It was the autumn of 1999 and I was utterly stumped. A young woman, whom I didn’t know from Adam, came over to me at my debs and chatted as though we knew each other well.
She was sharing the kind of details, all PG I should stress, that meant I simply had to know her. It was casual and normal, in no way forced or trying to lead me to any conclusion other than that I had to know her.
A few minutes later the perpetrator of this brilliantly executed trick revealed himself, a long-time classmate who fed her just enough information to baffle me.
This comes to mind because this past weekend a webpage went viral. Just by clicking on it I enabled it immediately to work out where I was (Badalona, Spain, at the time), the mobile internet network I was on and my IP address.
That was just the starter course. It also accurately inferred what my typical hours online were, the operating system, browser and processors I was using and even the battery status of my phone.
Then things got really interesting. Without me telling it anything directly, it worked out that I’m bilingual (English and Gaeilge) through my language settings, how long I was away when switching between tabs and how many data points in total I had provided.
This page was nothing special. It wasn’t using anything out of the ordinary to scout my activity and behaviour. This is what you are telling a website every time you visit before consciously offering up any information yourself.
The virality of the page provided some whimsy for those working in the IT security sector. None of this was news to them in any way. Most of it is just information that browsers disclose to make a website work properly and is generally of benefit to the end-user. This enables localisation and accurate targeting of information to you.
The problem is how little the average user is conscious of this and what it says about the wider problems with their overall hygiene when it comes to online activity. While some of this automated data-gathering helps websites work better, the issue is what else can be done with it.
Most of us still think of online privacy in terms of what we actively provide, such as our name, email address, payment details and the like. Far more is handed over before even getting to this point.
All of the information shown in the aforementioned page, generally called Taken, can help to build a picture of the person online. Combining it makes it possible to identify patterns the user has.
What makes our lives convenient online can also be used for enhanced surveillance. The odds are the place you order your groceries from hasn’t got evil intent but the same basic data gathered can be used for nefarious purposes.
Language and location settings help users, making sure the right version of a page is provided or helping transport apps to guide you the right way. Browser and device data can actually help with security in areas such as fraud detection.
Unfortunately, those very same data points increase user traceability. It’s a privacy bargain the overwhelming majority of us make without thinking. A data trail is created and the tools we use have essentially trained us to think consent is an inconvenient box-ticking exercise.
The reality is we don’t even have to tick the box to provide a great deal of useful data. It might seem a touch scary, knowing the page you’re looking at is watching your every move. It’s also what makes it seamless.
The page is an emotionless actor. Part of its value to you when you go online is in understanding your habits and adjusting accordingly. The thing is this happens at scale across all kinds of analytics tools everywhere and, in the wrong or careless hands, can be used to manipulate users.
You probably reuse the same few passwords. I seriously doubt you read cookie-consent forms, and there’s a reasonable-to-strong chance you also don’t remember to separate work and personal browsing.
The basic mechanics of the web are such that you should at least be wise enough to do the last part and get far more varied with your passwords. The ship has long sailed on expecting anyone to read cookie-consent forms so I won’t try here to convince you to do that.
Everything revealed by Taken should be of no surprise to you. Of course, for many of you reading, it is a shock. The old analogy of remembering to lock your door when leaving the house as a comparison for being smarter online tends to get ignored. This is a solid reminder of just how much data you turn over without even trying.
That night at the debs was a fun joke and all was taken in good fun. The reveal of course was fundamental to that being the case. With only a small bit of specific information, the con worked brilliantly. Even less is required for any of us to be caught out online.
















