Is Privacy an Option?

Think you have privacy online? You only do to an extent. Here’s how browser fingerprinting can uniquely identify you and IP lookups can provide a starting point for personal identification. If this sounds terrifying, then I suggest a VPN.

This is (the interesting) part of an assignment I wrote for Intro to Web Analytics, from the University of British Columbia and the Digital Analytics Association’s web analytics program. Originally published January 18, 2014.

Is Privacy an Option?

Before deciding whether or not to give up one’s privacy it would be best to start with an agreement of how we define privacy. According to Wikipedia “Internet privacy involves the right or mandate of personal privacy concerning the storing, repurposing, provision to third-parties, and displaying of information pertaining to oneself via the Internet¹.” It can be broken down further into Personally Identifying Information (PII) and non-Personally Identifying Information² (non-PII). Having complete privacy online is impossible, since most every page view, query and discernible action is logged somewhere. So should we limit the debate over privacy to PII alone? How about narrowing our scope to cookies? Would it just be third-party or does this include first-party? I plan to show that excluding all cookies is still not enough to maintain total privacy, which isn’t realistically an option. The relevant questions are how much control we have over our information and whether we give our consent to its use.

Even the most routine visit to a website exposes basic information about you. Using the Electronic Frontier Foundation’s Panopticlick³ tool shows the most baseline information provided by my browser, such as user agent, HTTP accept headers, browser plugins, time zone, screen size, colour depth, system fonts, cookie status and supercookie testing. The EFF states that my browser can be uniquely identified from the 3,651,749 tested so far. I visit the site a second time using Private Browsing Mode⁴ and see the same results. That means that even without allowing a single cookie between these sessions I have still been uniquely identified. According to the EFF, even as systems are updated and their information changed, the returning browser can still be identified with a 99.1%⁵ rate of accuracy. The false positive rate is reported at only 0.86%. This technique is called Fingerprinting and with it we are uniquely identifiable.

Fig. 1. Fingerprinting — What Your Browser Says About You

Given that we can be uniquely identified, can we be personally identified? IP addresses are exposed publicly and cannot be safeguarded. Using a tracer on my IP address shows my Internet service provider, country, province, city, GPS coordinates of the ISP’s server, level of anonymity and whether I am hiding behind a proxy. Those GPS coordinates, 48.4710:-123.3438, are easily found using Google Maps⁶ and point to a location that is only a 2.9 kilometer, 6 minute drive from my home! With that information I can now known to be assumed to be one of approximately 109,752 people living in Saanich, a suburb of Victoria. I can be uniquely identified from a pool of 3,651,749 in a city of 109,752. There are a whole host of other ways to be identified, such as legal inquiry⁷, tracking your network card’s MAC address over wifi⁸ or through IPv6⁹ and spyware/malware²⁰. After a point this information must become personally identifying and we haven’t even started talking about cookies. Given enough effort, we are personally identifiable.

Fig. 2. IP Tracing — What Your IP Address Says About You

On the other hand, you may not even need to be personally identified to have your privacy violated¹¹. In the example made at Don’t Track Us, an anonymous user performs a search using terms that suggest an embarrassing health condition. When results are presented and a link followed, these search terms are shared with the recipient domain. This information is then passed on to and sold between third-party sites. This is where cookies finally come in to play and are used by third parties to show embarrassing and revealing ads relating to this condition on a whole host of seemingly unrelated sites. Potentially this data could be sold so that the user will pay higher prices for related services, such as health insurance.

[1] Internet privacy, http://en.wikipedia.org/wiki/Online\_privacy

[2] Personally identifiable information, http://en.wikipedia.org/wiki/Personally_identifiable_information

[3] Panopticlick: How Unique — and Trackable — Is Your Browser?, https://panopticlick.eff.org

[4] Private Browsing — Browse the web without saving information about the sites you visit, https://support.mozilla.org/en-US/kb/private-browsing-browse-web-without-saving-info

[5] How Unique is Your Web Browser?, https://panopticlick.eff.org/browser-uniqueness.pdf

[6] Google Maps, https://maps.google.ca/maps?q=48.4710,-123.3438&hl=en&sll=54.112352,-126.555646&sspn=24.12625,25.268555&t=m&z=16

[7] The Debate About Warrantless Access to ISP Customer Information http://www.slaw.ca/2009/10/09/the-debate-about-warrantless-access-to-isp-customer-information/

[8] What does a MAC address tell you?, http://www.identityblog.com/?p=1131

[9] Computer IPv6 addresses & privacy, http://www.hacker10.com/tag/ipv6-shows-mac-address/

[10] Spyware, http://en.wikipedia.org/wiki/Spyware

[11] Don’t Track Us, http://donttrack.us/