Once Again With Feeling: 'Anonymized' Data Isn't Really Anonymous

from the we-can-see-you dept

For years, the companies that hoover up your internet browsing and other data have proclaimed that you don't really have anything to worry about, because the data collected on you is "anonymized." In other words, because the data collected about you is assigned a random number and not your name, you should be entirely comfortable with everything from your car to your smart toaster hoovering up your daily habits and selling them to the highest bidder. But studies have repeatedly shown that it only takes a few additional contextual clues to flesh out individual identities. So in an era of cellular location, GPS, and even smart electricity data collection, it doesn't take much work to build a pretty reliable profile on who you are and what you've been up to.

The latest case in point: German journalist Svea Eckert and data scientist Andreas Dewes recently descended upon Defcon to once again make this point, releasing a new report highlighting how "anonymous" browsing data is anything but. The duo found it relatively trivial to obtain clickstream browsing data from numerous companies simply by posing as a fake marketing company, replete with a website filled with "many nice pictures and some marketing buzzwords." Ironically, some of this data was gleaned from companies that profess to offer you additional layers of privacy, including "safe surfing" tool Web of Trust.

It didn't take long before the pair was able to obtain a database containing more than 3 billion URLs from roughly three million German internet users, spread across roughly 9 million different websites. As easy as it was to obtain the "private" and "anonymous" browsing data, using it to identify individual users was even easier:

"Dewes described some methods by which a canny broker can find an individual in the noise, just from a long list of URLs and timestamps. Some make things very easy: for instance, anyone who visits their own analytics page on Twitter ends up with a URL in their browsing record which contains their Twitter username, and is only visible to them. Find that URL, and you’ve linked the anonymous data to an actual person. A similar trick works for German social networking site Xing."

The pair also highlighted how repeated visits to websites specific to you (your bank, your hobbies, your neighborhood) help further narrow down your identity:

"For other users, a more probabilistic approach can deanonymise them. For instance, a mere 10 URLs can be enough to uniquely identify someone – just think, for instance, of how few people there are at your company, with your bank, your hobby, your preferred newspaper and your mobile phone provider. By creating “fingerprints” from the data, it’s possible to compare it to other, more public, sources of what URLs people have visited, such as social media accounts, or public YouTube playlists."
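An added example, not from the original post or the researchers' work: a pre-release audit that a data holder could run over a pseudonymized clickstream export to flag the two weaknesses described above, URLs that embed an account name and browsing fingerprints shared by too few users. The site names, URL pattern, sample records and function names are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical pattern for URLs that embed an account name (constructed site).
SELF_ID_PATTERNS = [re.compile(r"^https://social\.example/analytics/user/([^/]+)/")]

# Constructed sample export: (pseudonymous id, visited URL).
SAMPLE = [
    ("u1", "https://bank-a.example/login"),
    ("u1", "https://news.example/politics"),
    ("u1", "https://social.example/analytics/user/jdoe/posts"),
    ("u2", "https://bank-a.example/login"),
    ("u2", "https://news.example/sports"),
    ("u3", "https://bank-a.example/login"),
    ("u3", "https://news.example/politics"),
    ("u3", "https://chess-club.example/members"),
]

def embedded_identifiers(records):
    """Map pseudonymous id -> account names that appear inside its own URLs."""
    leaks = defaultdict(set)
    for pid, url in records:
        for pattern in SELF_ID_PATTERNS:
            match = pattern.match(url)
            if match:
                leaks[pid].add(match.group(1))
    return dict(leaks)

def domain_fingerprints(records):
    """Map pseudonymous id -> set of hostnames it visited."""
    fingerprints = defaultdict(set)
    for pid, url in records:
        fingerprints[pid].add(urlsplit(url).hostname)
    return dict(fingerprints)

def anonymity_sets(records):
    """For each id, count the ids whose hostname set contains its whole fingerprint."""
    fps = domain_fingerprints(records)
    return {pid: sum(1 for other in fps.values() if fp <= other)
            for pid, fp in fps.items()}

def release_blockers(records, k_min=2):
    """Ids that leak an account name or whose fingerprint fits fewer than k_min ids."""
    leaks, k = embedded_identifiers(records), anonymity_sets(records)
    return sorted(pid for pid in k if pid in leaks or k[pid] < k_min)
```

On the constructed sample, `u1` is blocked for both reasons and `u3` because its hostname set fits nobody else, while `u2` blends in with all three users.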

Of course this is nothing new, and researchers have been making this precise point for several years now. Princeton researcher Arvind Narayanan in particular has been warning that anonymous data isn't really anonymous for the better part of the last decade, yet somehow the message never seems to resonate, and everyone from broadband providers to internet of things companies continues to pretend that "anonymization" of data is some kind of impenetrable, mystical firewall preventing companies or hackers from identifying you.


Filed Under: anonymized data, privacy