A place to cache linked articles (think custom and personal wayback machine)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

index.html 14KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159
  1. <!doctype html><!-- This is a valid HTML5 document. -->
  2. <!-- Screen readers, SEO, extensions and so on. -->
  3. <html lang="fr">
  4. <!-- Has to be within the first 1024 bytes, hence before the <title>
  5. See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
  6. <meta charset="utf-8">
  7. <!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
  8. <!-- The viewport meta is quite crowded and we are responsible for that.
  9. See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
  10. <meta name="viewport" content="width=device-width,initial-scale=1">
  11. <!-- Required to make a valid HTML5 document. -->
  12. <title>Researchers Find 'Anonymized' Data Is Even Less Anonymous Than We Thought (archive) — David Larlet</title>
  13. <meta name="description" content="Publication mise en cache pour en conserver une trace.">
  14. <!-- That good ol' feed, subscribe :). -->
  15. <link rel="alternate" type="application/atom+xml" title="Feed" href="/david/log/">
  16. <!-- Generated from https://realfavicongenerator.net/ such a mess. -->
  17. <link rel="apple-touch-icon" sizes="180x180" href="/static/david/icons2/apple-touch-icon.png">
  18. <link rel="icon" type="image/png" sizes="32x32" href="/static/david/icons2/favicon-32x32.png">
  19. <link rel="icon" type="image/png" sizes="16x16" href="/static/david/icons2/favicon-16x16.png">
  20. <link rel="manifest" href="/static/david/icons2/site.webmanifest">
  21. <link rel="mask-icon" href="/static/david/icons2/safari-pinned-tab.svg" color="#07486c">
  22. <link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
  23. <meta name="msapplication-TileColor" content="#f0f0ea">
  24. <meta name="msapplication-config" content="/static/david/icons2/browserconfig.xml">
  25. <meta name="theme-color" content="#f0f0ea">
  26. <!-- Documented, feel free to shoot an email. -->
  27. <link rel="stylesheet" href="/static/david/css/style_2020-06-19.css">
  28. <!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
  29. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  30. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  31. <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
  32. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  33. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  34. <link rel="preload" href="/static/david/css/fonts/triplicate_t3_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
  35. <script type="text/javascript">
  36. function toggleTheme(themeName) {
  37. document.documentElement.classList.toggle(
  38. 'forced-dark',
  39. themeName === 'dark'
  40. )
  41. document.documentElement.classList.toggle(
  42. 'forced-light',
  43. themeName === 'light'
  44. )
  45. }
  46. const selectedTheme = localStorage.getItem('theme')
  47. if (selectedTheme !== 'undefined') {
  48. toggleTheme(selectedTheme)
  49. }
  50. </script>
  51. <meta name="robots" content="noindex, nofollow">
  52. <meta content="origin-when-cross-origin" name="referrer">
  53. <!-- Canonical URL for SEO purposes -->
  54. <link rel="canonical" href="https://www.vice.com/en_us/article/dygy8k/researchers-find-anonymized-data-is-even-less-anonymous-than-we-thought">
  55. <body class="remarkdown h1-underline h2-underline h3-underline hr-center ul-star pre-tick">
  56. <article>
  57. <header>
  58. <h1>Researchers Find 'Anonymized' Data Is Even Less Anonymous Than We Thought</h1>
  59. </header>
  60. <nav>
  61. <p class="center">
  62. <a href="/david/" title="Aller à l’accueil" tabindex="1">🏠</a>
  63. </p>
  64. </nav>
  65. <hr>
  66. <h2><a href="https://www.vice.com/en_us/article/dygy8k/researchers-find-anonymized-data-is-even-less-anonymous-than-we-thought">Source originale du contenu</a></h2>
  67. <main>
