Who’s Spying on You, and What They Know


Reports last week that Microsoft intends to put a “do not track” button in the forthcoming release of its Internet Explorer browser join a long line of add-ons for numerous web browsers that would, in theory, put users in charge of whether they are targets for on-line advertising. See “Add do not track to Firefox, IE, Google Chrome” by Dennis O’Reilly at CNET: http://news.cnet.com/8301-13880_3-20024815-68.html

But recent research reveals that these “do-not-track” efforts may be useless.

Tracking of User Web browsers
A review of the past and present reveals the following practices to track and identify users and their web-browsers:

Old school: Cookies
A tried-and-true method, still used today. For an introduction to cookies, see http://en.wikipedia.org/wiki/HTTP_cookie. The cookie’s inventor was trying to solve the “shopping-cart” problem and never intended his invention to be used for tracking. It was not until years later, when he found advertising being served to him based on his searches, that he realized his shopping-cart solution had been subverted for private gain. Cookies combined with IP addresses and third-party analytics are now the most common method employed to serve up advertising based on web-surfing behavior.

“So what” you say? Read on…

Contemporary school: LSO Super-cookies
A more contemporary approach uses Flash-based LSO super-cookies (or Silverlight cookies), combined with third-party analytics, to serve up advertising based on web-surfing behavior.
See http://en.wikipedia.org/wiki/Local_Shared_Object

No one ever tells users this is happening, and the practice continues unabated because people are visual creatures, unaware that their use of the Internet is leading to more personal data being collected about them. If you want to change what is done on your PC or laptop with Flash stored objects, you have to visit http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html, but doing this does not block LSO cookies or the tracking that occurs as a result.

Users of Firefox can add plug-ins that will detect and delete these. Plug-ins such as BetterPrivacy, Ghostery, RequestPolicy, Torbutton and NoScript, among others, provide tools for those who do not want to be tracked. Firefox plug-ins can also be used to prevent JavaScript from hijacking a lot of personally identifiable data.
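Both the cookie and the LSO sections above describe the same linkage trick: one third-party identifier, sent from many unrelated first-party sites, lets the analytics host stitch a browser’s visits together. As an added example (not code from the post or from any vendor named in it), the script below reads a constructed proxy-style log and reports which third-party identifiers tie one browser to several first-party sites; the log format, host names and cookie values are invented, and the “site” heuristic is deliberately crude.

```python
# Constructed proxy-style log (invented hosts and cookie values). Fields:
# timestamp, client IP, the first-party site the user was browsing, the host
# that actually received the request, and the cookie sent with that request.
SAMPLE_LOG = """\
2010-12-20T10:01:02 10.0.0.5 news.example.com ads.tracker.example "uid=abc123"
2010-12-20T10:03:40 10.0.0.5 shop.example.org ads.tracker.example "uid=abc123"
2010-12-20T10:05:11 10.0.0.5 news.example.com news.example.com "session=xyz"
2010-12-20T10:07:55 10.0.0.5 forum.example.net ads.tracker.example "uid=abc123"
2010-12-20T10:09:00 10.0.0.5 shop.example.org stats.metrics.example "cid=999"
2010-12-20T10:12:30 10.0.0.9 news.example.com ads.tracker.example "uid=def456"
"""


def registrable_domain(host):
    """Crude 'same site' heuristic: last two labels (a real tool would use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def parse_log(text):
    """Turn the constructed log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client_ip, site, host, cookie = line.split()
        records.append({"ts": ts, "client_ip": client_ip, "site": site,
                        "host": host, "cookie": cookie.strip('"')})
    return records


def cross_site_linkage(records):
    """Map each third-party (host, cookie) pair to the set of first-party sites it was seen on."""
    linkage = {}
    for r in records:
        if registrable_domain(r["host"]) == registrable_domain(r["site"]):
            continue  # first-party cookie: only tells the site about its own visitors
        linkage.setdefault((r["host"], r["cookie"]), set()).add(r["site"])
    return linkage


def trackers_linking_at_least(records, min_sites):
    """Third-party identifiers that tie one browser to at least min_sites different sites."""
    return sorted((host, cookie, len(sites))
                  for (host, cookie), sites in cross_site_linkage(records).items()
                  if len(sites) >= min_sites)
```

Run against a real proxy or browser log, the same logic turns the “who is following me across sites” question into a list you can feed to a blocklist or a RequestPolicy rule set.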

“So what” you say? Read on….

You are Now being Fingerprinted
The new school of tracking actually fingerprints your web browser, with or without cookies, and without your knowledge or consent. When combined with the ubiquitous ability to geo-track and, more importantly, to grab your unique IP address (unless you spoof it), the reality is that even without cookies the trackers can continue to harvest data about users for advertisers and their supporting search-engine, device, app and network-service enablers. You don’t believe this?

Test the fingerprint of your browser
To see how unique your own web browser’s fingerprint is, visit Panopticlick at:


It doesn’t matter whether you use in-private browsing or not: you and your IP address are now being uniquely fingerprinted. The research paper from the Electronic Frontier Foundation available on the Panopticlick site (http://panopticlick.eff.org/browser-uniqueness.pdf) reveals that browsers are overwhelmingly trackable and that policymakers should consider treating web-browser fingerprints as personally identifiable data.
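To make the EFF paper’s claim concrete, here is an added example (not code from the post or from EFF) that derives a fingerprint from attributes a page can read without any cookie and scores, in bits, how identifying each attribute and each whole fingerprint is within a constructed population, the same information-theoretic measure the paper reports. The attribute names and every value are invented for illustration; two browsers appear twice to show that only distinct fingerprints are trackable.

```python
import hashlib
import math
from collections import Counter


def rec(ua, plugins, fonts, screen, tz):
    return {"user_agent": ua, "plugins": plugins, "fonts": fonts, "screen": screen, "timezone": tz}


# Constructed sample population (all values invented): the attributes a page can
# read from a visiting browser with no cookie at all. Rows 1/2 and 4/8 are identical.
SAMPLE_BROWSERS = [
    rec("Firefox/3.6 Win", "Flash,Java,QuickTime", "Arial,Tahoma,Verdana", "1280x800x24", "-300"),
    rec("Firefox/3.6 Win", "Flash,Java,QuickTime", "Arial,Tahoma,Verdana", "1280x800x24", "-300"),
    rec("Firefox/3.6 Win", "Flash,Java", "Arial,Tahoma,Verdana,Wingdings", "1280x800x24", "-300"),
    rec("MSIE/8.0 Win", "Flash,Silverlight", "Arial,Calibri,Tahoma", "1920x1080x32", "+60"),
    rec("MSIE/8.0 Win", "Flash,Silverlight", "Arial,Calibri", "1920x1080x32", "-300"),
    rec("Chrome/8.0 Mac", "Flash,Java,QuickTime", "Arial,Tahoma,Verdana", "1440x900x24", "-300"),
    rec("Firefox/3.6 Win", "Flash,Java,QuickTime", "Arial,Tahoma,Verdana", "1920x1080x32", "-300"),
    rec("MSIE/8.0 Win", "Flash,Silverlight", "Arial,Calibri,Tahoma", "1920x1080x32", "+60"),
]


def fingerprint(attrs):
    """Stable identifier derived from attribute values alone, the way a tracker would."""
    material = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def attribute_entropy(records, key):
    """Shannon entropy, in bits, of one attribute across the population."""
    counts = Counter(r[key] for r in records)
    n = len(records)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def surprisal_bits(records, attrs):
    """Identifying information (bits) carried by one browser's full fingerprint: -log2 P(fingerprint)."""
    fps = Counter(fingerprint(r) for r in records)
    return -math.log2(fps[fingerprint(attrs)] / len(records))


def uniqueness_report(records):
    """Share of browsers that are uniquely identifiable, plus bits per attribute."""
    fps = Counter(fingerprint(r) for r in records)
    return {
        "total": len(records),
        "unique": sum(1 for r in records if fps[fingerprint(r)] == 1),
        "distinct_fingerprints": len(fps),
        "bits_per_attribute": {k: round(attribute_entropy(records, k), 3) for k in records[0]},
    }
```

The interesting number is the surprisal of a single browser: a fingerprint shared by nobody else in the population carries log2(population) bits, which is exactly what makes it usable as an identifier without any cookie.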

The Europeans may be inclined to do this, but watch out if you are not a citizen of a European country.

Some good uses of fingerprinting browsers:
Good uses of the approach include applications in financial services and by goods and service providers, as another check to guard against fraud. One of many providers of the technology is 41st Parameter.
See more at http://www.the41st.com/industries.asp

Focused on financial services, the company also delivers products and services for eCommerce, Travel, DRM and Social networking applications.

Beware Traffic Analysis
Although 41st Parameter’s stated applications of its technology are focused on uses that many people will applaud, there is no reason the same technology from another company with a very different business model, or a hacker for that matter, cannot be applied to the last item on the list, social networking applications. That should scare everyone from consumers to CEOs of the largest companies, because of the ability to easily conduct traffic analysis, a technique that yields useful information about the searches and sites being used by a targeted group. For an introduction to traffic analysis and a few of its applications, see http://en.wikipedia.org/wiki/Traffic_analysis

Fingerprint on the Web: meet Social media!
Social media meets fingerprinting
See more: http://www.webpronews.com/topnews/2010/12/15/gawker-attack-sends-ripples-throughout-the-web

Personal details stored by users on social media sites such as Facebook, LinkedIn or any number of other Internet social media sites (see http://en.wikipedia.org/wiki/List_of_social_networking_websites for a more complete list of social media networks) can easily be used to link your personal information with old-fashioned cookies, LSO cookies, fingerprints, IP addresses and other information being collected.

Instead of a government overtly conducting spying on its citizens, the primary harvesting-engine of personal preferences and interests in the West is coming from the private-sector.

“So what”, you say? Read on…

Mobile smartphones
The Wall Street Journal reported the findings of its investigation into the personal-information data-collection and data-sharing practices employed on mobile smartphones in its article “Your Apps Are Watching You”, printed on December 18, 2010.
See more: http://online.wsj.com/article/SB10001424052748704368004576027751867039730.html?mod=googlenews_wsj

The authors found that personal details are routinely being collected and shared, including, among others, age, gender, location and the ID of the smartphone. Of course, this is great practice for financial gain from the sale of advertising, but the data being collected can be used for purposes beyond advertising. And if there is a buck to be made from the sale of personally identifiable data, you can be assured these activities are already underway. An interactive database of the Journal’s results can also be found at www.WSJ.com/WTK

Who’s got your back?
What protections can you take if you are a consumer or a business? What protections can your company employ to limit what your competitors can learn about your strategic plans, customer visits, merger and acquisition plans, or strategic partners by using traffic analysis? What about traditionally more secretive national defense or homeland security initiatives?

While the ethics of modern Internet advertising are debatable (service providers who double-dip by charging consumers for a service and then selling data for a profit that is then used to target prospective customers), the real worry is how the information being collected can be used for traffic analysis and targeting purposes, in the public and private sector alike. Traffic analysis knows no boundaries!

In retrospect, the “do-not-track” missive of a week or so ago appears sophomoric at best, and misleading at worst!

You tell us: is this too paranoid, or are we already in an era that is beyond privacy that can be legislated, where the practices on the Web already outstrip the boundaries of national law and regulation, without any possible solution other than more defensive technical traps and arsenals, if there are any?



2 Responses to “Who’s Spying on You, and What They Know”

  1. Coby Montoya Says:

    Device fingerprinting is nothing more than profiling attribs which has existed for a long time in many forms. If a guy repeatedly goes into a brick & mortar store and steals from it and he is always wearing a green shirt, a red baseball cap and white sneakers and is caught on camera, then each person wearing the same thing is going to be profiled as a risk. That’s all device fingerprinting is. A profile of what a device looks like. Profiles of devices that initiate fraud are tracked, but these profiles are easily changed and have a certain shelf life. Considering these PII would be like considering a pair of the shoes you’re wearing that have a stain on the front toe PII. If I go into a store I am probably the only customer wearing white Adidas that have a smudge in the exact spot my shoes have a smudge on. That does not mean when I enter that store I will be wearing the same shoes or the smudge will even be there any longer.

  2. Financial Application Says:

    Excellent post!! Very informative and easy to understand. Looking for more such posts!!
