Sorry Tomek, but I “win”

As I discussed here, the EFF is running an experimental site demonstrating that browsers ooze an unnecessary “browser fingerprint” allowing users to be identified across sites without their knowledge.  One can easily imagine this scenario:

  1. Site “A” offers some service you are interested in and you release your name and address to it.  At the same time, the site captures your browser fingerprint.
  2. Site “B” establishes a relationship with site “A” whereby it sends “A” a browser fingerprint and “A” responds with the matching identifying information (see the sketch after this list).
  3. You are therefore unknowingly identified at site “B”.
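
To make the flow concrete, here is a minimal sketch in TypeScript of what such an exchange could look like. Everything in it is hypothetical: the attributes collected, the “site-a.example” lookup endpoint, and the response shape are invented for illustration, not taken from any real deployment.

```typescript
// Hypothetical sketch of the scenario above; the endpoint and the
// response shape are invented for illustration only.

// Attributes a site could read without asking the user (circa 2010).
function collectFingerprint(): string {
  return [
    navigator.userAgent,
    navigator.language,
    `${screen.width}x${screen.height}x${screen.colorDepth}`,
    String(new Date().getTimezoneOffset()),
    // plugin and font lists would add many more distinguishing bits
  ].join("||");
}

// Site "B" sends the fingerprint to site "A", which looks it up against
// the identities its own users volunteered and returns any match.
async function identifyVisitorAtSiteB(): Promise<unknown> {
  const fingerprint = collectFingerprint();
  const response = await fetch("https://site-a.example/lookup", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ fingerprint }),
  });
  return response.json(); // e.g. { name, address } captured at site "A"
}
```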

I can see browser fingerprints being used for a number of purposes.  Some sites might use a fingerprint to keep track of you even after you have cleared your cookies – and rationalize this as providing added security.  Others will inevitably employ it for commercial purposes – identifying information that can be used to target customers is high value.  And the technology can even be used for corporate espionage and cyber investigations.

It is important to point out that, like any fingerprint, the identification is only probabilistic.  EFF is studying what these probabilities are.  In my original test, my browser was unique among the 120,000 browsers tested to that point – a number I found very disturbing.

But friends soon wrote back to report that their browsers were even “more unique” than mine!  And going through my feeds today I saw a post at Tomek's DS World where he reported a staggering fingerprint uniqueness of 1 in 433,751.
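
For a sense of scale, a result of “one in N browsers” translates into at least log2(N) bits of identifying information, which is roughly how the EFF site expresses it. A quick back-of-the-envelope calculation (TypeScript, illustrative only):

```typescript
// Bits of identifying information implied by a "one in N browsers" result.
const bitsOfIdentifyingInfo = (oneInN: number): number => Math.log2(oneInN);

console.log(bitsOfIdentifyingInfo(120_000).toFixed(1)); // ~16.9 bits
console.log(bitsOfIdentifyingInfo(433_751).toFixed(1)); // ~18.7 bits

// Roughly 33 bits are enough to single out one person among the
// world's population, so these fingerprints go a long way.
```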


It's not that I really think of myself as super competitive, but these results were so extreme I decided to take the test again.  My new score is off the scale.

Tomek ends his post this way:

“So a browser can be used to identify a user in the Internet or to harvest some information without his consent. Will it really become a problem and will it be addressed in some way in browsers in the future? This question has to be answered by people responsible for browser development.”

I have to disagree.  It is already a problem.  A big problem.  These outcomes weren't at all obvious in the early days of the browser, but today the writing is on the wall, and the problem needs to be addressed.  It's a matter right at the core of delivering a trustworthy computing infrastructure.  We need to evolve the world's browsers to employ minimal disclosure, releasing only what is necessary and never providing a fingerprint without the user's consent.

 

More unintended consequences of browser leakage

Joerg Resch at Kuppinger Cole points us to new research showing how social networks can be used in conjunction with browser leakage to provide accurate identification of users who think they are browsing anonymously.

Joerg writes:

Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from Isec Laboratory for IT Security found a simple and very effective way to identify a person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, adress, phone numbers and so on. What they do, is just exploiting the browser history to find out, which social networks the user is a member of and to which groups he or she has subscribed within that social network.

The attack, described in the paper “A Practical Attack to De-Anonymize Social Network Users”, begins with what is known as “history stealing”.

Browsers don’t allow web sites to read the user’s “history” of visited sites directly.  But we all know that browsers render links to sites we have visited in a different color than links to sites we have not.  This difference is exposed programmatically: JavaScript can examine a link's a:visited style.  So a malicious site can walk through a list of candidate URLs, examine the a:visited style of each, and determine whether it has been visited – all without the user being aware of it.
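
Here is a minimal sketch (TypeScript) of that probing technique as it worked in browsers of that era; the style rule, colour value, and candidate URLs are placeholders, and modern browsers have since restricted what getComputedStyle reports for :visited links.

```typescript
// Assumes the attacking page has installed a rule such as:
//   a:visited { color: rgb(255, 0, 0); }

// Returns true if the browser renders the link with the :visited colour,
// i.e. the URL appears in the visitor's history. Worked in 2010-era
// browsers; since mitigated.
function appearsVisited(url: string): boolean {
  const link = document.createElement("a");
  link.href = url;
  document.body.appendChild(link);
  const color = window.getComputedStyle(link).color;
  document.body.removeChild(link);
  return color === "rgb(255, 0, 0)";
}

// A malicious page can silently test thousands of candidate URLs this way.
const candidates = ["https://example.com/some-page", "https://example.org/"];
const visitedByThisUser = candidates.filter(appearsVisited);
```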

This attack has been known for some time, but what is novel is its use.  The authors claim the groups in all major social networks are represented through URLs, so history stealing can be translated into “group membership stealing”.  This brings us to the core of this new work.  The authors have developed a model for the identification characteristics of group memberships – a model that will outlast this particular attack, as dramatic as it is.
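
Because those group pages live at predictable URLs, the same probe can be turned into a membership test. A rough sketch, reusing the appearsVisited function from the earlier snippet; the URL pattern is invented, since each network has its own scheme:

```typescript
// Invented URL pattern for illustration; each network has its own scheme.
const groupUrl = (network: string, groupId: string): string =>
  `https://${network}/groups/${groupId}`;

// The set of groups the visitor appears to have browsed is itself a
// fingerprint, which the paper matches against crawled group member
// lists to narrow the visitor down to a few named profiles.
function groupMembershipFingerprint(network: string, groupIds: string[]): string[] {
  return groupIds.filter((id) => appearsVisited(groupUrl(network, id)));
}
```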

The researchers have created a demonstration site that works with the European social network Xing.  Joerg tried it out and, as the screenshot in his post shows, it identified him uniquely – although he had done nothing to authenticate himself.  He says,

“Here is a screenshot from the self-test I did with the de-anonymizer described in my last post. I'm a member in 5 groups at Xing, but only active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome Browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That's weird!”

Since I’m not a user of Xing I can’t explore this first hand.

Joerg goes on to ask whether history-stealing is a crime.  If it's not, how mainstream is this kind of analysis going to become?  What is the right legal framework for considering these issues?  One thing is for sure:  this kind of demonstration, as it becomes widely understood, risks profoundly changing the way people look at the Internet.

To return to the idea of minimal disclosure for the browser: why do sites we visit need to be able to read the a:visited style at all?  This should again be thought of as “fingerprinting”, and before a site is able to retrieve the fingerprint, the user must be made aware that doing so opens the possibility of being uniquely identified without authentication.

Electronic Eternity

From the Useful Spam Department: I got an advertisement from a robot at “complianceonline.com” that works for a business addressing the problem of data retention on the web from the corporate point of view.

We've all read plenty about the dangers of teenagers publishing their party revels only to find themselves rejected by a university snooping on their Facebook account.  But it's important to remember that the same issues affect business and government as well, as the complianceonline robot points out:

“Avoid Documentation ‘Time Bombs’

“Your own communications and documents can be used against you.

“Lab books, project and design history files, correspondence including e-mails, websites, and marketing literature may all contain information that can compromise a company and its regulatory compliance. Major problems with the U.S. FDA and/or in lawsuits have resulted from careless or inappropriate comments or even inaccurate opinions being “voiced” by employees in controlled or retained documents. Opinionated or accusatory E-mails have been written and sent, where even if deleted, still remain in the public domain where they can effectively “last forever”.

“In this electronic age of My Space, Face Book, Linked In, Twitter, Blogs and similar instant communication, derogatory information about a company and its products can be published worldwide, and “go viral”, whether based on fact or not. Today one's ‘opinion’ carries the same weight as ‘fact’.”

This is all pretty predictable and even banal, but then we get to the gem:  the company offers a webinar on “Electronic Eternity”.  I like the rubric.  I think “Electronic Eternity” is one of the things we should question.  Do we really need to accept that it is inevitable?  Whose interest does it serve?  I can't see any stakeholder who benefits except, perhaps, the archeologist. 

Perhaps everything should have a half-life unless a good argument can be made for preserving it.

 

Ethical Foundations of Cybersecurity

Britain's Enterprise Privacy Group is starting a new series of workshops that deal squarely with ethics.  While specialists in ethics have achieved a significant role in professions like medicine, this is one of the first workshops I've seen that takes on equivalent issues in our field of work.  Perhaps that's why it is already oversubscribed…

‘The continuing openness of the Internet is fundamental to our way of life, promoting the free flow of ideas to strengthen democratic ideals and deliver the economic benefits of globalisation.  But a fundamental challenge for any government is to balance measures intended to protect security and the right to life with the impact these may have on the other rights that we cherish and which form the basis of our society.

‘The security of cyber space poses particular challenges in meeting tests of necessity and proportionality, as its distributed, de-centralised form means that powerful tools may need to be deployed to tackle those who wish to do harm.  A clear ethical foundation is essential to ensure that the power of these tools is not abused.

‘The first workshop in this series will be hosted at the Cabinet Office on 17 June, and will explore what questions need to be asked and answered to develop this foundation.

‘The event is already fully subscribed, but we hope to host further events in the near future with greater opportunities for all EPG Members to participate.’

Let's hope EPG eventually turns these deliberations into a document they can share more widely.  Meanwhile, this article seems to offer an introduction to the literature.