The growing popularity of Google and other online service portals, has moved a number of user services to central aggregated locations where users can check their RSS feeds and email. Although this configuration changes the network fingerprint that is emitted by services it does not reduce the amount of information that is leaked. For example, the Google homepage includes links to personalized RSS feeds including the user's email address in plain text, which often points to a user's real identity, e.g., john.doe@gmail.com. This information can be readily used to create very accurate user profiles since a tracker can intercept these unencrypted HTTP transfers.
Another serious vector of information leak is (to no surprise) the use of cookies. Cookies are used extensively as a mechanism for servers to identify users and track their access. The threat of Cookies to user privacy has received considerable attention in the literature [23]. In the context of tracknets, the exchange of Cookie information can be used to extract personalized user information based on both the contents of the Cookies and their transmission fingerprint. For example, Google, a company synonymous with Internet search uses cookies that expire in 2036. The cookie uses a 16-digit identifier to track user preferences and, inevitably, track user behavior. Given the popularity of the search engine, it is not unreasonable to assume that a large percentage of the user population will emit this identifier during its lifetime, adding another mechanism for user tracking.
The Dynamic Host Configuration Protocol (DHCP) is a ubiquitous protocol used for automating network configuration. Unfortunately, there is no privacy protection for DHCP messages, so an eavesdropper who can monitor the link between the DHCP server and requesting client can discover the information contained in this option. For example, the following snippet illustrates the kind of information that can be derived from a DHCP request. Information on the types of services and more importantly hostname information is made readily available to eavesdroppers.
Client IP: 10.50.16.205 Client Ethernet Address: 00:17:f2:40:61:65 Vendor-rfc1048: DHCP:REQUEST PR:SM+DG+NS+DN+NI+NITAG+SLP-DA+SLP-SCOPE+LDAP+T252 MSZ:1500 CID:[ether]00:17:f2:40:61:65 LT:7776000 HN:"alamak"
We collect and correlate the information derived from DHCP headers. In particular, we are interested in user-identifying information such as the user's hostname. This information might appear innocuous but is often linked to personal information such as the user's name or company information. Again, in this case we associate DHCP-derived information with the base station's ESSID.