The internet’s cookie monsters are harvesting your secrets
‘On the internet, nobody knows you’re a dog.’ This has been touted as an internet mantra since The New Yorker ran its famous cartoon of two hounds using a computer in 1993. By not requiring individuals to provide identifying information, the web gave internet users an unprecedented sense of anonymity in its early days.
Cyberspace rapidly became a medium where strangers, lulled by a sensation of security created by anonymity, felt comfortable divulging more personal information than ever before.
Much has changed over the past 20-odd years. Anonymity is no longer the web’s hallmark: internet users’ readiness to share personal data has created a bonanza for marketing companies and other businesses, who rapidly found ways to mine this information.
All too often, internet users perceive marketing as innocuous, equating it with advertising. Most do not realize the full scope of the data being amassed about them — and how it is being used. By also making it cheaper to gather, store, and analyze data than ever before, the internet has spawned a £90 billion industry of ‘data brokers’, companies that collect and sell personal information.
Using aggregation techniques, firms are now able to combine seemingly unrelated data — for example, IP addresses and online purchasing history, to not only identify internet users by name but compile detailed profiles on them. These methods are even more powerful when information obtained online is combined with offline data. Perhaps most worrying is that at no point have internet users been informed of or consented to such practices.
Data brokers such as Acxiom and Epsilon have created detailed lists of individuals, which they sell to marketers. These lists group sensitive subjects, such as HIV patients, gamblers, rape victims, divorced persons, gay and lesbian adults, alcoholics, erectile disfunction sufferers and pregnant women. The industry is a veritable Wild West, operating with little regulation or oversight. Although most countries have laws that protect patient confidentiality, many data brokers — who are often USbased — circumvent them by deducing an individual’s medical information from their purchasing history. They might infer that an individual who buys certain medications has cancer, or that one who shops at plus-size clothing stores is overweight.
Data brokers gather some of this information themselves. They also purchase data from other companies. These include firms that specialize in tracking internet users’ browsing histories. Such firms operate by buying advertising on thousands of major websites, which allows them to install ‘third party cookies’ on these sites. The cookies, which are scripts that automatically download on an internet user’s computer when their browser loads the website, log the internet user’s activities and send the information to these firms.
Most websites contain dozens of third-party cookies. Data brokers also buy information from companies that have developed a second revenue source selling data on internet users who visit their websites.
According to a recent report by the US TV news magazine 60 Minutes, ‘most retailers are finding out that…the data about their customers is probably just as valuable — maybe more so — than the actual product or service they are selling to the individual’. Dating sites such as OkCupid ask users to answer very personal questions in their profiles — such things as their religious and political views, whether they smoke, drink or do drugs, and even how often they have sex — and share some of this with data brokers.
What can be done about these threats to privacy? Internet users can implement a number of technical measures to help protect their personal information online. These include methods to hide their IP addresses and encrypt data, such as using a Virtual Private Network such as Tunnel- Bear or HotspotShield.
A VPN directs all traffic from the internet user’s computer through an encrypted tunnel to the servers of the VPN provider, replacing the internet user’s IP address with that of the VPN server.
Another option is to use Tor — originally called The Onion Router — which encrypts traffic sent from the internet user’s computer and routes it via a complex and random sequence of proxies to its final destination. This creates multiple layers that mask the traffic’s origin and the internet user’s IP address.
For additional privacy protection, internet users can remove or block tracking cookies. One way is to use a browser such as WhiteHat Aviator, which clears the internet user’s computer of cookies each time the browser is restarted. Another is to install a browser extension like Disconnect, which not only allows the internet user to view the third party cookies on a website but to stop them installing.
However, the burden should not rest on individuals alone. Governments, too, must implement stronger policies. The US has taken an important step in this direction with the proposed Data Broker Accountability and Transparency Act. The Bill would give individuals the right to view the records that data brokers have accumulated on them, to correct errors — which is particularly important since many records are filled with inaccuracies — and to opt out of the practice altogether if they choose. But securing the Bill’s passage is likely to be a challenge as previous attempts at online privacy legislation have been stymied by influential lobbying groups.
The EU, which has stronger data protection laws than the US, has implemented an e-Privacy Directive — which requires websites to obtain an internet user’s consent before installing cookies on their computer. Yet, with the UK Information Commissioner’s Office viewing implied consent as a valid form of consent, major loopholes remain.
Caroline Baylon is Research Associate, Science, Technology and Cyber Security, at the Chatham House International Security Department