Researchers say 'anonymous' advert data can be tied to users
Project shows how compromising data could be used in blackmail attempts
Researchers have reportedly been able to link data gathered by companies creating targeted adverts to individual users, including the drug preferences of a politician and the porn habits of a judge.
German researchers Svea Eckert and Andreas Dewes revealed their findings at the Def Con hacking conference in Las Vegas over the weekend, showing that browsing data known as "clickstreams", used by companies to create targeted adverts, can be easily tied to individual users, according to the BBC.
Companies are able to gather reams of a user's search history to customise display adverts, but any identifiable data related to the individual is supposed to be removed.
Although this data is normally anonymised, the pair demonstrated that discovering the identity of the person is "trivial", arguing marketing companies that collect the data are not doing enough to ensure it's protected.
"What these companies are doing is illegal in Europe but they do not care," said Eckert.
Datasets typically record a list of every site and link clicked by a user, and assign the history to a customer identifier in order to generate appropriate ad content. The researchers demonstrated that by using this identifier and public information shared across social media sites, it was possible to correlate the data with an individual.
Users sharing links through Twitter, announcing to their friends which YouTube videos they were watching, or sharing which items they have just bought online, could all be used to accurately pinpoint users and their history. Once paired, their entire search history could be viewed and potentially exposed.
"With only a few domains you can quickly drill down into the data to just a few users," said Dewes. "The public information about users is growing so it's getting easier to find the information to do the de-anonymisation."
In some particularly alarming cases, clickstreams would even contain links to a user's social media page, which would directly reveal who the search history belonged to. One data set revealed the porn browsing habits of an individual who was later discovered to be a judge.
"This could be so creepy to abuse," said Eckert. "You could have an address book and just look up people by their names and see everything they did. After the research project we deleted the data because we did not want to have it close to our hands anymore. We were scared that we would be hacked."
While these specific search histories revealed nothing incriminating, the risk that users could be blackmailed is far more likely should the data fall into the wrong hands.
Under the UK's Investigatory Powers Act, ISPs are forced to collect and store the browsing histories of everyone in the UK for up to one year, in the event data is required to support criminal investigations. Technology companies argued at the time of its enactment that this would weaken encryption as a result.
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now