Have you ever wondered how the ads on the websites you visit and the social platforms you use reflect your interests? We often overlook how creepy this is. While you surf the internet for products you wish to buy or services you seek to use, you are tracked the whole time. This tracked data is then fed to ad-tech companies, too. So whenever you visit a webpage, you see specific ads based on the interests that the ad-tech company has perceived. One such tracking utility, Oracle’s BlueKai, has exposed billions of records of user tracking data from around the globe, making it the biggest security lapse of 2020.
Free access to the World Wide Web creates the need to advertise on websites. To accrue a handsome amount of revenue, websites deploy cookies and other tracking tech to fetch apt data about a user. Websites use this tracking data to advertise on their pages and generate revenue. Nearly every website you visit and social platform you use is tracking you and holds details of your browsing, subscriptions, email addresses and other pieces of sensitive information. They are watching as you traverse the internet. Though it seems to be an invasion, it is this tracking data that has kept the internet largely free. Netizens have little choice but to accept these conditions and keep being tracked: the little trade-off for a free internet.
Many users are oblivious to this tracking data, and few know the potential predicaments it holds. Recently, Oracle’s BlueKai overlooked the security of this tracking data, leading to a spill of billions of records.
Oracle’s BlueKai Lapse
BlueKai is a startup that Oracle acquired back in 2014 for $400 million. It was added to Oracle’s marketing cloud to enable marketers to target users more precisely by using new tracking tactics. BlueKai uses cookies and other proprietary tech to track users. Moreover, BlueKai targets not only Oracle users but also other users on the internet. It does this by watching which websites one visits and which emails one opens. BlueKai has been able to draw inferences about us and has amassed data about our political views, education, income, sexual preferences and more. This enables ad-tech companies to target specific advertisements, so when you click, they make money.
BlueKai tracks 1.2% of all web traffic and tracks some of the world’s biggest websites: Amazon, ESPN, Forbes, Glassdoor, Healthline, Levi’s, MSN.com, Rotten Tomatoes, and The New York Times. For a time, this tracking data was spilling out of an unsecured server housing billions of records. The server was not protected with a password. The data included email addresses of tracked users, names and other identifiable information. It also included sensitive web browsing activity and details of users’ subscriptions and purchases. The size of the exposed data makes it the largest security lapse of 2020.
Oracle’s investigation stated that two of the companies using BlueKai did not properly configure their services. According to Anurag Sen, the security researcher who found the exposed database, some logs were from August 2019.
Is Tracking Harmful?
Oracle with the help of BlueKai has nearly perfected the art of tracking people across the internet.
BlueKai uses covert and highly advanced tactics, embedding invisible pixel-sized images that are triggered when you visit a webpage. These images then collect information about the hardware, the operating system, the browser and the internet provider. This data is called the web browser’s “user-agent”, designed for “ideal identity resolution”. It may not initially seem “sensitive”, but when combined it can form a unique “fingerprint” of a person’s device. It also manages the person’s web browsing activity by tying mobile activity to desktop activity.
Oracle states that marketers cannot access the names and email addresses of users, as the data is masked and sanitised. BlueKai collects data but never shares it with marketers. The data is collected with the intent to target users with enticing ads, but if exposed, it can lead to identity theft. Examples from the spilled data reviewed by TechCrunch include:
A German man used a prepaid debit card to place a €10 bet on an esports betting site on April 19.
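To make the pixel-sized images described above concrete, the following added example (not from the original article and not BlueKai's code) scans a page's HTML for images that are 1x1 or hidden and are loaded from a different host than the page. The hostnames and the sample HTML are constructed for illustration, and the matching rules are simplifying assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PixelFinder(HTMLParser):
    """Collects <img> tags that are pixel-sized or hidden and load from another host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.hits = []

    @staticmethod
    def _tiny(value):
        # "0", "1" or "1px" count as pixel-sized; missing or other values do not
        text = (value or "").strip().lower()
        if text.endswith("px"):
            text = text[:-2]
        return text.isdigit() and int(text) <= 1

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host == self.page_host or host.endswith("." + self.page_host):
            return  # relative URL or first-party image
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if hidden or (self._tiny(a.get("width")) and self._tiny(a.get("height"))):
            self.hits.append((host, a["src"]))

def find_tracking_pixels(html, page_host):
    """Return (host, src) for each third-party image that is invisible to the reader."""
    finder = PixelFinder(page_host)
    finder.feed(html)
    return finder.hits

# Constructed sample page served from the hypothetical host shop.example
SAMPLE_HTML = """
<img src="/static/logo.png" width="200" height="60">
<img src="https://cdn.shop.example/banner.jpg" width="728" height="90">
<img src="https://tags.tracker.example/pixel.gif?id=abc123" width="1" height="1">
<img src="//sync.adnetwork.example/m?uid=42" style="display: none">
<img src="https://img.partner.example/photo.jpg" width="300" height="250">
"""

if __name__ == "__main__":
    for host, src in find_tracking_pixels(SAMPLE_HTML, "shop.example"):
        print(host, src)
```

Each request for such an image carries the browser's user-agent string and IP address to the third-party host, which is how a page view becomes a tracking record.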
A person living in Istanbul ordered $899 worth of furniture from an online hardware store. The data also has the buyer’s name, email address and the web address for the order.
One person unsubscribed from an email newsletter run by an electronics consumer, sent to his iCloud address. The record showed that the person may have been interested in a specific model of car dash-cam. Based on his “user-agent” his iPhone was out of date and needed a software update.
Safety Measures
We often provide contact details to websites while registering, and forget about the dangers. Avoid providing needless information on websites.
Use the Tor web browser, which stands for browsing “without tracking, surveillance, or censorship”.
Though there is not much users can do about being tracked (to keep the internet largely free), following cyber ethics and keeping themselves updated about cyber crimes can counter any potential threat.
Ayush Dubey is an engineering student from IIIT Jabalpur. He has a comprehensive background in technology, with cybersecurity being his primary field of interest. He loves to meet people who are always in a hustle to learn new things.