Results of the first, large-scale study of the uniqueness of users’ browsing history was presented in a paper on the 12th Privacy Enhancing Technologies Symposium (PETS 2012).

In the paper “Why Johnny Can’t Browse in Peace: On the Uniqueness of Web BrowsingHistory Patterns,” the authors have researched browsing histories of almost 400,000 Internet users in a “real world” scenario. The findings are overwhelming. The research concludes that, as a general rule, Websites and content providers can uniquely identify and track users based solely on their browsing history. What does it mean? It means that your browsing history is just like your fingerprint.

In order to try and identify users and build profiles according to their browsing history and patterns, researchers have compiled a list of the 6,000 most popular Websites, sorted by their popularity (treated as a binary vector). A profile was built for each user’s browsing history by comparing it to the popular sites’ vector. Every matching site was marked on the vector as “1,” and all others were marked as “0,” yielding a profile vector that consists of 1’s and 0’s according to the popular Websites the user visited. The striking results show that, by using a list of the 50 most popular Websites and a browsing history of more than 4 Websites occurring in that list, researchers have uniquely identified 98 percent of the users’ profiles.

But is identifying unique profiles enough for tracking? To properly track users, trackers must be able to create the same profile every time they see them. So what if users delete their browser cache and history?

Interestingly, it turns out that Web users show incredible consistency in browsing to the same topics and Websites over time, which means that they will generally have the same representation of Websites on the popular sites list in their browsing history.

So what can be done? Will constantly deleting the browser cache help? It can help, but only to some extent as there are other methods that can be used to detect users’ browsing history, such as a CSS visited mechanism and DNS queries timing. Blocking scripts may also help, but it may compromise the browsing experience and usability. Script blocking and constant cache deletion confronts users with a privacy/usability dilemma where users are required to compromise their browsing experience and be relentlessly concerned with deleting their browsing history and cache just to protect their privacy.

How does the Breadcrumbs Solution solve this privacy breach?

Breadcrumbs introduces a new approach — the “Bogus Identity” solution. Via the “Bogus Identity,” the software proactively and transparently browses the Internet in the background using the same Web browser as the user. Instead of mimicking the user’s preferred topics, it browses to Websites which reflect different interest topics.

Consequently, the browsing history gets filled with patterns and topics that continuously change the Browsing History Fingerprint of the user, enabling users to protect their privacy without compromising browsing experience or going through the trouble of deleting the browser cache.

The law’s primary objective is to protect online privacy by increasing consumers’ awareness of how information about them is being collected by Websites by enabling them to choose whether or not they wish to allow information to be collected.

How can this law be bad for the future of online privacy?

The new “Cookie Law” aims to provide users with greater control over who can track them, and their private information as cookies may only be placed on computers where the user has opted-in. This has a clear implication for trackers on EU based Websites as they will have to cope with a reduction in the amount of available customer data which will mean less targeted ads and smaller revenues.

It’s hard to believe that in light of this new legislation, advertisers and trackers would abandon their money-making, tracking activities. Instead, they are likely to implement new, intrusive tracking technologies to circumvent the present legislation while waiting for any future round of legislation. By then, they will have implemented even more sophisticated tracking technologies that will make the current legislation irrelevant.

Take, for example, identifying users’ Browser Fingerprints or Keystroke Dynamics. These identification techniques can be used as server-side tracking technologies. With server-side tracking techs, users probably won’t even be aware that they are being tracked as opposed to cookies that at least apply some level of control for users who can use tools to see, block, and delete tracking cookies.

For trackers, each anti-tracking law is an incentive to put more cash into R&D and develop new tracking methods that will prevail over any existing legislation.

The EU’s e-Privacy directive is a small step in the right direction. It is increasing the awareness amongst Internet users in regards to what information is being collected about them and in what ways. It may possibly open the door to a more transparent interaction from trackers and advertisers in the future. On the flipside, the directive may push trackers into developing more sophisticated tracking technologies to overcome the current and any future legislation.

