While news of data leaks and malware attacks seem to be on the upswing, there are forms of web surveillance that reveal just as much data, only they are completely legal and receive much less publicity.
On Sept. 5, Cornell’s Department of Computing and Information Science kicked off the first of a series of talks that aims to discuss the importance of technological advancements and the law in exploring surveillance, privacy and bias. Prof. Arvind Narayanan, computer science, Princeton University, was the first speaker of the series and presented his research with a talk entitled “Uncovering Commercial Surveillance on the Web.”
Commercial surveillance involves techniques used by companies to discreetly and legally trace the internet activity of users. Such surveillance is so widespread that it affects anyone who uses the internet, even for basic browsing.
Narayanan, whose research focuses on privacy and security on the internet, laid out a technical overview of how third-party companies gain access to users’ personal information using ingenious techniques.
A common method that companies used to rely on is known as canvas fingerprinting. The idea behind the technique is to draw a unique, invisible image on a loaded page. The hidden combination of pixels is read back as a series of bits, which will be different for every user and can be used to track internet activity back to the device used. Consequently, this information can be used to tailor the advertisements or sponsored page links that are displayed.
The question though is where these ‘tracking images’ come from. Most are loaded as visible ads and invisible websites when users open a given website. For instance, simply opening the New York Times website loads hundreds of third-party requests along with the website’s content.
Canvas fingerprinting was used to discreetly gather information on users for two years. Just days after Narayanan’s work on canvas fingerprinting was published, most companies employing the practice abruptly stopped doing so.
The exposure of one web surveillance method, however, only worked to stop a single leak in a patchwork of a large and growing network of creative ways companies try to gather information about users and their online activities.
Examples of new methods that have popped up include monitoring a user’s battery levels and using that information to trace their web activity. Such a technique is based on the premise that two users are unlikely to have the same websites open and have the same battery levels, thus, providing companies with a rough identification tool. Another mode of tracking allows companies to use the unique audio frequency of an internet browser on a specific computer to pin down the web activity of certain groups of people.
While these are fairly rough identification tools, there are others that are more direct. A user who has logged into services like Gmail or Facebook has their web activity associated with their identity. Furthermore, this information is not simply restricted to web giants. As recent events suggest, social media details are the most vulnerable to malware attacks and when trackers have this information, correlating browsing history and one’s email address is possible.
According to Narayanan, even without trackers, it is safe to conclude that anonymity does not exist on the internet. Narayanan’s group previously demonstrated that almost all browsing history can be de-anonymized and traced to specific users. According to Narayanan, Edward Snowden’s leaks on the U.S. government’s surveillance programs revealed that cookies — small pieces of information stored by a website on a user’s computer — can be used to tie that history back to specific people.
Narayanan does not take the issue of such web tracking lightly, believing instead that it limits intellectual freedom and free speech. According to him, this infringement of privacy makes it even more difficult to continue to fight for the rights of minorities, who have benefited from the ability to express their values and exchange ideas in private. The knowledge that there are trackers who can tie one’s identity to web history and activity means that people may be more apprehensive in opening non-mainstream websites. That could severely limit the possibility of vital new equality movements gaining steam.
Narayanan believes that web tracking is an unavoidable part of modern capitalism and that it should be done openly and with clear opt-out options. Web browsers, too, are beginning to take users’ privacy more seriously and have started to offer optional protection against web trackers. In the future though, Narayanan hopes that governments promote research that helps blunt the effect of these tracking techniques and helps secure the data of average netizens.