Securing one’s passwords, email accounts, and banking information rightly gains the lion’s share of attention in the media. Having one’s email hacked into – even if the account contains no particularly personal or truly incriminating information – can be a terrible headache for oneself and for one’s family and friends.
But are we aware of just how much of our activity is tracked and counted and bought and sold as we browse the internet outside any personal accounts? Computer scientists at Stanford Law School’s ‘Center for Internet and Society’ have been pursing this issue for a few months now, and they trace the myriad ways our identities are shared via even the most innocuous of surfing.
For example, website privacy statements might state that the information they collect is anonymous – and, in fact, in the first instance it is. Yet the anonymity survives only as long as the company does not link your name, ZIP code, date of birth, whatever, to the computer’s ID that registered the click. As Arvind Narayanan explained this past July:
In the language of computer science, clickstreams — browsing histories that companies collect — are not anonymous at all; rather, they are pseudonymous. The latter term is not only more technically appropriate, it is much more reflective of the fact that at any point after the data has been collected, the tracking company might try to attach an identity to the pseudonym (unique ID) that your data is labeled with. Thus, identification of a user affects not only future tracking, but also retroactively affects the data that’s already been collected. Identification needs to happen only once, ever, per user.
A specific test case and report, summarized by Jonathan Mayer (also at Stanford’s Center for Internet and Society), shows how a site like OkCupid offers information to third parties as soon as one signs up, and how even simply a username used for a couple of accounts can allow aggregators to follow your browsing habits across a spectrum of sites and accounts.
Some of the worst offenders for ‘leaking’ enough information to allow de facto sharing of information from sites claiming not to offer your personal info? CNBC sent information to two companies – Reuters to five. The Weather Underground and Classmates.com sent parts of the user’s information to twenty-two sites! Whether to one or one hundred sites, you can not assume your information – ‘guaranteed’ by the site you are signing up with – will be kept anonymous by the subsequent aggregating site.
We can do some things to help stifle the flow of our personal information and browsing habits. We will discuss them next Friday, ‘Black Friday,’ so that you can implement some of the apps and practices before ‘Cyber Monday.’