It Is Easy To Expose Users' Secret Web Habits, Say Researchers

An anonymous reader shares a BBC report: Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician. The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather "clickstreams." These are detailed records of everywhere that people go online. The researchers argue such data -- which some firms scoop up and use to target ads -- should be protected. The data is supposed to be anonymised, but analysis showed it could easily be tied to individuals. People's browsing history is often used to tailor marketing campaigns. The results of the research by Svea Eckert and Andreas Dewes were revealed at the Def Con hacking conference in Las Vegas this weekend. The pair found that 95% of the data they obtained came from 10 popular browser extensions. "What these companies are doing is illegal in Europe but they do not care," said Ms Eckert, adding that the research had kicked off a debate in Germany about how to curb the data gathering habits of the firms.

Which browser extensions?

[Anonymous Coward]

The pair found that 95% of the data they obtained came from 10 popular browser extensions.

I can't even name 10 popular browser extensions. I didn't think the muggles installed extensions.

Re:

[cayenne8]

Yeah...why didn't they list the 10 most dangerous extensions...??

Re:

[arth1]

Yeah...why didn't they list the 10 most dangerous extensions...??

To not make themselves targets of civil lawsuits, I would imagine.

Re:Which browser extensions?

[Anonymous Coward]

You have no idea. Number one infection vector: Youtube downloaders. Not quite coincidentally, "proxtube" is one of the 10 browser extensions which leak every URL you visit. You can get an ordinary user to install anything. Just tell them they can get something for free that they would otherwise have to pay for.

Re:

[DontBeAMoran]

Youtube downloaders?

Step 1. Disable CSS
Step 2. Scroll to the video
Step 3. Right-click and select "Save video as..."

Done.

You are not anonymous online

[bobbied]

Despite the appearance or how hard you try, you are NOT anonymous online. You may be harder to trace than the next person, but you are not able to totally hide. Increasingly, with the advent of "big data" and "data mining", smart people are going to make inroads in tracing every jot and tittle of what you do. The question is only about where the data collection is happening that drives this data mining effort.

Re:

[Anonymous Coward]

Despite the appearance or how hard you try, you are NOT anonymous online.

If your standard for "anonymous" is perfection and impossibility of tracing, you're right. But that's a very hard standard. I'd prefer to think of it like security. How hard is it to track you, and how badly does someone want to track you.

You don't have to be perfectly anonymous. You just have to be more anonymous than the effort someone wants to go through to do so. For most people, simply turning on some anti-tracking software i

Re:

[arth1]

You don't have to be perfectly anonymous. You just have to be more anonymous than the effort someone wants to go through to do so.

Or, in some cases, more anonymous than his neighbor. Making sure you're not low hanging fruit goes a long way.

In one way, the boundless data collection is an improvement on the lower volume and better targeted data collection we had before. The haystack grows bigger, and even though the data is there, it becomes permutationally harder to sift through.
Police investigations have shown this many times now - the data was there, but they couldn't find it until the perpetrator had been identified by other mean

Re:

[ColdWetDog]

The haystack grows bigger, and even though the data is there, it becomes permutationally harder to sift through.

Except for the fact that computers are extremely capable of sorting through piles of data, this might be true. Perhaps the Stasi had issues, but anybody with a decent Internet connection and a half powerful computer can sort through a whole bunch of hay bales.

Re:

[arth1]

Except for the fact that computers are extremely capable of sorting through piles of data, this might be true.

Faster computers and networks allow you to sift through bigger bales of hay in the same time. However, if they give you 0.1% of the haystack as a result with a small haystack, they will give you 0.1% of the haystack as a result with a much bigger haystack, which is less useful.
Add that the amount of different data types change too, which is where the permutations come in. You now have green hay, yellow hay, straws of various lengths and curvature, and needles made out of different materials, with and wit

Re:

[Falos]

This. You're not throwing one wrench at one machine.

You're spewing whatever you can at an invisible army who are all using a thousand different sets of conditions, scopes, techniques etc. and you usually can't tell what sticks. It doesn't matter, throw anyway, if only for the principle of it.

Being less harvestable than the Next Guy may also help, as sister post mentions.

Re:

[Anonymous Coward]

Well, here's the actual presentation: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Svea-Eckert-Andreas-Dewes-Dark-Data.pdf [defcon.org]

It appears they opted not to name the extensions.

