De-Anonymizing Web Browsing Data with Social Networks | Su, Shukla, Goel, Narayanan

Jessica Su, Ansh Shukla, Sharad Goel, Arvind Narayanan; De-Anonymizing Web Browsing Data with Social Networks; draft; In Some Venue Surely (they will publish this somewhere, it is so very nicely formatted); 2017-05; 9 pages.


Can online trackers and network adversaries de-anonymize web browsing data readily available to them? We show—theoretically, via simulation, and through experiments on real user data—that de-identified web browsing histories can be linked to social media profiles using only publicly available data. Our approach is based on a simple observation: each person has a distinctive social network, and thus the set of links appearing in one’s feed is unique. Assuming users visit links in their feed with higher probability than a random user, browsing histories contain tell-tale marks of identity. We formalize this intuition by specifying a model of web browsing behavior and then deriving the maximum likelihood estimate of a user’s social profile. We evaluate this strategy on simulated browsing histories, and show that given a history with 30 links originating from Twitter, we can deduce the corresponding Twitter profile more than 50% of the time. To gauge the real-world effectiveness of this approach, we recruited nearly 400 people to donate their web browsing histories, and we were able to correctly identify more than 70% of them. We further show that several online trackers are embedded on sufficiently many websites to carry out this attack with high accuracy. Our theoretical contribution applies to any type of transactional data and is robust to noisy observations, generalizing a wide range of previous de-anonymization attacks. Finally, since our attack attempts to find the correct Twitter profile out of over 300 million candidates, it is—to our knowledge—the largest-scale demonstrated de-anonymization to date.


  • Ad Networks Can Personally Identify Web Users; Wendy Davis; In MediaPost; 2017-01-20.
    <quote> The authors tested their theory by recruiting 400 people who allowed their Web browsing histories to be tracked, and then comparing the sites they visited to sites mentioned in Twitter accounts they followed. The researchers say they were able to use that method to identify more than 70% of the volunteers.</quote>

Do-Not-Track and the Economics of Online Advertising | Budak, Goel, Rao, Zervas

Ceren Budak (Microsoft), Sharad Goel (Stanford), Justin M. Rao (Microsoft), Georgios Zervas (Boston); Do-Not-Track and the Economics of Online Advertising; Research Paper No. 2505643; School of Management, Boston University; 2014-10-06 → 2015-03-13; 40 pages.


Retailers regularly target users with online ads based on their web browsing activity, benefiting both the retailers, who can better reach potential customers, and content providers, who can increase ad revenue by displaying more effective ads. The effectiveness of such ads relies on third-party brokers that maintain detailed user information, prompting privacy legislation such as “do-not-track” that would limit or ban the practice. We gauge the economic costs of such privacy policies by analyzing the anonymized web browsing histories of 14 million individuals. We find that 3% of retail sessions are currently initiated by ads capable of incorporating third-party information. Turning to content providers, we find that one-third of traffic is supported by third-party capable advertising, and the rate is particularly high (91%) for online news sites. Finally, we show that for many of the most popular content providers, modest subscription fees of $1-$3 per month charged to loyal site users would be sufficient to replace ad revenue. We conclude that do-not-track legislation would impact, but not fundamentally fracture, the Internet economy.


  • <quote>browsing patterns reveal that ad revenue can generally be replaced by a small fraction of loyal visitors paying a modest subscription fee, on the order of $1–$2 per month.</quote>, page 31.
  • <quote>the economic benefits, though ostensibly amounting to billions of dollars, are substantially smaller than generally acknowledged.</quote>, page 35.


  • The Party Model
    • zero party → nonstandard defined as <quote>instances in which data on a user’s past actions are not directly involved in prompting the shopping session. Direct navigation falls into this category, as does clicking on an organic website link, or a link displayed on a coupon site.</quote>
    • first party → the publisher
    • third party → someone else.
  • Open loop theorizing on why CTR is low for 3rd-party ads, pages 31-33.
  • Latent Dirichlet Allocation (LDA)
    • topic modeling
  • Category “third-party capable advertising”