The Net Delusion - Evgeny Morozov [91]
But even in the absence of such tools, creative hacks will do the job just fine. A 2010 collaborative project between researchers at the Vienna University of Technology, the University of California at Santa Barbara, and Eurecom found an interesting way of de-anonymizing users of Xing, a popular German social networking site akin to Facebook and LinkedIn. Since most of us belong to a number of different social networking groups that vary according to our passions, life history, and lifestyle—for example, Save the Earth, Feed the Children of Africa, Alumni of the Best University in the World, Vegetarians of the World Unite—the probability that you and your friends belong to exactly the same groups is small (having attended the same liberal arts college in New England, your best friend may also want to save the earth and feed the children of Africa but also love Texas barbecue ribs).
Social networking sites do not usually hide lists of group members from nonmembers, so as not to erect too many communication barriers. It is thus possible to produce a nearly unique identifier, a “group fingerprint”—think of this as a list of all Facebook groups that a given user belongs to—for each of us. And the most obvious place to look for a matching fingerprint would be in our web browsers’ history, for this is where a record of all the groups—and, of course, of all other websites we visit—is kept. All it takes to steal our browser history is to have us click on a malicious link, like the one mysteriously added to RSF’s email petition, and everything we have been browsing in the last few days will no longer be private knowledge.
According to the 2010 report, producing a matching “group fingerprint” required the checking of 92,000 URLs, which took less than a minute. The researchers managed to correctly guess the identity of their target 42 percent of the time. In other words, if someone knows your Web history and you happen to be an avid user of social networking sites, she has a good chance of deducing your name. Soon, the secret police will just be able to look at the log from your favorite Internet café and learn who you are, even without asking for a copy of your passport (although that latter option is also increasingly common in authoritarian governments).
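The uniqueness argument behind the "group fingerprint" can be measured from the site operator's side. The following is an added example, not taken from the book or from the 2010 study: it uses constructed memberships and hypothetical function names to compute how many users a set of publicly listed groups singles out, and which group's member list, if hidden from nonmembers, reduces that number the most.

```python
from collections import Counter

# Constructed sample data: user -> groups joined (all names are illustrative).
MEMBERSHIPS = {
    "user_a": {"save_the_earth", "feed_the_children", "alumni"},
    "user_b": {"save_the_earth", "feed_the_children", "alumni", "texas_bbq"},
    "user_c": {"save_the_earth", "vegetarians"},
    "user_d": {"save_the_earth", "vegetarians"},
    "user_e": {"alumni", "vegetarians"},
    "user_f": {"save_the_earth"},
}

def fingerprints(memberships, hidden_groups=frozenset()):
    """Map each user to the fingerprint an outsider can reconstruct:
    only groups whose member lists are visible to nonmembers count."""
    return {u: frozenset(g - hidden_groups) for u, g in memberships.items()}

def anonymity_sets(memberships, hidden_groups=frozenset()):
    """Return {user: number of users sharing that visible fingerprint}."""
    fps = fingerprints(memberships, hidden_groups)
    counts = Counter(fps.values())
    return {u: counts[fp] for u, fp in fps.items()}

def unique_fraction(memberships, hidden_groups=frozenset()):
    """Fraction of users whose visible fingerprint matches nobody else."""
    sizes = anonymity_sets(memberships, hidden_groups)
    return sum(1 for k in sizes.values() if k == 1) / len(sizes)

def most_identifying_group(memberships):
    """Group whose member list, once hidden from nonmembers, lowers the
    unique fraction the most (ties resolved alphabetically)."""
    groups = sorted(set().union(*memberships.values()))
    return min(groups,
               key=lambda g: unique_fraction(memberships, frozenset({g})))

if __name__ == "__main__":
    print("unique with all lists public:", unique_fraction(MEMBERSHIPS))
    worst = most_identifying_group(MEMBERSHIPS)
    print("hide first:", worst,
          "->", unique_fraction(MEMBERSHIPS, frozenset({worst})))
```

In this constructed data the small niche group, not the large popular one, does most of the identifying, which mirrors the barbecue example in the text.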
It’s hardly surprising that the secret police in authoritarian regimes are excited about exploiting such vulnerabilities to fill in gaps in their databases. They may, for example, know email addresses of government opponents but not their identities. To learn their names, they could send the opponents fake emails containing malicious links that aim to steal their browsers’ histories. In just a few minutes, they’ll be able to attach names (as well as photos, contact details, and information about related connections) to their rather sparse database entries. Another problem is that social networking sites like Facebook don’t thoroughly screen external developers—those who work on all those online games, quizzes, and applications—for trustworthiness. (Until very recently, they also did not impose clear limits on how much user data such applications could have access to, regardless of their actual needs.) This means, in essence, that a smart authoritarian regime can just put together a funny quiz about Hollywood movies and use it to gather sensitive information about its opponents. This is a nightmarish scenario for activists who struggle to keep their connections hidden from authorities; obviously, if the government knows all the Facebook friends of its fiercest political opponents, it would be silly not to pay close attention to their online activities, too, as there is always a good chance they also pose a threat.
Nor does it help that in their ill-conceived quest for innovation, technology companies utterly disregard the contexts in which many of their users operate, while significantly underestimating the consequences of