Seeking Serendipity

Standalone logging of an IP address might be minimally invasive (and restricting standalone recording/use would be problematic for many ‘Net systems/services) but online marketing companies don’t stop there. Far from it. Additional data (correlating an IP address to a person) is not needed from “subpoenaed ISPs”. This data leaks out continually and/or can be triangulated. Any online marketer (if not every software engineer) knows this well.

I am not claiming to be an expert, nor am I stating that any particular folks are doing what I describe. That said, I don’t understand why these considerations are not receiving more attention in the current debate:

• Cloud services (e.g. portal homepage, e-mail, IM etc.) associate a person (an account) with an IP address (at a given instance in time.) Browsers, IM tools and other ‘Net applications all do this. Every use of an online application to a customized service leaks identity.
• A dirty little secret is that some companies capture customer information from online purchases (perhaps validated against authenticated credit card information; i.e. legal name) and including IP address, and sell their databases to “marketing services” companies. Tracking databases from multiple sites are merged “behind the scenes”, running triangulation algorithms (e.g. date/time/IP/cookies) to extract correlations, even extracting identity from seemingly anonymous behaviors.
• The sites one visits (and not just one’s search queries) are becoming increasingly visible to tracking. One may not have clicked on that ad, but the act of displaying it captured your IP address associated with the site you visited. It is no longer just cookies and tracking beacons that leak information; the process of including JavaScript scripts (ads, analytics, gadgets) transmits your IP address information within site/page context.

Tying an IP address to an account…

Customizing a cloud-hosted page (a search engine or news page) associates the current IP address (at a given date/time) with an account; the HTTP request over TCP/IP carries the requestor’s IP address as well as the account cookie. If this is a home page (and/or is visited regularly) this ‘leak’ is repeated, reducing DHCP/NAT obfuscations. Cloud services typically require operable e-mail address and one such small data point can be enough to leak an identity.

But I use bogus information in my accounts, surely I’m anonymous…

I suspect that most users put real information into their online accounts, but say one was cautious enough to create accounts with only bogus information. Maybe use an OpenID ‘my bogus information profile’ to ensure auto-completion doesn’t leak one correlation detail like a real phone number, because matching does not take more than that. That still might not be enough.

Marketing companies “triangulate”, be that with cookies or IP addresses…

Take the following scenario:

• One ‘anonymously’ visits www.SomeSillySite.com from their IP address. Perhaps the page has ads/analytics from a third party server that sets a tracking cookie in the browser, and/or perhaps it just records your IP address.
• One visits and purchases from e-commerce site www.SomeSeeminglyTrustableSite.com, which uses the same third party organization.
• If the second company sells its customer/transaction/log data to that third party, your original visit’s anonymity was lost.

That third party can correlate requests to its servers (along with the tracking cookie if available, or the IP address) with the pages visited on both sites, and correlate that with the transactional data to arrive at a real name/identity. You might even have called yourself ElmerFudd2008 on the e-commerce site, but chances are the name on the credit card that was authorized was a real/legal name. Companies do sell this information, and marketing database companies (with the aid of technologies for this express purpose) do this and other matching. An IP address (when combined with URL plus time) and multiple logs are merged gives away a lot.

I was first concerned when I heard about this with cookies & banner ads, since I’d incorrectly assumed that disallowing third party cookies kept one safe from such tracking. I’ll never forget the feeling of “how wrong I was” when I first learned about these behind the scenes triangulation techniques. Maybe cookies were needed when folks used dial up and logs contained ISPs IP address, and maybe today IP addresses are more effectively static, I could believe that. I have no research to base this on, but I suspect tracking is easier/worse with IP addresses than with cookies. Cookies, at least, can be regularly/automatically purged.

Monitoring what sites you browse…

Once an IP address is associated with an account/e-mail address privacy is potentially eroded. Sure, a search engine knows what you just searched for, you accept that, but who wants it knowing what sites you subsequently visit? Maybe you just browse to a site (seemingly anonymously) only for this visit to be centrally recorded, perhaps even logged against your account. Today’s JavaScript includes for analytics and ads (let alone badges and gadgets) that are showing up on more and more sites instruct the browser to connect to the third party marketing server (transferring IP address information, and possibly cookies) and giving up information. No, not every site out there has these, but every site that serves ads or tracks analytics via that marketing service. That is more than enough, and growing. The Internet is not anonymous (far from it) but centralized stores of tracking information are clearly a significant concern.

IP addresses are Personally Private Information

Chances are that full implementation of the issues/techniques mentioned here would require overwhelming data storage, manipulation and processing power. Perhaps these make it prohibitive, but I wouldn’t make that bet. They only need to be used in small targeted areas to be invasive.

I use cloud services, I visit sites w/ ads/analytics, I just assume I am tracked up the whazoo.

IP addresses combined with “all the data that accumulates (naturally or otherwise) on a ‘Net user” is most often personally identifiable information.