Is your browser leaking your online secrets? Could it be letting your Rule 34 train obsession out of the bag, without even an inkling of remorse? And if it is, how on earth would you know?
We place an incredible amount of trust in our internet browsers. We look at all manner of personal and private information in the full knowledge that some identifying aspects are being stored. Most agree to the storage to keep their internet browsing easy and to keep their services free.
But are browsers keeping their end of the deal? Which browsers maintain your inner sanctum, and which are more akin to a desperate, leaky tap? Let’s take a look.
What Your Browser Knows about You
Your browser maintains a steady stream of personally identifying information that can be easily accessed by other websites. The vast majority of the time, you’re being tracked around the web so that those free services we already spend countless hours on can provide vastly more personalized advertising. Your browser will usually provide the following information, without much prodding:
- Location: The provision of your location seems relatively obvious. Most browsers have a built in geolocation API that websites and other services will use to determine which version of a site to serve to you. In other cases, it’ll determine that the service you’re attempting to use is unavailable at that location, such as BBC iPlayer or Netflix. Most services just want to gauge which country you’re accessing the internet in, and as such you’ll see search results like this:
I am nowhere near London. I am, in fact, 311 miles (500km) west of that location, but using a cloud internet service in a bar (yes I am aware I’m in a bar at 9am. Bottomless coffee, anyone?). Geolocation APIs may be able to ask for a location, but they won’t always be accurate, and certainly will not be as accurate as information provided by your smartphone, which has GPS tracking.
- Hardware and Software: Your browser will provide information about your system hardware and the software you have installed. This is to ensure the website served actually suits your device. As well as this, it will reveal your installed extensions and add-ons so the site or service provider can decide how to interact.
- Connection: Some websites and services will request your connection information. Again, this is to determine which website content to serve you. Streaming services will use this data to dynamically alter the stream you’re viewing.
- Social Media: As I’ve already mentioned, your social media accounts will track you around the internet. As the vast majority of social media sites are free, funded by advertising, it is in their owners’ interest to continue this practice.
You might not mind being tracked around the web, but it can cause problems. For instance, if you leave Facebook logged in, and head directly to a site offering nefarious wares or adult content, the social media sites will make a log of this. Now, due to their own advertising rules, your screen won’t be emblazoned by naked ladies, or festooned by adverts for your local cannibalism groups — but that log will not disappear.
- Gyroscope: This only really applies to mobile devices, but your browser still sends this information out even when using a laptop or desktop computer. The only difference is with laptops and desktops certain results will be returned falseor null.
Interestingly, your browser can (disturbingly?!) assess if your device is currently in hand, or on a table.
This information was easily located using What Every Browser Knows About You, a site designed to illustrate the ease that this information can be found. This website is built with this in mind, and does come with a number of useful suggestions as to how you might cover your online tracks just a little more. It isn’t the only webpage you can use to assess what basic information you might be leaking. TryPanopticlick to see if your browser is safe against tracking:
As the caption states, the site cannot measure each and every method and variant of tracker. Some are complex, subtle, and in all honestly, don’t want you to know you are being tracked. What makes this site interesting is its browser fingerprint logging. My browser “appears to be unique among the 129,859 tested so far.” Now, 129,859 is a drop in the ocean. Google alone estimate their Chome browser has over 1 billion users. That is 0.0001% of just Chrome users. But it illustrates the ease of identifying individual users via their browsers.
Are All Browsers Made the Same?
In a word, no. But not necessarily for the reasons you think.
Way back, when the internet was just a series of tubes, Internet Explorer ruled the browser roost, bossing around anyone with ideas about internet access. After schoolyard fights, and bruised egos, Microsoft eventually had to admit that they had somewhat monopolized the market. Somewhat. The answer was to introduce a delightful new screen to the mix, advising users that there were, in-fact, other browsers available, and that Internet Explorer wasn’t god’s (Bill Gates) gift to the world.
This, of course, changed things.
You see, during the time of Internet Explorer dominance, any nefarious individual who wanted to extrapolate private and personal information from a user would, in many cases, simply find an exploit in Internet Explorer, and do their worst (or best, depending on how you look at it). Being the number one browser throughout the world made Internet Explorer the main target.
