A Passive Attack on the Privacy of Web Users Using Standard Log Information

  • Thomas Demuth
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2482)


Several active attacks on user privacy in the World Wide Web using cookies or active elements (Java, Javascript, ActiveX) are known. One goal is to identify a user in consecutive Internet session to track and to profile him (such a profile can be extended by personal information if available).

In this paper, a passive attack is presented that uses information of a different network layer in the first place. It is exposed how expressive the data of the HyperText Transfer Protocol (HTTP) can be with respect to identify computers (and therefore their users). An algorithm to reidentify computers using dynamically assigned IP addresses with a certain degree of assurance is introduced. Thereafter simple countermeasures are demonstrated.

The motivation for this attack is to show the capability of passive privacy attacks using Web server log files and to propagate the use of anonymising techniques for Web users.


privacy anonymity user tracking and profiling World Wide Web server logs 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Fielding, R., Gettys, J., et al, J.M.: Hypertext transfer protocol-http/1.1 (1999)Google Scholar
  2. 2.
    Gold, J., Ethier, D.: One perspective on collecting data on the web. CMC-Computer-Mediated Communication Magazine 9 (1997)Google Scholar
  3. 3.
    Shen, A.: Request for participation and comment from the electronic privacy information center (epic). (1999)Google Scholar
  4. 4.
    McGregor, G.: The ppp internet protocol control protocol (ipcp) (1992)Google Scholar
  5. 5.
    Salton, G.: Automatic Text Processing: The Transformation, Analysis, and Retrieval of Information by Computer. Addison-Wesley (1989)Google Scholar
  6. 6.
    Salton, G.: Automatic Information Organization and Retrieval. McGraw-Hill (1968)Google Scholar
  7. 7.
    Chaum, D.L.: Untraceable electronic mail, return addresses, and digital pseudonyms. In Rivest, R., ed.: Communication of the ACM. Volume 2. (1981) 84–88Google Scholar
  8. 8.
    Pfitzmann, A., Köhntopp, M.: Anonymity, unobservability, and pseudonymity-a proposal for terminology. International Workshop on Design Issues in Anonymity and Unobservability LNCS 2009 (2000) 1–9Google Scholar
  9. 9.
    Berthold, O., Pfitzmann, A., Standtke, R.: The disadvantages of free mix routes and how to overcome them. International Workshop on Design Issues in Anonymity and Unobservability LNCS 2009 (2000) 30–45Google Scholar
  10. 10.
  11. 11.
  12. 12.
    Demuth, T., Rieke, A.: On securing the anonymity of content providers in the world wide web. Proceedings of SPIE 3657 (1999) 494–502Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Thomas Demuth
    • 1
  1. 1.Department of Communication SystemsUniversity of HagenGermany

Personalised recommendations