Web browsers, online tracking companies, and advertisers always claim that they only collect and analyze anonymous data and non-personally identifiable information. The browsing histories that are collected by these entities, or so they say, cannot be tied to any specific user they assure us and does not pose a threat to our individual privacies.
But is this true? Can’t this “anonymous” browsing data be easily deanonymized and traced back to a specific user by merely linking it to something as prevalent as social media activity?
This is the question a group of researchers from Standford and Princeton sought to answer with a paper titled “De-anonymizing Web Browsing Data with Social Networks” set to be presented at the 2017 World Wide Web Conference in Perth, Australia.
In this study, they conducted simulations and strategies that can prove how network adversaries, or someone with malicious intent, can de-anonymize browsing histories by simply matching them with specific social media profiles like Facebook or Twitter.
“An adversary can thus de-anonymize a given browsing history by finding the social media profile whose ‘feed’ shares the history’s idiosyncratic characteristics,” the paper states.
Their strategy included the correct matching of a simulated history of 30 Twitter browser links to a correct Twitter profile with a more than 50 percent success rate and the correct matching of 400 recruits’ donated browsing histories at a 70 percent success rate.
“Our approach is based on a simple observation,” the paper continues.” Each person has a distinctive social network, and thus the set of links appearing in one’s feed is unique.”
They further stress that since their matching attempts to locate the right profile includes over 300 million Twitter candidates, it is “the largest scale demonstrated de-anonymization to date.”
Their unmasking technique is feasible for any entity with access to browsing histories such as third-party trackers, government surveillance spies, internet service companies and public Wi-Fi snoopers. They note that any social media site can be used for this de-anonymization strategy, as long as each user’s social media subscriptions can be named, the social media content is public and the user visits enough links from the social media site.
With this study, the group states that they are making three key contributions to the study of web de-anonymization. First, they have developed a general theoretical framework for de-anonymization. Second, they have successfully implemented and evaluated social media and browsing de-anonymization and third, they have created an experiment for testing their strategy on real browsing histories.
However, the group admits that their results are proof-of-concept and their sample of 400 users is not representative of the entire population.
One thing is for sure, though – social media site activity linking is just another tool that can be used to unmask even the erstwhile most private and anonymous data that’s being collected on the web.
To read this paper “De-anonymizing Web Browsing Data with Social Networks,” click here.