It’s a revelation that will shock precisely nobody: Your private data is not as private as you think. A pair of researchers presenting at this year’s Defcon security conference in Las Vegas demonstrated how easy it would be for someone to acquire reams of “anonymized” internet-browsing history and then de-anonymize it.
According to the Guardian, Svea Eckert and Andreas Dewes were able to acquire a database containing 3 billion URLs from 3 million German users by setting up a fake marketing company with a website and LinkedIn profile, and then contacting data brokers. The data set they got came from a browser plug-in that collects browsing data.
The supposedly anonymous data was easily deciphered, in some cases using simple methods like looking for giveaway URLs. From the Guardian:
Dewes described some methods by which a canny broker can find an individual in the noise, just from a long list of URLs and timestamps. Some make things very easy: for instance, anyone who visits their own analytics page on Twitter ends up with a URL in their browsing record which contains their Twitter username, and is only visible to them. Find that URL, and you’ve linked the anonymous data to an actual person.
Among the details they uncovered by combing through the data were the porn-watching habits of a judge and a medication being taken by a German MP.
The demonstration is validation of the fears that many have about data retention of supposedly innocuous data like browsing history. This spring, Congress repealed an FCC regulation that would have prevented ISPs from selling sensitive data like browsing histories to third parties. Following the repeal, ISPs tried to save face by saying that they respect users’ privacy and only sell anonymized data. As the researchers at Defcon effectively demonstrated, that tactic is far from foolproof.