By STEFFAN HEUER & PERNILLE TRANBERG
Steffan Heuer and Pernille Tranberg are authors of the book Fake It: A Guide to Digital Self-Defense. They cover technology and privacy issues in San Francisco and Copenhagen. In this series, Digital Self-Defense, Heuer and Tranberg report with updates from the digital identity wars and teach us how to defend our privacy in the great data grab going on all around us. Follow them at @FakeIt_Book.
Show me your search patterns, and I’ll tell you who you are. Your vacation dreams. Your health worries. Your job situation, your hobbies, if you are gay, hetero, single, or married. Your political orientation, shopping behavior, financial capabilities, food and alcohol cravings, drug habits, and all kinds of other interests and preferences.
Your searches are probably the No. 1 way to collect data about your private life. Forget about the encryption debate that’s been raging since Edward Snowden started leaking. Privacy starts with search.
Are you among the many who googled “Amphetamine mixed salts”? It’s one of the top three medications searched for, according to Google Trends charts. “Amphetamine mixed salts” is a drug used to treat attention deficit hyperactivity disorder and narcolepsy. Searching for these keywords and clicking on particular links is an indication that you or a family member may suffer from one of these conditions. Searches such as these contain highly sensitive information a data broker, pharma company, or insurer would love to get their hands on.
The more of these tell-tale bits you leave in the open, the easier it becomes to target ads and offers to a condition—or even craft a costlier health insurance policy, tailored just for you. And this isn’t doomsday worrying; it’s happening now. One health insurance manager recently told us his company is regularly approached by data brokers who offer to sell transaction data from outlets such as fast food chains in order to tie them to individual clients. Thankfully, his company currently declines such overtures. But do they all? And how long before a desire for higher profits overtakes morality?
Search engine providers such as Google tie every search to every user to allow for user profiling and more targeted ads. And they will hand those search histories, plus IP or location data, over to government agencies when, not if, they come calling. Google’s not the only one. According to Robert Beens, CEO of the anonymous search engine Startpage.com, most search engines record your search data like an OCD librarian writing down every step you take in a library.
Beens tells us:
“They capture your IP address and use tracking cookies to make a record of your search terms, the time of your visit, and the links you choose—then they store that information in a giant database. Those searches reveal a shocking amount of personal information about you.”
He continues,
“Searching is mostly done in the privacy of your home and you ‘confide’ in your favorite search engine as a friend—disclosing your innermost thoughts and interests. Aggregated together over several years, your searches reveal who you are. It completes the whole huge puzzle that you are, piece by piece.”
Add to that the fact that most people use Google & Co. without SSL encryption, and everybody else can listen in: your service provider, your mobile operator, your smartphone manufacturer, etc.
But it doesn’t have to be that way. There are alternatives—ways of preventing search engines and trackers from mining all of your personal data (but, fair warning: A new method called “device fingerprinting” makes it harder to hide your digital tracks).
These are, at the moment, mostly niche players that have received huge boosts in user traffic since Snowden blew the whistle. You can do truly anonymous searches on Startpage and its older sister site Ixquick, as well as with its U.S. competitor Duckduckgo. They’re all breaking traffic records since the NSA revelations, with search numbers nearly doubling.
Some will object that nothing comes close to Google’s massive index, but search engines such as Startpage pool your search terms, strip them of identifiable information, and, in fact, anonymously submit them to Google. You get the full stack of answers without being tracked. What’s more, you don’t get supposedly personalized results based on what they know about you. Escape the “filter bubble” and try clean, non-filtered results for a change. You’ll be surprised at what comes up when it isn’t edited. What’s more, you can view pages via a proxy, basically reading results in anonymity since the search engine pulls up the link and presents it to you privately.
From Cookies to Fingerprinting
People are finally getting sick and tired of having their curiosities and intentions tracked and logged. Here’s the explanation that Gabriel Weinberg, founder and CEO of DuckDuckGo, gave us:
“Aside from government access, there are many other reasons. Perhaps the most obvious is all those ads that follow you around the Internet now. In-between are a bunch of things that most people don’t know about yet, like being charged different prices based on your data profile or having your online info start to show up off-line, for example insurers are now testing such data for use in risk profiles.”
(DuckDuckGo and Smartpage, by the way, recently released nifty iOS apps for mobile searches that let you skirt the data-sniffers from Google & Co.—with Android versions in the works.)
But digital self-defense is an arms race. As soon as somebody develops a block or tool, someone else comes up with new ways to get around it to continue keeping tabs on every user online. Today, most advertisers and other parties on the Web still rely on a wide array of cookies. More and more users block cookies or routinely delete them, as a new study by Pew Internet Life just revealed. Mobile phones do not use cookies, but give off other valuable signals, such as device IDs.
Because cookies are becoming less effective, tracking companies are now turning to “fingerprinting,” a technique allowing a website to look at the unique characteristics of the computer or device you’re using. They analyze installed plugins, software, screen resolution, time zone, fonts, and other features. Combine that info with other data points, and companies can infer which smartphone, tablet, and laptop belong to the same person.
Fingerprinting—like the kind announced last week by Apple—may prove to be a more robust tracking technology than cookies, and it’s very hard to avoid from a user point of view. “Today, to prevent fingerprinting in a meaningful way, there is a big impact on the user experience,” says Andrew Sudbury, CTO and founder of Abine, a provider of privacy tools based in Boston. This has created catch-22 situation for the average user. Take Javascript and Flash. They have become standards to deliver rich online experiences, but they are also the backdoors through which tracking code is planted on your machine for fingerprinting.
Abine, which offers tools like DeleteMe and DoNotTrackMe, is one company among several that have been working on a solution to the fingerprinting problem—but even they admit we’re not there yet. The only simple step you can take to defend yourself is to use proxy services that change and therefore hide your real IP address—the No. 1 identifier in the absence of cookies. However, that alone is not enough, as trackers have become much better at identifying users without their IP address. So the arms race will continue.
In the meantime, here are a few tips on how to keep your searches for problems, pet peeves, pills, and porn from becoming a matter of public record:
- Use an anonymous search engine that doesn’t track you, like startpage.com (or eu.startpage.com, which only uses EU servers), duckduckgo.com, or ixquick.com. Startpage, by the way, is a Dutch company and thus not under U.S. jurisdiction like DuckDuckGo, which means they cannot be forced to turn over the meager records they might have.
- If you insist on using Google or another one of the big guys, at least make sure you’re logged out from your Google or Gmail account in the same browser. Better yet, conduct searches only in a separate browser and use a VPN service such as PandaPow or Overplay to hide your IP address, plus use a blocking extension for your browser such as Disconnect or Ghostery to prevent hundreds of third parties from following you around the web from searches to results.
- Consider using Tor (and Torbutton), which has elements designed specifically to prevent fingerprinting.
You don’t have to stand for search engine tracking. Use these tools and practice good digital self-defense to protect your anonymity online.
Art by Jason Reed