German Anonymous Browsing Data Exposed

The success of two researchers in uncovering the personal browsing habits of 3 million internet users is a terrifying reminder of just how vulnerable browsing data really is.

Anonymous Browsing Data Exposed
Claire Broadley
By Claire Broadley

German researchers have uncovered the browsing history of three million German internet users. Among them was a politician on medication, and a judge that liked to watch porn. The researchers also unwittingly dug into the intimate details of an ongoing criminal investigation.

You’d be forgiven for thinking that this was another hack. But it wasn’t. It was revealed by legally acquiring “anonymized” data. Far from being anonymous, it was easy to comb through to reveal a “full record of [individuals’] online lives”.

The journalist and data scientist that conducted this experiment said that finding real people among the noise was “trivial”. That absolutely should scare you. And it proves that privacy campaigners are right to warn about increased logging, tracking, and surveillance.

This case is a great experiment in social engineering, but it’s also a stark example of the ticking privacy time-bomb created by recent legislative changes in the US, UK, and Australia.

Face It: Your Browsing History is Not Private

What do you have to do to get browsing histories for three million people?

Simple. Create a fake company and ask to buy them.

Journalist Svea Eckert and data scientist Andreas Dewes used no hacking techniques. They did not breach any servers. They did not break any laws.

They simply created a legitimate-sounding company and used simple social engineering techniques to access the data they needed to test a non-existent machine learning algorithm. It worked like a charm – they were actually given it for free by a data broker.

Eckert and Dewes approached almost one hundred companies for their experiment. They did meet some resistance. But only because they wanted German data, which is more difficult to obtain than data from the US or UK. This in itself should act as a huge wake-up call to anyone that thinks they have nothing to hide online.

Around the world, the privacy landscape is changing daily. China and Russia have implemented VPN bans in the past week. And in 2016, the UK passed a law that makes mass surveillance and state hacking completely legal, to barely a whimper of protest from the general population.

With the recent repeal of the broadband protections in the US, Internet Service Providers (ISPs) have been green lit to collect and sell this kind of data unless their customers explicitly opt out.

Your privacy is no longer someone else’s problem. Anyone that does not proactively protect their privacy is going to be at risk — and next time, the so-called hackers may not be so benign in their intentions.

Who’s Selling Your Data?

We tend to think of ISPs and governments having access to our data. And this is certainly true. But we need to think bigger. Who else has access to your browsing history? How many Terms and Conditions documents have you blindly accepted without reading them?

In the UK, more than 16,000 non-security cleared individuals can access yours right now under the Investigatory Powers Act. And the services and tools that we use online are constantly tracking and storing information about what we do, compounding the problem.

Eckert and Dewes got 95% of the 9 million URLs they analyzed from just 10 browser plugin providers. Ironically, at least one was a security tool. Many companies like this use your data as an additional income stream — but may be shy to admit it. After all, selling users’ private internet history to the highest bidder is hardly a selling point.

Of course, these companies would have you believe that they anonymize data before they send it. It doesn’t work. Eckert and Dewes described the process of identifying individuals as “trivial”, and said a less ethical company could have literally created an address book from the information they derived from the data.

Anonymization clearly isn’t working. It was “trivial” to link the highly personal and often sensitive data to individuals.

For example, Twitter users unwittingly indelibly stamp their username into their browsing history each time they view their analytics data — and it’s not the only service that carries that risk.

More complex identification — linking patterns of visits — nets the same end result; a de-anonymized data set, ripe for exploitation, blackmail, or the accidental disclosure of a private individual’s sexuality.

Face it. Your data is a commodity, and there are a lot of companies that would pay to know who you really are. In fact, they’re doing it already.

It Could Be You Next Time

If your government isn’t tracking you yet, you’re one of the lucky ones. But your browser is still piling up data in the background.

Whether it’s for advertising, diagnostics, or sharing your location, third parties have plenty of reasons to want to know what you do online.

We’re sometimes told that the right to privacy contradicts the need to thwart terrorism. This excuse is wearing thin. And blocks would make no difference to the dangers we face.

Trusting governments or corporations with your data is a fool’s game, and it will come back to bite all of us eventually. In the end, your privacy is less important than the opportunity to profit. The temptation to sell you data will only grow.