
It is easy to expose users' secret web habits, say researchers - 0xbadf00d
http://www.bbc.co.uk/news/technology-40770393
======
dalbasal
_”What these companies are doing is illegal in Europe but they do not care, "
said Ms Eckert, adding that the research had kicked off a debate in Germany
about how to curb the data gathering habits of the firms._

I think it’s important to be skeptical towards legislation as a solution to
these things. The EU/UK cookie law is a cautionary tale, for example. After
all that talk we ended up with a law that (effectively) mandates a boilerplate
nag screens and no change in behaviour. Even if it had clearer language to
distinguish allowable-illegal cookie use, it would still be very difficult to
enforce.

I don’t mean to say legislation has no part to play. Just saying that the
politician outrage to legislation sausage factory has produced some duds in
this area. I wouldn’t count on a solution coming from this direction.

Speaking of enforcement… Most countries have an advertising standards
authority. They create the rules and such. If an ad is (for example) a blatant
lie, they can call up the Press/TV/Radio station and get the ad removed.
Online, it’s not obvious what authority they have, or how they would enforce
that authority at all.

Where advertising standards are still not broken is regulated industries. If a
locally regulated bank advertises “one weird trick to double your savings,”
the advertising standards people can go to the regulator. They have a number
to call, genuine threats to make. ..enough to promote self policing.

Online, even reputable newspapers allow shockingly crappy ads. Sleazy data
collection, snake oils, fake products, click farms, scams even fake news
(ironically). Real shyster stuff.

This is on the visible end of the online advertising stick, the ad content
itself. We already have legislation and a custom of rules. Still, enforcement
is nonexistent. Dealing with the unseen data collection end of this stick is
even harder.

~~~
DiThi
> and no change in behaviour

In some cases, even the opposite. I used to use self-destructing cookies but
stopped after so many websites required using cookies to stop showing that
message. I know there are extensions for removing those, but the point is that
they made more difficult to avoid what they wanted to avoid in the first
place.

~~~
frandroid
You'd think they'd use localStorage...

~~~
DiThi
In most cases, when you delete cookies, localStorage is deleted as well.

------
Pxtl
This business of using full HTTP requests with full cookies to domains that
are secondary to the site I'm visiting needs to end. When I go to Foo.com, the
browser does not need to send all my cookies and info to bar.com, even if
we're fetching resources to display on Foo.com. Bar.com in this case is acting
as a dumb file server, it doesn't need cookies.

Yes, this would make single-sign-on harder, but it would make it explicit and
be worth the trouble so that when the user is talking to A, they're not being
tracked by A's friends B, C, and D.

Of course, the big problem: the best browser is owned by the advertiser who
stands to lose under such an arrangement. So at best you'd need Safari or IE
to spearhead such a change. You can ape it with browser extensions, but
without a big browser maker pushing for this kind of shift some sites would
just break under such a model (particularly single-sign-on services like Gmail
and Facebook).

~~~
catamorphismic
Why do you mention Safari and IE but but Firefox?

~~~
falcolas
Because these are the first party web browsers associated with the two most
popular OSes - he didn't mention Chrome either.

Firefox and Chrome doing the right thing won't help a large majority of non-
technical users of the internet.

~~~
Pxtl
I didn't mention Chrome because Google is an advertising company that benefits
from cookie tracking and so I expect them to look out for their own interests.

------
zeristor
This looks to be the presentation:

[https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20pre...](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Svea-
Eckert-Andreas-Dewes-Dark-Data.pdf)

From:

[https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20pre...](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/)

~~~
amelius
I get this: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

~~~
ChristianBundy
Are you on Chrome Canary? I'm on the stable branch and I'm not having any
issues.

~~~
amelius
I'm using Chromium:

Version 48.0.2564.82 Ubuntu 14.04 (64-bit)

------
gcp
_The pair found that 95% of the data they obtained came from 10 popular
browser extensions._

So uhm, which ones are these and how did the researchers obtain the data?
(Bought it?)

Edit: The answer to the second question is: social engineering.

~~~
FT_intern
I hope companies uninterested in the data go undercover as potential buyers
and expose these extensions.

Maybe we can crowdsource a purchase to expose them.

~~~
craigmi
i had to dns sinkhole requests to pixel.intenta.io that a browser extension
was creating, every site site I visited was sent along in an ajax request to
this domain.

Couldn't isolate what extension it was.

