Slashdot Mirror


It Is Easy To Expose Users' Secret Web Habits, Say Researchers (bbc.com)

An anonymous reader shares a BBC report: Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician. The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather "clickstreams." These are detailed records of everywhere that people go online. The researchers argue such data -- which some firms scoop up and use to target ads -- should be protected. The data is supposed to be anonymised, but analysis showed it could easily be tied to individuals. People's browsing history is often used to tailor marketing campaigns. The results of the research by Svea Eckert and Andreas Dewes were revealed at the Def Con hacking conference in Las Vegas this weekend. The pair found that 95% of the data they obtained came from 10 popular browser extensions. "What these companies are doing is illegal in Europe but they do not care," said Ms Eckert, adding that the research had kicked off a debate in Germany about how to curb the data gathering habits of the firms.


  1. Which browser extensions? by Anonymous Coward · · Score: 2, Informative

    The pair found that 95% of the data they obtained came from 10 popular browser extensions.

    I can't even name 10 popular browser extensions. I didn't think the muggles installed extensions.

    1. Re:Which browser extensions? by Anonymous Coward · · Score: 5, Interesting

      You have no idea. Number one infection vector: YouTube downloaders. Not quite coincidentally, "proxtube" is one of the 10 browser extensions which leak every URL you visit. You can get an ordinary user to install anything. Just tell them they can get something for free that they would otherwise have to pay for.

  2. You are not anonymous online by bobbied · · Score: 4, Insightful

    Despite the appearance or how hard you try, you are NOT anonymous online. You may be harder to trace than the next person, but you are not able to totally hide. Increasingly, with the advent of "big data" and "data mining", smart people are going to make inroads in tracing every jot and tittle of what you do. The question is only about where the data collection is happening that drives this data mining effort.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

    1. Re:You are not anonymous online by arth1 · · Score: 2

      You don't have to be perfectly anonymous. You just have to be more anonymous than the effort someone wants to go through to do so.

      Or, in some cases, more anonymous than his neighbor. Making sure you're not low hanging fruit goes a long way.

      In one way, the boundless data collection is an improvement on the lower volume and better targeted data collection we had before. The haystack grows bigger, and even though the data is there, it becomes permutationally harder to sift through.
      Police investigations have shown this many times now - the data was there, but they couldn't find it until the perpetrator had been identified by other means. And then they call that a success, and use it as a justification for collecting even more data...

  3. Which ten browser extensions? by WilliamGeorge · · Score: 4, Insightful

    Already checked the article, and it does not appear to say or link to a list of them. That sort of info would be quite helpful, as a major step toward solving this sort of thing *without needing the government / laws* is to publicize when companies are doing the wrong thing with our data so that people who care about it can stop using them.

    --
    William George

  4. Wait... by argStyopa · · Score: 5, Funny

    ...does this work on someone browsing in incognito mode??!?!??!?!?!??!!?

    Asking for a friend.

    --
    -Styopa

    1. Re:Wait... by nine-times · · Score: 3, Informative

      Well, insofar as they're saying that they obtained data from browser extensions, incognito mode might help. In Chrome's incognito mode, for example, extensions are disabled by default. You have to go into your extensions' settings and check a box that says "Allow in incognito" for them to remain active.

      However, in all honesty, there are other ways that you're being tracked.

  5. Just wait until everyone has IPv6 by DeplorableCodeMonkey · · Score: 2

    Then these sites, Facebook, etc. will have absolutely no ambiguity about your identity. Log into Facebook and then load their code on another site and they'll know **exactly** and unambiguously that you visit that site.

    On the flip side, even the average US Senator is likely to be so creeped out by that side of IPv6 that we might see privacy-promoting legislation in the US.

  6. Re:Which 10 extensions? by Anonymous Coward · · Score: 2, Informative

    Well, here's the actual presentation: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Svea-Eckert-Andreas-Dewes-Dark-Data.pdf

    It appears they opted not to name the extensions.

    Not so helpful.

  7. Bad-ass Researcher Name by cloud.pt · · Score: 2

    Martin Fuchs is the name of one of the researchers. He should have to pay extra to have such a cool name at a conference like Def Con. Not a single Fuchs was given about naming the 10 extensions though. They do mention that 10.000 more extension versions (?) are affected by such problems, so I guess it doesn't really matter. We all dun Fuchs'd.

  8. THIS by XSportSeeker · · Score: 2

    THIS is the sort of stuff privacy advocates should be doing everywhere.

    You pick some key politicians, some judges, and some sensitive public services and show how damaging exposing information of them can be from readily available and already working services and we'll see how willingly government will start moving towards less privacy erosion and a renewed fight against personal data collection.

    Security also goes that way. It's because these people live in a bubble that they don't care about anything of public interest.