Trying to understand privacy in the Snowden era
August 15, 2013 8:03 PM Subscribe
What identifying info does your laptop send?
You buy a laptop with cash at Best Buy. You set it up minimally, say with a browser, without going online.
Then you go to a coffee shop, hop on its network, and browse a few sites without signing in to any. What identifying information have you broadcast? How, exactly, can this info identify you?
You buy a laptop with cash at Best Buy. You set it up minimally, say with a browser, without going online.
Then you go to a coffee shop, hop on its network, and browse a few sites without signing in to any. What identifying information have you broadcast? How, exactly, can this info identify you?
Your mac address is broadcast locally, so if the coffeeshop is storing access logs, that will be there.
posted by empath at 8:19 PM on August 15, 2013
posted by empath at 8:19 PM on August 15, 2013
Check out Panopticlick for some background on how unique your browser might be.
posted by nostrada at 8:21 PM on August 15, 2013 [2 favorites]
posted by nostrada at 8:21 PM on August 15, 2013 [2 favorites]
The specific scenario you're describing (new laptop bought with cash, set up a new browser, go online at a coffee shop) doesn't broadcast any identifying information about you ... yet. But it does broadcast a unique signature via its network card address (MAC address) as well as the specifics of its browser configuration.
Now, what are you going to do? Just browse the web without logging in anywhere? No problem.
Check email? Boom, you're now associated with your past history.
Check your bank accounts? Library books? Log in to Facebook? Twitter? Any login associates the new laptop profile (the unique signature) with you and now counts as identifying information.
To a limited extent, you can sanitize your history by clearing cookies routinely, using private browsing, blocking local storage on Flash ("Flash cookies") and Silverlight, using different browsers (Chrome and Firefox, say) for Facebook vs your bank - but if someone is determined enough, they can always track you online.
On the other hand, no one cares enough about your browsing to bother tracking you. Probably.
posted by RedOrGreen at 8:37 PM on August 15, 2013 [1 favorite]
Now, what are you going to do? Just browse the web without logging in anywhere? No problem.
Check email? Boom, you're now associated with your past history.
Check your bank accounts? Library books? Log in to Facebook? Twitter? Any login associates the new laptop profile (the unique signature) with you and now counts as identifying information.
To a limited extent, you can sanitize your history by clearing cookies routinely, using private browsing, blocking local storage on Flash ("Flash cookies") and Silverlight, using different browsers (Chrome and Firefox, say) for Facebook vs your bank - but if someone is determined enough, they can always track you online.
On the other hand, no one cares enough about your browsing to bother tracking you. Probably.
posted by RedOrGreen at 8:37 PM on August 15, 2013 [1 favorite]
A new area of research is deanonymization. For example, the majority of Americans can be uniquely identified using only three bits of information: ZIP code, birthdate, and sex.
Let's say I've kept a large database of your search and browsing history from before you bought the laptop, and I've associated this with your identity. Chances are you'll visit the same sites when you get the new laptop, and use some of the same search terms.
If you revisit enough of the same web pages, especially less-popular ones (say, your friend's blog, or your own MeFi profile) I can eventually guess who you are by correlating your anonymous behavior with your past behavior. Especially if I can estimate your location (via your IP address).
Not to say this is done routinely today, but once you capture the data you could do the analysis at any time in the future.
posted by RobotVoodooPower at 9:13 PM on August 15, 2013 [1 favorite]
Let's say I've kept a large database of your search and browsing history from before you bought the laptop, and I've associated this with your identity. Chances are you'll visit the same sites when you get the new laptop, and use some of the same search terms.
If you revisit enough of the same web pages, especially less-popular ones (say, your friend's blog, or your own MeFi profile) I can eventually guess who you are by correlating your anonymous behavior with your past behavior. Especially if I can estimate your location (via your IP address).
Not to say this is done routinely today, but once you capture the data you could do the analysis at any time in the future.
posted by RobotVoodooPower at 9:13 PM on August 15, 2013 [1 favorite]
Panopticlick: a demonstration from the EFF which shows how you uniquely you can be identified with very little information at all.
posted by devnull at 4:20 AM on August 16, 2013 [1 favorite]
posted by devnull at 4:20 AM on August 16, 2013 [1 favorite]
Best answer: Since "buying a laptop with cash" was mentioned as a privacy technique, it's important to understand that this technique isn't really as effective as it once may have been.
