser extensions which leak every URL you visit. You can get an ordinary user to install anything. Just tell them they can get something for free that they would otherwise have to pay for.
4. Re:Which browser extensions? by DontBeAMoran · 2017-07-31 04:55 · Score: 1
  
  Youtube downloaders?
  Step 1. Disable CSS
  Step 2. Scroll to the video
  Step 3. Right-click and select "Save video as..."
  Done.
  
  --
  #DeleteFacebook
You are not anonymous online by bobbied · 2017-07-31 04:09 · Score: 4, Insightful

Despite the appearance or how hard you try, you are NOT anonymous online. You may be harder to trace than the next person, but you are not able to totally hide. Increasingly, with the advent of "big data" and "data mining", smart people are going to make inroads in tracing every jot and tittle of what you do. The question is only about where the data collection is happening that drives this data mining effort.

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
1. Re:You are not anonymous online by Anonymous Coward · 2017-07-31 04:16 · Score: 1
  
  Despite the appearance or how hard you try, you are NOT anonymous online.
  
  If your standard for "anonymous" is perfection and impossibility of tracing, you're right. But that's a very hard standard. I'd prefer to think of it like security. How hard is it to track you, and how badly does someone want to track you.
  You don't have to be perfectly anonymous. You just have to be more anonymous than the effort someone wants to go through to do so. For most people, simply turning on some anti-tracking software is sufficient for those purposes.
2. Re:You are not anonymous online by arth1 · 2017-07-31 04:31 · Score: 2
  
  You don't have to be perfectly anonymous. You just have to be more anonymous than the effort someone wants to go through to do so.
  Or, in some cases, more anonymous than his neighbor. Making sure you're not low hanging fruit goes a long way.
  In one way, the boundless data collection is an improvement on the lower volume and better targeted data collection we had before. The haystack grows bigger, and even though the data is there, it becomes permutationally harder to sift through.
  Police investigations have shown this many times now - the data was there, but they couldn't find it until the perpetrator had been identified by other means. And then they call that a success, and use it as a justification for collecting even more data...
3. Re:You are not anonymous online by ZorroXXX · 2017-07-31 05:06 · Score: 1
  
  "Data can be useful or anonymous, but never both" - Paul Ohm
  And Paul is not just anyone, he has done a lot of research and publications about privacy.
  This does not come as a surprise for anyone that has not ignored privacy issues the last couple of decades. There are countless examples of the fallacy of we can just "anonymize" data and then there are no longer any privacy problems, like AOL search data leak, 87% of USA's population is uniquely identified by birth date, sex and postal number/zip code (backstory), etc.
  
  --
  When you are sure of something, you probably are wrong (search for "Unskilled and Unaware of It").
4. Re:You are not anonymous online by Falos · 2017-07-31 05:12 · Score: 1
  
  This. You're not throwing one wrench at one machine.
  You're spewing whatever you can at an invisible army who are all using a thousand different sets of conditions, scopes, techniques etc. and you usually can't tell what sticks. It doesn't matter, throw anyway, if only for the principle of it.
  Being less harvestable than the Next Guy may also help, as sister post mentions.
5. Re:You are not anonymous online by swb · 2017-07-31 05:16 · Score: 1
  
  It seems obvious that "anonymizing data" and "targeting advertising" is a paradox. If it's effectively anonymized, it wouldn't be useful for targeting. That they're able to do targeting means that it's not really anonymous.
6. Re:You are not anonymous online by ColdWetDog · 2017-07-31 06:55 · Score: 1
  
  The haystack grows bigger, and even though the data is there, it becomes permutationally harder to sift through.
  Except for the fact that computers are extremely capable of sorting through piles of data, this might be true. Perhaps the Stasi had issues, but anybody with a decent Internet connection and a half powerful computer can sort through a whole bunch of hay bales.
  
