De-Anonymizing Browser History Using Social-Network Data

Interesting research: "De-anonymizing Web Browsing Data with Social Networks":

Abstract: Can online trackers and network adversaries de-anonymize web browsing data readily available to them? We show -- theoretically, via simulation, and through experiments on real user data -- that de-identified web browsing histories can\ be linked to social media profiles using only publicly available data. Our approach is based on a simple observation: each person has a distinctive social network, and thus the set of links appearing in one's feed is unique. Assuming users visit links in their feed with higher probability than a random user, browsing histories contain tell-tale marks of identity. We formalize this intuition by specifying a model of web browsing behavior and then deriving the maximum likelihood estimate of a user's social profile. We evaluate this strategy on simulated browsing histories, and show that given a history with 30 links originating from Twitter, we can deduce the corresponding Twitter profile more than 50% of the time. To gauge the real-world effectiveness of this approach, we recruited nearly 400 people to donate their web browsing histories, and we were able to correctly identify more than 70% of them. We further show that several online trackers are embedded on sufficiently many websites to carry out this attack with high accuracy. Our theoretical contribution applies to any type of transactional data and is robust to noisy observations, generalizing a wide range of previous de-anonymization attacks. Finally, since our attack attempts to find the correct Twitter profile out of over 300 million candidates, it is -- to our knowledge -- the largest scale demonstrated de-anonymization to date.

Posted on February 10, 2017 at 8:25 AM • 28 Comments

Comments

SeanFebruary 10, 2017 9:45 AM

I beleive it is, with an exhaustive NoScript blacklist, a strict cookies management, and the addition of entropy in your fingerprinting.

It will never be perfect, neither as good as TBB. Tor is risky, unconfortable and slow though.

keinerFebruary 10, 2017 10:29 AM

@Sean

...a good start is deleting each and everything NoScript has in its (scandalous, at least to me) WHITElist. It's a shame, the whole tracking stuff and much, much more is enabled by default...

JamesFebruary 10, 2017 10:39 AM

From the sounds of the synopsis, I don't think that using TOR will protect against this.

I can think of two main ways that browser history can be attained. One is by sniffing traffic (ISP or otherwise). TOR does protect against this method. The other is a lost/stolen/confiscated laptop. Which TOR does not protect against.

If you assume the hard drive will somehow be decrypted (backdoor, court order, crappy password, a plumber's wrench), then you really have only a few options.
1) Don't keep a browser history
2) Don't post to social media
3) Compartmentalize. Don't keep history when you're browsing the sort of stuff you'd post on social media.
4) Know it. Accept the reality. Try to minimize the risk and impact where it matters.

I suspect that to a vast majority of humans, #4 is probably the best option. If you're a reporter in a potentially hostile country and use social media. Use incognito mode as much as you can stand. If you're a whistleblower, do the same.

Basically don't let people get their hands on both sources of data. The best way is to not keep or produce one of the two.

AmurruFebruary 10, 2017 11:08 AM

@Sean
This will break most of the sites, besides, most people will follow the easiest path (i.e. to be tracked). An accepted solution would be a URL sanitizer.

Clive RobinsonFebruary 10, 2017 1:25 PM

@ Albert,

How does this affect folks who don't do 'social' media?

From what various Governments are doing "not doing social media" will in effect put large gross hairs on your back. We already know that there are countries demanding access to a persons social media when they attempt to enter the country. And it appears the US is looking in moving in that direction.

Something tells me that the likes of DHS wanabies are not going to take "don't do social media" as a valid response and will at the very least quadruple S you or put you on the no fly list or worse, just because they can...

A Nonny BunnyFebruary 10, 2017 2:57 PM

@Clive They'd probably believe me if I showed them my (not-smart) phone.
Not sure if it'd end up better, though, considering it's a prepaid.

albertFebruary 10, 2017 8:11 PM

@Clive,

I already have "large gross hairs" on my back!

The simple act of following this blog puts a target on my back for sure. Criticism of the Government herein makes me even more 'special'.

Social media are stupid fads for stupid people; that's why I'm not there. Surely most of the LE/IC realize that. If not, then we're all headed to Hell on the Express Train.

Frank Zappa, speaking of the Rolling Stone, said:

"...Most rock journalism is people who can't write, interviewing people who can't talk, for people who can't read...."

He probably would leave out the 'rock' today.

---------
On entropy as a metaphor: We've gotten close to Absolute Zero. Now it looks like there may be 'negative' temperatures, that is, below Absolute Zero.

Just when you thought we bottomed out, a new universe appears...

Oh well...

. .. . .. --- ....

WaelFebruary 10, 2017 8:31 PM

@albert,

Now it looks like there may be 'negative' temperatures, that is, below Absolute Zero.

Nothing can be colder than absolute zero. Well, short of some callous HR people!

Clive RobinsonFebruary 11, 2017 5:52 AM

@ Albert,

I already have "large gross hairs" on my back!

Opps that should have been a "c" not a "g", sorry about that.