Let's say that, in your scenario, your postings in the coffeeshop cause someone to really want to identify you. The first step may be to get the laptop's MAC address from the coffeeshop's wifi router logs. The MAC address is basically a manufacturer-assigned serial number, so the store where the laptop was sold can be identified.
You went to Best Buy, so they certainly have digital video cameras throughout the store and at the point of sale. The point of sale videos are probably retained for about 90 days so that they can assist with fraud investigations. The video from the other cameras in the store is probably retained for a minimum of 14 days. The store will know when the laptop was sold, and now your picture is tied to the laptop. If you drove to the store, a camera in the parking lot may have captured your license plate, and you're now identified.
But let's say you walked to the store. Did you have your cell phone on? The cellular companies keep of log of which phones are in the vicinity of which tower, and they keep those logs for up to a year. Did you have your cell phone on in the coffeeshop too? It's now an easy database search to identify all cell phones that were near Best Buy at the time of purchase, all cell phones that were near the coffeeshop at the time of posting, and which cell phones are on both lists. If there's only one phone on both lists, you're identified. If there's only a few cell phones on the list, then armed with your picture, it's trivial to knock on each cell phone owner's door and see if the person who answers the door matches the picture. Or the investigator could just save himself some shoe leather and simply check Facebook. You are now identified.
All of this is potentially within reach of a private investigator, if they bother to cultivate the right informants at the cell companies.
posted by ParticularIndividual at 8:14 AM on August 16, 2013 [2 favorites]
Let's say that, in your scenario, your postings in the coffeeshop cause someone to really want to identify you. The first step may be to get the laptop's MAC address from the coffeeshop's wifi router logs. The MAC address is basically a manufacturer-assigned serial number, so the store where the laptop was sold can be identified.
You went to Best Buy, so they certainly have digital video cameras throughout the store and at the point of sale. The point of sale videos are probably retained for about 90 days so that they can assist with fraud investigations. The video from the other cameras in the store is probably retained for a minimum of 14 days. The store will know when the laptop was sold, and now your picture is tied to the laptop. If you drove to the store, a camera in the parking lot may have captured your license plate, and you're now identified.
But let's say you walked to the store. Did you have your cell phone on? The cellular companies keep of log of which phones are in the vicinity of which tower, and they keep those logs for up to a year. Did you have your cell phone on in the coffeeshop too? It's now an easy database search to identify all cell phones that were near Best Buy at the time of purchase, all cell phones that were near the coffeeshop at the time of posting, and which cell phones are on both lists. If there's only one phone on both lists, you're identified. If there's only a few cell phones on the list, then armed with your picture, it's trivial to knock on each cell phone owner's door and see if the person who answers the door matches the picture. Or the investigator could just save himself some shoe leather and simply check Facebook. You are now identified.
All of this is potentially within reach of a private investigator, if they bother to cultivate the right informants at the cell companies.
posted by ParticularIndividual at 8:14 AM on August 16, 2013 [2 favorites]
Response by poster: Thanks all -- every answer contributes something. I marked the previous as best because, sadly, it captures the biggest picture and confirms all I knew.
Admiral Poindexter expressed this most forcefully. He was eased out, but he got it. "Capture everything," said Poindexter. "We'll figure out how to use it later."
It reminds me of the old cop joke: "You want me to tell you who did it? No, you tell me the who. I'll tell you the why, when, where, and how."
posted by LonnieK at 7:48 PM on August 16, 2013
Admiral Poindexter expressed this most forcefully. He was eased out, but he got it. "Capture everything," said Poindexter. "We'll figure out how to use it later."
It reminds me of the old cop joke: "You want me to tell you who did it? No, you tell me the who. I'll tell you the why, when, where, and how."
posted by LonnieK at 7:48 PM on August 16, 2013
This thread is closed to new comments.
And then they start tailoring the ads they send you based on what your browsing habits suggest about you.
posted by Chocolate Pickle at 8:09 PM on August 15, 2013