Researchers show private web browsing history is not so private

Many of you will have seen the TV advert highlighting the privacy mode in Internet Explorer 8, which allows a husband to “browse for a present for his wife” without leaving any evidence on the family computer. Well, before you peruse those lingerie sites, be warned: researchers at Carnegie Mellon University have found ways to detect which sites were visited with the mode enabled.

Collin Jackson, assistant research professor at the university, says many websites encrypt their data for security reasons by automatically establishing a secure key with the user’s computer. Even if private browsing is enabled, details relating to the key remain stored on the computer’s hard drive, allowing a hacker to establish that a particular site has been visited. A hacker could guess what sites you have been to based on traces left behind, says Jackson. These attacks on privacy “do not require a great deal of technical sophistication and could easily be built into forensics tools”, he adds.

Although the work clearly shows that there are weaknesses in browsers’ private-browsing implementations, says Rik Ferguson – a UK-based security researcher at Trend Micro – any attacker with the knowledge to exploit the weaknesses would probably look to other attacks first, which may yield more detailed information.

“If someone is capable of tracking your browsing habits in this way, they are probably also tech-savvy enough to know about commercial spyware, which could much more effectively track your computer use,” says Ferguson.

The lesson? If you want to visit websites in secret, use someone else’s computer.