23 comments

[ 3.4 ms ] story [ 58.8 ms ] thread
ELI5?

I get that a browsing history C is unique, but if I clear it, how can you identify that my new history D is tied to C and not unique?

This isn’t about the history stored on your computer, this is about the browsing habits observed in real time by eg: ad agencies who get lots of information about where you have been because their ads run everywhere.
Because you visit the same domains across sessions. Throw in some less common domains like HN (i.e. top 1000 instead of top 100 website), and you're trivial to reidentify. (This is what "reidentification" is referring to in the quoted part of the paper in TFA)
Also even if say you and I visit the same exact 100 sites. Order, time on site, sub pages visited, and time of day I use the sites, all can mater. Ad network can also leak out data as you may see a different set of ads than me.
Now I feel even better about disabling my browser history in Firefox.
The only thing that does is prevent you from getting anything useful out of your history. It does not prevent the topic at hand.
Exactly, for this they'd need to run an ad blocker and a script blocker, such as uBlock Origin and NoScript.
Indeed! The day I started ignoring my bank statement was the day I became truly secure.
I doubt you could accurately identify a specific person
Why do you doubt this? Even if you can't always trust the 'unique' part, it is still information which can be combined to produce a more accurate profile.
33 yes-no questions which each split the audience in half, uniquely identifies slightly more than the world population.

But any given website is much tighter than that: a regular visitor to Cambridge Evening News is unlikely to be based in राजनांदगांव, and vice versa.

Someone is regularly accessing the website of one local take-away restaurant in Larnaca, a gay men-only dating website, and Ars Technica? That’s probably already got you down to 2-15 people out of the ~3e9 on the internet, with just three specific websites in their history.

You appear to be engaging in denialism. Would you care to further elaborate on your claim for everyone else reading?
"High uniqueness hold seven when histories are truncated to just 100 top sites." This is similar to the app finger printing they do with mobile phones, identify you by the unique assortment of apps on your device.

Should the top concern be about identification or deep collection of browsing history?

Does iOS allow access to that information?
Making a request to any 3rd party domain on every page of the internet is what gives people access to that information.

It's not talking about a browser.getHistory() API. Owning the 3rd party resource (CDNs, analytics) that is loaded on most big websites is far better than that.

The point is that browser history collection is the same as cross-site tracking. Any 3rd party analytics operation like Google Analytics is able to access your browser history. To such a point that whether they do or not shouldn't matter and couldn't be proven anyways.
So researchers at Mozilla have replicated the findings of a 2012 study that allows users to be identified through the collation of data from third-party trackers as the users browse popular websites.

Question: Was Mozilla replicating using a "vanilla" browser (e.g. no adblocking/tracker protection)? Or is this even after tracking mitigations are put into place? Mozilla's own Firefox now has built-in "tracker" protection in all versions of its browser, so it seems like they would be well-positioned to test whether the de-anonymization is thwarted with tracking protection toggled on or off.

Not sure about with Firefox's built in tracker protection. But I recall reading that having ad/tracker blocking could actually make a user easier to uniquely identify, because the browser now behaves differently than most: https://panopticlick.eff.org/about. My hope would be that built-in tracker will make ad-blocking browser traffic more ubiquitous.
Correct, as most people are non technical, they will leave their cookies alone and they can be identified. Those who wipe their cookies stand out as a subset of internet users, then other metadata can be used to further fingerprint the user using things like the time it takes to log into a website, do they use a search engine to access their webmail or do they use a bookmark on their toolbar or a bookmark in the main browser list of bookmarks. When keystrokes are sent back in realtime, like when people log into Amazon and other websites, your typing pattern can be used to identify you, as can your machine settings, like display size, fonts, addons etc etc. In a different domain, internet connected tv boxes and smart tv's can be used to identify the user from the InfraRed signals from the remote control, ie how long the user holds down a button, the speed they react to switching channels, fast forwarding, rewinding, changing channel, channels being watched (interests). The bottom line is, all this technology, not just web browsers, can be used to record meta data and then work out who is using it. When combined at the state level, the security services can work out if someone is/was really at home or has left their home without their mobile and then gone to commit some activity that might be criminal. When combined with biological sciences, you can work out even more about an individual, when they are sleep deprived, stressed etc.

Thats why its truthful to say Science stole your privacy.

Pretty sure mine is highly distinctive for exactly that reason, no cookies + no JS, but if all you can tell from me is when I'm online, what useful info will that give you to sell me to advertisers. Nothing. I'm worthless. Track away.
Page 11 of the original doc has "Theoretical third-party reidentifiability rates" by company: https://www.usenix.org/system/files/soups2020-bird.pdf

I'm surprised how many companies (Facebook, Verizon, Adobe, Oracle, Twitter) are almost matching Google's tracking networks. Google's makes sense based on the amount of Adsense / Analytics trackers there are out there, but I hadn't realized these other companies are just as pervasive.

Edit: typo.