Not so helpful.

Re:

[ZorroXXX]

"Data can be useful or anonymous, but never both" - Paul Ohm

And Paul is not just anyone, he has done a lot of research and publications about privacy.

This does not come as a surprise for anyone that has not ignored privacy issues the last couple of decades. There are countless examples of the fallacy of we can just "anonymize" data and then there are no longer any privacy problems, like AOL search data leak [wikipedia.org], 87% of USA's population is uniquely identified by birth date, sex and postal number/zip code [dataprivacylab.org] (backstory [arstechnica.com]), etc.

Re:

[swb]

It seems obvious that "anonymizing data" and "targeting advertising" is a paradox. If it's effectively anonymized, it wouldn't be useful for targeting. That they're able to do targeting means that it's not really anonymous.

Re:

[Rick Schumann]

I understand all that. But I'm not going to give up and make it easy for them. In fact as of about a month or so ago I set about to making it as difficult as possible. Using Tor for everything I can. Paying cash for things I buy in person, so no purchasing history because no plastic use. I haven't used so-called 'social media' in YEARS and have no plans to do so ever again. If they really want to try to build a 'profile' of me based on my paying utility bills online and ordering the occasional (maybe once e

Re:

[bobbied]

You are crazy! Hey, I know who you are.. Ted Kaczynski is it? You might consider moving to a cabin in some remote plot of land...

For some of us, what does it matter, really? I erase my browser cookies and don't use common usernames or passwords for anything important... I also am mindful of putting any personal information in E-mail or on social media sites I might visit..... Not to mention that I don't have much disposable income anyway, so advertisers are spitting in the wind sending me ads....

But hey,

Which ten browser extensions?

[WilliamGeorge]

Already checked the article, and it does not appear to say or link to a list of them. That sort of info would be quite helpful, as a major step toward solving this sort of thing *without needing the government / laws* is to publicize when companies are doing the wrong thing with our data so that people who care about it can stop using them.

Adblock Plus

[Comboman]

I don't know about a top 10 list, but the top 1 list should be Adblock Plus [medium.com]. Security conscious users switched to uBlock years ago.

Re:

[DontBeAMoran]

And those serious about security switched to hosts files.

APK, can we get more details on that?

Re:

[WilliamGeorge]

Interesting - uBlock.org or uBlock Origin? They appear to be different.

I dislike when competing things have such similar names, and something similar happened with AdBlock and Adblock Plus as well.

Re:

[Zocalo]

The presentation is available (as a 6.2MB PDF) from the Def Con Media server [defcon.org], along with all the other presentations, but it doesn't provide a list either. It does provide some useful insights into how they do it though, which should enable the more clueful to run their own tests. The only plug in I could see that was mentioned was Web of Trust, but without the context of the talk it might only appear to be getting singled out for special attention. Generally speaking though it appears that any extension

Ok, let's figure it out

[Presence Eternal]

Logically the extensions they're so coyly mentioning must either deliver telemetry or alter requests so distinctively that they become unprivate. So the suspects should be: 1) Shopping add ons, especially cross site addons. 2) Clipper addons, such as Evernote's. 3) Good old fashioned spyware. What do you mean freecryptosearch is bad? 4) Discovery addons, like stumbleupon. 5) Antivirus addons.

Re:

[Zocalo]

Having gone through the presentation I linked above, it seems to be anything that might send back the complete URLs that you visit to a central server for any reason. Web of Trust is the only extension they mention specifically, but anything that purports to vet URLs/domains "for your safety" - like many antivirus addons - would seem to be the ones that put you at the greatest risk of this. Basically, they're looking at matching data in URLs visited with things like YouTube playlists, social media posts,

Wait...

[argStyopa]

...does this work on someone browsing in incognito mode??!?!??!?!?!??!!?

Asking for a friend.

Re:Wait...

[nine-times]

Well insofar as they're saying that they obtained data from browser extensions, incognito mode might help. In Chrome's ingcognito mode, for example, extensions are disabled by default. You have to go into your extensions' settings and check a box that says "Allow in incognito" for them to remain active.

However, in all honesty, there are other ways that you're being tracked.

Re:

[known_coward_69]

that's only to hide stuff from your wife or girlfriend

Re:

[hyades1]

Or both.

Re: Wait...

