Researchers say 'anonymous' advert data can be tied to users

Project shows how compromising data could be used in blackmail attempts


Researchers have reportedly been able to link data gathered by companies creating targeted adverts to individual users, including the drug preferences of a politician and the porn habits of a judge.

German researchers Svea Eckert and Andreas Dewes revealed their findings at the Def Con hacking conference in Las Vegas over the weekend, showing that browsing data known as "clickstreams", used by companies to create targeted adverts, can be easily tied to individual users, according to the BBC.

Companies are able to gather reams of a user's search history to customise display adverts, but any identifiable data related to the individual is supposed to be removed.

Although this data is normally anonymised, the pair demonstrated that discovering the identity of the person is "trivial", arguing that marketing companies that collect the data are not doing enough to ensure it's protected.

"What these companies are doing is illegal in Europe but they do not care," said Eckert.

Datasets typically record a list of every site and link clicked by a user, and assign the history to a customer identifier in order to generate appropriate ad content. The researchers demonstrated that by using this identifier and public information shared across social media sites, it was possible to correlate the data with an individual.

Links shared through Twitter, announcements to friends about which YouTube videos a user was watching, or posts about items just bought online could all be used to accurately pinpoint users and their history. Once paired, their entire search history could be viewed and potentially exposed.

"With only a few domains you can quickly drill down into the data to just a few users," said Dewes. "The public information about users is growing so it's getting easier to find the information to do the de-anonymisation."
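The narrowing Dewes describes can be measured by whoever holds such a dataset before it is shared. The following is an added example, not code from the researchers or the article: it assumes a clickstream reduced to a map from pseudonymous identifier to visited domains (constructed sample data, hypothetical function names) and reports how few domains are enough to single out each record.

```python
from itertools import combinations

# Constructed sample: pseudonymous customer id -> set of visited domains.
CLICKSTREAMS = {
    "id-001": {"news.example", "video.example", "shop.example", "forum.example"},
    "id-002": {"news.example", "video.example", "bank.example"},
    "id-003": {"news.example", "shop.example", "bank.example"},
    "id-004": {"news.example", "video.example", "shop.example"},
    "id-005": {"news.example", "recipes.example"},
}


def anonymity_set(clickstreams, domains):
    """Return the ids whose history contains every domain in `domains`."""
    wanted = set(domains)
    return sorted(uid for uid, seen in clickstreams.items() if wanted <= seen)


def min_identifying_domains(clickstreams, uid, k=2, max_size=3):
    """Smallest number of uid's own domains that leaves fewer than k candidates.

    Returns None when no combination of up to max_size domains isolates the
    record, i.e. the record still hides among at least k ids.
    """
    own = sorted(clickstreams[uid])
    for size in range(1, max_size + 1):
        for combo in combinations(own, size):
            if len(anonymity_set(clickstreams, combo)) < k:
                return size
    return None


def release_audit(clickstreams, k=2, max_size=3):
    """Map each id to the number of domains needed to single it out."""
    return {
        uid: min_identifying_domains(clickstreams, uid, k, max_size)
        for uid in clickstreams
    }


if __name__ == "__main__":
    for uid, needed in release_audit(CLICKSTREAMS).items():
        print(uid, needed)
```

Records that return 1 or 2 are unique on that many domains even though the dataset carries no name, which is why stripping direct identifiers alone does not anonymise a clickstream.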

In some particularly alarming cases, clickstreams would even contain links to a user's social media page, which would directly reveal who the search history belonged to. One dataset revealed the porn browsing habits of an individual who was later discovered to be a judge.

"This could be so creepy to abuse," said Eckert. "You could have an address book and just look up people by their names and see everything they did. After the research project we deleted the data because we did not want to have it close to our hands anymore. We were scared that we would be hacked."

While these specific search histories revealed nothing incriminating, the risk that users could be blackmailed is far greater should the data fall into the wrong hands.

Under the UK's Investigatory Powers Act, ISPs are forced to collect and store the browsing histories of everyone in the UK for up to one year, in the event data is required to support criminal investigations. Technology companies argued at the time of its enactment that this would weaken encryption.
