How Anonymous is Anonymous?
With the Internet of Things, companies and researchers are finding innovative ways to collect and process data about our habits, thoughts, desires, usage and even what we search for on the internet. Take the very recent case of a professional footballer who had some relevant search history presented during his court case…
What’s that got to do with anything?
I was contacted by a friend to help with their son’s Higher Education Survey that was designed to collect some personal data to be used for analysis and help with their homework project.
The Education department had provided their internal survey engine for the student to use; all he had to do was supply the engine with questions and it would take care of the rest. All he then has to do is publicise the survey, hope it goes viral and wait for the answers to come rolling in. At that point the job of analysing the data received can begin and he completes the assignment with a gold star.
I’d alerted the friend that the survey wasn’t anonymous, however I was informed that all information is anonymous and had undergone all the basic rigour, approvals and compliance to be undertaken for protecting the data in this way…
So what’s the problem?
With any discipline, there are multiple levels of understanding of subject matter, and sometimes the “Wisdom of Crowds Mentality” takes over logical and researched thought. After all, if Alan and Amanda and their mates say it’s ok, it must be ok right? How can that many people get it so wrong?
Wrong… which is why I’ve created this blog to highlight the dangers of sharing personal information over the internet, and hopefully make you think about what is possible for a suitably motivated group of professionals.
I’d taken a look at the survey: there was some basic information on the student, then straight into the questions, and I thought “hmmm…. This is going to need some thought”… I closed my browser, returned a while later, clicked on the link that was shared on social media networks and, instead of the cover page, I was returned to the point I had last reached in the set of questions.
The old spidey senses were tingling …
If you have a top level web address (URL), i.e. mybrilliantsurvey.com/surveyname, and that page is created by some backend code, then in order to remember your last position the site needs to store a small file called a “Cookie” on your computer or smart device.
If you live in the EU and need to store data on a user’s device from a webpage, you must obtain explicit consent in accordance to the EU Cookie Directive which came into effect in the UK from 26th May 2011.
In a nutshell, all websites serving pages in the European Union have to comply with the law by clearly stating their intent to store information on your computer, and you are given the choice to accept or to navigate away from the web page itself.
Failure to comply with the law may result in a Fine or worst case Imprisonment.
In reality, the organisation or owner responsible for the web pages will get a warning if reported in the first instance to the ICO.
In fairness, the student is a consumer of IT and by no means an IT Subject Matter Expert, and in creating the survey he may or may not have been aware of the directive or the need to meet compliance. The Education Facility and its staff are responsible for ensuring their IT systems are compliant and that students are fully informed when using their applications/software. In this example, they are putting the student at risk of being held non-compliant, as he is clearly named on the form.
Clearing caches, removing cookies and using different browsers, I was able to confirm that the website does not warn me about the use of cookies prior to continuing on its information quest, and therefore is clearly in breach of the EU Cookie Law.
So what?
It’s just a cookie isn’t it?
What harm can that do?
It’s no big deal I hear you cry…
Well…
Although this survey site didn’t have any requirement for creating an account and signing in, it does store a session cookie.
The cookie contains a string…
XSRF-TOKEN XSRF_8Aab00bMA7NfegN xxxxxxxx
Which can easily be discovered by enabling Developer mode on your web browser.
I’ve deliberately masked out the URL and IP Address to ensure some privacy.
This is interesting… by manipulating the XSRF-TOKEN you are able to see any current, incomplete or abandoned session data another user has started. You can even modify that data…
Modifying cookies in this manner is one of many basic Penetration Tests that Security Consultants undertake on websites, and is commonly referred to as Cross Site Scripting or XSS for short. This enables you to hijack session data from another user without needing to authenticate yourself against the target platform.
Armed with this information and some other pieces, it was possible to perform reverse lookups that would lead to the identity of the user who entered the initial data. An explanation of how, would probably not be the wisest thing to do here…
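The two weaknesses described above (a site that remembers your position through a cookie, and a session token that can be altered to reach another user’s answers) both come down to how the server mints and checks that token. The following is an added example, not code from the survey platform or from the author: it is a constructed in-memory survey session store in which the token is an unguessable random id plus an HMAC tag, so a guessed or edited token is rejected rather than mapped to someone else’s answers, and a small check lists the hardening attributes a Set-Cookie header is missing. The cookie name, signing key and store are all assumed for the illustration.

```python
"""Session cookies that cannot be guessed or tampered with (added example).

Everything here is an in-memory illustration: the survey platform, its cookie
name and its signing key are assumed, not taken from the original post.
"""
import hashlib
import hmac
import secrets

# Hypothetical server-side signing key. In production this is a secret loaded
# from a key store, never a literal in source.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
COOKIE_NAME = "survey_session"  # assumed cookie name
REQUIRED_ATTRIBUTES = ("HttpOnly", "Secure", "SameSite")


def mint_token(key: bytes = SIGNING_KEY) -> str:
    """Return '<random id>.<mac>'; the id carries 256 bits of entropy."""
    session_id = secrets.token_urlsafe(32)
    mac = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_token(token: str, key: bytes = SIGNING_KEY):
    """Return the session id if the MAC is valid, otherwise None."""
    session_id, sep, mac = token.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    # compare_digest does not short-circuit on the first differing byte
    if not hmac.compare_digest(expected, mac):
        return None
    return session_id


class SessionStore:
    """In-memory store of survey answers keyed by the random session id."""

    def __init__(self):
        self._sessions = {}

    def start(self) -> str:
        token = mint_token()
        self._sessions[verify_token(token)] = {}
        return token

    def answers(self, token: str):
        """Answers for a valid token; None for a forged or edited one."""
        session_id = verify_token(token)
        if session_id is None:
            return None
        return self._sessions.get(session_id)

    def record(self, token: str, question: str, answer: str) -> bool:
        data = self.answers(token)
        if data is None:
            return False
        data[question] = answer
        return True


def set_cookie_header(token: str) -> str:
    """Set-Cookie value with the attributes a session cookie should carry."""
    return f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def missing_cookie_attributes(header: str):
    """List the hardening attributes a Set-Cookie value lacks."""
    parts = [p.strip() for p in header.split(";")[1:]]
    names = {p.split("=", 1)[0].strip().lower() for p in parts}
    return [a for a in REQUIRED_ATTRIBUTES if a.lower() not in names]


def demo():
    store = SessionStore()
    alice = store.start()
    bob = store.start()
    store.record(alice, "q1", "yes")
    # Change one character of Bob's token: the MAC check rejects it outright.
    tampered = bob[:-1] + ("0" if bob[-1] != "0" else "1")
    return {
        "alice_sees_own": store.answers(alice) == {"q1": "yes"},
        "bob_sees_empty": store.answers(bob) == {},
        "tampered_rejected": store.answers(tampered) is None,
        # constructed weak header: random-looking value but no hardening flags
        "weak_header_gaps": missing_cookie_attributes("sess=abc123; Path=/"),
        "hardened_header_gaps": missing_cookie_attributes(set_cookie_header(alice)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The random id alone already makes another user’s session infeasible to guess; the HMAC tag is the second layer, so that an edited cookie fails before any lookup happens. HttpOnly keeps the token away from page scripts, Secure keeps it off plain HTTP, and SameSite limits the cross-site requests the browser will attach it to.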
When all is said and done, who would be interested in a school survey site? What is the risk to data?
You can argue a case for either way, saying it’s of no interest.
But… today’s technological Millennials, who are more interested in living every aspect of their lives on-line, will find little room for privacy, and make social profiling much easier for today’s tech savvy fraudster. The new generation are more accepting of IT and will happily provide data about themselves, their friends and family without thinking through the consequences for security or safety first, and at the same time need education around acceptable internet usage and its associated laws designed to protect our data.
When you are next approached to complete a survey on-line, ask yourself the following:
- Am I happy that the information I provide may become public?
- Am I happy that the information provided may be traceable back to me?
- How will the researcher store and manage my data?
  - It is likely the data will be downloaded to their laptop or server.
  - It is even more likely that the data will be unencrypted.
- How will the researcher destroy the data after it’s served its purpose?
  - The data collated is still covered by the 1998 Data Protection Act (amended in 1999).
- How would you feel if your data was breached or compromised and made available on the open market?
  - Both now,
  - and in 10 years’ time?
Makes you think doesn’t it?
The Eight Guiding Principles of the UK Data Protection Act
The Data Protection Act controls how your personal information is used by organisations, businesses or the government.
Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
And there is stronger legal protection for more sensitive information, such as:
- Ethnic Background
- Political Opinions
- Religious Beliefs
- Health
- Sexual Health
- Criminal Records
Useful References
Cookie Law:
https://www.cookielaw.org/the-cookie-law/
https://www.cookielaw.org/faq/
ICO – Information Commissioners Office
https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/
The Data Protection Act
https://www.gov.uk/data-protection/the-data-protection-act
Cross-Site Request Forgery
https://en.wikipedia.org/wiki/Cross-site_request_forgery
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet