Even your deleted secret web history isn't safe, say researchers

Think your deleted web browsing history is safe? Think again. A team of German researchers has presented new findings at the Def Con hacking conference in Las Vegas, showing how even data thought to be anonymised can be rummaged through.

Security experts Svea Eckert and Andreas Dewes were able to gather the browsing habits of three million German citizens, including that of prominent public figures such as judges and politicians, by intercepting 'clickstream' data.

Clickstreams retain every click and web visit a user makes when browsing the internet, and are used to target advertising to specific users based on their browsing habits. This should be anonymised, but the pair found that circumventing this security step was "trivial", revealing sensitive details about specific users.

Annihilating anonymity

The data was mined from just 10 popular browser extensions, providing the team with a custom identifier for each 'anonymised' individual. By cross referencing web visits noted in the clickstreams against public posts by individuals (say, a shared YouTube clip or shared Twitter picture), they could easily then identify who the anonymised identifier belonged to.

It was even easier in some cases where the user had visited their own social log-in admin pages, directly revealing their identities.

Great damage could be caused to individuals in this way if they believe their browsing habits have been carefully wiped, but secretly harvested elsewhere. In the case of the judge and politician identified in the study, the researchers were able to discover their pornography and drug preferences respectively – ideal blackmail fodder if in the right hands.

The researchers state that the way marketing firms use clickstreams is illegal, which also raises implications for how governments gather such data for security purposes.

Via BBC