Researchers say 'anonymous' advert data can be tied to users

Project shows how compromising data could be used in blackmail attempts

Data protection

Researchers have reportedly been able to link data gathered by companies creating targeted adverts to individual users, including the drug preferences of a politician and the porn habits of a judge.

German researchers Svea Eckert and Andreas Dewes revealed their findings at the Def Con hacking conference in Las Vegas over the weekend, showing that browsing data known as "clickstreams", used by companies to create targeted adverts, can be easily tied to individual users, according to the BBC.

Companies are able to gather reams of a user's search history to customise display adverts, but any identifiable data related to the individual is supposed to be removed.

Although this data is normally anonymised, the pair demonstrated that discovering the identity of the person is "trivial", arguing marketing companies that collect the data are not doing enough to ensure it's protected.

Advertisement - Article continues below

"What these companies are doing is illegal in Europe but they do not care," said Eckert.

Datasets typically record a list of every site and link clicked by a user, and assign the history to a customer identifier in order to generate appropriate ad content. The researchers demonstrated that by using this identifier and public information shared across social media sites, it was possible to correlate the data with an individual.

Users sharing links through Twitter, announcing to their friends which YouTube videos they were watching, or sharing which items they have just bought online, could all be used to accurately pinpoint users and their history. Once paired, their entire search history could be viewed and potentially exposed.

"With only a few domains you can quickly drill down into the data to just a few users," said Dewes. "The public information about users is growing so it's getting easier to find the information to do the de-anonymisation."

In some particularly alarming cases, clickstreams would even contain links to a user's social media page, which would directly reveal who the search history belonged to. One data set revealed the porn browsing habits of an individual who was later discovered to be a judge. 

"This could be so creepy to abuse," said Eckert. "You could have an address book and just look up people by their names and see everything they did. After the research project we deleted the data because we did not want to have it close to our hands anymore. We were scared that we would be hacked."

While these specific search histories revealed nothing incriminating, the risk that users could be blackmailed is far more likely should the data fall into the wrong hands.

Under the UK's Investigatory Powers Act, ISPs are forced to collect and store the browsing histories of everyone in the UK for up to one year, in the event data is required to support criminal investigations. Technology companies argued at the time of its enactment that this would weaken encryption as a result. 

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now



Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019

Five signs that it’s time to retire IT kit

29 Nov 2019

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019