  --
  Faster! Faster! Faster would be better!
7. Re:You are not anonymous online by arth1 · 2017-07-31 13:35 · Score: 1
  
  Except for the fact that computers are extremely capable of sorting through piles of data, this might be true.
  Faster computers and networks allow you to sift through bigger bales of hay in the same time. However, if they give you 0.1% of the haystack as a result with a small haystack, they will give you 0.1% of the haystack as a result with a much bigger haystack, which is less useful.
  Add that the amount of different data types change too, which is where the permutations come in. You now have green hay, yellow hay, straws of various lengths and curvature, and needles made out of different materials, with and without holes.
  To compensate, you need to evolve your queries and understanding of what you ask for and how. The more data types, the more intelligent the query needs to be. And I can't see the average TLA employee assembling intelligent SQL queries based on a broad range of different parameters. People put years and lifetimes into query parsing algorithms; they don't add themselves automatically just because you have more data.
  So I think the net result is that they drown themselves in results and false positives, and become less and less capable of using any of the data other than as after-the-fact "evidence" that they should have discovered beforehand, but didn't. And this is what we see happening.
8. Re:You are not anonymous online by Rick+Schumann · 2017-08-01 05:40 · Score: 1
  
  I understand all that. But I'm not going to give up and make it easy for them. In fact as of about a month or so ago I set about to making it as difficult as possible. Using Tor for everything I can. Paying cash for things I buy in person, so no purchasing history because no plastic use. I haven't used so-called 'social media' in YEARS and have no plans to do so ever again. If they really want to try to build a 'profile' of me based on my paying utility bills online and ordering the occasional (maybe once every month or so) pizza online, they're welcome to try, but it won't be anywhere near accurate, and I use several adblockers so they can't even effectively perpetrate MitM attacks to inject ads to try to sell me things. Most junk email goes directly and automatically into (NUL:) so I never even see it, and the rest gets deleted immediately and it never even registers on my short-term memory. Also, unless things get so bad that they start blackmailing people or something, I don't know what it is they think they're going to do anyway. I'm not married. I have no children. I'm not susceptible to ads in my face. Come at me, bro. :-)
9. Re:You are not anonymous online by bobbied · 2017-08-01 07:15 · Score: 1
  
  You are crazy! Hey, I know who you are.. Ted Kaczynski is it? You might consider moving to a cabin in some remote plot of land...
  For some of us, what does it matter, really? I erase my browser cookies and don't use common usernames or passwords for anything important... I also am mindful of putting any personal information in E-mail or on social media sites I might visit..... Not to mention that I don't have much disposable income anyway, so advertisers are spitting in the wind sending me ads....
  But hey, If you want to go crazy about this, have at it. I'll run a TOR node to help..
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Which ten browser extensions? by WilliamGeorge · 2017-07-31 04:09 · Score: 4, Insightful

Already checked the article, and it does not appear to say or link to a list of them. That sort of info would be quite helpful, as a major step toward solving this sort of thing *without needing the government / laws* is to publicize when companies are doing the wrong thing with our data so that people who care about it can stop using them.

--
William George
1. Re:Which ten browser extensions? by Zocalo · 2017-07-31 05:03 · Score: 1
  
  The presentation is available (as a 6.2MB PDF) from the Def Con Media server, along with all the other presentations, but it doesn't provide a list either. It does provide some useful insights into how they do it though, which should enable the more clueful to run their own tests. The only plug in I could see that was mentioned was Web of Trust, but without the context of the talk it might only appear to be getting singled out for special attention. Generally speaking though it appears that any extension that is validating URLs against a central source for whatever reason - just as WoT does - is a great source of data that can then be readily mined to provide a unique identity.
  
  --
  UNIX? They're not even circumcised! Savages!
Wait... by argStyopa · 2017-07-31 04:16 · Score: 5, Funny

...does this work on someone browsing in incognito mode??!?!??!?!?!??!!?
Asking for a friend.

