Software Can Identify You from Your Online Habits

May 23rd, 2007

In a comment on The Ugly Truth About Online Anonymity, Cryptogon reader, cryingfreeman, wrote:

I’ve long been aware that I could be identified from anywhere on the globe due to my surfing pattern. Taking a fictional example derived loosely from my own:

1. Each day, citizen X visits a site for a small German soccer club – maybe 100 daily visitors.

2. Then he visits a news site covering a small town in rural Scotland from whence his parents come. Again, a limited readership.

3. After that, he checks out a blog site discussing weather forecast models.

How many people on earth would have those specialised interests? In that combination? In regard to my own surfing habits, I would have to conclude that mine are as unique as my DNA. But at least knowing this gives me some kind of advantage should things take a turn for the worst.

When I read that comment, it immediately rang true. It felt obvious. Simple. As it turns out, he was dead right.

Well done, cryingfreeman.

In my essay about online anonymity, I wrote:

All of the stuff that you do with your normal online persona, you know, online banking, checking email, discussion groups, etc: You can’t do any of that. The second you associate a user profile on a server with your behavior, you’re back to square one. The Matrix has you. You would have to create what the intelligence business calls a legend for your new anonymous online life. You may only access this persona using these extreme communications security protocols. Obviously, you can’t create an agent X persona via your anonymous connection and then log into some site using that profile on your home cable modem connection. To borrow another bit of jargon from the people who do this for real, full time, you must practice compartmentalization.

If that point didn’t sink in then, check this out.

Via: New Scientist:

IF YOU thought you could protect your privacy on the web by lying about your personal details, think again. In online communities at least, entering fake details such as a bogus name or age may no longer prevent others from working out exactly who you are.

That is the spectre raised by new research conducted by Microsoft. The computing giant is developing software that could accurately guess your name, age, gender and potentially even your location, by analysing telltale patterns in your web browsing history. But experts say the idea is a clear threat to privacy – and may be illegal in some places.

…analytical software could use a vast range of such profiles to perform a probabilistic analysis of a person’s browsing history.

…experts say the idea is a clear threat to privacy – and may be illegal in some places.

…”They are arguably committing offences in a number of countries under a number of different laws if they make available software that defeats the security procedures internet users deploy to protect their privacy – from export control laws to anti-hacking laws.”

13 Responses to “Software Can Identify You from Your Online Habits”

  1. DrFix says:

    While I’ve been in computing for decades I’ve spent the last five trying to find useful tools in order to anonymously connect with the online world as much as possible, in effect “sandboxing” my online life. The chance of too much information being spilled about yourself is simply staggering. The sad thing is so many entities you deal with, and not necessarily YOU, can really the weakest link. I’ve seen instances of where they won’t even allow passwords over eight characters. Thats pretty lame. I’m toying with using virtual appliances through VMware for anonymizing purposes, and every “machine” can simply be duplicated then deleted at the end of a session. Another way of trying to clean up after yourself might be to install something like “Deep Freeze” and let it completely rewrite your hard drive at night to a base image and keep all your data on a secondary drive. PGP is something I haven’t used simply because I can’t convince (read…educate) the recipients on using it. Using Macs at home has helped since I’m not pestered to the degree that my PC’s are with constant virus outbreaks. I may be a Typhoid Mary in passing infected messages on to my PC brethren but they don’t, so far, affect me.

  2. 916 says:

    This is all coming way too fast. It alarms me, yet the cynic-realist in me knows this was/is coming.

    With programs like Promis and Carnivore, not to mention God knows what other kinds of things that are in the works, seems like a hyper-techno bureaucratic police state is steadily marching toward becoming a reality. Anyone for some THX-1138?

    Back in 1975 Richard L. Rubinstein accurately predicted in his powerful book The Cunning of History: The Holocaust and the American Future that an important tool for bureaucratic domination which has made it much more simpler to keep tabs on people is the modern computer.

  3. bob m says:

    i’m surprised this is a surprise to you. i would suggest taking a look @ ‘promis’ ‘magic lantern’ ‘TIA’ et al. these are simply a few of the most ‘publicized’. it’s highly likely certain sites such as this are compromised one step out from the host and/or the host itself with or without knowledge as we are all likely defined as potential issues under current thinking.

  4. p says:

    Here is an easy-to-read paper describing how standard CGI environment variables are sufficient to identify many users, w/out having to pay attention to IP address.
    http://demuth.biz/veroeffentlichungen/pet02.pdf

    Using proxies is not enough.

    Also: Java and Javascript MUST be turned off, see http://ha.ckers.org/mr-t/ to test how much info your own javascript is leaking. Javascript data collection of this sort is perfectly suited for the tracking method described in the above paper.

  5. cajunfj40 says:

    Hey DrFix,

    Per Kevin’s writings, and others, even wiping your drive every night isn’t enough if you’re using a fixed location to log in from. The packets still get sniffed coming from your IP address, which can lead to your home address via the ISP. If all you are worried about is credit card fraud, etc. then you’re fine. If you’re worried about “Them”, re-read Kevin’s ideas.