~~~
tyingq
Someone else noticed the "page refresh" chrome extension making requests to
that domain: [https://frenchcoding.com/2015/11/12/faites-attention-aux-
ext...](https://frenchcoding.com/2015/11/12/faites-attention-aux-extensions-
google-chrome-que-vous-installez/)

------
usgroup
I think it makes a lot of sense to start a register of data providers. I.e. so
that if you want to sell user data you have to register as a provider and
specify where the data comes from and what it contains.

That'd make it so much easier to critique the possibilities and to further
legislate. It'll also allow for independent control of how anonymous data is
and independent attempts and de-anonymising the data.

I think it's still not well understood by most people just how much can be
known about you and it's potential for misuse. I think an initiative like this
would go a long way to bridging that gap and to better legislating for it.

~~~
gcp
It's worth looking at the actual presentation. It looks like they didn't buy
the data, but used social engineering attacks.

~~~
usgroup
No they bought the click-through data and then used social engineering attacks
and other sources (YouTube, Google, etc) to connect it to other identities.

~~~
ThePhysicist
Researcher here, `gcp` is correct in that the NDR acquired the clickstream
data from a data provider as part of an investigative story (the data was
provided as a free sample), the deanonymization was demonstrated by linking
individual URLs with publicly available information from various sources
(Twitter, Youtube, Google+, ...), though this often wasn't necessary as many
users had URLs that contained direct identifiers (e.g. their full name) as
part of the URL and that we could use for efficient de-anonymization.

------
ust
I find this reasoning by prof. Orin Kerr pretty interesting, in respect to
whether always collecting the full URLs of users (by IPS) is actually legal.
His argument is that it might not be legally OK to do so, and that there
already are restrictions, even with rescinding the privacy rules by the FCC:

[https://www.washingtonpost.com/news/volokh-
conspiracy/wp/201...](https://www.washingtonpost.com/news/volokh-
conspiracy/wp/2017/04/06/the-fccs-broadband-privacy-regulations-are-gone-but-
dont-forget-about-the-wiretap-act/?utm_term=.cb7dea7302e8)

------
mnw21cam
And apparently the BBC thinks it needs to explain what the word "trivial"
means.

~~~
rpns
I don't think you'll find 'easy' as a definition of trivial in a mainstream
dictionary (rather things like 'of little value or importance'). It probably
is just computing jargon, though I recall it being used when studying
mathematics and meaning 'self-evident' (e.g. a trivial solution).

~~~
RandomTrees
Mathematics books are full of "trivial" for things easy enough to require no
explanation (not only trivial solutions etc.). Probaby CS inherited it.

~~~
jsty
Some mathematicians do have a definite over-fondness for handwaving away
statements they can't be bothered to prove with the "it follows trivially that
...". It's all well and good when such a proof would be 20 minutes of basic
algebra, but that's frequently not the case.

One of our lecturers at university was so renowned for this, everyone taking
that module organised to write "the answer to this question is trivial, and is
left as an exercise to the marker" for any question they couldn't figure out
in the exam.

------
DarkKomunalec
I'm confused.. the article claims the extensions doing the clickstream
gathering are illegal... but that the collected data is 'supposed to' be
anonymized? Supposed to by what standard? If they're already breaking the law
by gathering the data, why would they bother to anonymize it?

~~~
gcp
Breaking the law in Europe != breaking the law in the country where the click-
stream gathering company sits.

------
Jonnax
The article mentions that the data comes from 10 browser extensions. Didn't
mention which though.

------
amelius
That's why I inject noise into the web on a regular basis. Just do some random
searches, click some random links.

~~~
mbillie1
From the presentation:

> Can I hide in my data by generating noise? (e.g. via random page visits)

> Usually not

~~~
xj9
what about adnauseum ? my browser appears to click every as I am exposed to,
but I don't see them.

better or worse?

~~~
lightbyte
I'd imagine that is much worse. It's not random at all, you're basically
giving them huge amounts of extra data points. That extension was supposed to
used to mess up click rates for ads, not stop you from being tracked.

------
crystaln
There have been exposés on this in there part, resulting in fast action from
Google. Sadly the behaviour alerts to have crept up on us again.

