Mozilla researchers say browser history is enough to identify a user

At the USENIX conference, Mozilla researchers said that advertising campaigns would suffice information from the user’s browser history (50-150 favorite sites) to build a reliable profile of this person.

In essence, the analysis carried out by experts dispels the myth that browsing history, even anonymous one, is completely useless for online advertisers and analysts.

This analysis is a kind of continuation of another academic study published back in 2012.

“At the time, the study was one of the largest user privacy analysis projects, and for its preparation, a team of experts collected and analyzed the browser history of more than 380,000 people”, – said Mozilla experts.

For example, between January 2009 and May 2011, researchers asked users to visit a test site, which used CSS code to determine which sites from a pre-prepared list of 6,000 domains visited participants of the experiment. Then was found out that 97% of users’ browser history contained a unique set of sites, which ultimately made it a reliable vector for fingerprinting.

What’s more, when participants were asked to visit the test site again, the experts were able to re-identify users the first time, based on their browser history. The accuracy rate was 38% when the researchers relied on datasets containing the 50 most popular user domains and 70% when they analyzed datasets with 500 domains.

Let me remind you that also recently Mozilla explored security of video conferencing applications.

Now Mozilla researchers set out to check what has changed since 2012 and whether browser history remains a solid foundation for fingerprinting. The new experiment ran from July 16 to August 13, 2019, with Firefox users participating. More than 52,000 people agreed to participate in the study and provided anonymous data of their browsers.

“Since this time the information was taken directly from Firefox, rather than through a dedicated web page with CSS, the data was more accurate and reliable. In addition, almost all modern analytical companies collect such information about users (through affiliate programs, mobile applications, advertising, and so on)”, – told in Mozilla.

The data collection was carried out in two stages: during the first week, users shared their browser history, and in the second week, Mozilla checked whether they could re-identify these people.

In total, the Mozilla team collected data on 35,000,000 sites visited across 660,000 unique domains. In doing so, it turned out that in 99% of cases, browser histories were unique for each user. This uniqueness allowed researchers easily identify users again in the second week of the experiment.

At the same time, the accuracy of “recognition” was higher than in the 2012 study.

“The re-identification rate was almost 50% for datasets containing 50 domains, and when the dataset was expanded to 150 domains, the re-identification rate rose to 80%”, – write the experts.

Considering said above, the researchers conclude that analytic firms and advertising companies do not need long lists of browsing history data at all. Users are betrayed by their favorite sites, even if the data is anonymous and the URLs are cut to remove usernames and leave only the main domains.

By the way, let me remind you that Mozilla Offers $5,000 of reward for bypassing Firefox protection.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Check Also

three Iranian hackers

US Department of Justice accuses three Iranian hackers of hacking aerospace companies

The US Department of Justice has filed charges in absentia against three Iranian hackers suspected …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.