“Your entire life is online – and it might be used against you.”
That is the message of a popular viral video produced by the Belgian Federation of the Financial Sector (Febelfin), which has so far been seen by more than one-and-a-half million people.
In it, members of the public are invited to a very special mind-reading conducted by a charismatic grey-haired mystic called “Dave”. As the ham actor gets into his stride, more and more compelling information about the lives of his clients is spilled onto the table:
“I see a school in Antwerp”... “A house for sale”... “Your best friend’s name is Julie”... “Interesting love life – I see, three? Four people?”
But Dave leaves the best until last: “I see a negative [bank] balance”... “Last month, you spent €200 on alcohol”... “€300 on clothes”.
And then he reads out their bank account numbers, before the secret of his mind-reading power is revealed: a room full of computers operated by balaclava-clad hackers who (supposedly) had been feeding the information to the phony mind-reader in real time.
The video was intended to warn people against making available excessive amounts of what ought to be private information about themselves online, and the ease with which such data can be used to break into email addresses, commerce sites and, ultimately, bank accounts.
But Febelfin might just be wasting its time. Many people remain blasé about publishing the intimate details of their life online and, across the world, online privacy is under attack – from commercial organisations that want to know all there is to know about their customers, to governments that want to know everything that their citizens might be getting up to, online or offline.
Do be evil
Ironically, perhaps, it is YouTube owner Google – motto: “Don’t be evil” – that has drawn most criticism for repeated infringements of privacy. This summer, Google was fined a record $22.5m (£14m) by the US Federal Trade Commission for hacking its way around poorly implemented privacy settings in Apple’s Safari web browser.
Jonathan Mayer, a graduate student in Computer Science and Law at Stanford University, was one of the researchers who uncovered Google’s violation of US privacy laws. Mayer has specialised in researching “third-party web tracking”.
“When I say third-party, I mean websites that a user is not interacting with, such as an ad network or a social network,” says Mayer.
Such tracking might be done via a combination of cookies, which can be used to make a user’s browser uniquely identifiable, and the intelligence embedded within an advert or even just some of the buttons that enable a user to “like” an article or to publicise it over a social network such as Twitter.
With adverts served by an advertising network and such social networking buttons present at almost every website, intelligence-gathering companies – whether advertising networks or social networking companies – can start to put together complete profiles of users. Indeed, both Google and Facebook are also among the web’s biggest advertising companies.
“One of our projects involved trying to understand which companies were placing cookies in Apple Safari. So, we bought advertising of our own and included code in the ads that we bought that measured what cookies seemed to be in place in end-users’ browsers,” says Mayer.
The advertising appeared only for users of Safari running on Apple’s iOS mobile operating system and looked at which advertising companies had tracking cookies in place.
By default, Safari has its privacy option switched on, which restricts the setting of third-party cookies based on domain names. If, for example, someone were to visit the Computing.co.uk website, a cookie from Computing would be permitted, but one from an advertiser would be blocked.
However, when Apple updated Safari, it made a number of architectural amendments, on the legitimate grounds of usability, that enabled third-party web trackers, including Google, to get round its settings.
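As an added illustration (not code from the article, from Safari or from the researchers), the domain-based rule described above can be sketched as follows: a cookie counts as first-party when its host shares the visited page's registrable domain, and as third-party otherwise. The `.example` host names, the two-entry suffix list and the function names are constructed assumptions.

```javascript
// Added illustration of "allow the visited site's cookies, block other domains' cookies".
// Tiny stand-in for the Public Suffix List (assumption; browsers use the full list).
const SUFFIXES = ["co.uk", "example"];

// Registrable domain ("site") of a host, e.g. www.computing.co.uk -> computing.co.uk.
function siteOf(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (SUFFIXES.includes(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // unknown suffix: treat the whole host as the site
}

function isThirdParty(pageHost, cookieHost) {
  return siteOf(pageHost) !== siteOf(cookieHost);
}

// Constructed sample: pages visited and the hosts that tried to set a cookie on each.
const VISITS = [
  { page: "www.computing.co.uk",
    cookieHosts: ["www.computing.co.uk", "ads.adnet.example", "widgets.social.example"] },
  { page: "news.shop.example", cookieHosts: ["shop.example", "ads.adnet.example"] },
  { page: "blog.example", cookieHosts: ["cdn.blog.example", "widgets.social.example"] },
];

// For each third-party cookie owner, list the sites where its cookie was accepted.
// An owner accepted on several sites can link those visits into one profile.
function crossSiteReach(visits, blockThirdParty) {
  const reach = {};
  for (const { page, cookieHosts } of visits) {
    for (const host of cookieHosts) {
      if (!isThirdParty(page, host) || blockThirdParty) continue;
      const owner = siteOf(host);
      reach[owner] = reach[owner] || [];
      if (!reach[owner].includes(siteOf(page))) reach[owner].push(siteOf(page));
    }
  }
  return reach;
}

// Number of cookie-setting attempts the policy lets through.
function acceptedCookies(visits, blockThirdParty) {
  return visits.reduce((n, { page, cookieHosts }) =>
    n + cookieHosts.filter(h => !(blockThirdParty && isThirdParty(page, h))).length, 0);
}

console.log(crossSiteReach(VISITS, false), crossSiteReach(VISITS, true));
```

With blocking off, each of the two constructed third-party owners is accepted on two different sites; with the domain rule applied, only the three first-party cookies remain.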