In recent years we have witnessed an exponential growth in the number of companies that rely on the process of tracking, aggregating, analyzing, and eventually selling Internet users’ online activities, typically without their recognition or consent. What makes this practice so appealing is the opportunity to make substantial revenues without any resistance from users.

Tracking companies clearly benefit from the current state of affairs where users are meant to rely on outdated technologies and on regulations more suitable for the previous decade’s Internet technology to protect their online privacy. Take tracking cookies, for example. They have been used for tracking users across the Internet for many years now, but only recently have regulators finally started to define what constitutes permissible usage and what is considered a prohibited practice.

The same goes for anti-tracking technologies. Most of them are simply outdated and can only respond to yesterday’s problems (e.g. blocking cookies) instead of dealing with more sophisticated tracking methods such as browser fingerprints or keystrokes dynamics.

Trackers grow their lucrative cash cows from digging their gold into our information mines. With such comfortable digging, they will keep allocating money and resources for lobbying against any unwelcome regulation and for technological developments that will always keep them a step ahead of us users. In other words, the users will lose in the battle over privacy.

A real change will occur only when users regain control over their private information and be given the tools to protect it in a proactive way. We can’t rely on regulation because it’s slow, tends to lag behind, varies between countries, and in most cases doesn’t solve the real problem. Tracking companies aren’t going to provide us with the solution either. Our private information generates their revenues, and “business ethics” will always be secondary to maximizing sales.

There has to be a shift towards a user-controlled solution. A new model is needed that is proactive, independent, and not reliant on regulators or trackers’ goodwill. A model that will force trackers to recognize users’ rights to keep their information private will shift the power balance back towards the users.

Keystrokes Dynamics research has rapidly evolved in recent years, and commercial companies already supply typing dynamics identification systems that provide good user identification results.

When it comes to the Web, Keystroke Dynamics may become a real privacy threat as it can be used to individually identify and track users even when and where they do not want to be identified or tracked.

Many Websites immediately transmit any keystrokes we enter directly to the Website or Webserver. For example, Google Instant transmits every keystroke to Google’s servers which in turn transmit back the search suggestions according to what we have typed. No one knows if Google records and analyzes our typing dynamics while we do so.

Alternatively, Websites can use JavaScript to record and analyze our Keystroke Dynamics on Webpages we visit and send the results to the Webserver.

Google Instant - Every keystroke is transmitted to Google.

Personally, I don’t believe this intrusive tracking and identification technology is already being applied to us Web users. Maybe I am too optimistic, but currently there are much cheaper and easier ways for trackers to track and identify us, Tracking Cookies are the most known and obvious.

But as more and more people are becoming aware of the privacy threats Cookies impose, they block and delete them. This is causing tracking companies to adapt and deploy more sophisticated tracking technologies in order to maintain the vast revenues that online tracking and profiling yield for them, and Keystroke Dynamics may have become one of them. (Hope I haven’t given any ideas to anyone.)

Reference and further reading:

Privacy: Gone with the Typing! Identifying Web Users by Their Typing Patterns (PDF)

Identity Theft, Computers and Behavioral Biometrics. (PDF)

Keystroke Dynamics. (Wikipedia)

Online tracking and profiling is the process in which these parties collect and aggregate all of our online activities and comprehensively analyze it to create a unique profile on each individual.

This process may reveal more about us than we are willing to disclose, thus it creates major privacy concerns that will no doubt come into effect in the near future.

At present, personal profiles are used mainly for advertising purposes, however with the rapid growth in the “information industry” it’s anyone’s guess what these profiles are going to be used for in the future. Imagine having your unique profile traded without your consent and used in a “Big Brother” fashion by future employers (recruiters and employers today already inspect candidates’ facebook profiles and information found on the web), government officials, commercial companies (they get access to your most private preferences) and so forth. In other words, this profile may have massive consequences on your future and your ability to make choices.

