Privacy SOS

Anonymous web browsing data is not anonymous, researchers show

Two German researchers bought “anonymous” web browsing data on millions of Germans. It didn’t take long for them to identify those people by looking through their web browsing history.

The Guardian reports:

“What would you think,” asked Svea Eckert, “if somebody showed up at your door saying: ‘Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month’? How would you think we got it: some shady hacker? No. It was much easier: you can just buy it.”

Eckert, a journalist, paired up with data scientist Andreas Dewes to acquire personal user data and see what they could glean from it.

Presenting their findings at the Def Con hacking conference in Las Vegas, the pair revealed how they secured a database containing 3bn URLs from three million German users, spread over 9m different sites. Some were sparse users, with just a couple of dozen sites visited in the 30-day period they examined, while others had tens of thousands of data points: the full record of their online lives.

Getting hold of the information was actually even easier than buying it. The pair created a fake marketing company, replete with its own website, a LinkedIn page for its chief executive, and even a careers site – which garnered a few applications from other marketers tricked by the company.

In Massachusetts right now, legislators are considering bills that would bar internet service providers (ISPs) from using or selling your sensitive information—including your browsing history—without your opt-in consent. State lawmakers in nearly 30 states introduced similar measures after the Trump administration and GOP Congress killed Obama-era FCC rules that barred ISPs from selling our data without our consent. The ISPs hated those federal regulations, and they are trying to stop the states from filling the gap.

One of the arguments the ISP lobbyists have been making to legislators and to the public is that they don’t—and would never—sell our personal information unless it was anonymized, so it couldn’t be linked back to us as individuals. Anyone who knows anything about large data systems knows that’s a misleading claim; study after study has shown how easy it is to re-identify supposedly anonymous datasets. This latest research is yet another reminder that in the 21st century, it’s pretty easy to put names to data, despite promises from big companies that claim it can’t be done. That’s just another reason why Massachusetts lawmakers should pass a commonsense internet consumer privacy law. If you agree, tell your state legislators to support H.3698 and S.2062.

© 2017 ACLU of Massachusetts.