In the Dark on Privacy – Use Lightbeam

If you're a Firefox user, there is a new add-on available called Lightbeam.  Lightbeam is useful for understanding how personal data, like web browsing habits and the sites you frequent, is shared on the Internet.  Lightbeam works by recording the sites you visit, along with any third party sites that those sites include.

Lightbeam does not reveal how companies leverage your personal data for their business uses, or whether they even store it.  A good general rule of thumb: if someone has the capability to snoop on your personal data, assume they are.  This way you will not be unpleasantly surprised by the next big privacy headline in the media.

To get a better look at Lightbeam, double-click my thumbnail picture (top) to view an enlarged photo.  You will notice in my browsing history that I visited 37 sites, which referenced 149 third party sites.  Third party sites are sites included by the site you visited, many of them most likely without your knowledge.  Some might argue without consent as well, but most of us click through those 60+ page license agreements anyway (don’t we?).

The Lightbeam user interface allows you to move nodes around, toggle controls on/off, etc.  In looking over my results, some common third parties emerge, like Google Adsense and DoubleClick.  Many sites use Google advertising on their pages, so nothing too surprising here; we see ads every day.  However, you may not have considered the implications of third party content on the many pages you visit.

photo: Paros Proxy, HTTP Request

To best illustrate what’s happening between the web browser and server, on the left is a screen fragment from a tool called Paros Proxy.  Paros sits between your web browser and the sites on the Internet you wish to view.  When you request site content, Paros intercepts the HTTP request, displays it, and forwards the request on to the server.  Paros lets you inspect requests and even modify them en route if you wish.  For our purposes, we are interested in viewing HTTP requests.  In this example, I visited the usatoday.com web site, but many sites access Google services.  To begin, usatoday.com requests a third party Google syndication link, first red circle.  In the second link, also circled in red, the web browser specifies a Referer.  The Referer is part of the HTTP protocol and is sent to the site to specify which page the browser was on before the link was clicked.  Said a simpler way, the web site you're navigating to knows the web site you came from.  Often it’s another page on the same web site, like switching between tabs on a news site, but it could be from an entirely different web site, like one of your browser bookmarks.

The concern is that when site content is loaded, the third party site is notified of the site you browsed previously.  In this case, since Google content is ubiquitous, it means Google knows which sites you browsed even if you didn’t get there via their search engine or web browser.  There are many more ways to leak information than the Referer, so it’s only part of the problem, and the Referer does have legitimate uses.  Cookies and URL rewriting are also combined to make your browsing experience personal or tied directly to you as an individual.
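To see the same pattern in your own proxy capture, the following added example (not from Paros or Lightbeam) reads raw HTTP requests and reports which third party sites learned about which first party sites through the Referer header. The sample requests are constructed, the `.example` hosts are placeholders, and the "last two DNS labels" site comparison is a simplifying assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample requests, in the raw form an intercepting proxy displays.
# Hosts under .example are placeholders, not real trackers.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.usatoday.com\r\n\r\n",
    "GET /css/site.css HTTP/1.1\r\nHost: static.usatoday.com\r\n"
    "Referer: http://www.usatoday.com/\r\n\r\n",
    "GET /show_ads.js HTTP/1.1\r\nHost: ads.tracker.example\r\n"
    "Referer: http://www.usatoday.com/\r\n\r\n",
    "GET /show_ads.js HTTP/1.1\r\nHost: ads.tracker.example\r\n"
    "Referer: http://blog.news.example/2013/post\r\n\r\n",
]


def site_of(host):
    """Naive 'site' key: last two DNS labels (assumption; real tools use the Public Suffix List)."""
    host = host.split(":")[0].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def parse_headers(raw):
    """Return the header fields of one raw HTTP request, names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def referer_leaks(raw_requests):
    """Map each third party site to the set of sites its Referer headers revealed."""
    seen = defaultdict(set)
    for raw in raw_requests:
        h = parse_headers(raw)
        host, referer = h.get("host"), h.get("referer")
        if not host or not referer:
            continue                          # no Referer header: nothing leaked here
        origin = urlsplit(referer).hostname
        if origin and site_of(origin) != site_of(host):
            seen[site_of(host)].add(site_of(origin))
    return dict(seen)


if __name__ == "__main__":
    for third_party, sites in referer_leaks(SAMPLE_REQUESTS).items():
        print(third_party, "learned about", sorted(sites))
```

The same-site request for the stylesheet is ignored, while the single ad host accumulates every site that embedded it, which is the aggregation Lightbeam draws as a graph.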

What is or should be private is evolving, and everyone has an opinion.  Internet service providers desire more access to end-user personal information.  Individuals are continually surprised to see how their private information is shared between companies.  Whatever your views, Lightbeam provides transparency about personal data shared between third parties in a way many can understand.  Lightbeam is released at a time when public concerns about privacy and transparency are at an all-time high.  It will be interesting to see if the tool gains traction with the public.

–Milton

Author: milton

For bio see, https://www.securitycurmudgeon.com/about/