It seems like a list of violating extensions maintained by an outside
organisation would help, or perhaps privately reporting to google.

------
rdiddly
Tellingly, the examples cited all involve the use of some form of social
media. (There they go thinking Facebook is the internet again.)

------
scrrr
Private browsing mode is your friend. (You can set it as your default, at
least on iPhone.) Caveat: You will have to keep confirming cookie usage popups
(EU only I guess).

~~~
Freak_NL
Private browsing does not conceal what you visit from your ISP, and it only
partially prevents trackers and beacons from tracking you (browser
fingerprinting is an issue the private browsing won't solve).

It also won't safe you from nefarious extensions installed in good faith (as
mentioned in the presentation).

Using private browsing keeps your local history clean, and prevents existing
cookies from being used to track you. That's it. It is there mainly to prevent
the letter 'p' typed in the address bar from auto-completing to the more
colourful websites just when you want to show your mother-in-law a nice quilt
you saw on Pinterest.

To prevent the level of tracking mentioned in the presentation, you should at
a minimum use a VPN, private browsing, and trusted anti-tracking extensions
such as uBlock Origin and Privacy Badger (which as far as I can tell seem to
be in the clear and above board at the moment).

If your threat level warrants it (e.g., a judge in a morally conservative
society) you would use Tor or a VPN with multiple exit points chosen at random
for each session.

------
jlebrech
don't become a person of interest and they won't go looking for dirt in your
browsing history.

~~~
jlebrech
they would rather find a bit of dirt on law abiding citizens than the 3000
terrorists they already have a list of.

~~~
awkwarddaturtle
Did you just reply to your own comment?

~~~
jlebrech
yes, rather than edit the original

------
timwaagh
instead of making this (even more) illegal, which would solve very little as
its still apparantly trivial to do, they should instead work on making that
address book.

that way when everything is transparant, paedophiles can be caught and we
might choose not to vote for somebody with a cocaine addiction.

~~~
Freak_NL
How does that not fall foul of the "I have nothing to hide" fallacy¹², and its
various dangerous consequences³?

1: [http://falkvinge.net/2012/07/19/debunking-the-dangerous-
noth...](http://falkvinge.net/2012/07/19/debunking-the-dangerous-nothing-to-
hide-nothing-to-fear/)

2: [https://steemit.com/privacy/@tomkirkham/i-have-nothing-to-
hi...](https://steemit.com/privacy/@tomkirkham/i-have-nothing-to-hide-privacy-
argument-is-a-fallacy)

3: [https://jacquesmattheij.com/if-you-have-nothing-to-
hide](https://jacquesmattheij.com/if-you-have-nothing-to-hide)

~~~
DarkKomunalec
Those articles either miss, or fail to emphasize enough, the best
counterargument: what if you _do_ have something to hide?

What if you're organizing a protest, a new political party, a business to
compete with entrenched corporations, are a whistleblower (corporate or
government), an investigative journalist (still needed in a surveillance
society - those in power know better than to turn surveillance on themselves),
or a union organizer?

Those are all activities (most) people would consider good, or at least
necessary, and all require some degree of secrecy.

~~~
emodendroket
The kind of people who would make this argument generally have authoritarian
tendencies and wouldn't approve so wholeheartedly of your examples.

------
Swizec
> Two German researchers say they have exposed the porn-browsing habits of a
> judge, a cyber-crime investigation and the drug preferences of a politician.

So how long before we as a society stop making a big deal of things like that?
Everyone watches porn, most people enjoy drugs[1].

Why does anyone still care? Why do we make such a hullabaloo if a judge
watches porn? Why is it a big deal if a politician smokes some pot to relax?
Who cares if a detective drinks a case of beer on the weekend to blow off some
steam?

I'm all for privacy and there are things I wouldn't care to expose on the
internet (like my home address and exact apartment number)[2], but I promise
you future generations will not give a shit about each other's "super secret
internet browsing habits". My fav porn site is RedTube, my drug of choice is
caffeine, and I hate that ThePirateBay has become hard to find in recent
months.

There's a lot of memes out there about deleting your browser history before
you die. But honestly who cares? And if you're doing illegal shit, use a
burner laptop. They're $100 on Amazon [3]. Don't be dumb.

[1] drugs as in psychoactive substances. Legal drugs like caffeine and alcohol
count, as do prescription drugs.

[2] you can probably triangulate those from my YouTube videos if you really
want to

[3] [https://www.amazon.com/Performance-RCA-Touchscreen-Quad-
Core...](https://www.amazon.com/Performance-RCA-Touchscreen-Quad-Core-
Processor/dp/B01MQD63WX/ref=sr_1_2?ie=UTF8&qid=1501500366&sr=8-2&keywords=cheap+laptop)

