True privacy online is not viable

You can hide from casual observers, but a motivated person will see through your attempts at anonymization

Privacy-concerned consumers desperately want a magic bullet, some simple thing they can use that will protect their identities and their web activity. And although there are a plethora of offerings today that make such a claim — VPNs, privacy-focused browsers such as Tor, privacy search engines such as DuckDuckGo, quite a few services that claim to anonymize anyone’s activity — the practical realities of human behavior make such privacy claims bogus.

Let me stress that almost all of these services do indeed help a person remain anonymous from the casual, untrained observer (the typical roommate, spouse, co-worker, boss, etc.). But any consumer who thinks that these tools will thwart a law enforcement agent, motivated cyberthief or identity thief, or anyone who is willing to spend the time to track you down is in for unhappiness.

This point was made even more unavoidable in a new paper from researchers at Stanford and Princeton universities.

“Each person has a distinctive social network and, thus, the set of links appearing in one’s feed is unique. Assuming users visit links in their feed with higher probability than a random user, browsing histories contain tell-tale marks of identity. To gauge the real-world effectiveness of this approach, we recruited nearly 400 people to donate their web browsing histories, and we were able to correctly identify more than 70 percent of them,” the report said. “Our theoretical contribution applies to any type of transactional data and is robust to noisy observations, generalizing a wide range of previous de-anonymization attacks. Since our attack attempts to find the correct Twitter profile out of over 300 million candidates, it is, to our knowledge, the largest-scale demonstrated de-anonymization to date.”

In short, the point of this report is that people are creatures of habit. Their face/IP address/phone number/CRM number/etc. may be obscured, but their behavior often can’t be.

A few years ago, there was a law enforcement effort to track suspects by their grocery shopping patterns. Here’s how it worked. Let’s say that you have a suspect who had no reason to hide in her local community. She used payment cards, had a library card and sought discounts at her local grocery store by participating in a loyalty and CRM program. Then she killed some people and decided to go deep into hiding. She cleared out her bank account (so she could live entirely on cash for as long as possible), destroyed her mobile devices, purchased bogus identification documents and drove thousands of miles away. She would try to live off the grid, if you will.

Armed with years of the suspect’s grocery purchase habits, law enforcement identified repeated patterns. What kind of fruit did she buy? Which flavors and brands of cereal? Which precise beverages? Even though the suspect would presumably not get a CRM card in her hideout community, anonymous basket analysis would suffice. Retail chains across the country would be asked to check their sales against the patterns of the suspect. It proved frighteningly accurate at finding someone.

And even if the suspect could avoid purchasing patterns, would she be smart enough to change all of her habits? Her face could still be detected by facial-recognition software working with security cameras. And her car’s license plate could be detected driving on some interstate.

That’s all in the physical world. But the idea is the same for the online world. We habitually visit the same sites, tend to read stories the same amount of time and are prone to click on posts by the same people in our social circle. No IP-hiding VPN is going to change that.

The quip has often been made that privacy doesn’t exist anymore. Although it may not be that bad yet, the truth is that consumers cannot rely on any anonymity product as long as their behavior — their inclinations, their friends, their patterns — itself can be tracked.

When someone asks me, “Can I be tracked if I use XYZ privacy device?” the answer is, “It depends. Who are you worried about tracking you?” Privacy apps and devices are good low-level defenses, making a person difficult enough to track that it will, in effect, block most routine efforts.

Think of these apps/defenses as akin to installing a good high-security deadbolt on every door in your house. Will it block a thief who is being paid to steal documents in your house worth $40 million? Nope. There are windows with glass that can be cut, sledgehammers that can crash though the walls and then there’s always the thief who waits for you to unlock the door and then pulls a gun on you and follows you into the house. But that deadbolt will be enough to deter the low-level thief who is quite content to rob the house next door, the house that has no deadbolt.

I personally surf as often as I can in incognito mode, hiding my IP address with a VPN and surfing with Tor as often as I can. But there are enough sites that won’t work with that setup to make it difficult to use 24/7. (Although I did have fun discovering that when YouTube blocked me from seeing a video due to country copyright issues, all I had to do was change the country on my VPN settings and the video played fine.)

Bottom line: you can hide from advertisers and others well enough with privacy devices, but if someone really wants to track you, well, you can click, but you can’t hide.

Join the Good Gear Guide newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Evan Schuman

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?