There's a very confused thread in the Lounge about the Ashley Madison data wherein a number of self-proclaimed experts are disagreeing about how banks (etc) can identify "you" online.
Rather than polluting that thread, I thought I would start a new thread here.
There are several correct facts in the aforementioned thread: for example, a website is likely to store a "cookie" on your computer linking your machine to various information you have provided (e.g. a session login), which identifies you.
There was some mention of "risk-based signatures" - and it is true that banks and major retailers are starting to use additional information from your computer to help identify when "something" changes - when something appears to be amiss, and it might not actually be "you" logging in. To see the extent to which this can be done, even without passwords, check out this link: https://panopticlick.eff.org/ It'll indicate how unique your particular browser setup is among the millions of users who have voluntarily checked so far. (EFF is the Electronic Frontier Foundation, who generally defend online privacy rights.)
But for the most part, that data is used to verify your login, rather than to replace it. And it is also true that some companies use cookies, sometimes with some of the information from that link, to track you as you move around the web - it is a big business to try to market more effectively to people. Or did you think companies like Netflix were just going by whatever their interns watched last night?
As for IP addresses - your ISP will assign you an IP address for some time, and will be able to tell law enforcement who had a given IP address at a particular time should the need arise. But rebooting your router will "probably" renew the same IP address, rather than changing to a new one (although that used to be more common in the past). And just like leaving fingerprints at a crime scene, law enforcement have many tools they can apply to determine which computer in a house was used to visit a website, and often determine who from the household was at the computer at the time. Could you disagree in court? Sure, but good luck with that - "beyond a reasonable doubt" often doesn't mean what you think it means.
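Added example, not part of the original post: a sketch of the risk-based check described above, where browser and network signals are compared against what was seen at earlier logins and only ever add scrutiny on top of the password. The signal names, weights, thresholds and sample profile are all hypothetical and constructed for illustration.

```python
# Hypothetical weights: how much a change in each signal adds to the risk score.
WEIGHTS = {
    "cookie_id": 40,   # device cookie set at an earlier login
    "user_agent": 15,
    "timezone": 15,
    "screen": 10,
    "fonts_hash": 10,
    "ip_prefix": 10,   # low weight: an ISP may reassign the address
}
STEP_UP_AT = 30   # at or above this, ask for a second factor
REVIEW_AT = 70    # at or above this, hold the login for manual review

# Constructed profile stored after a previous successful login.
KNOWN = {
    "cookie_id": "c-7f3a", "user_agent": "ExampleBrowser/1.0",
    "timezone": "UTC-5", "screen": "1920x1080",
    "fonts_hash": "f-91be", "ip_prefix": "203.0.113",
}

def changed_signals(known, current):
    """Names of the signals that differ from the stored profile."""
    return sorted(n for n in WEIGHTS if known.get(n) != current.get(n))

def risk_score(known, current):
    """Sum of the weights of every changed signal (0 = identical setup)."""
    return sum(WEIGHTS[n] for n in changed_signals(known, current))

def decide(password_ok, known, current):
    # The signals verify a login; they never replace it.
    if not password_ok:
        return "deny"
    score = risk_score(known, current)
    if score >= REVIEW_AT:
        return "manual_review"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"

def seen_now(**changes):
    """Current request: the known profile with some signals changed."""
    return {**KNOWN, **changes}

if __name__ == "__main__":
    for label, cur in [("same machine", seen_now()),
                       ("new IP only", seen_now(ip_prefix="198.51.100")),
                       ("cookies cleared", seen_now(cookie_id=None))]:
        print(label, changed_signals(KNOWN, cur), decide(True, KNOWN, cur))
```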