--
-Styopa
1. Re:Wait... by nine-times · 2017-07-31 04:29 · Score: 3, Informative
  
  Well insofar as they're saying that they obtained data from browser extensions, incognito mode might help. In Chrome's ingcognito mode, for example, extensions are disabled by default. You have to go into your extensions' settings and check a box that says "Allow in incognito" for them to remain active.
  However, in all honesty, there are other ways that you're being tracked.
2. Re:Wait... by known_coward_69 · 2017-07-31 04:53 · Score: 1
  
  that's only to hide stuff from your wife or girlfriend
3. Re:Wait... by hyades1 · 2017-07-31 04:59 · Score: 1
  
  Or both.
  
  --
  I've calculated my velocity with such exquisite precision that I have no idea where I am.
4. Re: Wait... by denis.goddard · 2017-07-31 05:27 · Score: 1
  
  A toast attributed to Benjamin Franklin: "To our wives and mistresses... may they never meet."
5. Re:Wait... by Falos · 2017-07-31 05:39 · Score: 1
  
  All incognito does is stifle some local machine stuff.
  Works good if you're 14 and parents aren't savvy enough to spot your porn. If you have a shared (lolwut) machine. If you think your girlfriend is nosing around in your machine.
  Other than that it's placebo.
6. Re: Wait... by hyades1 · 2017-08-01 01:37 · Score: 1
  
  Ben would have been a good guy to know. Bright, loved the ladies, known to take an occasional sip of alcohol...
  
  --
  I've calculated my velocity with such exquisite precision that I have no idea where I am.
Adblock Plus by Comboman · 2017-07-31 04:30 · Score: 1

I don't know about a top 10 list, but the top 1 list should be Adblock Plus. Security conscious users switched to uBlock years ago.

--
Support Right To Repair Legislation.
1. Re:Adblock Plus by WilliamGeorge · 2017-07-31 04:57 · Score: 1
  
  Interesting - uBlock.org or uBlock Origin? They appear to be different.
  I dislike when competing things have such similar names, and something similar happened with AdBlock and Adblock Plus as well.
  
  --
  William George
Just wait until everyone has IPv6 by DeplorableCodeMonkey · 2017-07-31 04:39 · Score: 2

Then these sites, Facebook, etc. will have absolutely no ambiguity about your identity. Log into Facebook and then load their code on another side and they'll know **exactly** and unambiguously that you visit that site.
Oh the flip side, even the average US Senator is likely to be so creeped out by that side of IPv6 that we might see privacy-promoting legislation in the US.
1. Re:Just wait until everyone has IPv6 by WillAffleckUW · 2017-07-31 04:43 · Score: 1
  
  Um, guy, most sites are already running IPv6, you're just seeing an IPv4 representation of the IPv6 web. We ran out of numbers last decade.
  
  --
  -- Tigger warning: This post may contain tiggers! --
2. Re:Just wait until everyone has IPv6 by Anonymous Coward · 2017-07-31 04:55 · Score: 1
  
  Not true. Not only are there big swaths of the Internet that cannot be reached from an IPv6-only system, most users still use IPv4 exclusively, even if they could technically also use IPv6. We ran out of numbers, but this actually helps privacy. With CGNAT in wide use now, IP addresses reveal very little information about individual users, as each IP-address is shared by many users. Law enforcement is trying to reduce the number of suspects by asking ISPs to make fewer users share a given IP address.
Correction: untrained anon browsing correlated by WillAffleckUW · 2017-07-31 04:42 · Score: 1

It's fairly easy to establish and maintain personae on the web, but you have to:
1. never link to your own activities.
2. don't use the same search or info services
3. be disciplined about not using the same phrasing or background sources
It's one of the first things they teach you in spy school.

--
-- Tigger warning: This post may contain tiggers! --
Re:Which 10 extensions? by Anonymous Coward · 2017-07-31 04:52 · Score: 2, Informative

Well, here's the actual presentation: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Svea-Eckert-Andreas-Dewes-Dark-Data.pdf
It appears they opted not to name the extensions.
Not so helpful.
Ok, let's figure it out by Presence+Eternal · 2017-07-31 04:55 · Score: 1

