Fullscreen HTML5Med Res (??MB)HTML4

Net Work Alan Winstanley This month, Net Work looks at the history of ‘cookies’ and the trail of digital data you leave in your wake when you surf the Internet, plus some of the options you have to boost privacy and security. T he first ever web browser was NCSA Mosaic, which was a product of the University of Illinois’ National Center for Supercomputing Applications. It was designed as a simple graphical means of rendering and sharing information over a network. Mosaic was developed by a very bright student (Marc Andreessen) and fellow programmer Eric Bina, who reportedly worked flat out on this university project to earn some pocket money. Released for free public download in 1993, the early version of Mosaic gained 1,000 users in a few weeks, but as the Internet started to mushroom, there were a million users of Mosaic worldwide by the following year. According to a 2006 biography by Simone Payment (see Marc Andreessen and Jim Clark: The Founders of Netscape from the Internet Career Biographies series), NCSA hogged the limelight for their new ‘Mosaic web browser’, while Andreessen earned no recognition for its success. Andreessen would eventually join forces with Jim Clark, a wealthy and highly successful businessman who had decided to cut his ties with Silicon Graphics Inc (SGI), the graphics workstation manufacturer that he had founded. The result was an all-new, reworked version of NCSA Mosaic initially produced by Mosaic Communications Corporation, their new company formed in 1994. Their browser was initially named Mozilla after their dinosaur-like mascot (a portmanteau of Mosaic and the mythical monster Godzilla). Website cookie opt-ins control the type of cookies dropped onto your system. 12 Mosaic changed their name to Netscape and Mozilla’s successor, Netscape Navigator 1.0, was launched late in 1994 at a time when Internet users had little to choose from in web browsers. Over time, Netscape tried to monetise Navigator, but it eventually folded into today’s Firefox web browser, which is downloadable for free from Mozilla.org The curse of cookies Those early foundations have left us with something that many users remain deeply suspicious of: cookies. In a paper published by France’s Inria (see later), a young and highly talented Netscape developer named Lou Montulli, one of the first half dozen that formed the new Netscape team with Andreessen, is credited with an idea in 1994 that would enable websites to ‘remember’ their visitors, something that was a thorny problem for the emerging web industry at the time. As web surfers will doubtless agree, cookies are both a blessing and a curse. These encrypted, innocuous-looking little text files are dropped onto a user’s system to enable a website to recognise and interact with that user. They can be genuinely useful at times: a cookie helps a website to remember the contents of your shopping cart so you don’t have to re-enter your choices again, for example. Cookies are also needed sometimes to make a website work properly, but they are also used to follow your journey across the web. By tracking which websites you visit, cookies can shape the adverts that appear when you visit other websites such as Facebook, eBay or media portals. Add-on browser extensions such as Ghostery show the true extent of trackers that larger websites might typically utilise. I discussed Ghostery in a 2013 column, and the problem of trackers has not gone away. Advertising clicks are the corpuscles of the online ad industry and, as you would expect, the software and analytics that monitor the delivery and performance of ads, their click-though rates, cpm (cost per mille, or cost per thousand clicks) and cookie metrics have all been refined to a granular degree over the years. The use of cookie controls means that users are supposed to consent to receiving them when browsing. Website cookie opt-ins can be distracting, annoying and intrusive, and many everyday users simply click ‘accept’ and dismiss the opt-in without a second thought. If you ‘reject’ cookies, you may block personalised ads but you may still see generic adverts instead. The rise of Cookieless Monsters Some disreputable sites may harness cookies for more malicious purposes, possibly leading to the installation of spyware or malware scripts hosted by infected websites. Cookies can be deleted from popular web browsers via the usual settings menu, something that one third of us do within a month, industry sources say. Using ‘Privacy’ mode when surfing will block cookies and hide one’s browsing history (but not much else). Software that helps clean up cookies includes CCleaner, now owned by Avast, from www.ccleaner.com or consider PrivaZer from https://privazer. com/en (not tested by the author). ‘Personalities’ or ‘containers’ can also be used when surfing to ring-fence your browsing session, which prevents a website from sniffing out other cookies stored on your system. Extensions or plugins designed for your browser can also help with cookie management. Each web user is seen as a marketing opportunity, and every online marketer somehow wants to identify our system and by implication, profile the person using it. Our IP address, our browsing history, our location, date of birth, things we’ve bought, things we’ve seen but haven’t bought yet, our interests – this personal usage data enables vendors to join the dots and target our profile with relevant advertising. Even though cookies don’t identify users individually and contain no personal data as such, the fact that savvy web users can defeat them so easily has created a problem for online marketers: how can a user’s web-browsing session be linked to a device if it doesn’t contain any cookies? One way is through Practical Electronics | April | 2020 Panopticlick by EFF will reveal any browser fingerprinting vulnerabilities in