~~~
skummetmaelk
Because even though it might be accepted in the future, these things have real
consequences now and for the foreseeable future.

~~~
Swizec
That's kind of circular isn't it? I understand we care because it has real
consequences. But _why_ does it have real consequences?

That's what I'm wondering and have been for a while. Where does the outrage
come from? We all know we all watch porn. But if it comes out that so and so
important figure watches porn, suddenly it's the end of the world? Why? Who
decides which instance breeds outrage and which doesn't?

~~~
coldtea
> _That 's what I'm wondering and have been for a while. Where does the
> outrage come from? We all know we all watch porn. But if it comes out that
> so and so important figure watches porn, suddenly it's the end of the world?
> Why? Who decides which instance breeds outrage and which doesn't?_

Well, ultimately others decide, so it's beyond your and my control.

~~~
tedunangst
Others decide because we allow them too. We could make an effort to read less
about the private habits of others. "That's private, I'm not clicking it." And
yet for all the privacy advocates on HN, there's still a great deal of
interest in salacious stories.

------
jondubois
This is great. I look forward to everyone's information being made public in
the future. It might be embarrassing initially but if everyone else also has
embarrassing stuff released about them then it won't be so bad; it will make
people more open and encourage us to be honest. Only criminal and highly
unethical activity will be negatively affected.

We need to re-calibrate our ideas about people and society to something more
realistic. It will probably lower our overall opinion of humanity but at least
people will know the truth and behave accordingly. Right now people are
idealising certain things and behaving based on false information.

In any case, I think it's unavoidable that all information will be public at
some point in the future. It's been heading slowly in that direction since the
dawn of civilization. Several hundred years ago, even a figure as powerful and
well known as the pope could behave unethically and nobody would find out
until hundreds of years later.

Today it's much harder to keep things secret. I think big, embarrassing
revelations like the Anthony Wiener scandal should become increasingly common.

~~~
acdha
> Only criminal and highly unethical activity will be negatively affected.

Because nobody has ever suffered for being outed as LGBT, minority religion or
political party, etc.? Losing a job, being beaten or killed go way beyond
embarrassment and those outcomes are a given for millions of people.

Many people like their various bigotries – whole religions feed on the social
dynamics of saying everyone outside is sinful and trying to corrupt you – and
while it'd be nice if revealing secrets lead to greater tolerance I'd bet a
lot that the more likely outcome would be rage that they'd been infiltrated
and purging anyone who had been keeping secrets.

~~~
jondubois
Yeah but a lot of people who are currently pretending to be straight or even
homophobic might actually be closeted themselves or they may have some real
dirt on them.

Your boss won't fire you for being gay if it turns out that they themselves
are closeted or if they are laundering money, avoiding taxes or doing drugs,
etc... Or even if your boss is in fact a very simple perfectly-behaved person,
then 90% of employees in the company will have something potentially
embarrassing about them and they're not going to fire 90% of the company.

The higher you go up the ranks of society, the more dirt you will find.

And the beauty of it is that people who are higher up the ranks will be
uncovered first (due to public demand). The researchers didn't go after just
anybody, they specifically looked up a politician and a judge. These are the
natural targets; people who are supposed to represent and uphold society's
moral ideals.

~~~
kenbellows
Hate to say it, but this is a rather naive perspective on human behavior and
interaction. Like the GP said, the threat goes far beyond losing a job. For
just one example, it is a very sad fact that transgender individuals face
significantly higher rates of domestic violence, sexual violence, and stranger
assault, especially trans individuals of color. More broadly, maybe it's true
that fully outing all (or most, or many) closeted LGBTQ individuals would
force faster societal change in the long term, but the short term effects may
not be worth it, and anyway, I really don't think that decision should ever be
in the hands of anyone other than the individuals themselves.