Logically the extensions they're so coyly mentioning must either deliver telemetry or alter requests so distinctively that they become unprivate. So the suspects should be: 1) Shopping add ons, especially cross site addons. 2) Clipper addons, such as Evernote's. 3) Good old fashioned spyware. What do you mean freecryptosearch is bad? 4) Discovery addons, like stumbleupon. 5) Antivirus addons.
1. Re:Ok, let's figure it out by Zocalo · 2017-07-31 05:35 · Score: 1
  
  Having gone through the presentation I linked above, it seems to be anything that might send back the complete URLs that you visit to a central server for any reason. Web of Trust is the only extension they mention specifically, but anything that purports to vet URLs/domains "for your safety" - like many antivirus addons - would seem to be the ones that put you at the greatest risk of this. Basically, they're looking at matching data in URLs visited with things like YouTube playlists, social media posts, and so on, then looking to see which is the only "anonymous" user that matches the most entries on a given playlist.
  
  --
  UNIX? They're not even circumcised! Savages!
Bad-ass Researcher Name by cloud.pt · 2017-07-31 05:22 · Score: 2

Martin Fuchs is the name of one of the researchers. He should have to pay extra to have such a cool name at a conference like Def Con. Not a single Fuchs was given about naming the 10 extensions though. They do mention that 10.000 more extension versions (?) are affected by such problems, so I guess it doesn't really matter. We all dun Fuchs'd.
You can be pretty incognito by Kludge · 2017-07-31 06:10 · Score: 1

You can judge how incognito you are by examining the advertisements are on the pages you visit. For example, if you are browsing around to buy a chain saw on Amazon, and you later get an ad for chainsaws when you are watching a video on youtube or a porn site, you are not incognito.
Sometimes I look at the advertisements that my wife gets. They are all for woman things-- clothes, shoes, meds, etc. She is totally tracked.
To avoid this I use
1. javascript blockers
2. ad blockers
3. user agent changers
4. random VPNs
5. different browsers for different web sites. I use 3 different browsers for different levels of browsing: A. credit card and banking use, B. everyday browsing, and C. the highly questionable stuff.
Based on the mostly random rare ads that I see, I am pretty certain that no one can piece together everything that I do.
one more good one by Kludge · 2017-07-31 06:13 · Score: 1

6. Set your browsers to wipe cookies and other web site data when you log out.
1. Re:one more good one by Gr8Apes · 2017-07-31 06:36 · Score: 1
  
  I don't do 4 often as it slows things down too much, but 5 and 6 definitely. 6 ended the ads following me, at least until the next time you log into amazon or google (or, I guess, facebook or see what prez tweety burped today) it's pretty interesting to see when those ads come back. I block several of google, facebook, and twitter domains, so the amount of ads I see and that track me are pretty low.
  
  --
  The cesspool just got a check and balance.
What about tracker blockers? by fasuin · 2017-07-31 06:25 · Score: 1

In case you are interested, other researchers have compared popular tracker blockers in a recent paper titled "Benchmark and Comparison of Tracker-blockers: Should You Trust Them?". Results shows that your mileage may vary, with some plugins performing overall quite poorly. Here is the link to the conference program and here the PDF of the paper.
I LOL'd by Trax3001BBS · 2017-07-31 11:40 · Score: 1

That's a hard project. Should of just logged into the Usenet where everything is hidden in plain site.
THIS by XSportSeeker · 2017-07-31 13:23 · Score: 2

THIS is the sort of stuff privacy advocates should be doing everywhere.
You pick some key politicians, some judges, and some sensitive public services and show how damaging exposing information of them can be from readily available and already working services and we'll see how willingly government will start moving towards less privacy erosion and a renewed fight against personal data collection.
Security also goes that way. It's because these people live in a bubble that they don't care about anything of public interest.
their web site by aepervius · 2017-07-31 18:09 · Score: 1

https://sveaeckert.de/2016/bui...

It seems they have been at it since december 2016, and this month was their results.

--
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Well aware of Google searches by Rick+Schumann · 2017-08-01 05:42 · Score: 1

I use Tor for everything I can, and I use a plugin that 'cleans' Google search links so that they aren't able to track my clicking on them. Effective against Google?