  68. <p>Last fall, AdBlock Plus creator Wladimir Palant revealed that Avast was using its popular antivirus software to <a href="https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/" target="_blank">collect and sell user data</a>. While the effort was eventually <a href="https://www.vice.com/en_us/article/wxejbb/avast-antivirus-is-shutting-down-jumpshot-data-collection-arm-effective-immediately" target="_blank">shuttered</a>, Avast CEO Ondrej Vlcek first downplayed the scandal, assuring the public the collected data had been “anonymized”—or stripped of any obvious identifiers like names or phone numbers. <br/> <br/> “We absolutely do not allow any advertisers or any third party...to get any access through Avast or any data that would allow the third party to target that specific individual,” <a href="https://www.forbes.com/sites/thomasbrewster/2019/12/09/are-you-one-of-avasts-400-million-users-this-is-why-it-collects-and-sells-your-web-habits/" target="_blank">Vlcek said</a>. <br/> <br/> But analysis from students at Harvard University shows that anonymization isn’t the magic bullet companies like to pretend it is.<br/> <br/> Dasha Metropolitansky and Kian Attari, two students at the <a href="https://www.seas.harvard.edu/" target="_blank">Harvard John A. Paulson School of Engineering and Applied Sciences</a>, recently built a tool that combs through vast troves of consumer datasets exposed from breaches for a class paper they’ve yet to publish.</p>
  69. <p><p>“The program takes in a list of personally identifiable information, such as a list of emails or usernames, and searches across the leaks for all the credential data it can find for each person,” <a href="https://www.seas.harvard.edu/news/2020/01/imperiled-information" target="_blank">Attari said in a press release</a>.<br/> <br/> They told Motherboard their tool analyzed <a href="https://docs.google.com/spreadsheets/d/1A7y6Y5cgObJvoq3sIK-6K9PJ-XAaZ8QR99cD_Og-0RY/edit#gid=1989660935" target="_blank">thousands of datasets</a> from data scandals ranging from the <a href="https://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information" target="_blank">2015 hack of Experian</a>, to the hacks and breaches that have plagued services from <a href="https://www.vice.com/en_us/article/vbqyvx/myheritage-hacked-data-breach-92-million" target="_blank">MyHeritage</a> to <a href="https://www.vice.com/en_us/article/78k849/hacker-breaches-porn-network-advertises-user-data-on-dark-web" target="_blank">porn websites</a>. Despite many of these datasets containing “anonymized” data, the students say that identifying actual users wasn’t all that difficult. </p> <p>“An individual leak is like a puzzle piece,” Harvard researcher Dasha Metropolitansky told Motherboard. “On its own, it isn’t particularly powerful, but when multiple leaks are brought together, they form a surprisingly clear picture of our identities. People may move on from these leaks, but hackers have long memories.”</p><p> For example, while one company might only store usernames, passwords, email addresses, and other basic account information, another company may have stored information on your browsing or location data. Independently they may not identify you, but collectively they reveal numerous intimate details even your closest friends and family may not know. </p> <p>“We showed that an ‘anonymized’ dataset from one place can easily be linked to a non-anonymized dataset from somewhere else via a column that appears in both datasets,” Metropolitansky said. “So we shouldn’t assume that our personal information is safe just because a company claims to limit how much they collect and store.”</p> <p>The students told Motherboard they were “astonished” by the sheer volume of total data now available online and on the dark web. Metropolitansky and Attari said that even with privacy scandals now a weekly occurrence, the public is dramatically underestimating the impact on privacy and security these leaks, hacks, and breaches have in total. <br/> <br/> Previous studies have shown that even within independent individual anonymized datasets, identifying users isn’t all that difficult. </p> <p>In one <a href="https://www.nature.com/articles/s41467-019-10933-3" target="_blank">2019 UK study</a>, researchers were able to develop a machine learning model capable of correctly identifying 99.98 percent of Americans in any anonymized dataset using just 15 characteristics. A different <a href="http://news.mit.edu/2018/privacy-risks-mobility-data-1207" target="_blank">MIT study</a> of anonymized credit card data found that users could be identified 90 percent of the time using just four relatively vague points of information.