Incognito Mode
When you're using incognito or private browsing mode on Safari, Internet Explorer or Chrome, your browsing history might not be as anonymous as you think, according to two researchers. Ben Fearnow

Two German researchers at the Def Con 2017 hacking conference this week demonstrated that your web browser’s incognito or private mode is easily bypassed by companies and advertisers.

Presenting their research at the Las Vegas Def Con conference Monday, Svea Eckert and Andreas Dewes exposed the façade of online anonymity and private browsing by acquiring the exact clicking habits of more than three million German citizens without their knowledge. The presentation demonstrated how easily and how often companies log every website you’ve ever visited – data referred to as a “clickstream” – in order to improve targeted advertising.

The two said that 95 percent of the personal click data they obtained came from 10 popular browser extensions, which companies commonly and easily use to tie people’s surfing habits to their real-life identities. Their research also uncovered a German judge's porn preferences and a German MP's medication orders.

"What these companies are doing is illegal in Europe but they do not care," Eckert told the BBC Monday at the annual conference.

The pair unveiled the steps they took to obtain a database containing more than 3 billion URLs from three million German users, spread across 9 million unique sites. Among the findings was the ominous conclusion that it’s actually easier for companies to get hold of your web browsing information and click habits through legal algorithms than by buying it from third-party data and marketing groups.


Eckert, a journalist, and Dewes, a data scientist, acquired users’ personal data by first creating a fake marketing company, complete with a LinkedIn presence, Facebook pages and “many nice pictures and marketing buzzwords” to attract more people to the site itself. Posing as a marketing company that claimed to have developed a sophisticated machine-learning algorithm, they simply reached out to companies to test what they could glean from their data stockpiles.

"The public information available about users is growing so it's getting easier to find the information to do the de-anonymization,” Dewes told the BBC.

Fake Marketing Company Exposes Millions Of Users' Private Browsing Histories

The German data was apparently harder to come by than that of Americans and those in the U.K.

“We wrote and called nearly a hundred companies, and asked if we could have the raw data, the clickstream from people’s lives,” Eckert told The Guardian. “We often heard: ‘Browsing data? That’s no problem. But we don’t have it for Germany, we only have it for the US and UK,’” she said.

Companies eventually just gave them the data for free and let them test their fake AI advertising platform, the two explained. And while it was supposed to be an anonymous set of internet users, they were soon able to de-anonymize these people’s daily online habits.

“What would you think,” asked Svea Eckert, “if somebody showed up at your door saying: ‘Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month’? How would you think we got it: some shady hacker? No. It was much easier: you can just buy it.”

The “safe surfing” tool Web of Trust even updated its browser plugin and privacy policy after Dewes and Eckert initially published their findings in a March paper.

The two are pushing lawmakers in Europe and the public abroad to debate and adopt policies curbing the ease and scale with which companies can legally, or perhaps just unethically, track users’ seemingly “anonymous” browsing habits.

"This could be so creepy to abuse," Eckert told the BBC. "You could have an address book and just look up people by their names and see everything they did."

After they published their research, the two deleted their own data collection in order to avoid being hacked themselves.