The recent repeal of broadband privacy protection in the US has highlighted the highly personal nature of browsing histories. One natural solution is to use a VPN in order to shield details of your Internet activities from your ISP. But research by a German journalist and a data scientist, originally released last year at the 33rd Chaos Computer Club conference in Hamburg, and recently presented anew at Def Con 25 in Las Vegas, has some bad news on that front.
The German duo found that huge datasets of anonymized private Internet histories were being sold by Web analysis companies and data brokers, with much of the material coming from browser extensions. Since these operate before information is sent over any VPN, they can access full details of your Internet activities, and send browser data anywhere. For VPN users, that’s disappointing. Less surprising, perhaps, is the fact that it was relatively easy to discover the identities of many users found in these supposedly anonymized datasets.
The research consisted of some social engineering by the journalist Svea Eckert, followed by data analysis by Andreas Dewes. Eckert set up a Web site and LinkedIn profile for a fake company called Meez Technology, allegedly based in Tel Aviv, which purported to offer “data-driven consulting”. Using Meez Technology as cover, Eckert contacted Web analytics companies and data brokers, asking for Internet browsing histories of German citizens, which she said Meez Technology was interested in acquiring for its data analysis.
In the end, one gave her 14 days’ free access to a month’s worth of “clickstream data” – the complete browser histories – as a sample of what it could offer. The information included 3 billion URLs from three million German users, spread over 9 million different sites. Many companies said they were unable to supply URLs for