It is easy to expose users' secret web habits, say researchers

<i>”What these companies are doing is illegal in Europe but they do not care,&quot; said Ms Eckert, adding that the research had kicked off a debate in Germany about how to curb the data gathering habits of the firms.</i><p>I think it’s important to be skeptical towards legislation as a solution to these things. The EU&#x2F;UK cookie law is a cautionary tale, for example. After all that talk we ended up with a law that (effectively) mandates a boilerplate nag screens and no change in behaviour. Even if it had clearer language to distinguish allowable-illegal cookie use, it would still be very difficult to enforce.<p>I don’t mean to say legislation has no part to play. Just saying that the politician outrage to legislation sausage factory has produced some duds in this area. I wouldn’t count on a solution coming from this direction.<p>Speaking of enforcement… Most countries have an advertising standards authority. They create the rules and such. If an ad is (for example) a blatant lie, they can call up the Press&#x2F;TV&#x2F;Radio station and get the ad removed. Online, it’s not obvious what authority they have, or how they would enforce that authority at all.<p>Where advertising standards are still not broken is regulated industries. If a locally regulated bank advertises “one weird trick to double your savings,” the advertising standards people can go to the regulator. They have a number to call, genuine threats to make. ..enough to promote self policing.<p>Online, even reputable newspapers allow shockingly crappy ads. Sleazy data collection, snake oils, fake products, click farms, scams even fake news (ironically). Real shyster stuff.<p>This is on the visible end of the online advertising stick, the ad content itself. We already have legislation and a custom of rules. Still, enforcement is nonexistent. Dealing with the unseen data collection end of this stick is even harder.

This business of using full HTTP requests with full cookies to domains that are secondary to the site I&#x27;m visiting needs to end. When I go to Foo.com, the browser does not need to send all my cookies and info to bar.com, even if we&#x27;re fetching resources to display on Foo.com. Bar.com in this case is acting as a dumb file server, it doesn&#x27;t need cookies.<p>Yes, this would make single-sign-on harder, but it would make it explicit and be worth the trouble so that when the user is talking to A, they&#x27;re not being tracked by A&#x27;s friends B, C, and D.<p>Of course, the big problem: the best browser is owned by the advertiser who stands to lose under such an arrangement. So at best you&#x27;d need Safari or IE to spearhead such a change. You can ape it with browser extensions, but without a big browser maker pushing for this kind of shift some sites would just break under such a model (particularly single-sign-on services like Gmail and Facebook).

This looks to be the presentation:<p><a href="https:&#x2F;&#x2F;media.defcon.org&#x2F;DEF%20CON%2025&#x2F;DEF%20CON%2025%20presentations&#x2F;DEFCON-25-Svea-Eckert-Andreas-Dewes-Dark-Data.pdf" rel="nofollow">https:&#x2F;&#x2F;media.defcon.org&#x2F;DEF%20CON%2025&#x2F;DEF%20CON%2025%20pre...</a><p>From:<p><a href="https:&#x2F;&#x2F;media.defcon.org&#x2F;DEF%20CON%2025&#x2F;DEF%20CON%2025%20presentations&#x2F;" rel="nofollow">https:&#x2F;&#x2F;media.defcon.org&#x2F;DEF%20CON%2025&#x2F;DEF%20CON%2025%20pre...</a>

<i>The pair found that 95% of the data they obtained came from 10 popular browser extensions.</i><p>So uhm, which ones are these and how did the researchers obtain the data? (Bought it?)<p>Edit: The answer to the second question is: social engineering.

I think it makes a lot of sense to start a register of data providers. I.e. so that if you want to sell user data you have to register as a provider and specify where the data comes from and what it contains.<p>That&#x27;d make it so much easier to critique the possibilities and to further legislate. It&#x27;ll also allow for independent control of how anonymous data is and independent attempts and de-anonymising the data.<p>I think it&#x27;s still not well understood by most people just how much can be known about you and it&#x27;s potential for misuse. I think an initiative like this would go a long way to bridging that gap and to better legislating for it.