    Essentially you create the equivalent of a “one time use encryption pad” for every connection to the internet. The using of different WiFi points for every connection at a distance using a “cantenna” is excellent, but it will require some planning to avoid people calling in a suspicious piece of electronics-laden tubing pointing at a cafe…

    Take care,
    -cajun

  6. Jason says:

    When you get to Guantanamo, if you think that you will be able to argue that it was someone else using your computer to view or post “objectionable material”, guess again. The technology has been around for a long time to identify you by keystroke habits. Ala http://www.freepatentsonline.com/4621334.html, again, welcome to the matrix.

  7. DrFix says:

    cajunfj40… You’re absolutely correct that it doesn’t deal with the IP matter. Besides, even with dynamic IP, its all going through an ISP who themselves must have allocated addresses, and considering how the powers that be want them to maintain “records” ad-infinitum, it makes it a moot point. Damn!

    Well, then you’re left with using other parties machines on a rotating basis and/or/in addition to, heavy encryption (and THEY really don’t like that), with some sort of “soft” MAC address spoofing system. Or, its back to handshakes and hellos over the back forty fence. Which, come to think of it, sounds better and better.

  8. cryingfreeman says:

    Thanks for the kind words at the head of the artcile Kevin – my observation is a drop in the bucket compared with your own and others’ contributions to the subject.

    @ cajun – interesting comments, to which I’d add war driving and other renegade methods might only be of use for accessing materials that would present a high risk of one being arrested / abducted and therefore not normally viewed from your domestic / work / friend’s computer. If you were to lapse into your normal online browsing routine during such a session, my concern would be your “surf-print” would immediately reveal your identity to THEM and you’d have lost all the other advantages your cloaking methods potentially would provide.

  9. Nick says:

    Interesting. It sure is annoying thinking some program could accurately guess who I am by analyzing my internet surfing habits.

    It is even more alarming the amount of personnal data that is being collected about you over the internet. Everybody have the rights to privacy. And now you look at the big picture and you feel completely overwelmed by it and you start thinking it is the way it has to be, you can’t do nothing about it unless complain.

    But it’s not true, you can do something. This information is kept on computers. Computers are really efficient at managing databases and doing calculation, but they are not invincible. When people will be tired of being categorized, spied, tracked, etc, it will only take one really effective virus to blow all this information and go back to the beginning. And with the new devices tending to be more and more connected to the web or interracting with computers (cellphones, mp3 players, pda, wireless devices, gps, memory sticks, photo cameras, etc) it could propagate reaaaally fast.

  10. Dark-Star says:

    //MOD I can’t spend my time correcting all the bad info that gets posted in comments. Every once in a while, though, I have to step in. This user provides VERY bad information. It is exactly the kind of nonsense I outed recently. I debated whether or not to allow this to be posted at all. I’m going to allow it, but with this warning: Please read my post about online anonymity before reading what this person has posted. You’ll be much better informed about the choices you’ll have to make:

    High-Traffic Colluding Tor Routers in Washington, D.C., and the Ugly Truth About Online Anonymity

    – Kevin

    Frightening but true. Thanks to the ‘Patriot’ Acts and gov’t e-spying programs, your browsing habits can be like DNA to I.D. anyone.

    But we can fight back! How?
    1:Do not EVER use any other Microsoft communication programs (Internet Explorer, Outlook, etc.). They have more security holes than a screen door and thus are terribly vulenerable to spying/hacking.
    -Use alternatives like Thunderbird and Firefox. [Good software, but offers nothing in terms of network surveillance countermeasures. -Kevin]
    2:Never search directly on Google or Yahoo!. Besides Google’s hypocrisy on ‘don’t be evil’, that and Yahoo are two of the biggest ways to track you through profiling what searches you make.
    -Go to http://www.scroogle.com; it will perform the search, but keep them from collecting records. [I wrote about scroggle specifically in my essay above. -Kevin]
    3.For the best and most anonymous internet browsing (at least for the majority of us), get Portable Firefox and run it on a flash drive. Get extensions that foil search profiling, watch out for phishing (the govt does it too!) and keep you from leaving tracks on the computer.
    4.If you can afford it, look for a professional proxy service and use it. [Make sure you pick one that’s not run by the NSA. Woops. You won’t know which ones aren’t run by the NSA. -Kevin]
    5.Use free proxy sites if you can’t or to supplement your professional service. [Idiotic advice. -Kevin]

  11. cetaceous says:

    I think it could be much easier than what’s described above.
    Every network device has a unique network address assigned to it, a MAC address. Now I’m pretty sure that the MAC address is encapsulated within the TCP/IP packet for routing, switches etc.
    Assuming that you’ve bought you computer from DelL, Apple or whoever with your credit card or you’ve completed the warranty cert. you can assume that they have a direct recorded link between the MAC addresses of your computer and your name. You can get utilities to change the MAC address for a lot of network devices which might be worth looking into if you want to be annon.
    Also, I do remember from my days as an IT sys admin many years ago that there were many others setting up “honey pots” and mail filters to identify spammers and hackers. So if some underfunded geek can manage to identify you I can imagine that we’re already OWN3D by big brother, the programmers for the Echelon and Carnivore systems would be far far more competent than any Micro$oft monkey.

Leave a Reply

You must be logged in to post a comment.