Sometime in the near future, malicious programmers will use software that
totally skews search results. They will hide legitimate results from users,
or make it seem like a user is searching for something that he isn’t.
Gartner analyst Whit Andrews said he is convinced, in the wake of the AOL
user search data leak and the
Justice Department’s search engine subpoenas, that it is only a matter of time
before someone develops something that can cause real headaches for users
and search engine providers.
This will be something more than meta search engines, such as Ixquick.com and Clusty.com, which promise privacy because
they don’t save user data or track users.
This software will render a denial-of-insight (DOI) attack. Think of it as a
denial-of-service (DOS) attack tailored for search engines: Slammer or Nimda
on search steroids. Such software may dwarf the Big-Brother-is-watching
paranoia caused by AOL’s search data gaffe.
Are you scared yet?
Search Doesn’t Lie. People Do
Raw search data doesn’t lie. Like a truth serum, it gets injected into a
search engine site and (hopefully) returns information to help whoever made
the query.
“You will never get a better pipeline that runs straight into your users’
foreheads,” Andrews said. “Users do not lie when they are receiving value
based on the information that they provide to you.”
Books, DVDs, furniture, loan applications. People enter queries tailored for
their interests, hoping to get useful results.
But suppose the user wanted to obfuscate truths or misrepresent himself to
throw a search engine off of his trail?
“We’ve been going under the assumption that search users are all real,”
Andrews said. “If you wanted to damage that data, you could be an unreal
individual that provided a perspective on yourself, which was not true.”
For example, a user might build a false history of himself to obscure his
real intentions, something that throws out a bunch of chaff.
A user might do a search at Google, Yahoo or Microsoft’s MSN, and use a
piece of software that throws out ghost
queries, destroying those search purveyors’ ability to understand him
better. A denial-of-insight attack is born.
Andrews said this raises all kinds of issues for enterprises beyond the
search providers. If users start extending this to Amazon, they will take
away the e-commerce giant’s ability to see what you search on, and prevent it from providing you with accurate recommendations.
Users might also use such methods to shroud their search trails to prevent
people or law enforcement agencies from tracking them for a crime.
Such tools are possible. Just ask some folks at New York University.
Track Me if You Can!
Helen Nissenbaum, an associate professor with the Department of Culture and
Communication at NYU, and graduate student Daniel Howe, have created TrackMeNot.
TrackMeNot is a lightweight extension for the Mozilla Firefox browser that
protects Web searchers from surveillance and data-profiling by search
engines.
Unlike anonymizers that hide IP addresses, this software enables searches to
“get lost in a cloud of false leads,” so that Google, AOL, MSN and Yahoo
can’t pigeon-hole people based on their searches, Nissenbaum said in a
recent interview.
“If they’re going to profile me, then I’m adding a bunch of noise to my
searches so that they can’t tell which of them are real and not real,”
Nissenbaum said. “The idea is that Google or whoever, shouldn’t know who’s
using it. If they don’t know who is using it, all the info can be
corrupted.”
But Nissenbaum and Howe aren’t hiding from any authorities, and they’re not
trying to throw people off of their trails for thrills.
They’re simply alarmed at the possibility that another search site could
spill users’ search data with the potential for more serious consequences,
and that every search engine this side of Google might willingly cough up
query histories to the DOJ as they did earlier this year.
“We are disturbed by the idea that search inquiries are systematically
monitored and stored by corporations like AOL, Yahoo!, Google, etc. and may
even be available to third parties,” the duo said on the TrackMeNot page.
Regardless of whether they were created for defense or offense, Andrews said
tools like TrackMeNot could thwart search results for the engines that
choose to collect them.
You’d think search engine providers would hate this tool for its tendencies
to hide information. Officially, there is no indication they fear the tool;
but they don’t think TrackMeNot is the answer either.
“Google takes the privacy of our users very seriously and we work hard to
maintain user trust,” said Google spokeswoman Victoria Grand. “TrackMeNot is
an imperfect approach to the issue. Users who are concerned about their
privacy can always clear their cookies.”
A spokesman for one of the other large search providers told
internetnews.com under condition of anonymity that TrackMeNot only
hides information about users who manually enter search terms into an
engine.
The tool doesn’t cloud information gathered through click-throughs of sites
and their sponsored links, which the spokesman said are far more useful
tools in gleaning search data.
Gibberish Mobs
But there are other, more sinister DOI attacks on the horizon, said Andrews.
Using a falsely created identity the way so many pranksters did with Hotmail
accounts years ago, a perpetrator could enter someone else’s name to make it
seem like the user is looking up potentially embarrassing or incriminating searches.
Or a user could walk into a corporate office, sit down at a user’s desktop
while he or she isn’t there, log on to the human resource department’s
intranet and research a bunch of mental health information. This could raise
some red flags for the company.
Andrews also said “gibberish mobs” will pop up. In these attacks, perps will
vandalize and pollute data to harm companies that scan search logs to get an
accurate reading on individual interests.
“Someone can build a script that does meaningless searches to throw off
search results and breaks a company’s ability to understand what’s in their
system,” Andrews said.
“Or they might run searches to have a hacking impact and bring down the
search engine” similar to the way a DOS attack cripples computers.
Searching For The Truth
What does the future hold for search?
Andrews said we can expect to see poisonous search scripts and tools to hit
the Web underworld and be taken up by script kiddies, similar to the way so
many Slammer, Nimda and MyDoom viruses slithered their way on to the
Internet.
“We now assume people lie when they author content for the Web. Why
shouldn’t we assume people will lie when they conduct inquiries on the Web,”
Andrews argued, predicting there will be an impact at Yahoo, AOL, Google,
MSN and even Amazon.
Moreover, he said enterprises that use proprietary search tools have a
greater problem because they might not have the same degree of search
resources to dedicate to a search-based DOI attack.
Nissenbaum sees Andrews’ point, and wonders if companies could be in
collusion with search engines about putting relevant data lower on the
results list, making it more difficult for users to find.
“How do I know that the company isn’t somehow messing up the results that
I’m getting or paying off the search companies to put the result that I
really need down at the bottom of the list?” she wondered.
“Unless we become much better educated and unless we insist on much greater
transparency from search companies, we’re not going to be able to discern
properly what we’re getting back. I think that this is going to be a
problem.”
As for TrackMeNot, Nissenbaum said she and Howe are improving its ability to
confuse those who read search engines, changing up feed lists to throw more
garbage into the mix.
And if TrackMeNot can be improved, certainly other users with the technical
know-how can create tools to cause search mischief.
Andrews thinks search-based attacks are inevitable.
“As the value of searches and search logs increases, and as enterprises
exploit these capabilities and turn the insight in an automated fashion back
to users, vandalism and sabotage of this data will increase,” Andrews said.