Roll on a few years and Google Chrome, Mozilla Firefox, Opera, Safari, Comodo Dragon, Maxthon, and a host of other browsers (including the new Microsoft Edge) have firm followings throughout the online community. In fact, in April 2016, Google Chrome actually finally overtook Internet Explorer as the most used browser in the entire world, potentially marking the beginning of what I expect to be a very long denouement for an unfortunate stalwart in the history of internet browsers.
Depending on where you get your figures from, this may have actually taken place in April 2011, some five years before the information I have linked above.W3Schools, who measure browser statistics and trends each and every month believe this to be the case.
Anyway, I digress.
Add-ons, Extensions, Plugins, and More
The new wave of browsers brought forth a torrent of shiny new add-ons, extensions, plugins, applets, and more, with the aim of streamlining and expanding our internet browsing options. Where Internet Explorer had an extremely limited number of additional browsing options, the new browsers encourage users to download and use these extensions, most of which can be added with a couple of button presses.
Their arrival and widespread use created another potential vulnerability. As many extensions require access to the common data we’ve listed above, as well as more personally identifying information, if their security practices aren’t up to scratch regular users can easily see their personal data leaked. Of course, this is exactly what happened.
Researchers for anti-scraping and IT security specialists, ScrapeSentry, discovered a free app which was leaking personal information back to single IP address, located in the USA. The Google Chrome extension, Webpage Screenshot, was downloaded by over 1.2 million people and was located after the company “identified an unusual pattern of traffic to one of our client’s sites which alerted our investigators that something was very wrong.”
But Browsers Have Other Leaks
Aside from the “regular” data provisions requested by the myriad websites we visit, browsers are known to leak all manner of personal data.
For instance, in early 2016 security researchers at Canada’s Citizen Lab found the web browser provided by Chinese web-giant Baidu was leaking monumental amounts of information. They concluded that:
“[it] collects and transmits a lot of personal user data back to Baidu servers that we believe goes far beyond what should be collected, and it does so either without encryption, or with easily decryptable encryption”
The version of the browser developed for Windows systems was found to leak search terms, hard drive serial numbers, network MAC addresses, webpage titles, and even GPU model numbers. As well as this, browser updates arrived without code signatures, meaning they could be hijacked, injected with malicious code, and forced to execute. Furthermore, the browser development kit is used in thousands of applications used around the world, so the issue wasn’t limited to just Chinese users.
Singling out Baidu isn’t fair.
Google’s Chrome browser ran into issues when its Incognito Mode — designed to use a separate browsing session to isolate and then delete session information on termination — accidentally exposed pornographic material by storing images in a physical memory cache. The incident in question saw adult images displayed at theDiablo 3 loading screen, and the user in question found that information not erased from physical memory could be accessed by other applications, specifically Nvidia GPU’s.
Everyone’s favorite browser-come-punching-bag, Internet Explorer, is no stranger to data leaks. On numerous occasions over the years the Microsoft-developed browser has been exposed, to varying degrees. In 2014, Internet Explorer users, especially those using XP, were exposed via a memory leak. In 2012 Internet Explorer was subject to a mouse tracking issue which allowed attackers to document mouse movements on vulnerable systems (though Microsoft continually refuted this). Even the newly minted Microsoft Edge browser has experienced personal data leak issues via a poorly coded integrated PDF Reader.
Worse than a Leaky Tap
It seems our data is consistently up-for-grabs. Tim Libert, a privacy researcher at the University of Pennsylvania, published peer-reviewed research that sought to quantify the numerous privacy comprising features we encounter across the one million most popular websites in the world.
“Findings indicate that nearly 9 in 10 websites leak user data to parties of which the user is likely unaware.”
To put it plainly, there is a 90% chance the website you just visited will forward your user data to another site. While this isn’t the same as leaking personally identifying information, mass tracking is still a massive problem as it indicates the vast majority of websites are ignoring their user’s “Do Not Track” requests.
As it stands, most internet users do not realize their actions are being tracked, and that the information is being stored.
If you want to stop the leaking, the tracking, the cookies, and more, you do have a few options. Browser extensions such as Ghostery, NoScript, Disconnect, and uMatrix can provide users some vital relief from data tracking. However, at the end of the day, if there is a massive vulnerability or critical browser issue, your data will be leaked, almost regardless of your actions.