Browser cookies: How they could be undermining your privacy
New research shows cookies picked up by your web browser can tell snoopers a lot about you
Through the eyes of an online advertising network, I'm not Dan Misener.
Rather, I'm 002113fd47dacc02c64de16f75.
That's just one of the unique IDs assigned to me by an online ad company. It's stored in a cookie on my computer, and according to new research from Princeton University it's part of what makes it surprisingly easy to piece together a fairly complete picture of my web browsing history.
In a new paper called "Cookies that give you away," researchers describe how an eavesdropper could use cookies from advertising and tracking companies to "reliably link 90 per cent of a user's web page visits to the same pseudonymous ID."
What's more, those pseudonymous IDs can often be linked to real-world identities. "Many sites display real-world attributes such as real name, username, or email on unencrypted pages to logged in users, which means that the eavesdropper gets to see these identifiers," the report says.
To be clear, the link between cookies and tracking isn't new. But what is new is the extent to which an eavesdropper can use those cookies to build a very accurate picture of your browsing history.
"It's pretty astounding," says Dillon Reisman, an undergraduate researcher who co-wrote the paper.
The technique, called "cookie linking," works in part because of the ubiquity of third-party trackers. They're everywhere, and they're largely invisible to most web users.
To get a sense of this, I used the tracking visualization software Lightbeam to snoop on some of my own web surfing.
I started by visiting cbcnews.ca. Lightbeam reported connections not only to CBC's servers, but also to 28 third-party sites: advertising networks, tracking services, social media sites, and so on. Then I visited Buzzfeed, which connected to 17 third-party sites.
Now here's the important bit: cbcnews.ca and Buzzfeed use some of the same third-party trackers: doubleclick.net, scorecardresearch.com, and adnxs.com.
In other words, there's overlap.
And according to Reisman, that overlap is the key to cookie linking.
"One site alone isn't really a problem," he says. "It's the fact that there are these possible hubs of sites that embed a lot of cookies that allows this cookie linking to happen."
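An added illustration, not taken from the article or the Princeton paper: a simplified model of the overlap effect, grouping page visits that carry the same readable tracker cookie. The tracker names are the three mentioned above; the cookie IDs, the .test sites and the `encrypted` parameter are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of what an on-path observer sees: for each page visit,
# the third-party cookies (tracker domain, cookie ID) sent with it.
# Tracker names are the ones named above; IDs and .test sites are made up.
VISITS = {
    "cbcnews.ca": [("doubleclick.net", "id-A1"), ("scorecardresearch.com", "id-B7")],
    "buzzfeed.com": [("scorecardresearch.com", "id-B7"), ("adnxs.com", "id-C3")],
    "shop.test": [("adnxs.com", "id-C3")],
    "blog.test": [("tracker.test", "id-Z9")],
}


def link_visits(visits, encrypted=frozenset()):
    """Group visits an observer can tie to one pseudonymous user.

    Two visits are linked when both carry the same (tracker, ID) cookie in
    plaintext. Trackers listed in `encrypted` send cookies over HTTPS only,
    so the observer cannot read them.
    """
    parent = {site: site for site in visits}

    def find(site):
        # Union-find root lookup with path halving.
        while parent[site] != site:
            parent[site] = parent[parent[site]]
            site = parent[site]
        return site

    first_seen = {}  # readable cookie -> first visit that carried it
    for site, cookies in visits.items():
        for cookie in cookies:
            if cookie[0] in encrypted:
                continue
            if cookie in first_seen:
                parent[find(site)] = find(first_seen[cookie])
            else:
                first_seen[cookie] = site

    clusters = defaultdict(list)
    for site in visits:
        clusters[find(site)].append(site)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


if __name__ == "__main__":
    print(link_visits(VISITS))
    print(link_visits(VISITS, encrypted={"scorecardresearch.com", "adnxs.com"}))
```

In the first run cbcnews.ca and shop.test share no tracker, yet they end up in the same group because buzzfeed.com overlaps with both; once the shared trackers' cookies are encrypted, every visit stands alone.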
Who's watching?
But who exactly might be eavesdropping?
Spy agencies, for one.
"An inspiration for this [research] obviously was the recent news that the NSA has used third-party cookies before," Reisman says. "It could be done by a lot of people. Say, someone sitting in a coffee shop, listening in on traffic."
Since cookies are often sent without encryption, he says, an eavesdropper could listen in to traffic on an unsecured wireless network.
Cookie linking could also be done by internet service providers, or individuals with access to ISPs.
"So the threat can be from a large eavesdropper with a massive view of the network, or it could even be someone a couple of tables over."
Connection to real-world identities
In theory, cookie-based tracking IDs like mine ("002113fd47dacc02c64de16f75") are pseudonymous.
But according to the researchers, cookie linking can allow eavesdroppers to connect pseudonymous IDs to real-world identities.
Reisman gives an example: "Say, if I log into a website and it says, 'Hi, Dillon,' that might be transmitted across the wire in a way that an eavesdropper can read it."
The researchers found that "over half of popular sites with account creation leak some form of real-world identity."
Due to the nature of cookie linking, those leaks can spread, according to the report. "If one website leaks your identity, then your identity has now been leaked for all of these websites you can connect with third-party tracking cookies."
Privacy tools
If you don't like the idea of this kind of tracking, there are a few countermeasures individuals can take.
The first is to use anti-tracking tools. These block or limit trackers and cookies as you browse around the web.
Ghostery and Disconnect are popular free options.
The researchers also suggest that the anonymity tool Tor can thwart cookie linking threats.
Reisman believes the onus also falls on website operators. "Actions should be taken on the parts of the sites you visit to use HTTPS to encrypt your traffic, and also take better care when they transmit personal information, or cease the transmission of personal information if it's not necessary.
"These are all actions that, unfortunately, a user can't take upon themselves," Reisman adds. "But [they] should be encouraging the services they use to take."