Wednesday, October 11, 2006
Let's say that you visit a site using an anonymous proxy once and then you visit it again without using one because the proxy is usually really slow. Are you actually safe? Can the website compare the two browsing sessions and identify that the same person is behind both of them? That's the essence of a paper titled "Clickprints on the Web: Are There Signatures in Web Browsing Data?". The two authors find that each individual may have a "clickprint" -- a unique pattern of web surfing behavior based on actions such as the number of pages viewed per session, the number of minutes spent on each web page, the time or day of the week the page is visited, and so on. The authors conclude that by observing these patterns, an e-commerce company can distinguish between two individuals with nearly 100% accuracy, sometimes with as few as three Internet sessions, and potentially use that information to deter fraud. The number of sessions needed to identify an individual rises with the number of unique users a site has because there are more people to differentiate.
While the authors are rather positive about the implications of clickprinting, the AOL incident where thousands of search records were released to the public raises concerns that the data may be put to less noble uses.
What are some ways to defeat clickprinting? Well, in the wake of the AOL privacy leak, the TrackMeNot Firefox extension was released, which queries search engines with random search terms so your real queries are masked. To obfuscate your real browsing patterns, you might consider using Tor, which offers more protection than a traditional anonymous proxy since it routes your requests through a series of intermediaries. That's probably the best tool available right now for defeating this sort of tracking. Anyone know of anything better?
Users can also deliberately change aspects of their browsing pattern to throw off clickprinting. You could change how long you view a page, or enter a site through a different entrance (say, through a deep link versus the homepage). You could also open up links that you don't intend to look at in multiple tabs and keep them open for varying intervals. Still, it's not the easiest thing for people to change their habits, so a software solution is probably more effective, although for now it doesn't look like any sites have started to implement clickprinting.
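To make the idea concrete, the sketch below is an added example, not code from the paper or this post. It averages three of the per-session features named above (pages viewed, minutes per page, hour of visit) and matches the result to the nearest stored profile; the names, the SCALE constants and all session values are constructed, and nearest-profile matching is a simplified stand-in rather than the authors' method.

```python
from math import sqrt
from statistics import mean

# Feature order: pages viewed per session, mean minutes per page,
# hour of day the session started. All values below are constructed.
# Assumed normalisation so no single feature dominates the distance.
# Simplification: the hour is treated as linear, not circular.
SCALE = (10.0, 5.0, 12.0)

# Past sessions the site already ties to two known accounts (constructed).
HISTORY = {
    "alice": [(12, 1.0, 21), (10, 1.5, 22), (14, 0.5, 20)],
    "bob":   [(4, 4.0, 9), (6, 3.0, 10), (5, 3.5, 8)],
}

def clickprint(sessions):
    """Aggregate several sessions into one mean feature vector."""
    return tuple(mean(col) for col in zip(*sessions))

def distance(a, b):
    """Scaled Euclidean distance between two clickprints."""
    return sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, SCALE)))

def attribute(sessions, history=HISTORY):
    """Return (best_match, distances) for a group of unlabelled sessions."""
    probe = clickprint(sessions)
    dists = {user: distance(probe, clickprint(past))
             for user, past in history.items()}
    return min(dists, key=dists.get), dists

# Constructed sessions from one visitor seen without a login (really "alice").
# The first is atypical for her: a short daytime visit with long page views.
UNKNOWN = [(7, 2.5, 14), (13, 0.8, 21), (12, 1.0, 22)]

if __name__ == "__main__":
    for n in range(1, len(UNKNOWN) + 1):
        who, dists = attribute(UNKNOWN[:n])
        print(n, "session(s) ->", who,
              {u: round(d, 2) for u, d in dists.items()})
```

With only the one atypical session the visitor is matched to the wrong profile, but averaging over three sessions pulls the match back to the right one, which is why a single changed habit does little against this kind of profiling.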
Research Paper (PDF)
(via Google Blogoscoped)