I find this reasoning by prof. Orin Kerr pretty interesting, in respect to whether always collecting the full URLs of users (by IPS) is actually legal. His argument is that it might not be legally OK to do so, and that there already are restrictions, even with rescinding the privacy rules by the FCC:<p><a href="https:&#x2F;&#x2F;www.washingtonpost.com&#x2F;news&#x2F;volokh-conspiracy&#x2F;wp&#x2F;2017&#x2F;04&#x2F;06&#x2F;the-fccs-broadband-privacy-regulations-are-gone-but-dont-forget-about-the-wiretap-act&#x2F;?utm_term=.cb7dea7302e8" rel="nofollow">https:&#x2F;&#x2F;www.washingtonpost.com&#x2F;news&#x2F;volokh-conspiracy&#x2F;wp&#x2F;201...</a>

And apparently the BBC thinks it needs to explain what the word &quot;trivial&quot; means.

I&#x27;m confused.. the article claims the extensions doing the clickstream gathering are illegal... but that the collected data is &#x27;supposed to&#x27; be anonymized? Supposed to by what standard? If they&#x27;re already breaking the law by gathering the data, why would they bother to anonymize it?

The article mentions that the data comes from 10 browser extensions. Didn&#x27;t mention which though.

That&#x27;s why I inject noise into the web on a regular basis. Just do some random searches, click some random links.

There have been exposés on this in there part, resulting in fast action from Google. Sadly the behaviour alerts to have crept up on us again.<p>It seems like a list of violating extensions maintained by an outside organisation would help, or perhaps privately reporting to google.

Tellingly, the examples cited all involve the use of some form of social media. (There they go thinking Facebook is the internet again.)

Private browsing mode is your friend. (You can set it as your default, at least on iPhone.) Caveat: You will have to keep confirming cookie usage popups (EU only I guess).

don&#x27;t become a person of interest and they won&#x27;t go looking for dirt in your browsing history.

instead of making this (even more) illegal, which would solve very little as its still apparantly trivial to do, they should instead work on making that address book.<p>that way when everything is transparant, paedophiles can be caught and we might choose not to vote for somebody with a cocaine addiction.

&gt; Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician.<p>So how long before we as a society stop making a big deal of things like that? Everyone watches porn, most people enjoy drugs[1].<p>Why does anyone still care? Why do we make such a hullabaloo if a judge watches porn? Why is it a big deal if a politician smokes some pot to relax? Who cares if a detective drinks a case of beer on the weekend to blow off some steam?<p>I&#x27;m all for privacy and there are things I wouldn&#x27;t care to expose on the internet (like my home address and exact apartment number)[2], but I promise you future generations will not give a shit about each other&#x27;s &quot;super secret internet browsing habits&quot;. My fav porn site is RedTube, my drug of choice is caffeine, and I hate that ThePirateBay has become hard to find in recent months.<p>There&#x27;s a lot of memes out there about deleting your browser history before you die. But honestly who cares? And if you&#x27;re doing illegal shit, use a burner laptop. They&#x27;re $100 on Amazon [3]. Don&#x27;t be dumb.<p>[1] drugs as in psychoactive substances. Legal drugs like caffeine and alcohol count, as do prescription drugs.<p>[2] you can probably triangulate those from my YouTube videos if you really want to<p>[3] <a href="https:&#x2F;&#x2F;www.amazon.com&#x2F;Performance-RCA-Touchscreen-Quad-Core-Processor&#x2F;dp&#x2F;B01MQD63WX&#x2F;ref=sr_1_2?ie=UTF8&amp;qid=1501500366&amp;sr=8-2&amp;keywords=cheap+laptop" rel="nofollow">https:&#x2F;&#x2F;www.amazon.com&#x2F;Performance-RCA-Touchscreen-Quad-Core...</a>

This is great. I look forward to everyone&#x27;s information being made public in the future. It might be embarrassing initially but if everyone else also has embarrassing stuff released about them then it won&#x27;t be so bad; it will make people more open and encourage us to be honest. Only criminal and highly unethical activity will be negatively affected.<p>We need to re-calibrate our ideas about people and society to something more realistic. It will probably lower our overall opinion of humanity but at least people will know the truth and behave accordingly. Right now people are idealising certain things and behaving based on false information.<p>In any case, I think it&#x27;s unavoidable that all information will be public at some point in the future. It&#x27;s been heading slowly in that direction since the dawn of civilization. Several hundred years ago, even a figure as powerful and well known as the pope could behave unethically and nobody would find out until hundreds of years later.<p>Today it&#x27;s much harder to keep things secret. I think big, embarrassing revelations like the Anthony Wiener scandal should become increasingly common.