True privacy online is not viable
- 21 February, 2017 22:00
Privacy-concerned consumers desperately want a magic bullet, some simple thing they can use that will protect their identities and their web activity. And although there are a plethora of offerings today that make such a claim — VPNs, privacy-focused browsers such as Tor, privacy search engines such as DuckDuckGo, quite a few services that claim to anonymize anyone’s activity — the practical realities of human behavior make such privacy claims bogus.
Let me stress that almost all of these services do indeed help a person remain anonymous from the casual, untrained observer (the typical roommate, spouse, co-worker, boss, etc.). But any consumer who thinks that these tools will thwart a law enforcement agent, motivated cyberthief or identity thief, or anyone who is willing to spend the time to track you down is in for unhappiness.
This point was made even more unavoidable in a new paper from researchers at Stanford and Princeton universities.
“Each person has a distinctive social network and, thus, the set of links appearing in one’s feed is unique. Assuming users visit links in their feed with higher probability than a random user, browsing histories contain tell-tale marks of identity. To gauge the real-world effectiveness of this approach, we recruited nearly 400 people to donate their web browsing histories, and we were able to correctly identify more than 70 percent of them,” the report said. “Our theoretical contribution applies to any type of transactional data and is robust to noisy observations, generalizing a wide range of previous de-anonymization attacks. Since our attack attempts to find the correct Twitter profile out of over 300 million candidates, it is, to our knowledge, the largest-scale demonstrated de-anonymization to date.”
In short, the point of this report is that people are creatures of habit. Their face/IP address/phone number/CRM number/etc. may be obscured, but their behavior often can’t be.
A few years ago, there was a law enforcement effort to track suspects by their grocery shopping patterns. Here’s how it worked. Let’s say that you have a suspect who had no reason to hide in her local community. She used payment cards, had a library card and sought discounts at her local grocery store by participating in a loyalty and CRM program. Then she killed some people and decided to go deep into hiding. She cleared out her bank account (so she could live entirely on cash for as long as possible), destroyed her mobile devices, purchased bogus identification documents and drove thousands of miles away. She would try to live off the grid, if you will.
Armed with years of the suspect’s grocery purchase habits, law enforcement identified repeated patterns. What kind of fruit did she buy? Which flavors and brands of cereal? Which precise beverages? Even though the suspect would presumably not get a CRM card in her hideout community, anonymous basket analysis would suffice. Retail chains across the country would be asked to check their sales against the patterns of the suspect. It proved frighteningly accurate at finding someone.
And even if the suspect could avoid purchasing patterns, would she be smart enough to change all of her habits? Her face could still be detected by facial-recognition software working with security cameras. And her car’s license plate could be detected driving on some interstate.
That’s all in the physical world. But the idea is the same for the online world. We habitually visit the same sites, tend to read stories the same amount of time and are prone to click on posts by the same people in our social circle. No IP-hiding VPN is going to change that.
The quip has often been made that privacy doesn’t exist anymore. Although it may not be that bad yet, the truth is that consumers cannot rely on any anonymity product as long as their behavior — their inclinations, their friends, their patterns — itself can be tracked.
When someone asks me, “Can I be tracked if I use XYZ privacy device?” the answer is, “It depends. Who are you worried about tracking you?” Privacy apps and devices are good low-level defenses, making a person difficult enough to track that it will, in effect, block most routine efforts.
Think of these apps/defenses as akin to installing a good high-security deadbolt on every door in your house. Will it block a thief who is being paid to steal documents in your house worth $40 million? Nope. There are windows with glass that can be cut, sledgehammers that can crash though the walls and then there’s always the thief who waits for you to unlock the door and then pulls a gun on you and follows you into the house. But that deadbolt will be enough to deter the low-level thief who is quite content to rob the house next door, the house that has no deadbolt.
I personally surf as often as I can in incognito mode, hiding my IP address with a VPN and surfing with Tor as often as I can. But there are enough sites that won’t work with that setup to make it difficult to use 24/7. (Although I did have fun discovering that when YouTube blocked me from seeing a video due to country copyright issues, all I had to do was change the country on my VPN settings and the video played fine.)
Bottom line: you can hide from advertisers and others well enough with privacy devices, but if someone really wants to track you, well, you can click, but you can’t hide.