We assume privacy when Alice sends an end-to-end encrypted email to Bob. While the content of the message is hidden, the fact that the message happens is not.

We assume the same privacy when Charles visits a website. We are comforted by the lock icon in the address bar and think no one knows what we are viewing. It is time to think again.

Keep in mind that often the content is hidden by encryption, but the metadata, the data about what happened when and by who is typically available.

While often simple methods are discussed, let’s look at what can be done on a grand scale.

Start by going to Twitter.com. You will typically see the normal sign in page.

On most desktop browsers, pushing F12 will bring up developer tools which show you what is happening behind the scenes.

There should be a “Sources” tab that shows from where the data for the page was acquired.

You should see “accounts.google.com” and “appleid.cdn-apple.com” listed.

Why are they there?

On the Twitter sign in page there are buttons to allow you to use a Google or Apple account. While unnecessary, it seems rational that some of the data for that page comes from Google and Apple. While this could already be cached on your computer, so it does not have to be fetched repeatedly, it is done at least once, and in doing so your access to that site can be observed.

What encryption is providing you is that the data for the request is hidden from observers, but not the IP addresses as that is required to know where to send the data from and to, and the length of the requests and responses.

Once you get in depth on a website you will probably have a lot of images, other media, or data from other sites. It might be all encrypted so the observer does not know what is sent, but the IPs and lengths remain.

Often images are from a separate server or IP address, so access to that IP can be observed, even when the raw data is not seen. However, images being large can be somewhat distinguished by size. The QUIC protocol may hide that somewhat as multiple images may be fetched at once. What you are providing to the observer is an educated guess at what is being communicated.

While the technique is usable for any site, such as a store, news site, organization, or other social media, consider you simply want to look at a tweet, signed in or not, and you assume no one knows but you and obviously twitter. Is there a way for an observer to, with reasonable certainty, know what you looked at and when?

If an overlord could see all of your traffic, the IPs and amount of data sent to each, a rough guess to an exact match of what you did can be determined?

How?

If the overlord accumulates common public data, such as images, tweets, news articles, and documents, it could make a possible match with some or all of your traffic. With a large body of information about public sites, and your visits, the accuracy of the matches can be greatly improved.

Who would have an infrastructure to accumulate that kind of data in such a large volume to make this a realistic concern for the public?

You would need to be able to essentially make a copy of all traffic on the Internet. Could that be done? If it can, who would have the resources to do it? If it is done, you would need to do it over a long period of time to make it valuable.

The first tap on the Internet was revealed in 2006 with Room 641A in San Francisco, and dozens more exist. The data is fed to the massive Utah Data Center, and perhaps NSA headquarters, the Donut, or other places.

But you can trust you government, right? If not, be careful what you say or view.

It doesn’t have to be this way. You can be private.

This is the goal of ShofarNexus. Be a part and share ShofarNexus.com