The Changing Face of Browser Histories: Understanding and Managing the Privacy Concerns of Business Browser Histories

There’s a running joke for modern times. If you were to die unexpectedly, you should have a close friend on notice to clear your internet browser history to destroy your most embarrassing and private online footprints. However, as the technology landscape continues to change, data that was once considered private now exists in an ambiguous territory. Basically, we’ve reached a point where internet users can never be really sure that what they type into search engines is completely private.

More and more, advertisers and consumer researchers are making use of data trails – and Internet providers are helping them on this mission. In fact, for many internet providers, it’s become common practice to put users’ internet histories up for grabs by selling them to advertising and market research agencies. This makes it easier for marketers to target individuals with products and services that match their specific interests.

Browser Histories for Sale: Trump Rolls Back Internet Privacy Rules

Earlier this year, President Trump signed a measure to reverse cybersecurity rules that would have required internet providers to get consent before selling consumer browser histories. The rules had not yet taken effect, but internet providers now officially have the freedom to collect and sell user data – including browser search histories.

Data collection by internet providers isn’t new. For some time, providers have already been collecting data to maintain their networks. While many providers claim they won’t use or sell personal data – like children’s information, medical records or banking details – without consent, it’s becoming clear that little bits of this sensitive information are available in browser histories.

Take for example a person who googles health symptoms they may be experiencing or an individual who googles the address and transit number of their personal bank. With browser histories up for grabs, there are serious concerns about the possibility of identifying people based on these little pieces of detailed information. Not to mention, if the information is sold to the wrong buyer, these data trails increase the risk of cyber hacks and identity theft as well.

Business Considerations: Understanding Browser History Implications for a Team of Employees

The risks that data trails pose for businesses are even more dangerous. A team of employees in a modern business office probably relies on internet searches daily. Perhaps they’re searching for work-related things like competitor and client data, or maybe they’re searching for personal things during downtime. Regardless of what they’re searching, every word that gets typed into a search engine is connected to a business’s online data trail.

This means that if an employee uses Google to get more information about a confidential company project or to try and track down contact information for a client, these search details are stored and ready to be sold. Even worse? Employees’ personal searches can make it easier for cybercriminals to create data portraits of employees. This significantly heightens the risk of identity and phishing scams, where criminals convincingly impersonate company representatives to gain further data access or steal company resources.

Quick Case Study: How a Fake German Marketing Company Scored Employer Data Trails for Free

The Guardian recently published an exposé on the browser history issue and it unveiled shocking results. Journalist Svea Eckert and data scientist Andreas Dewes, both from Germany, wanted to find out just how easy it was to collect browser history data in an attempt to identify users.

The pair ran an experiment, posing as a phony marketing company to acquire the data they were looking for. They even created a fake company website and a bogus LinkedIn profile for the company’s “CEO”. They claimed to have developed a machine learning algorithm that could improve marketing tactics but told internet providers that they needed to ‘train’ the algorithm on a large collection of data – a common request by research firms worldwide.

The pair were successful in acquiring the data and didn’t even have to pay for access as they claimed they were doing research. The team presented their findings at the annual Def Con Hacker Conference in Las Vegas. A summary of their findings is listed below:

  • After contacting several internet providers, Eckert and Dewes were able to easily acquire a database holding more than 3 million visited web addresses. That data, in turn, comprised about 9 million unique sites visited by roughly 3 million German internet users.
  • The data clearly showed different groups of internet users: first, the light users who visited only a few dozen sites over a 30-day span, and second, the heavy users – some of whom had tens of thousands of data points waiting to be examined.
  • Though the data was of course ‘anonymized’, the pair had little trouble reassembling it to create identifiable ‘data portraits’ once they dug in.
  • Identifying some users was incredibly easy simply by checking out their uniquely identifying URLs, like social media profiles or analytics searches on personal Twitter pages. This made it easy to connect certain browser histories with a specific identity right away.
  • However, even for users who didn’t have unique URL histories to tip off their identity right away, Dewes and Eckert claimed that using the data to come up with digital fingerprints made educated guesswork easy.
  • The data portraits are built using the process of elimination. Take for example an employee visiting the company’s website and then quickly checking out their bank’s website for personal finance info. If an employer has 500 employees, but only 50 of those employees use the bank in question, it makes it easier to shrink the pool of possible identities that could be linked to this browser history.
  • Then, the pair worked to shrink the identity pool even more. By checking out medical conditions, hobby interests and school websites that employees may visit during the workday, it becomes easier and easier to match specific browser histories with specific employees. The more data points that are available, the better the chances of narrowing down overlaps and the more quickly a single person can be linked to a specific history.
  • While the process may seem time-consuming and complex, it really isn’t as hard as it seems. Eckert and Dewes claim that it only takes about 10 URLs in total to be able to uniquely identify a user.
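
The process of elimination described in this case study, as an added example (not code from the article or from Eckert and Dewes): it measures, on a constructed five-record dataset, how the candidate pool shrinks with each known domain and how many domains make each "anonymized" record unique. All IDs, domains and function names are assumptions made for illustration.

```python
# Constructed sample: pseudonymous IDs mapped to visited domains (all made up).
HISTORIES = {
    "u1": {"corp.example", "bank-a.example", "school-x.example", "knitting.example"},
    "u2": {"corp.example", "bank-a.example", "school-y.example"},
    "u3": {"corp.example", "bank-b.example", "school-x.example"},
    "u4": {"corp.example", "bank-a.example", "school-x.example"},
    "u5": {"corp.example", "news.example"},
}


def anonymity_set(histories, observed):
    """IDs whose history contains every observed domain."""
    observed = set(observed)
    return {uid for uid, sites in histories.items() if observed <= sites}


def shrink_trace(histories, observed_in_order):
    """Size of the candidate pool after each additional observed domain."""
    seen, sizes = [], []
    for domain in observed_in_order:
        seen.append(domain)
        sizes.append(len(anonymity_set(histories, seen)))
    return sizes


def domains_until_unique(histories, uid):
    """Greedy count of uid's own domains needed to single them out.
    Returns None when another record contains all of uid's domains."""
    chosen, pool = [], set(histories)
    remaining = set(histories[uid])
    while len(pool) > 1 and remaining:
        # Pick the domain that leaves the fewest candidates (ties: by name).
        best = min(sorted(remaining),
                   key=lambda d: len(anonymity_set(histories, chosen + [d])))
        chosen.append(best)
        remaining.discard(best)
        pool = anonymity_set(histories, chosen)
    return len(chosen) if pool == {uid} else None


def risk_report(histories):
    """Map each ID to the number of domains that makes it unique."""
    return {uid: domains_until_unique(histories, uid) for uid in sorted(histories)}


if __name__ == "__main__":
    print(risk_report(HISTORIES))
```

A record that reports a small number is identifiable from that few domains despite carrying no name; `None` means at least one other record still covers it, so it cannot be singled out within this dataset.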

Managing Your Business’s Online Footprint: How to Strategically Protect Your Business

So, how can businesses and individuals alike better manage their browser history to avoid having sensitive and/or identifiable information sold to the highest bidder? We’ll break down how it works and explore strategies for protection below.

Breaking down the browser history file:

  • When you visit a Web site, your browser automatically saves the Web site address, or URL, on your hard drive in a history file or folder. This file/folder allows you to view a list of previously visited Web pages, without having to type the address again.
  • The size of your history file will grow as you browse until it meets the limit set by your browser. When this happens, your browser will delete some URLs, starting with the oldest. However, it should be noted that these limits, for most providers, are quite large. This means, no matter how big your browser history file becomes, it continually replenishes itself with the latest data you’ve searched.
  • These files, full of personal and identifiable information, are owned by internet providers who can then sell the data archives to marketers, advertisers, and researchers. As noted in the case study, buyers are then able to use a process of elimination to link browser histories with actual people.

Head spinning? Check out these strategies for reducing browser history risks:

  • Set Regular Browser History Purge Dates

Even though your browser replenishes itself automatically, clearing your history manually on a regular basis is a smart strategy. Not only does this keep browser history files small and harder to identify, regular browser history purges may help speed up your system as well.

Set regular dates – perhaps bi-weekly or monthly – where employees are expected to purge their search data and keep history files small. This will not only help avoid identification, but it will empower your employees to be more vigilant with their online searches at work.

  • Make Sure Personal and Work Devices Aren’t Syncing

In a modern business world, many employees use a combination of company and personal devices to get work done. On some devices, the browsing data can be synced from one machine to another, which can result in browser history files becoming larger and jam-packed with personal search data.

To make sure your team’s personal devices don’t sync with company devices, check out these tips and tricks for Google Chrome:

  • Explain the Dangers

The best way for employers to minimize the sale of browser history gold mines is to inform employees. Explain the risks to your staff members and help them understand that while internet searches may seem quick and anonymous, digital footprints are always recorded and can be used against them.

Arming your team with the knowledge they need will not only help reduce risk, it will also encourage team members to avoid making personal searches at work. This results in higher productivity, more informed team players and safe company data. Win-win.

The internet is becoming a massive and prosperous place to do business and get work done quicker. However, at the same time, the internet is becoming an increasingly public and non-private space, filled with marketers and cybercriminals, eager to get their hands on valuable data. Keeping these strategies in mind to protect your business is absolutely critical in a modern business environment. Don’t let the information highway drive your business into crisis.