But yes those who do more than lurk on this site are probably "painting" themselves in somebodies eyes. As I mentioned about the increase in asking for passwords at borders the problem is getting worse thus more precautions are required,

https://www.zdziarski.com/blog/?p=6918

Even telling jokes could in the past have gained you entry into the real equivalent of Orwell's Room 101. So they had to be kept clasified,

https://www.cia.gov/library/readingroom/docs/CIA-RDP89G00720R000800040003-6.pdf

However, safe havens, drift with time tide and the wind from politicians, which means that in this more modern world freedom from persecution is illusory,

https://www.theguardian.com/us-news/2017/feb/10/edward-snowden-russia-trump-report

albertFebruary 11, 2017 4:40 PM

@Clive, Wael,

Sorry, I had written a long answer but lost it along the way, perhaps by having two tabs open on the same page. It -is- handy when I'm replying to more than one person, but, apparently, requires one to keep ones wits about him...

Later,
. .. . .. --- ....

WaelFebruary 11, 2017 7:07 PM

@albert, @Clive Robinson,

Sorry, I had written a long answer but lost it along the way...

You mean something like 'The dog ate my homework'? Worry not. If your answer was about absolute temperature, then it maybe a good thing that you lost it! Lol :)

It -is- handy when I'm replying to more than one person

I learned the hard way. Now I use an external editor, then copy and paste, not cut-n-paste, because I got burnt a few times too. Force of habit I guess that comes from code-cutting, or from poem-cutting :)

On the subject proper, I also learned to use one tab and to make sure other social media applications aren't running. There are a few clever 'deanonymizing' attacks going on. As for the current topic on the research... well, I'm not impressed.

In need to find good lyrics to your signature song "Old McDonald" had a farm. I suggest you do that this time, though. I'm tired of doing others' homework :)

DroneFebruary 11, 2017 7:49 PM

A couple of ways to limit the amount of tracking: (1) Don't use soul-sucking Social Media services like Twitter and Facebook in the first place (this should be no problem unless you are fourteen years old), and (2) avoid anything associated with Google. This approach far from perfect, but it does have legs.

Clive RobinsonFebruary 11, 2017 11:47 PM

@ Albert,

No worries, I've got some kind of winter malady, which there is no polite way to put it, has got me going at both ends. As well as making my head spin faster than a rare particle at CERN, whilst also feeling like it's been pushed into a box not much bigger than said particle.

As for loosing a reply, yup been there a few times when Chrome goes belly up due to a memory leak or some such.

Go relax put your feet up put on some FPS game on the big screen and massacre a few million monsters from an alien hell hole...

@ Wael,

The dog does not eat cyber homework, unless it's a hell hound with red flashing eyes, a body that glowes green, three heads and foot long steel dagger teeth... which does not answer to the name of Fluffy. Further it should have bolts of lightning flying out like a power substation in Kansas shortly befor your feet land on a yellow brick road. Your most loathed teacher may have looked like the Wicked Witch of the North, but remember unless your name is Dorothy you are not alowed to disolve her...

Now the question is "homework" or the not doing it... Hmm as a start,

There was a man that had a dream,
Eee Eye Eee Eye Ohh.
And in that dream he had a dawg
Eee Eye Eee Eye Ohh.
With a Flash Crash here and a Flash Crash there. Here a bang there a bang every where a bang bang.
That old hell dawg he swallowed the server farm,
Eee Eye Eee Eye groan...

WaelFebruary 12, 2017 1:23 AM

@Clive Robinson,

I see your old McDonald and raise you a Bee Gees

Ear, my eye
In a lost and lonely part of town
Held in time
In a WEB of fears I slowly drown
Usin' Chrome
I just can't make it all alone
I really should be pawning you
Coding you
Bugging you, crushing you

Travesty
When the peeling's gone and you can't go on
It's tragedy
When the morning cries and you don't know why
It's hard to pair
With no one to shove you, you're
Goin' nowhere

Cavity
When we bruise manhole and you got no goal
It's tragedy
When the morning cries and you don't know why
It's hard to beware
With no TLA to guide you, you're
Goin' nowhere
When the feeling's gone and you can't go on

Smite and sway
There's a spurning down inside of me
Churning above
With a yearning that won't let me be
Down I go
And I just can't take it all alone
I really should be scolding you
Clubbing you
Busting you, stunning you
Maggoty

albertFebruary 12, 2017 1:08 PM

@Clive,

"I already have "large gross hairs" on my back!"

I said that because your typo made it funny; it wasn't meant as criticism.

Here in the Colonies, we are living under a storm cloud which began approaching us in the mid-90s, with the passage of the various 'anti-crime' and 'anti-terrorism' bills. In many cases, the authors of which now regret some of their provisions.

If this Borowitz cartoon is any indication:

http://www.newyorker.com/humor/borowitz-report/trump-says-he-has-been-treated-very-unfairly-by-people-who-wrote-constitution

we're in for a long haul.

@Wael,

"...You mean something like 'The dog ate my homework'?..."

