Your web browsing history contains enough information for third parties to be able to link it to your social media profile (Twitter, Facebook, Reddit), Stanford and Princeton researchers have found.
Worrying research results
“Our approach is based on a simple observation: each person has a distinctive social network, and thus the set of links appearing in one’s feed is unique. Assuming users visit links in their feed with higher probability than a random user, browsing histories contain tell-tale marks of identity,” they shared.
They tested their approach first on simulated browsing histories containing links originating from Twitter, then in practice with the help of 374 individuals who chose to participate in the research and “donate” their browsing histories.
The result of that last test? Over 70 percent of the individuals were correctly tied to their Twitter accounts. While not perfect, the result is impressive, all the more so because each correctly identified account is one of over 300 million opened on Twitter.
Granted, users are not expected to hand over their browsing history to anyone who would like to peruse it, but for this approach to be successful they don’t have to.
“Several online trackers [e.g. Google, Facebook, ComScore, AppNexus] are embedded on sufficiently many websites to carry out this attack with high accuracy,” they noted, despite claims by ad tech companies that online tracking is not a threat to user privacy.
How to protect your privacy?
“Any social media site can be used for such an attack, provided that a list of each user’s subscriptions can be inferred, the content is public, and the user visits sufficiently many links from the site. For example, on Facebook subscriptions can be inferred based on ‘likes,’ and on Reddit based on comments, albeit incompletely and with some error,” the researchers explained.
“Further, it is inherent in the web’s design and users’ behavior, and is not due to specific, fixable vulnerabilities by browsers or websites, unlike previous de-anonymization attacks. It simultaneously confirms the fingerprintability of browsing profiles and the easy availability of auxiliary information. Application-layer de-anonymization has long been considered the Achilles’ heel of Tor and other anonymity systems, and our work provides another reason why that is the case,” they concluded.
The researchers’ approach is less potent if employed by network adversaries – Internet service providers, open Wi-Fi network sniffers, state actors – because of the increasingly widespread adoption of HTTPS. When the researchers based their testing on HTTP requests alone, only 31% of the 374 individuals who participated in the research were correctly tied to their Twitter accounts.
“We hypothesize that the attack will still work in this scenario but will require a greater number of links per user,” they noted, and added that tools like HTTPS Everywhere can help make the attack harder and more time-consuming to execute.
Unfortunately, HTTPS is no protection against third-party trackers. To make the trackers’ task harder, users will have to use tracker-blocking tools such as Ghostery, uBlock Origin, or Privacy Badger, and/or give up social media accounts, especially if they are opened under their real name.