Do you ever do any of your web browsing in ‘Private’ or ‘Incognito’ mode to keep it under the radar? You’re still not under the radar.
Private browsing functionality only stops your computer from keeping a history of those sites visited. Your internet service provider (ISP) and any plugins your browser might be using still record every search you do and every page you visit. Anyone who obtains that data – even if it is supposed to be anonymous – can without much difficulty figure out exactly who you are and everything you do online.
This was demonstrated at the white-hat hacker conference Def Con 25 last Friday in Las Vegas. Journalist Svea Eckert and data scientist Andreas Dewes, showed how they had uncovered the private browsing habits of roughly three million people. Their revelations included the personal pornography tastes of a judge and the brain boosting drugs sought by a member of parliament.
They did this using clickstream data that is regularly tracked, sold, and traded online. Clickstreams are the digital record of every website click that users make online. This browsing history data is used by advertisers to target their online marketing to specific users. So, if you do a Google search for trips to Vegas, you’re going to start seeing ads for flights to Las Vegas, and Sin City hotels popping up on every site you visit.
For their experiment, Eckert and Dewes created a fake online-marketing firm, with a website and social media profiles. Then posing as reps from this firm they requested clickstream data from online data brokers. They didn’t even have to buy it. They found a firm willing to give them the sample data they needed for the purposes of “testing a new consumer marketing AI.”
The browsing data is anonymous when it is shared – with users IP addresses and any other identifying information removed, but Eckert and Dewes demonstrated how easily they could turn the mass anonymous data into individual online profiles.
While millions of people may visit a specific website in a month, a much smaller number of users are going to visit two of the same websites during that same time period. Then, when you look at five or six matching websites, suddenly the pool of visitors is narrowed down to just you. How many people will visit your company’s corporate site, use the same bank, have the same taste in movies, restaurants, or shopping as you?
Just a few cross references and boom, there you are. And if they match you to your social media sites, then you have a name and a face connected with your no-longer incognito browsing history.
They didn’t have to compare the clickstream history manually. Eckert and Dewes said that it was fairly easy to create a computer algorithm to analyze the data and come up with individual matches.
They deleted their data following their experiment for fear of being hacked themselves for the sensitive information they held on some high-profile individuals.
Referring to the judge whose pornography viewing habits they exposed, Eckert said, “He’s not doing anything criminal at all, but you see how sensitive this could be, and how he could be blackmailed. Especially in his position.”
This is just further evidence that there is no such thing as online privacy. Nothing posted to the web is ever truly deleted, and all of your online activities are tracked and recorded. Remember the recent panic that ensued when it was rumoured that Google would soon reveal your entire search history to potential employers?
Govern yourself accordingly.
