We treat our computers like they’re staff of a Las Vegas hotel. They see us at our worst, yet we’re pretty confident they keep it to themselves.
This works pretty well with chambermaids and blackjack dealers, but not so much with Internet-connected PCs and smartphones. What you do online usually stays online; it’s captured not just by your computer, but by many others. And if somebody gets hold of that data, they can uncover some of your most sensitive and unlovely secrets.
An especially creepy example emerged in July in, of all places, Las Vegas. A group of researchers from Germany, appearing at the big annual hacker confab DefCon, demonstrated that it’s appallingly easy to ferret out all manner of information about our lives, ranging from the mundane to the embarrassing. The researchers simply analyzed data collected from our Internet browsing — information we probably don’t realize we’re sharing.
This data isn’t being grabbed by the NSA or FBI, but by commercial brokers who buy complete “clickstreams,” or Internet browsing records, of millions of people. Such clickstream data is collected by the browser extensions many of us install to do handy things like play games or translate foreign languages. It turns out that some of these extensions quietly record every site you visit and sell that data to brokers.
German TV reporter Svea Eckert set up a fake online marketing company, then began asking data brokers for samples of their wares. She persuaded one to lend her the clickstreams of 3 million Germans that came in the form of anonymized data, with no names attached. Even if it showed that somebody out there bought a plane ticket to Switzerland or visited a porn site, it would be impossible to know who.
Well, that was the theory. But Eckert’s colleague, data scientist Andreas Dewes, was able to identify thousands of the 3 million Germans by name and learn a great deal about their activities and lifestyles. For maximum impact, Dewes homed in on politicians, police officials, and judges. He identified a member of the German parliament who takes a medicine for dizziness, a detective investigating a computer fraud ring, and a judge with a fondness for pornography.
The clickstream data do appear to be anonymous at first glance. But Dewes wrote software that analyzed the websites visited by each anonymous user and also compared the clickstreams to publicly available information from popular websites like YouTube and Twitter.
Say you’ve got a YouTube account under your own name, which includes a public playlist of your favorite videos. Each video carries a unique code. That code appears in your browser’s clickstream when you view the video. A marketer can search millions of anonymous Internet clickstreams to find that one person who viewed all the videos in a particular playlist. And now he knows that person’s name.
Having identified that one portion of the clickstream, the marketer can easily search for further details of that person’s life — travel plans, favorite movies, political leanings.
If you’re a politician or celebrity who frequently checks your popularity on Twitter, identifying you is even easier. A data marketer can search each clickstream to see if its owner has visited the Tweet Activity page. The record of each visit includes the user’s Twitter handle — RealDonaldTrump, for instance. Look up the handle on Twitter, and you can usually get the person’s real name, too. Now you know who generated the entire clickstream, which can also tell you which book they bought on Amazon or whether they trolled for dates on Match.com.
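The two matching tricks described above, turned around into a check a data holder could run on its own "anonymized" clickstreams before sharing them. This is an added example, not code from Dewes or from this article; the user IDs, video codes, playlist and handle are constructed, and the URL shape used for the Tweet Activity page is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: pseudonymous user id -> visited URLs (no names attached).
CLICKSTREAMS = {
    "u-1001": ["https://www.youtube.com/watch?v=AAAAAAAAAAA",
               "https://www.youtube.com/watch?v=BBBBBBBBBBB",
               "https://www.youtube.com/watch?v=CCCCCCCCCCC",
               "https://shop.example/cart"],
    "u-1002": ["https://www.youtube.com/watch?v=AAAAAAAAAAA",
               "https://news.example/politics"],
    "u-1003": ["https://analytics.twitter.com/user/example_handle/tweets",
               "https://www.youtube.com/watch?v=BBBBBBBBBBB"],
}
PUBLIC_PLAYLIST = {"AAAAAAAAAAA", "BBBBBBBBBBB", "CCCCCCCCCCC"}  # constructed
# Assumed URL shape for a page whose path carries the account handle.
HANDLE_PATH = re.compile(r"^/user/([A-Za-z0-9_]{1,15})/tweets$")

def video_ids(urls):
    """Collect the per-video codes that appear in a list of visited URLs."""
    ids = set()
    for url in urls:
        parts = urlparse(url)
        if parts.hostname in ("youtube.com", "www.youtube.com") and parts.path == "/watch":
            ids.update(parse_qs(parts.query).get("v", []))
    return ids

def playlist_matches(streams, playlist):
    """Pseudonymous users whose history contains every video in the playlist."""
    return sorted(uid for uid, urls in streams.items() if playlist <= video_ids(urls))

def embedded_handles(streams):
    """Records where a visited URL itself spells out an account handle."""
    found = {}
    for uid, urls in streams.items():
        for url in urls:
            parts = urlparse(url)
            m = HANDLE_PATH.match(parts.path) if parts.hostname == "analytics.twitter.com" else None
            if m:
                found[uid] = m.group(1)
    return found

def audit(streams, playlist):
    """Summarize how exposed the data set is to both matching methods."""
    matches = playlist_matches(streams, playlist)
    return {"uniquely_identified": len(matches) == 1,
            "playlist_matches": matches,
            "handles": embedded_handles(streams)}

if __name__ == "__main__":
    print(audit(CLICKSTREAMS, PUBLIC_PLAYLIST))
```

A record that shows up in either result is not anonymous in any useful sense, and removing the name column does nothing to change that.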
Eckert and Dewes identified 10 browser extensions that appeared to be transmitting users’ clickstream data, but only one of them admitted it. It was Web of Trust, a popular extension that’s been downloaded 140 million times. Ironically, Web of Trust is intended to warn users away from websites that might threaten their privacy. The Finland-based company has since changed its software to allow users to forbid it from selling their clickstream data. But there’s nothing to stop other companies from continuing the practice.
Nothing but German law, that is. The country has strict Internet privacy regulations, and Eckert said in an interview that selling clickstream data without a user’s explicit permission is probably illegal there.
But here in the United States, there’s no such law. About the only protection we had was torn away earlier this year, when Congress overturned a regulation of the departing Obama administration that barred Internet service providers from selling their customers’ clickstream data. These companies insist they don’t do this. But there’s nothing to stop them from changing their minds.
What to do? Stop using browser extensions, or contact the maker and ask whether they sell your data. But what’s really needed is federal Internet privacy legislation. A law proposed in May by Republican US Representative Marsha Blackburn sounds like the right idea. Her law would ban any company from selling your Internet clickstream without your permission.
But for now, if it’s privacy you want, log off the Internet and hole up in Vegas.
Hiawatha Bray can be reached at firstname.lastname@example.org. Follow him on Twitter @GlobeTechLab.