Nathan Taylor reveals the critical whos and whys around internet data harvesting.

APC Australia - Software


Have you ever bothered to go into the Google, Microsoft or Facebook account settings to download your profile, which should (in theory) contain everything the company has on you? Most people will be quite shocked if they do — the amount of data the companies collect on their users is staggering. With Google, for example, every search you’ve ever performed, every result you’ve clicked on, every time you’ve logged in (and from where), every YouTube video you’ve watched, every relationship and contact you have, the complete movements of your mobile devices and more is collected and stored forever in Google’s database, unless you explicitly ask it to delete the information.

And that’s just what internet services are tracking. Lots of other organisations are looking to track your online activity and communications as well: governments, ad networks, criminals, businesses and more. So let’s break it down and look at some of the organisations that are tracking you online and why they do it.


Governments obviously have a keen interest in monitoring the communications of citizens, both foreign and domestic. Many of the world’s most devastating recent malware outbreaks came from government-sponsored skunkworks, particularly from Russia, China and North Korea, which have highly active cyberwarfare units.

The motivations of governments vary. In more authoritarian regimes it may be political, but even in democratic countries there are considerable demands from law enforcement and intelligence agencies for more power and capability to monitor communications.

As software to prevent spying has gotten better, governments around the world have started pushing back harder and harder. For many years it was mostly broad monitoring of internet communications that served the governments, with massive data centres that monitored web traffic as it traversed the internet’s backbones. As end-to-end encryption has become more prevalent, governments have turned to new methods — malware development, and legislatively enforced cooperation from communications providers and software developers.

The Australian government is no exception. In 2015 it passed data retention laws that came into effect last year, requiring that all communications network providers (such as your internet service provider, or ISP) keep metadata logs for at least two years. That is, your ISP logs every site you visit and when, and it must hand over that information on request. Recently it also introduced the draft Assistance and Access Bill, which requires all tech companies to (secretly) assist the government and crack into their customers’ communications on request.

Criminals have obvious reasons for wanting to grab your personal data — they want to make money from you. Personal data can be used for fraud and identity theft, allowing them to make purchases from your credit card for example, or sign up for new credit cards in your name. It can allow them to break into your other services and monitor your email and send spam, or to harvest the information of friends and family as well.

Personal information can also be used in spear phishing attacks, where scams and attacks get targeted specifically at you, making them seem plausible. If they learn that you use a particular bank, for example, that can make a bank phishing attack more successful.


Most of the world’s internet advertising is actually dominated by a small handful of companies. This gives them tremendous power to monitor and track a person’s internet usage. From those usage patterns they develop a user profile to deliver advertising, since targeted ads command a premium. If you visit a lot of surfing-related sites, for example, you’ll start seeing a lot of ads for surfboards appear, even when you’re not on a surfing-related website.

Here’s how it works:

1 A web page owner would like to make some money off that page, so they go to an ad network. Ad networks pay site owners for a “slot” on their page, with rates often determined by clicks or visits.

2 The ad network will provide the website owner with a bit of code that they can embed on the page. When someone visits the webpage, that code grabs an ad from the ad network, which gets loaded into the page.

3 Often a cookie gets uploaded to the visitor’s browser to indicate they visited the site. So if you’re browsing a surfing site, an ad you see will upload a cookie (called a tracking cookie) to your browser.

4 Then you visit another site, and it also has an ad in it from the same ad network as the first site. The ad code from this new site can grab the cookie that was uploaded earlier, and the cookie is updated with this second site. Now the ad network knows that you’re the same person that visited the surf site.

5 As you visit more sites, the cookie gets updated again, letting the ad network know every site you visit. From that, it can create a complete picture of your interests and likes to deliver targeted ads.
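
The five steps above as a small simulation (an added example, not code from the article). The domain names are made up, and it assumes the network keeps the list of visited sites on its own server, keyed by an ID stored in the cookie. The second run shows what the network can link when the browser refuses third-party cookies.

```javascript
// Constructed simulation: one ad network embedded on several unrelated sites.
// All names (ads.example, surfshop.example, ...) are made up for illustration.
class AdNetwork {
  constructor() {
    this.profiles = new Map(); // visitor id -> list of sites where the ad slot loaded
    this.nextId = 1;
  }
  // Handles the request made by the embed code; `referer` is the page hosting the slot.
  serveAd({ cookie, referer }) {
    const id = cookie || `visitor-${this.nextId++}`; // step 3: first visit gets a tracking id
    const sites = this.profiles.get(id) || [];
    sites.push(referer);                             // steps 4-5: same id seen on another site
    this.profiles.set(id, sites);
    return { setCookie: id, ad: `ad chosen from ${sites.length} known visit(s)` };
  }
}

class Browser {
  constructor({ blockThirdPartyCookies = false } = {}) {
    this.block = blockThirdPartyCookies;
    this.jar = new Map(); // cookie jar keyed by the domain that set the cookie
  }
  // Visiting a page runs its embed code, which calls the ad network (a third party).
  visit(site, network, adDomain = 'ads.example') {
    const cookie = this.block ? undefined : this.jar.get(adDomain);
    const res = network.serveAd({ cookie, referer: site });
    if (!this.block) this.jar.set(adDomain, res.setCookie);
    return res.ad;
  }
}

// Browse three sites and report what the ad network could link together.
function simulate(blockThirdPartyCookies) {
  const network = new AdNetwork();
  const browser = new Browser({ blockThirdPartyCookies });
  for (const site of ['surfshop.example', 'news.example', 'weather.example']) {
    browser.visit(site, network);
  }
  const lengths = [...network.profiles.values()].map((s) => s.length);
  return { visitors: network.profiles.size, longestProfile: Math.max(0, ...lengths) };
}

console.log('default browser:        ', simulate(false)); // one visitor linked across 3 sites
console.log('third-party cookies off:', simulate(true));  // three unlinked one-site visitors
```
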


Internet businesses as a whole love to gather information on their users. Any information they can get, they want — demographics, personal information, relationships, software, site activity, websites visited. Just visiting a regular website — not filling out forms or giving up personal information — gives a site your IP address, which in turn provides your general location and ISP. They know your browser and operating system. A site can upload cookies, which keep a historical log of your visits to that site.

When you start filling out forms, things can get really intrusive. Sites often ask for unnecessary information just so they can get a better bead on your personality and wants.

There are varying degrees of intrusiveness. For example, Google by default will hoover up vast amounts of information, but gives you fairly accessible tools for opting out of its data gathering. Google’s revenue primarily comes from ads attached to search results — as such it doesn’t need to gather personal information to make money off you. If you use Google Search, they’re already making money off you.

Then you have companies like Facebook whose entire business model is built on analysing your personal information to deliver targeted advertising. The opt-out features for these services tend to be more arcane and less accessible, designed to make opting out as hard as possible. Like ad networks, many of these services can also track you across multiple sites, thanks to widgets embedded in web pages (such as Facebook Like buttons) that can monitor what sites you visit and relay that information back to the company.

Of late, the European General Data Protection Regulation (GDPR) has curbed some of the worst excesses of companies, but most still gather as much as they can get away with and make it hard to be forgotten.

As with all tracking, the key is to know what kind of information you’re giving away, to understand how you can avoid giving it away, and to take measures to insulate yourself against overly nosy internet denizens.
