MIT: Your private browsing leaks tons of data, but we might have the answer

New privacy-boosting framework called 'Veil' unveiled by MIT researchers

By now, everyone should know that 'private browsing' modes on web browsers are anything but private.

Indeed, the researchers at the Massachusetts Institute of Technology (MIT) Computer Science and Artificial Intelligence Laboratory claim that such modes still leak data like DNS cache, file system info and "on-disk reflections of RAM such as the swap file".

In other words, private browsing modes don't prevent Google and other online snoops from adding your private browsing activities to their great, big database of all of your web browsing history.

But in a new research paper, Veil: Private Browsing Semantics Without Browser-side Assistance, the researchers suggest a solution to the privacy problem that they call Veil.

It acts as a framework that puts the duties of privacy into the hands of a website rather than leaving a browser's privacy tech to try and do all the heavy lifting.

In a nutshell, users can simply navigate to the Veil website and enter the URL of the site they want to visit from there. What looks like a simple web page is, in fact, taking care of all manner of encryption and data masking processes in the background.

Once HTML and CSS files are passed through a compiler, Veil creates a URL loaded with encryption that can't be linked to the website's original URL. The compiler then sends web page objects to the service's "blinding servers".

From there, web page data is sent to the user with mutated content in HTML, CSS and JavaScript. That content ends up in the user's browser, where the original content of the web page is restored so that it looks to the user as it normally would; only at a code level does it have data in it to make every web page served up through Veil look unique.

At no time has the user typed the URL for the website they are visiting into the browser, so it can't hoover up their data. And data from the web page is kept in memory for the time it's being browsed with Veil, which uses some coding wizardry to prevent the system from caching the web page, therefore keeping it out of the data collection of browsers.

For added levels of privacy, users can request that Veil only sends them a dumb graphic of the web page they are requesting, to prevent any executable code from popping up in their browser and thus removing the chance of any data leakage.

When a user clicks on part of what is essentially an image of a web page, Veil records the click coordinates and pipes them to the blinding server, which in turn contacts the web page's server, meaning all web page rendering takes place server side rather than on a client machine.

So for people after an extra dose of privacy, Veil looks like a pretty decent service. But there are some shortcomings, because life ain't that peachy, chaps.

Website operators will need to have the extra infrastructure to handle the back and forth with Veil. And Veil-compatible versions of web pages will be needed.

For websites priding themselves on high levels of privacy, this shouldn't be too much of an issue. But for those who don't give a hoot, adding in extra infrastructure will be a headache for web administrators that they'd likely want to do without.

Then there's the question of who operates and maintains the blinding servers; will it be a group of privacy advocates, a for-profit firm, or the collective responsibility of websites wanting to get involved in Veil?