your system. the use of non-consensual browser fingerprinting¸ which has given rise to the term ‘cookieless monsters’. When visiting a web page, a wide range of seemingly benign data is exchanged between your browser and the website. Much of it is already collected by web server logs for use in statistics, such as the visitor’s IP address and country of origin, the web browser type (called the ‘user agent’), screen settings and the client’s operating system. It’s how websites know to render the mobile or desktop version of a page. Website operators know that such data is not always reliable as it can be spoofed. However, this ordinary-looking data (and more besides) that travels to and fro during your web-surfing session can be amalgamated to form a ‘browser fingerprint’ identifying your system at that moment in time. How browsers leave fingerprints Parameters that can be checked this way include the user agent, the screen resolution and colour depth, any browser extensions, add-ons or plugins installed, any fonts installed (derived from the use of Flash), the system language, WebGL (Javascripted web graphics) and other esoteric settings. Cybersecurity developers Seon (https://seon.io) claims up to 500 fingerprint parameters can be extracted and ‘hashed’ this way. These factors undoubtedly change over time (weeks/months) but if the marketers (or fraudsters) hit lucky, the fingerprint will be unique to your device at that moment in time. In a paper published by Inria, the French Institute for Research in Computer Science and Automation, the techniques for browser fingerprinting were explored and they analysed nearly 10,000 fingerprints collected from about 2,000 browser sessions. Even though the browser fingerprint was likely to change over time, they discovered that they could track browsers for over 54 Practical Electronics | April | 2020 days, and 26% could be tracked after 100 days, all without using cookies, says the Inria paper (see https://hal.inria. fr/hal-01652021/ document). ‘Browser fingerprinting is both difficult to detect and extremely difficult to thwart,’ say the digital privacy activists at Electronic Brilliant.org offers a fascinating and thought-provoking analysis Frontier Foundation on Youtube of the Starlink network. (EFF). One way to test your browser for tracker vulnerabilities dollars into launching a constellation is at the Panopticlick website (https:// of cheap satellites offering broadband panopticlick.eff.org/), a ten-year-old access? The website Brilliant.org, which research project run by the EFF. It recog- offers online courses supporting STEM nised that my own system was unique and engineering topics, offered a comamong the 215,000 users tested in the pelling insight into the technology as well as a thought-provoking critique last six weeks. To safeguard privacy, one way of help- of the business model behind Staring defeat trackers is to enable the Do link. They also explain the trade-off Not Track (DNT) option in your web between latency and area of coverage, browser privacy settings, but most web- highlighting some major commercial sites fail to observe DNT anyway, says benefits that satellites flying in lowearth orbit may offer. A matrix of 12,000 the EFF. The ultra-anonymous TOR browser from www.torproject.org/ could Starlink satellites will circle the globe be used, but it will be far too slow for and inter-communicate using lasers, everyday users. Mainstream web brows- they think; you can see more in Brilers such as Google’s Chrome have lacked liant’s must-watch YouTube video at: fingerprint protection, but the latest https://youtu.be/giQ8xEWjnBs In a move that has infuriated the US version (72.0) of the Firefox Quantum browser is a step in the right direction; administration, Britain has opted to it helps defeat fingerprinting by block- allow Huawei to play a very limited ing third-party requests to companies role in building the UK’s 5G network. that are known to participate in this The British government is confident form of system snooping. Mozilla has that any supposed risks can be manpartnered with Disconnect.me which aged and mitigated by the country’s offers free and paid-for anti-tracking security services. The US embargo on tools for mobile and desktop browsers. Huawei and Britain’s involvement with An optional Disconnect add-on shows the UK’s Huawei Cyber Security Evalgraphically any blocked trackers but I uation Centre (HCSEC) was discussed found it blocked some Ebay functions in Net Work, August 2019. Facebook will pay $550m to settle a as well. In addition, my browser has blocked more than 10,000 trackers a class-action privacy lawsuit in the US month thanks to Firefox’s Enhanced covering its ‘tagging’ feature that used facial recognition to identify those Tracking Protection. Firefox has developed into a fast and appearing in photos, in breach of bipowerful web browser that is worth a ometric privacy laws in the state of look and the new browser fingerprint Illinois. Facebook’s tagging function is countermeasures are likely to be wel- now an opt-in feature. Meantime, Loncomed. It’s perhaps ironic that the first don’s Metropolitan Police is activating a mainstream browser to actively help network of overt live facial recognition defeat ‘cookieless monsters’ is derived (LFR) cameras in busy areas, linking indirectly from Netscape, which creat- to a database of wanted persons in an effort to apprehend villains or maybe ed cookies in the first place. locate missing persons. What could Other news possibly go wrong? SpaceX launched its fourth crop of StarThat’s all from Net Work this month link satellites at the end of January in its – see you next month! quest to offer low-cost Internet access around the globe. So far, so good, unless The author can be reached at: you’re an astronomer. What could be alan<at>epemag.net the real reason for pumping billions of 13