The German public TV station “Norddeutscher Rundfunk” (NDR) reports that it was offered data that includes the surfing habits of three million German citizens. It seems this data was, at least partly, collected by the “Web of Trust” (WOT) browser extensions. This is as bad as it sounds. The TV station was able to use this data to identify the browsing habits of individual persons – including high-ranking German and EU politicians.
The data trail extends up to persons around Chancellor Merkel. Information “about travel and meetings, preparing internal meetings, dealing with interest groups, or even private matters such as wealth and health” was retrieved from the data. As the TV station comments, this impedes political work and can make politicians susceptible to blackmail. And obviously, if this data gets out into the wild, many more people could be embarrassed.
Upon request, WOT informed the journalists that its data protection guidelines indicate that certain data are collected and shared with third parties. WOT said, however, that it makes great efforts to anonymize the data. The data is then sold by WOT to third parties. The TV station received the data from such a third party.
Reporters from the NDR have been able to personally identify more than 50 users, for example via e-mail addresses that contain the person's name, logins, or other components of the visited URLs.
One non-political example is a manager living in the German city of Hamburg. The WOT data set included, among other things, a series of links to an online storage service where he had stored documents for a house construction project. Anyone who knows these addresses may obtain bank statements, architectural drawings, payroll statements with references to the employer’s bonus system, a copy of the ID card, and detailed extracts from the documents on a bank loan.
The name and address of the manager and his wife are just as visible as telephone numbers and e-mail addresses. Criminals could use this documentation to hijack the identity of the man or blackmail him with the details of his surfing behavior.
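The identification routes described above (e-mail addresses and logins inside URLs, and unguessable storage links that grant access to whoever holds them) can be checked for before URL records are logged or shared. The following is an added example, not code from WOT or the NDR; the sample URLs, the parameter names in `LOGIN_KEYS` and the 20-character token heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Long opaque path segment, typical of "anyone with the link" share URLs (assumed heuristic).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")
LOGIN_KEYS = {"user", "username", "login", "email", "account"}  # assumed parameter names

def identifying_parts(url):
    """Return sorted reasons why a logged URL can identify or expose a person."""
    parts = urlsplit(url)
    reasons = set()
    if parts.username:                               # user:password@host
        reasons.add("userinfo")
    if EMAIL_RE.search(unquote(parts.path)):
        reasons.add("email-in-path")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.search(value):                   # parse_qsl already percent-decodes
            reasons.add("email-in-query")
        elif key.lower() in LOGIN_KEYS and value:
            reasons.add("login-in-query")
    if any(TOKEN_RE.match(seg) for seg in parts.path.split("/")):
        reasons.add("share-token")
    return sorted(reasons)

def audit(urls):
    """Map each URL that carries identifying components to its reasons."""
    return {u: r for u in urls if (r := identifying_parts(u))}

# Constructed sample records. No user ID column is needed to link them to a person.
SAMPLE = [
    "https://news.example/politics/article-123",
    "https://mail.example/inbox?account=jane.doe%40example.org",
    "https://shop.example/profile/jane.doe@example.org/orders",
    "https://storage.example/s/Zk3qP9xLw2Rt8VbNc5YhQ7mA/loan.pdf",
    "https://portal.example/home?user=jdoe&lang=de",
]

if __name__ == "__main__":
    for url, reasons in audit(SAMPLE).items():
        print(", ".join(reasons), "->", url)
```

Four of the five constructed records are flagged even though none carries a user identifier, which is why removing the user ID alone does not anonymize a browsing history.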
To purchase the data, the reporters founded a dummy company, supposedly active in the “big data” business. Several companies were ready to sell web browsing records, and one company finally offered the data set that has now been evaluated as a free sample.
The WOT data collection and sale is illegal, at the very least within the European Union. EU data protection laws require that users know exactly what they are consenting to, and that is not the case here. But this incident proves again the famous quote: ‘If you are not paying for it, you’re not the customer; you’re the product being sold’.