RealTime IT News

Denial-of-Insight Lurks For Search Engines, Users

Sometime in the near future, malicious programmers will use software that totally skews search results. They will hide legitimate results from users, or make it seem like a user is searching for something that he isn't.

Gartner analyst Whit Andrews said he is convinced, in the wake of the AOL user search data leak and the Justice Department's search engine subpoenas, that it is only a matter of time before someone develops something that can cause real headaches for users and search engine providers.

This will be something more than meta search engines, such as Ixquick.com and Clusty.com, which promise privacy because they don't save user data or track users.

This software will render a denial-of-insight (DOI) attack. Think of it as a denial-of-service (DOS) attack tailored for search engines: Slammer or Nimda on search steroids. Such software may dwarf the Big-Brother-is-watching paranoia caused by AOL's search data gaffe.

Are you scared yet?

Search Doesn't Lie. People Do

Raw search data doesn't lie. Like a truth serum, it gets injected into a search engine site and (hopefully) returns information to help whoever made the query.

"You will never get a better pipeline that runs straight into your users' foreheads," Andrews said. "Users do not lie when they are receiving value based on the information that they provide to you."

Books, DVDs, furniture, loan applications. People enter queries tailored for their interests, hoping to get useful results.

But suppose the user wanted to obfuscate truths or misrepresent himself to throw a search engine off of his trail?

"We've been going under the assumption that search users are all real," Andrews said. "If you wanted to damage that data, you could be an unreal individual that provided a perspective on yourself, which was not true."

For example, a user might build a false history of himself to obscure his real intentions, something that throws out a bunch of chaff.

A user might do a search at Google, Yahoo or Microsoft's MSN, and use a piece of software that throws out ghost queries, destroying those search purveyors' ability to understand him better. A denial-of-insight attack is born.

Andrews said this raises all kinds of issues for enterprises beyond the search providers. If users start extending this to Amazon, they will take away the e-commerce giant's ability to see what you search on, and prevent it from providing you with accurate recommendations.

Users might also use such methods to shroud their search trails to prevent people or law enforcement agencies from tracking them for a crime.

Such tools are possible. Just ask some folks at New York University.

Track Me if You Can!

Helen Nissenbaum, an associate professor with the Department of Culture and Communication at NYU, and graduate student Daniel Howe, have created TrackMeNot.

TrackMeNot is a lightweight extension for the Mozilla Firefox browser that protects Web searchers from surveillance and data-profiling by search engines.

Unlike anonymizers that hide IP addresses, this software enables searches to "get lost in a cloud of false leads," so that Google, AOL, MSN and Yahoo can't pigeon-hole people based on their searches, Nissenbaum said in a recent interview.

"If they're going to profile me, then I'm adding a bunch of noise to my searches so that they can't tell which of them are real and not real," Nissenbaum said. "The idea is that Google or whoever, shouldn't know who's using it. If they don't know who is using it, all the info can be corrupted."

But Nissenbaum and Howe aren't hiding from any authorities, and they're not trying to throw people off of their trails for thrills.

They're simply alarmed at the possibility that another search site could spill users' search data with the potential for more serious consequences, and that every search engine this side of Google might willingly cough up query histories to the DOJ as they did earlier this year.

"We are disturbed by the idea that search inquiries are systematically monitored and stored by corporations like AOL, Yahoo!, Google, etc. and may even be available to third parties," the duo said on the TrackMeNot page.

Regardless of whether they were created for defense or offense, Andrews said tools like TrackMeNot could thwart search results for the engines that choose to collect them.

You'd think search engine providers would hate this tool for its tendencies to hide information. Officially, there is no indication they fear the tool; but they don't think TrackMeNot is the answer either.

"Google takes the privacy of our users very seriously and we work hard to maintain user trust," said Google spokeswoman Victoria Grand. "TrackMeNot is an imperfect approach to the issue. Users who are concerned about their privacy can always clear their cookies."

A spokesman for one of the other large search providers told internetnews.com under condition of anonymity that TrackMeNot only hides information about users who manually enter search terms into an engine.

The tool doesn't cloud information gathered through click-throughs of sites and their sponsored links, which the spokesman said are far more useful tools in gleaning search data.