No, like closing the comment -editing- tab instead of the comment -reference- tab:) At least the dog is an excuse; I have none:)

Re: below absolute zero:
Reference: Van Flandern, T. 1993. "Dark Matter, Missing Planets, and New Comets", North Atlantic Books, Berkeley, CA.

Van Flandern was a bit of an outsider in the Physics Establishment, as was Dr. Norman Ramsey, to whom the concept (negative energy [=>>] negative temperatures) is credited.

Further reading, see: blog.hasslberger.com/docs/HotsonIE86.pdf

Anyway, the point of the metaphor is: 'impossible' outcomes may become possible, when things can't seem to get worse than we thought.

. .. . .. --- ....

WaelFebruary 12, 2017 1:19 PM

@albert,

Re: below absolute zero:..

No worries, I link to similar things. Gravity faster than light :)

impossible' outcomes may become possible, when things can't seem to get worse than we thought.

Touché, dawg :)

Clive RobinsonFebruary 12, 2017 2:05 PM

@ Albert,

I said that because your typo made it funny; it wasn't meant as criticism.

Spelling mistakes due to rhumy old eyes, big fingers and dyslexia are one of my many failings. Being an old grump when not well is another, which I am at the moment...hurumph hurumph.

Which is why "the other half" is making marmalade etc in her calderon, and I have retreated to the fold up bed in the dead tree cave, where the clanking and smell do not reach. Even the neighbors cat which normally can be found relaxing around the house away from the neighbors two year old, knows I'm best avoided when ill. In fact his disappearing is often the first clue I get I'm not well unless others mention I'm being a little irascible or picky. The final warning is loss of appetite, --and I've not been eating for three days,-- thus like a bear with a sore head I'm best left to my own company...

albertFebruary 12, 2017 2:34 PM

@Clive,

At Casa Alberto, we find Oscillococcinum (Boiron) effective for winter colds and flu. It's available here OTC, and should be there as well. Works best at onset, but provides relief later. I use as a prophylactic before dining out, take away, or public encounters, etc. The usual disclaimer applies....not affiliated, etc.

. .. . .. --- ....

WinterFebruary 13, 2017 5:27 AM

@Wael
"Nothing can be colder than absolute zero. Well, short of some callous HR people!"

This is OT, but systems with a negative temperature do exist:
https://en.wikipedia.org/wiki/Negative_temperature

That a system at negative temperature is hotter than any system at positive temperature is paradoxical if absolute temperature is interpreted as an average kinetic energy of the system. The paradox is resolved by understanding temperature through its more rigorous definition as the tradeoff between energy and entropy, with the reciprocal of the temperature, thermodynamic beta, as the more fundamental quantity. Systems with a positive temperature will increase in entropy as one adds energy to the system. Systems with a negative temperature will decrease in entropy as one adds energy to the system.
These are weird systems, indeed.

WaelFebruary 13, 2017 6:06 AM

@Winter,

This is OT, but systems with a negative temperature do exist:

Obviously you're biased! This is about temperatures colder than -273 C. Absolute zero or zero Kelvin, Mr. Winter ;)

Dirk PraetFebruary 13, 2017 6:52 AM

@ Wael, @ Winter

This is about temperatures colder than -273 C. Absolute zero or zero Kelvin, Mr. Winter

-273 C is still smoking hot as compared to the cold emanating from the hearts of some women I know 8-)

Clive RobinsonFebruary 13, 2017 12:06 PM

@ Dirk Praet, Wael, Winter,

-273 C is still smoking hot as compared to the cold emanating from the hearts of some women I know 8-)

That's positively balmy, if you want to know real cold, go to a bar in the Gorbles Glasgow Scotland, and say you fully support the English view on Brexit and you think Trump's a wonderful man to a Highland Hairy Mary...

WaelFebruary 14, 2017 12:26 AM

@Dirk Praet,

the cold emanating from the hearts of some women I know 8-)

You're an animal! You dated nurse ratched? You probably lit her up like a pinball machine (you're a champ, right?) and she paid you off in silver dollars ;)

@Clive Robinson,

if you want to know real cold, go to a bar in the Gorbles Glasgow Scotland

No, thanks! I do value my life, kinda. I'll take a hail check ;)

Dirk PraetFebruary 14, 2017 6:04 AM

@ Wael

You dated nurse ratched?

She ain't my type, and they are rather predictable. In my experience, women with angel faces are much more of a risk.

@ Clive

if you want to know real cold, go to a bar in the Gorbles Glasgow Scotland

When we were younger (and much more stupid), we actually used to do such stuff for fun and games. Like walking into the the local nazi pub and asking the barkeep if we could rent the place for a gay party. Those were the days.

RumbledSuSkinFebruary 16, 2017 6:23 AM

Dont use phone/sim (only burners for advanced users). use free wireless with tails in densely populated areas with forged mac. Don't log into or post on any social media, expose any patterns of behavior.

Destroy wireless dongle/burner & sim after use. Never use same location and alias twice.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.