Identifying People by Their Browsing Histories

guest · Aug 25, 2020

Identifying People by Their Browsing Histories
August 25, 2020
https://www.schneier.com/blog/archives/2020/08/identifying_peo_9.html

Interesting paper: "Replication: Why We Still Can't Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories":

We examine the threat to individuals' privacy based on the feasibility of reidentifying users through distinctive profiles of their browsing history visible to websites and third parties. This work replicates and extends the 2012 paper Why Johnny Can't Browse in Peace: On the Uniqueness of Web Browsing History Patterns[48].

The original work demonstrated that browsing profiles are highly distinctive and stable.We reproduce those results and extend the original work to detail the privacy risk posed by the aggregation of browsing histories. Our dataset consists of two weeks of browsing data from ~52,000 Firefox users.

Wethen find that for users who visited 50 or more distinct do-mains in the two-week data collection period, ~50% can be reidentified using the top 10k sites.
Finally, we observe numerous third parties pervasive enough to gather web histories sufficient to leverage browsing history as an identifier.
Click to expand...

One of the authors of the original study comments on the replication.
Click to expand...

Web browsing histories are private personal data - now what

The user’s Web browsing history is usually defined as a list of websites the user has visited, such as “google.com, facebook.com, reddit.com, bbc.co.uk, random-site.org, etcetc.org.uk”. On its own, it may seem innocuous. It turns out browsing history can be processed to extract insight about the user (or tracking the user).
Confirmed - Web browsing histories are unique
It turns out that our initial indicative work is now significantly upheld by recent (2020) research from Mozilla (by Sarah Bird, Ilana Segall, and Martin Lopatka) that has replicated our original study, using very refined data. This work provides an even more stringent assessment of how sensitive the list of user-visited sites really is. The case is stronger, which should be a call to action for many.
Click to expand...

The uniqueness rate of the web browsing history, using methods similar to ours, turned out to be 99%. They indicate that users can be reidentified via such a fingerprint, in 80% cases. Such numbers are shockingly high.
Summary
I commend the Mozilla team for tackling this unpopular and unobvious problem that is not much spoken of, and so far did not catch the interest of academics, yet nonetheless it was and is of obvious practical relevance. Both in 2011 and in 2020.

Web browsing histories are personal data. Deal with it.
Also, it feels quite great to have one’s work replicated after about 10 years!
Click to expand...

Paper: "Replication: Why We Still Can't Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories"
(PDF): https://www.usenix.org/system/files/soups2020-bird.pdf

Paper (2012): "Why Johnny Can't Browse in Peace: On the Uniqueness of Web Browsing History Patterns"
(PDF - 368 KB): https://hal.inria.fr/hal-00747841/document

Palancar · Aug 26, 2020

We still have to try, right? One of my counter measures is to use numerous TBB browser bundles behind VPNs. Each unique site has its own TBB and all activity stays within that one bundle package. They may be on the same linux Desktop but the bundles do a great job of segregating usage. I am hoping that IF a website gathers any info during my surfing around it will only display that I visit that one site, and via rotating IP's via TOR.

Log in or Sign up

Identifying People by Their Browsing Histories

guest Guest

Palancar Registered Member

Log in or Sign up

Identifying People by Their Browsing Histories

guest Guest

Palancar Registered Member

Useful Searches