Currently, there is not much we can do to prevent online tracking. Commercial companies believe it’s their right to track us, and our data is used to generate big $$$ for them. But what if you could take control over your profile? What if you could use it for your own benefits? With this in mind, we have developed Breadcrumbs Bogus identity technology. This technology will let you decide who trackers will essentially think you are. I chose to be a rocket scientist…

Adding a ‘Like’ button in an online privacy blog is quit a dilemma. It causes me a slight cognitive dissonance as how can I preach about online privacy when I am giving Facebook the ability to know about every privacy seeking visitor on my blog?

Technologically speaking, embedding the Facebook ‘like’ button on a webpage, brings a whole lot of Facebook codes, scripts and cookies to the page, and these elements can be used to track the page visitors – even if they don’t click the ‘like’ button at all!

Well, I scratched my head a little and found a good trade-off. I will let users decide if they want to use the Facebook ‘like’ button on my website or not. By default only a Facebook icon shows on my blog, and if a visitor wants to ‘like’ my post (please do) clicking the Facebook icon will call the Facebook code and will bring up the actual ‘like’ button – I call it Facebook on Demand.

Not only does Facebook on Demand protect my visitors’ online privacy as well as preventing Facebook from tracking them by default, it also saves bandwidth on my website with a minor impact of User Experience.

Check out Facebook on Demand:

How is Facebook going public a privacy threat?

With such a high tag price and hype surrounding its IPO, we are likely to see Facebook’s management and executives under constant pressure by investors, shareholders and the press to provide continuous positive financial results in order to support its share price (bear in mind that revenues actually decreased recently). (See here)

To show the desired financial results, companies in different industries use various methods to improve their products. Facebook’s “product” is its users data (yep, yours and mine) and therefore we can expect more of our once private information being used.

Can we still protect our online privacy in light of Google’s new policy?

Of course we can. Breadcrumbs Privacy Solution was designed based on the assumption that Google and all other trackers will eventually combine all collected data into a single user profile. Consequently, Breadcrumbs created a software that browses the internet to sites and topics that do not represent who you really are, essentially creating a Bogus Identity for you.

Therefore, despite Google’s new privacy policy, Breadcrumbs Solutions will still protect your online privacy !

Originally, cookies were developed with good intentions, and are still used in our benefit. (save your page settings, user names, etc)
Tracking companies have taken advantage of this mechanism and instead utilize it against us by tracking us.

While we would all like to believe that our private information remains in our control, it is anything but true when speaking of online privacy. We have been conditioned to believe that if we erase cookies on our computer, then no one will ever have access to what websites, products, blogs etc we have been to or have been surfing on, as basically this activity defines us and can reveal who we are, and what our interest are. This is to say, your activity speaks for itself!

Browser fingerprints? This basically means that it is one more way to identify us without our knowledge. There was a rumor that this existed, but because we couldn’t really see the repercussions of this kind of intrusion as it was not meant for our eyes, we preferred not to believe it existed. Well, as it turns out, it is more than a rumor and it can be used to track us.

Yet, the fact that we have caught on to what once was a fairly good remedy for this, such as deleting cookies, is precisely what caused and encouraged tracking companies to develop more intrusive methods of tracking us.

“… Each of these tracking companies can track you over multiple different websites, effectively following you as you browse the web. They use either cookies, or hard-to-delete “super cookies”, or other means, to link their records of each new page they see you visit to their records of all the pages you’ve visited in the previous minutes, months and years. The widespread presence of 3rd party web bugs and tracking scripts on a large proportion of the sites on the Web means that these companies can build up a long term profile of most of the things we do with our web browsers.

Given how much tracking firms know about our browsing history, it’s worth asking whether these companies also know who we are. The answer, unfortunately, appears to be “yes”, at least for those of us who use social networking sites.

A recent research paper by Balachander Krishnamurthy and Craig Wills shows that social networking sites like Facebook, LinkedIn and MySpace are giving the hungry cloud of tracking companies an easy way to add your name, lists of friends, and other profile information to the records they already keep on you.”

EFF, Jul 21, 2009