[Denis Goddard]

A toast attributed to Benjamin Franklin: "To our wives and mistresses... may they never meet."

Re:

[hyades1]

Ben would have been a good guy to know. Bright, loved the ladies, known to take an occasional sip of alcohol...

Re:

[Falos]

All incognito does is stifle some local machine stuff.

Works good if you're 14 and parents aren't savvy enough to spot your porn. If you have a shared (lolwut) machine. If you think your girlfriend is nosing around in your machine.

Other than that it's placebo.

You can be pretty incognito

[Kludge]

You can judge how incognito you are by examining the advertisements are on the pages you visit. For example, if you are browsing around to buy a chain saw on Amazon, and you later get an ad for chainsaws when you are watching a video on youtube or a porn site, you are not incognito.
Sometimes I look at the advertisements that my wife gets. They are all for woman things-- clothes, shoes, meds, etc. She is totally tracked.
To avoid this I use
1. javascript blockers
2. ad blockers
3. user agent changers
4. rando

one more good one

[Kludge]

6. Set your browsers to wipe cookies and other web site data when you log out.

Re:

[Gr8Apes]

I don't do 4 often as it slows things down too much, but 5 and 6 definitely. 6 ended the ads following me, at least until the next time you log into amazon or google (or, I guess, facebook or see what prez tweety burped today) it's pretty interesting to see when those ads come back. I block several of google, facebook, and twitter domains, so the amount of ads I see and that track me are pretty low.

Just wait until everyone has IPv6

[DeplorableCodeMonkey]

Then these sites, Facebook, etc. will have absolutely no ambiguity about your identity. Log into Facebook and then load their code on another side and they'll know **exactly** and unambiguously that you visit that site.

Oh the flip side, even the average US Senator is likely to be so creeped out by that side of IPv6 that we might see privacy-promoting legislation in the US.

Re:

[WillAffleckUW]

Um, guy, most sites are already running IPv6, you're just seeing an IPv4 representation of the IPv6 web. We ran out of numbers last decade.

Re:

[Anonymous Coward]

Not true. Not only are there big swaths of the Internet that cannot be reached from an IPv6-only system, most users still use IPv4 exclusively, even if they could technically also use IPv6. We ran out of numbers, but this actually helps privacy. With CGNAT in wide use now, IP addresses reveal very little information about individual users, as each IP-address is shared by many users. Law enforcement is trying to reduce the number of suspects by asking ISPs to make fewer users share a given IP address.

Correction: untrained anon browsing correlated

[WillAffleckUW]

It's fairly easy to establish and maintain personae on the web, but you have to:

1. never link to your own activities.
2. don't use the same search or info services
3. be disciplined about not using the same phrasing or background sources

It's one of the first things they teach you in spy school.

Bad-ass Researcher Name

[cloud.pt]

Martin Fuchs is the name of one of the researchers. He should have to pay extra to have such a cool name at a conference like Def Con. Not a single Fuchs was given about naming the 10 extensions though. They do mention that 10.000 more extension versions (?) are affected by such problems, so I guess it doesn't really matter. We all dun Fuchs'd.

What about tracker blockers?

[fasuin]

In case you are interested, other researchers have compared popular tracker blockers in a recent paper titled "Benchmark and Comparison of Tracker-blockers: Should You Trust Them?". Results shows that your mileage may vary, with some plugins performing overall quite poorly. Here is the link to the conference program [ifip.org] and here the PDF [ifip.org] of the paper.

I LOL'd

[Trax3001BBS]

That's a hard project. Should of just logged into the Usenet where everything is hidden in plain site.

THIS

[XSportSeeker]

THIS is the sort of stuff privacy advocates should be doing everywhere.

You pick some key politicians, some judges, and some sensitive public services and show how damaging exposing information of them can be from readily available and already working services and we'll see how willingly government will start moving towards less privacy erosion and a renewed fight against personal data collection.

Security also goes that way. It's because these people live in a bubble that they don't care about anything of public interest.

their web site

[aepervius]

https://sveaeckert.de/2016/bui... [sveaeckert.de]

It seems they have been at it since december 2016, and this month was their results.

Well aware of Google searches

[Rick Schumann]

I use Tor for everything I can, and I use a plugin that 'cleans' Google search links so that they aren't able to track my clicking on them. Effective against Google?