“Your entire life is online – and it might be used against you.”
That is the message of a popular viral video produced by the Belgian Federation of the Financial Sector (Febelfin), which has so far been seen by more than one-and-a-half million people.
In it, members of the public are invited to a very special mind-reading conducted by a charismatic grey-haired mystic called “Dave”. As the ham actor gets into his stride, more and more compelling information about the lives of his clients is spilled onto the table:
“I see a school in Antwerp”… “A house for sale”… “Your best friend’s name is Julie”… “Interesting love life – I see, three? Four people?”
But Dave leaves the best until last:
“I see a negative [bank] balance”… “Last month, you spent €200 on alcohol”… “€300 on clothes”.
And then he reads out their bank account numbers, before the secret of his mind-reading power is revealed: a room full of computers operated by balaclava-clad hackers who (supposedly) had been feeding the information to the phony mind-reader in real time.
The video was intended to warn people against making available excessive amounts of what ought to be private information about themselves online, and the ease with which such data can be used to break into email addresses, commerce sites and, ultimately, bank accounts.
But Febelfin might just be wasting its time. Many people remain blasé about publishing the intimate details of their life online and, across the world, online privacy is under attack – from commercial organisations that want to know all there is to know about their customers, to governments that want to know everything that their citizens might be getting up to, online or offline.
Do be evil
Ironically, perhaps, it is YouTube owner Google – motto: “Don’t be evil” – that has drawn most criticism for repeated infringements of privacy. This summer, Google was fined a record $22.5m (£14m) by the US Federal Trade Commission for hacking its way around poorly implemented privacy settings in Apple’s Safari web browser.
Jonathan Mayer, a graduate student in Computer Science and Law at Stanford University, was one of the researchers that uncovered Google’s violation of US privacy laws. Mayer has specialised in researching “third-party web tracking”.
“When I say third-party, I mean websites that a user is not interacting with, such as an ad network or a social network,” says Mayer.
This might be done via a combination of cookies, which can be used to make a user’s browser uniquely identifiable, and the intelligence embedded within an advert or even just some of the buttons that enable a user to “like” an article or to publicise it over a social network such as Twitter.
With adverts served by an advertising network and such social networking buttons present at almost every website, intelligence-gathering companies – whether advertising networks or social networking companies – can start to put together complete profiles of users. Indeed, both Google and Facebook are also among the web’s biggest advertising companies.
“One of our projects involved trying to understand which companies were placing cookies in Apple Safari. So, we bought advertising of our own and included code in the ads that we bought that measured what cookies seemed to be in place in end-users’ browsers,” says Mayer.
The advertising appeared only for users of Safari running on Apple’s iOS mobile operating system and looked at which advertising companies had tracking cookies in place.
By default, Safari has its privacy option switched on, which restricts the setting of third-party cookies based on domain names. If, for example, someone were to visit the Computing.co.uk website, a cookie from Computing would be permitted, but one from an advertiser would be blocked.
However, when Apple updated Safari, it made a number of architectural amendments on the legitimate grounds of usability that enabled third-party web trackers, including Google, to get round its settings.
For example, if a user filled out some information on a form in a website and hit submit, and that data is submitted (legitimately or otherwise) to a third-party website, it makes sense to keep some track of it to make sure it is submitted only once.
“But it turns out that a form on a website can be submitted not only when a user clicks ‘submit’, but also when a bit of code on a website submits the form. It was a known issue that a website could create an invisible form and use a little bit of code and submit and set cookies in response to that form so that the user never sees anything, but third-party cookies can be set,” says Mayer.
Despite this known bug, the majority of companies nevertheless complied with the spirit of Safari’s privacy settings, and very few cookies were in place on devices that had Safari’s privacy feature turned on – it is on by default and ought to wipe out all cookies.
“But we found a couple of companies had placed an inordinate number of cookies – one of which was Google,” says Mayer. “Roughly 85 per cent of the browsers with this privacy mechanism in place had a Doubleclick cookie.”
Doubleclick is the advertising network that Google acquired for $3.1bn (£1.9bn) in March 2008 – after overcoming both monopoly and privacy objections.
Further investigation by Mayer revealed three other major offenders in addition to Google: Vibrant Media, Media Innovation Group and PointRoll.
The case – partly because it clearly demonstrated intent on Google’s part to circumvent people’s privacy settings – caused a storm of protest, with many arguing that the penalty was not nearly enough to hurt a company with revenues of $37.9bn (£23.4bn) in 2011.
“Google has demonstrated an ability to out-maneuver government regulators repeatedly and ride roughshod over the privacy rights of consumers. Google continues to be disingenuous about its practices,” says John Simpson, privacy project director at US organization Consumer Watchdog.
Google, he adds, has a history of “failing to either respect the privacy of its users or even to comply with prior privacy undertakings”. Consumer Watchdog has called for tougher sanctions against the internet giant.
The issue of third-party web tracking can be dated back to the first popularisation of the internet in the mid-1990s, says Mayer. This is when web browsers were starting to integrate more sophisticated capabilities than merely displaying static text. “There was a recognition at the time that with this sophisticated functionality came the ability to learn an awful lot about what users were doing on the web,” says Mayer.
Browser makers, though, ultimately chose not to implement counter-measures. “Meanwhile, companies started to be founded based on the notion that they could follow individual consumers round the web, learn what their interests are, and make predictions on what could be relevant to them and sell that information for targeted advertising,” says Mayer.
Google’s breach of Safari’s privacy settings is not the first time that companies have creatively tried to evade them to build their databases of people’s browsing history.
Some marketing networks even devised ways to exploit a bug in older browsers, enabling them to uncover a web user’s history by serving up invisible links and then interrogating the browser to find out what “colour” the link was: if a link had been clicked, then it would typically be displayed by the browser in purple rather than blue.
“We found these guys [a company called Epic Marketing] were doing this for over 15,000 URLs, including the National Institute for Health website,” says Mayer.
Many web-tracking companies build their information databases almost without discrimination. Health websites, for example, are a particularly sensitive issue, given that they can betray deeply personal information – but information that could be highly valuable to advertisers.
Furthermore, if the “first party” website wraps a user name into a URL – which isn’t uncommon – that can be passed on to a third-party and associated with the user’s browsing history. “It only takes a little bit of identifying information ‘leakage’ to make web tracking identifiable. We found that it was going on all over the place,” says Mayer.
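The leak described above can be audited from the first party's side. The following is an added example, not code from the article or from Mayer's research: it assumes the identifier reaches the third party through the HTTP Referer header, models only a few Referrer-Policy values for a cross-origin HTTPS request, and uses a constructed page URL and identifiers.

```javascript
// Referer value a browser sends on a cross-origin HTTPS-to-HTTPS request
// for a few common Referrer-Policy values (a subset, not the full algorithm).
function refererSent(pageUrl, policy) {
  const u = new URL(pageUrl);
  switch (policy) {
    case "no-referrer":
      return "";
    case "origin":
    case "strict-origin-when-cross-origin":
      return u.origin + "/";               // path and query are stripped
    case "no-referrer-when-downgrade":
    case "unsafe-url":
      u.hash = ""; u.username = ""; u.password = "";
      return u.href;                       // full URL, including path and query
    default:
      throw new Error("policy not modelled: " + policy);
  }
}

// Return the identifiers that a third party would receive in the Referer.
function findLeaks(pageUrl, identifiers, policy) {
  let referer = refererSent(pageUrl, policy);
  try { referer = decodeURIComponent(referer); } catch (_) { /* keep raw value */ }
  const haystack = referer.toLowerCase();
  return identifiers.filter((id) => haystack.includes(id.toLowerCase()));
}

// Constructed sample: a first-party profile page that embeds the user name
// in the path and an e-mail address in the query string.
const PAGE =
  "https://dating.example/profile/alice_smith?tab=habits&email=alice%40mail.example";
const IDS = ["alice_smith", "alice@mail.example"];

for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
  console.log(policy, "->", findLeaks(PAGE, IDS, policy));
}
```
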
Often, though, the process is more straightforward, with companies simply sharing what they know – often information gleaned from registration processes.
For example, in 2011 Mayer and his Stanford research colleague John Mitchell discovered that online dating site OKCupid was sending information about how often subscribers admitted to drinking, smoking and doing drugs to Lotame, an online data company that counts publishers Condé Nast and IDG among its customers.
But for Google, the Safari breach was not a one-off, as far as online privacy campaigners are concerned.
Google Buzz was a social network launched in February 2010 and unceremoniously buried 18 months later.
It integrated Picasa, Flickr, Google Latitude, Google Reader, Google Sidewiki, YouTube, Blogger, FriendFeed, identi.ca and Twitter, and made weak privacy settings the default. This included making public the names of Gmail contacts that the user most frequently emailed or chatted with.
Just a month after Buzz was buried, Google changed its company-wide privacy settings to enable it to unify the collection and storage of user data across the whole of its online estate. Today, user data is shared across all of Google’s websites – including search, YouTube, Google+, everything – with no opt out.
Mobile raises the stakes still further, with Lotame, for example, boasting market data on 30 million Android device users, while Apple iOS users have been tracked thanks to the inclusion of the UDID unique tracking number in iOS.
Google, for example, knows every search made on an Android device via its search service – which accounts for more than 90 per cent of the UK search market, according to Experian Hitwise – and every app download in its Google Play store, too.
Given the undercurrent of discontent with commercial tracking on the web, the tracking industry itself has devised a system of self-regulation with “Do Not Track”, a supposedly universal web tracking opt-out.
Do Not Track signals a user’s opt-out from web tracking with an HTTP header field that requests a web application to disable tracking. It is currently supported by Firefox, Safari, Internet Explorer and Opera – but not Google Chrome – and is being standardised by the World Wide Web Consortium (W3C).
However, when Mayer investigated whether web tracking companies were honouring Do Not Track, he found that more than half were simply ignoring it.
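A check of this kind can be approximated over recorded responses. The following is an added example, not the method used in Mayer's study: the observations are constructed, and the test for a "tracking identifier" (a persistent cookie with a long opaque value) is a heuristic chosen for illustration.

```javascript
const DAY = 86400; // seconds

// Parse one Set-Cookie line into name, value and lifetime in seconds
// (lifetime 0 means a session cookie). Max-Age wins over Expires.
function parseSetCookie(line, now = Date.now()) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), lifetime: 0 };
  let hasMaxAge = false;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "max-age") { cookie.lifetime = Number(val); hasMaxAge = true; }
    else if (key === "expires" && !hasMaxAge) {
      cookie.lifetime = Math.round((Date.parse(val) - now) / 1000);
    }
  }
  return cookie;
}

// Heuristic (an assumption of this example): a cookie that outlives the
// session by more than a day and carries a long opaque value is an identifier.
function isLikelyIdentifier(cookie) {
  return cookie.lifetime > DAY && /^[A-Za-z0-9_\-+\/=.]{12,}$/.test(cookie.value);
}

// Hosts that set an identifier cookie in reply to a request carrying "DNT: 1".
function dntViolators(observations) {
  return observations
    .filter((o) => o.dnt === "1")
    .filter((o) => o.setCookie.map((c) => parseSetCookie(c)).some(isLikelyIdentifier))
    .map((o) => o.host);
}

// Constructed sample data: request DNT value and the Set-Cookie lines returned.
const OBSERVATIONS = [
  { host: "ads.tracker-a.example", dnt: "1", setCookie: ["uid=8f3a9c2e71b04d5a; Max-Age=63072000; Path=/"] },
  { host: "ads.tracker-b.example", dnt: "1", setCookie: ["optout=1; Max-Age=157680000; Path=/"] },
  { host: "stats.example", dnt: "1", setCookie: ["sess=ab12cd34ef56ab78; Path=/"] },
  { host: "ads.tracker-c.example", dnt: undefined, setCookie: ["uid=77aa01bc9d3e4f60; Max-Age=63072000"] },
];

console.log(dntViolators(OBSERVATIONS));
```
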
The privacy features built into all major web browsers are no solution either. Introduced when Apple Safari debuted “private browsing” in April 2005, these enable users to browse without their history being stored locally. But they don’t stop users being tracked by advertisers and marketers when they visit web sites in exactly the same way that they would in a normal session.
Cookies may be deleted at the end of the private browsing session, but the user is still identifiable by their IP address.
Anonymous proxy servers are also widely used, not for the purpose of privacy, but to enable staff to skirt corporate web blocks – because the user is connecting to the proxy and not the banned website – and for people to view content restricted to people in a certain geographic location. They are popular, for example, to enable people outside the UK to watch programmes on the BBC iPlayer.
However, while the basic service is free, users have to pay a subscription for unlimited access, connections via faster servers and – surprise, surprise – no advertising.
An increasingly popular application, though, is the Tor web browser, a freely downloadable tool designed to facilitate anonymous, untrackable web browsing.
Tor works by using a system of “onion routing” (its original name was “The Onion Router”). Properly configured, it provides an encrypted connection to other nodes in the Tor network through which online sessions are conducted.
As the data is transferred through the network, it is encrypted and re-encrypted multiple times, then sent through successive Tor relays, each one of which decrypts a “layer” of encryption before passing the data on to the next relay and, ultimately, its destination.
However, that last hop from the final node to the destination server has to be unencrypted, opening up a key weakness of the system.
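The layering, and what the exit relay can read, can be shown in a few lines. The following is an added example, not Tor's own code or protocol: it assumes three pre-shared relay keys instead of Tor's per-hop key negotiation, uses AES-256-GCM for every layer, stands in for TLS with one more sealed layer under a hypothetical destination-server key, and uses a constructed request.

```javascript
const crypto = require("crypto");

// Seal one layer: output is nonce (12 bytes) || auth tag (16 bytes) || ciphertext.
function sealLayer(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Remove one layer; throws if the key is wrong or the data was altered.
function peelLayer(key, sealed) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// The client wraps for the exit relay first and the entry relay last,
// so the entry relay's layer is the outermost one.
function buildOnion(relayKeys, payload) {
  return relayKeys.reduceRight((inner, key) => sealLayer(key, inner), Buffer.from(payload));
}

// Each relay peels its own layer; return what each relay holds afterwards.
function routeThroughCircuit(relayKeys, onion) {
  const views = [];
  let cell = onion;
  for (const key of relayKeys) {
    cell = peelLayer(key, cell);
    views.push(cell);
  }
  return views;
}

// For each relay (entry, middle, exit): can it read the password?
function relaysSeePassword(endToEnd) {
  const relayKeys = [0, 1, 2].map(() => crypto.randomBytes(32));
  const serverKey = crypto.randomBytes(32);                     // hypothetical, stands in for TLS
  const request = "POST /login user=alice&password=hunter2";   // constructed sample
  const payload = endToEnd ? sealLayer(serverKey, Buffer.from(request)) : request;
  return routeThroughCircuit(relayKeys, buildOnion(relayKeys, payload))
    .map((view) => view.toString("latin1").includes("password="));
}

console.log("plain request:     ", relaysSeePassword(false));
console.log("end-to-end sealed: ", relaysSeePassword(true));
```

Only the exit relay reads the plain request, and it reads nothing once the payload is encrypted end to end before entering the circuit.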
Dan Egerstad, a Swedish security researcher, ran five Tor nodes. Sniffing exit data traffic from these nodes, he was able to uncover server IP addresses, email accounts and their passwords for sensitive data from – in particular – developing countries’ embassies, the UK Visa Application Centre in Nepal and more than 1,000 corporate accounts.
“Because anyone can join the Tor network, Tor users necessarily pass their traffic to organisations they might not trust: various intelligence agencies, hacker groups, criminal organisations and so on,” said security expert Bruce Schneier, at the time the flaw was uncovered by Egerstad in 2007.
Some people conjecture that it was deliberately architected to be insecure by design. It was, after all, established in 2002 having been originally sponsored by the US Naval Research Laboratory, and continues to be supported by the US State Department. At the same time, Tor is also a haven for all kinds of very illegal activities.
Cynics have argued that state agencies – normally US-based – are almost certainly crawling all over Tor, only tolerating its worst excesses to provide a cover for their own nefarious activities – while using its shortcomings to gather the intelligence they want from people seeking Tor’s supposed anonymity.
It does, though, perhaps illustrate that while the activities of Google and many other over-eager online marketing companies are irritating, it is various governments’ own online surveillance efforts that ought to be feared.