Researchers have managed to pin anonymised web browsing histories back to an individual and reveal their identity in almost three-quarters of cases.
Stanford and Princeton university researchers matched anonymous browsing histories with publicly available information on social networks like Twitter to reveal the user's identity in their study "De-anonymizing Web Browsing Data with Social Networks".
The researchers started their study with the assumption that the set of links appearing in an individual's browsing history is likely unique to a single person.
"Since users are more likely to click on links posted by accounts that they follow, these distinctive patterns persist in their browsing history," they wrote.
"An adversary can thus de-anonymise a given browsing history by finding the social media profile whose “feed” shares the history’s idiosyncratic characteristics."
They gave 374 individuals a Chrome extension that extracted their browsing history and picked out the t.co (Twitter) links to run them through a de-anonymisation program.
Within seconds, the researchers had 15 possible Twitter identities in order of probability. The subjects were asked which profile was theirs, with the algorithm spitting out the correct identity as the top candidate in the list 72 percent of the time.
In 81 percent of cases the user's profile was within that top 15 list. The more URLs in the browsing history, the greater chance of success, they found.
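The matching idea described above can be turned into a re-identification risk check for a history that is about to be shared as "anonymised". The following is an added example, not the researchers' program: the rarity-weighted overlap score is an assumption standing in for their model, and the feeds and t.co links are constructed sample data.

```python
import math

# Constructed sample data: feed name -> links that appeared in that account's feed.
FEEDS = {
    "feed_a": {"t.co/n1", "t.co/n2", "t.co/a1", "t.co/a2", "t.co/a3"},
    "feed_b": {"t.co/n1", "t.co/n2", "t.co/b1", "t.co/b2"},
    "feed_c": {"t.co/n1", "t.co/c1", "t.co/c2", "t.co/a1"},
}

def link_weights(feeds):
    """Weight each link by rarity: a link seen in few feeds is more identifying."""
    counts = {}
    for links in feeds.values():
        for link in links:
            counts[link] = counts.get(link, 0) + 1
    n = len(feeds)
    return {link: math.log((n + 1) / c) for link, c in counts.items()}

def rank_feeds(history, feeds):
    """Score every feed by the summed weight of links it shares with the history."""
    weights = link_weights(feeds)
    visited = set(history)
    scores = {name: sum(weights[l] for l in visited & links)
              for name, links in feeds.items()}
    # Highest score first; ties broken by name so the order is deterministic.
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def reidentification_margin(history, feeds):
    """Gap between the best and second-best feed as a fraction of the best score.

    Near 0: the history fits several feeds equally well.
    Near 1: the history points at a single feed and should not be
    treated as anonymous.
    """
    ranked = rank_feeds(history, feeds)
    best, second = ranked[0][1], ranked[1][1]
    return 0.0 if best == 0 else (best - second) / best

if __name__ == "__main__":
    short = ["t.co/n1", "t.co/a1"]
    longer = ["t.co/n1", "t.co/a1", "t.co/a2", "t.co/a3"]
    for label, history in (("short", short), ("longer", longer)):
        print(label, rank_feeds(history, FEEDS),
              round(reidentification_margin(history, FEEDS), 3))
```

With the two-link history the score is tied between two feeds, while the four-link history separates one feed clearly, which mirrors the finding that more URLs raise the chance of a match.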
The same approach worked for Facebook and Reddit profiles, the researchers found: Facebook identities can be linked based on likes, and Reddit identities based on comments, "albeit incompletely and with some error".
Further work to identify the user was required in cases where the user had an anonymous social network profile, however.
The study showed that "anyone with access to browsing histories — a great number of companies and organisations — can identify many users by analysing public information from social media accounts", the researchers said.
Anonymous browsing histories are sold to advertisers so they can better target their advertisements. Data brokers generally sell this information in pieces based on tracking cookies, but more valuable are complete profiles of a single, anonymous user.
To protect against advertisers and malicious actors being able to pin these full profiles back to a specific individual, the researchers recommended using the Tor browser as the strongest defence.
Ad blockers and VPN services can also help restrict the collection of browsing data, as will browsing only HTTPS sites, which mask details about visits to URLs with the HTTPS prefix.
While private modes like Google's incognito delete browser history once the window is closed, they don't block cookies and trackers from keeping a trail of a user's traffic.
The researchers' paper will be presented at the 2017 World Wide Web Conference in Perth in April.