Revealing Secrets with a Click
Many businesses don’t realize that actions on the Internet are often far from anonymous.
Individuals are growing conscious of the privacy risks that come with surfing the Web, but it turns out that businesses often overexpose themselves too. The problem often arises when workers visit websites for job-related reasons.
Say, for example, that a company is working on a new smart phone. Its engineers research other products and check out how competitors are marketing them. What they may not realize is that their visits show up in the log files of the competitors’ websites, and some simple sleuthing can reveal who was visiting and what that visitor might have been up to. In particular, Web surfers reveal themselves through their IP addresses—unique identifiers that are tied to particular computers. IP addresses can be used to infer location. Often, it’s also possible to discern who owns the address, particularly when that entity is a corporation.
“By watching the competitor’s Web activity, you can time their development cycle,” says Lance Cottrell, chief scientist and founder of Anonymizer, a company that helps businesses and individuals conceal private information when searching the Web. “The Internet just kind of feels anonymous, but it’s really exactly the opposite. Every single thing you do on the Internet is tracked.”
Jules Polonetsky, director of a think tank called the Future of Privacy Forum, agrees. “Treat it like you would if you were showing up at their plants,” he says. Polonetsky jokes that if T-Mobile employees working on a new smart phone kept going into Sprint retail stores wearing uniforms and homing in on a particular device, no one would be at all surprised if Sprint made some intelligent guesses about T-Mobile’s plans. Yet this is what companies do virtually when they research competitors carelessly and allow their IP addresses to show up in the competitors’ logs. While “the risk isn’t huge for most folks,” Polonetsky says, businesses with special privacy concerns should be careful.
Cottrell has built a business out of those special situations. Although he can’t reveal the identities of Anonymizer’s clients, he cites stories of working with industries ranging from airlines to pharmaceuticals to security.
At its core, Anonymizer helps customers conceal their identities by serving as a middleman, receiving their traffic and giving it a new IP address selected from the vast block it controls. In practice, however, it’s much more complicated. As with most things in security, Cottrell says, “there’s definitely an arms race here.”
There are free tools online to help people surf the Web anonymously. Tor, for example, hides identity by channeling traffic through several proxies before it arrives at its destination. Tor, however, also has well-known performance issues. What’s more, Cottrell says that while Tor is a worthwhile project, it doesn’t match the needs of many business customers.
Cottrell says businesses typically seek one of three types of anonymity: they need to look like “nobody,” they need to look like “everybody,” or they need to look like “somebody.” Each need arises in a different situation.
The engineers doing research for a new product, for example, might want to look like nobody. As much as possible, they want their visits to competitors’ websites to look completely unremarkable. In that circumstance, Anonymizer helps them conceal the patterns in their activity, partly by making surfers from the company appear to be different users each time.
On the other hand, take the case of an airline that wants to research competitors’ prices. Cottrell says companies often block competitors from their sites or even feed them false information. In this situation, Anonymizer’s clients want to look like “everybody”—in other words, their inquiries should appear to come from the normal crowd of visitors. In a few months Anonymizer will release a new product specifically designed for this situation. Its algorithms simulate human activity on a website so that a company can make tens of thousands of inquiries without creating suspicion.
Finally, businesses sometimes need to maintain a persistent pseudonymous identity. For example, workers at a security company might want to visit a hacker forum for clues to the newest exploits. In that case, they want to be able to establish a reputation and a username—they just don’t want to reveal that they’re surfing from computers owned by, say an antivirus maker. In this case, Anonymizer can provide a consistent alternative IP address.
When the company opened for business in 1995, Cottrell says, it didn’t take nearly this much effort to conceal client identities—many websites were barely looking at who visited them. As websites have begun trying harder to personalize visitors’ experiences, however, they’ve also scrutinized visitors more closely. This has added urgency to his business. Cottrell says, “The same tools that are useful for customization are useful for tracking people.”
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today