B3RN3D

Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.

Privacy Controls as a Fingerprinting Attack

Privacy-conscious websites and applications often give you privacy controls, such as opting out of having your browsing habits used for statistics, or choosing whether to share your profile information. If you’ve already done your job to ensure that you are not sharing any sensitive information, these pseudo-privacy controls may put you at a high risk of being labeled a suspicious account.

How Privacy Controls Actually Work

Let’s take, for example, a forum where you can change your settings so that your information is not included in the anonymized statistics gathering. Does that mean that your activities will not be tracked now that you have clicked the opt-out check box? In most cases, all this means is that your activities will not be used for statistics and reporting, but your activities will continue to be logged.

In many cases, what happens in the backend is that an “opt-out” value is assigned to your user account. A database contains your account information, your settings, and then a single True or False value dictating whether you’ve opted out. A simple query of this database will return all users in the system who have decided to opt out.

One specific example is the popular Simple Machines Forum which retains a value in the database named “private.” This is just an integer that controls the various levels of privacy control on your forum profile.

if (isset($modSettings['smfVersion']) && $modSettings['smfVersion'] <= '2.0 Beta 1')
{
  upgrade_query("
  UPDATE {$db_prefix}custom_fields
  SET private = 2
  WHERE private = 1");
}

Enabling the Privacy Zealot Flag

The problem, as you can see, is that you are vulnerable to a type of fingerprinting attack. If law enforcement wanted to find the highest-risk accounts on a system, they would not want to weed through thousands of accounts or use expensive analytical software. They will partition the accounts by the simplest means available, one of which is selecting the users who have decided to opt out or have enabled the various privacy features.
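To see how much a single flag narrows the pool, here is an added example (not from the original post and not SMF code) that measures the anonymity set left by each combination of settings. The table and column names (members, opt_out, js_enabled) are hypothetical and the account data is constructed.

```python
import math
import sqlite3

# Constructed sample: 1000 accounts, 12 opted out, 3 of those also disable JavaScript.
# Table and column names (members, opt_out, js_enabled) are hypothetical.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, opt_out INTEGER, js_enabled INTEGER)"
    )
    rows = []
    for i in range(1, 1001):
        opt_out = 1 if i <= 12 else 0
        js_enabled = 0 if i <= 3 else 1
        rows.append((i, opt_out, js_enabled))
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", rows)
    return db

def anonymity_sets(db, columns):
    """Group accounts by the given settings columns. For each combination return
    (group size, bits of identifying information that combination reveals)."""
    allowed = {"opt_out", "js_enabled"}  # whitelist: names are interpolated into SQL
    if not columns or not set(columns) <= allowed:
        raise ValueError("unknown column")
    total = db.execute("SELECT COUNT(*) FROM members").fetchone()[0]
    cols = ", ".join(columns)
    query = f"SELECT {cols}, COUNT(*) FROM members GROUP BY {cols}"
    result = {}
    for row in db.execute(query):
        *values, size = row
        # Surprisal: log2(total / size). Smaller groups reveal more bits.
        result[tuple(values)] = (size, round(math.log2(total / size), 2))
    return result

if __name__ == "__main__":
    db = build_db()
    for cols in (["opt_out"], ["opt_out", "js_enabled"]):
        print(cols)
        for combo, (size, bits) in sorted(anonymity_sets(db, cols).items()):
            print(f"  {combo}: {size} accounts, {bits} bits")
```

In this constructed data set, leaving the default costs almost nothing, while opting out places the account in a group of 12, and opting out with JavaScript disabled places it in a group of 3.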

Target Selection

The concept of specifically targeting users concerned about privacy, and labeling them potential subjects, is nothing new. We’ve heard it happen with journalists, activists, and especially pregnant women. If you haven’t read it yet, check out the article “Here’s what happened when I tried to hide my pregnancy from the Internet and marketing companies,” about what happens when you actually go through all the steps to protect your privacy.

Defense

Why opt out? Ask yourself, “What does this privacy feature actually do?” In most cases, the anonymous statistics that a web application collects are less of a risk to your privacy than the possibility that your account will be given the “privacy zealot” flag. Your first goal when trying to maintain your anonymity and defend against similar attacks is to do everything you can to not become a target of interest. This includes:

  • Not enabling any settings on your account that may make you look concerned about your privacy
  • Keeping your browser configuration similar to other users of that system (e.g. JavaScript enabled, common UserAgent)
  • Being aware of phrases that could make you a target. Check out the list of NSA keywords to see the types of words they key in on.