German researchers have reported that the browsing data used by some companies to create customised display adverts can also be easily tracked to individual users, and could be used against us by cyber criminals.
The results of research by Svea Eckert and Andreas Dewes was revealed at the Def Con hacking conference held in Las Vegas over the weekend. It showed that a user’s search history can generate reams of information that companies can use (called ‘clickstreams’) to customise display adverts, but, that it is actually relatively easy to identify an individual user from this data (when correlated with other publicly available data).
Any data in these clickstreams that could successfully identify individual users is supposed to be anonymised and removed by marketing companies. The research has, however, highlighted the issue that marketing companies are not doing their due diligence in protecting the information gathered, and that, with the right know-how, individual users can be identified from existing, collected browsing data.
Potentially Used For Crime
The worry is, of course, that a user who has been identified and linked with dubious / potentially damaging / embarrassing browsing data and search history could be blackmailed.
In the case of crimes such as stalking, for example, it is potentially easy for a stalker now to be able to gather information about their victim by opening up an address book.
How Can A User’s Identity Be Traced?
Datasets typically record a list of every site and link clicked by a user. This assigns the history to a customer identifier so that appropriate ad content can be generated.
The two researchers demonstrated that by using this customer identifier and public information shared across social media sites, it was possible to correlate the data with an individual user.
For example, links shared through Twitter, announcements about which YouTube videos a person is watching, or shares about which items a person has just bought online, could all be used to accurately pinpoint the user and the user’s history. Once combined, the user’s entire search history could then be seen and possibly exposed.
More Public Information
Public information about users is growing because of social media sites. This means that using just a few domains, data can be found and linked to users. Some clickstreams have even been found to contain links to the social media page of the user, thereby immediately revealing who the search history belonged to.
Research Data Deleted
The two researchers have reportedly deleted the data they have gathered for the research to eliminate risks of being hacked.
What Does This Mean For Your Business?
This story illustrates how difficult it can be for individuals and businesses to use the Internet in a completely secure way. More users are now likely to use private browsing for searches (particularly sensitive searches), and it is good security practice not to publicly share too much personal information and ID details on social media. It is, however, virtually impossible to keep track of which sites data / information has been shared with e.g. via online purchasing or for services, and how much of that information may have already fallen into the wrong hands e.g. in data breaches.
It is the responsibility of all businesses to protect personal data that they have collected in a compliant way (particularly with GDPR just around the corner), and marketing / advertising companies have a clear responsibility to protect the browsing data / clickstream data that they collect. Google is known to track users and use their history, activity and content to deliver targeted ads (although it will no longer scan Gmail accounts for information). Facebook, for example, tracks likes and shares, and many websites that we all visit and share our activities with networks of third parties who share, collaborate, link and de-link personal information to generate target ads. We as users are therefore often left with just the hope that as many companies as possible in the chain of data sharing are using secure systems and practices.
One other security / privacy risk that we all now have is how securely the data collected from our browsing history as part of the Investigatory Powers Act (also known as the Snooper’s Charter) is stored. Under the Act, it has to be stored for one year.