<br/> <br/> Another <a href="http://www.autosec.org/pubs/fingerprint.pdf" target="_blank">German study</a> looking at anonymized user vehicle data found that that 15 minutes’ worth of data from brake pedal use could let them identify the right driver, out of 15 options, roughly 90 percent of the time. Another <a href="https://www.cs.princeton.edu/~arvindn/publications/browsing-history-deanonymization.pdf" target="_blank">2017 Stanford and Princeton study</a> showed that deanonymizing user social networking data was also relatively simple. <br/> <br/> Individually these data breaches are problematic—cumulatively they’re a bit of a nightmare. <br/> <br/> Metropolitansky and Attari also found that despite repeated warnings, the public still isn’t using unique passwords or password managers. Of the 96,000 passwords contained in one of the program’s output datasets—just 26,000 were unique.<br/> <br/> The problem is compounded by the fact that the United States still doesn’t have even a basic privacy law for the internet era, thanks in part to relentless lobbying from a <a href="https://www.eff.org/deeplinks/2017/10/how-silicon-valleys-dirty-tricks-helped-stall-broadband-privacy-california" target="_blank">cross-industry coalition of corporations</a> eager to keep this profitable status quo intact. As a result, penalties for data breaches and lax security are often <a href="https://www.vice.com/en_us/article/d3agv7/the-equifax-settlement-is-a-cruel-joke" target="_blank">too pathetic</a> to drive meaningful change. <br/> <br/> Harvard’s researchers told Motherboard there’s several restrictions a meaningful U.S. privacy law could implement to potentially mitigate the harm, including restricting data access to unauthorized employees, maininting better records on data collection and retention, and decentralizing data storage (not keeping corporate and consumer data on the same server). <br/> <br/> Until then, we’re left relying on the promises of corporations who’ve repeatedly proven their privacy promises aren’t worth all that much.</p></p>
  70. </main>
  71. </article>
  72. <hr>
  73. <footer>
  74. <p>
  75. <a href="/david/" title="Aller à l’accueil">🏠</a> •
  76. <a href="/david/log/" title="Accès au flux RSS">🤖</a> •
  77. <a href="http://larlet.com" title="Go to my English profile" data-instant>🇨🇦</a> •
  78. <a href="mailto:david%40larlet.fr" title="Envoyer un courriel">📮</a> •
  79. <abbr title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340">🧚</abbr>
  80. </p>
  81. <template id="theme-selector">
  82. <form>
  83. <fieldset>
  84. <legend>Thème</legend>
  85. <label>
  86. <input type="radio" value="auto" name="chosen-color-scheme" checked> Auto
  87. </label>
  88. <label>
  89. <input type="radio" value="dark" name="chosen-color-scheme"> Foncé
  90. </label>
  91. <label>
  92. <input type="radio" value="light" name="chosen-color-scheme"> Clair
  93. </label>
  94. </fieldset>
  95. </form>
  96. </template>
  97. </footer>
  98. <script type="text/javascript">
  99. function loadThemeForm(templateName) {
  100. const themeSelectorTemplate = document.querySelector(templateName)
  101. const form = themeSelectorTemplate.content.firstElementChild
  102. themeSelectorTemplate.replaceWith(form)
  103. form.addEventListener('change', (e) => {
  104. const chosenColorScheme = e.target.value
  105. localStorage.setItem('theme', chosenColorScheme)
  106. toggleTheme(chosenColorScheme)
  107. })
  108. const selectedTheme = localStorage.getItem('theme')
  109. if (selectedTheme && selectedTheme !== 'undefined') {
  110. form.querySelector(`[value="${selectedTheme}"]`).checked = true
  111. }
  112. }
  113. const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
  114. window.addEventListener('load', () => {
  115. let hasDarkRules = false
  116. for (const styleSheet of Array.from(document.styleSheets)) {
  117. let mediaRules = []
  118. for (const cssRule of styleSheet.cssRules) {
  119. if (cssRule.type !== CSSRule.MEDIA_RULE) {
  120. continue
  121. }
  122. // WARNING: Safari does not have/supports `conditionText`.
  123. if (cssRule.conditionText) {
  124. if (cssRule.conditionText !== prefersColorSchemeDark) {
  125. continue
  126. }
  127. } else {
  128. if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
  129. continue
  130. }
  131. }
  132. mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
  133. }
  134. // WARNING: do not try to insert a Rule to a styleSheet you are
  135. // currently iterating on, otherwise the browser will be stuck
  136. // in a infinite loop…
  137. for (const mediaRule of mediaRules) {
  138. styleSheet.insertRule(mediaRule.cssText)
  139. hasDarkRules = true
  140. }
  141. }
  142. if (hasDarkRules) {
  143. loadThemeForm('#theme-selector')
  144. }
  145. })
  146. </script>
  147. </body>
  148. </html>