Researchers: 'Anonymized' Browsing Data Can Reveal Identity

John Lister's picture

Researchers suggest that anonymized browsing data can be used to track users. The flaw can make it easy to reveal exactly what sites individuals have visited.

Security experts Svea Eckert and Andreas Dewes told the Def Con security conference that they'd been able to identify adult websites a particular judge had visited, as well as a politician's online interest in drugs.

The data came from so-called "clickstreams," which are simply a list of the sites an individual has visited and the order in which they visited them. They are commonly used by advertising firms to produce individually targeted ads based on the interests and attitudes revealed by a person's browser history.

Clickstreams Gathered By Browser Tools

Such 'clickstreams' can be gathered in a variety of ways, most commonly through browser extensions installed by the user. In some cases, these are rogue extensions that are installed without the user's knowledge via a security flaw, or that appear to serve a legitimate purpose but actually gather the data without the user realizing.

In other cases, the extensions are more "legitimate." The manufacturers of the addons gather the data and then anonymize it by replacing the user names with reference numbers, then pass the data onto advertisers. That means advertisers can deliver the targeted ads without knowing the individual who will see them.

According to the researchers the process of anonymizing has two big limitations. One is that the list of pages the person visited will often include account management pages, for example when somebody goes to update their settings or information on a social media site. In those cases, the user's name may be revealed in the page title or even the website URL itself. (Source:

Social Media Activity Could Be Decisive Clue

Even when this isn't the case, the researchers say it's possible to cross-reference the list with publicly accessible information - such as when a user posted or shared content on a social media site. For example, if the clickstream has several instances of the person sharing particular stories at particular times, there may only be one user whose social media activity fits that particular pattern. (Source:

The researchers have deleted the data they used in the study. They say that because it may be difficult to ensure clickstream data is kept anonymous, governments should put time limits on how long a company can store a set of data, a move designed to reduce the chances of it being stolen or exposed.

What's Your Opinion?

Do you fully vet any browser extensions you install? Would you consider tightening the privacy settings on your social media activity to reduce the chances of it being used to identify 'clickstream' data? Are we approaching the point where the only practical solution is to act as if every website you visit could become public knowledge?

Rate this article: 
Average: 5 (9 votes)


nospam_5346's picture

Personally, I don't use social media so I imagine my footprint is a bit smaller though still bigger than I would like.

As for targeted ads, I've never understood this. By the time they get any data upon which they could serve me a targeted ad or by the time I might actually notice a targeted ad, I've already either bought the item or decided not to buy the item or bought a similar item. So, sending me an ad for that or a similar item is a sheer waste of time on their part and simply an annoyance on my part.

So, what exactly is the relevance of a targeted ad?

kitekrazy's picture

I don't mind the targeted ads. It is often from vendors I've dealt with. It beats ads about enhancing your wee wee or horny Russian girls are dying to meed you.