Obfuscation: A User's Guide for Privacy and Protest

Posted by Ben Rothke

Certain things in life just don't mix. When it comes to personal privacy, using Amazon and Facebook simultaneously is perhaps an example of a potentially dangerous privacy mix. With each site tracking your every search and click, it doesn't take long until these merchants have a detailed dossier on your online habits. That's in addition to profiting off your personal buying habits. This is what is known in part as big data.

Many people may find such an approach appealing, given the sometimes insightful suggestions these sites may offer. For others, it could be a matter of life and death.

In Obfuscation: A User's Guide for Privacy and Protest (MIT Press ISBN 978-0262529860), authors Finn Brunton and Helen Nissenbaum have written a short and invaluable guide on how to avoid having your personal data manipulated by our current pervasive digital-surveillance society. This includes the social media channels, governments and more. It's not only totalitarian regimes where abuse of power occurs. Some U.S. agencies have used metadata for unauthorized (and sometimes illegal) purposes.


Obfuscation, as used in the book, is a privacy control: the deliberate use of ambiguous, confusing, or misleading data meant to interfere with surveillance and data collection projects.

Some have suggested that users simply opt out where data collection is done. But this is getting more and more difficult to achieve. In countries like China, opting out is simply not an option.

The subtitle of “A User's Guide for Privacy and Protest” is what Brunton and Nissenbaum use to start a revolution in the large and ever-growing data-mining and surveillance business. They attempt to do this via obfuscation to buy time and hide in a crowd of signals.

It's not just advertising and other snooping that obfuscation tries to halt; metadata is something that may need to be obfuscated as well. This is needed because former CIA and NSA director Michael Hayden admitted that metadata is used as the basis for killing people.

The authors note that even for sites like WikiLeaks that use encryption, encryption doesn't always allow for anonymity. For example, if an adversary performed traffic monitoring on a site, even though they may not be able to read the data, they could monitor what is being submitted to the system. Adversaries could also draw inferences as to what was transmitted based on the data sizes and other metadata.

To obviate that, WikiLeaks developed an obfuscation script to produce false signals. WikiLeaks was not trying to stop data mining or ad blocking; rather, it simply sought to conceal the movements of some of its users.

Rather than just focusing on the technical issues, the authors also write of the ethics of obfuscation. They candidly admit that it's nearly impossible to avoid charges of dishonesty when the aim of obfuscation is to mislead and misdirect.

Some of the tools detailed include TrackMeNot, a lightweight browser extension that helps protect web searchers from surveillance and data-profiling by search engines. For example, a seemingly innocuous search for “what is the most decadent cheesecake I can buy” in 2016 could be used to deny insurance in 2021, by showing that the person had bad diet habits in previous years.

Another tool is AdNauseam, which works in the background and clicks on every ad on a web page. This registers as a visit in the ad networks' databases. As the data gathered shows an omnivorous click-stream, user profiling, targeting and surveillance become futile.

Tools like these are good now, and can also provide a hedge against the future, as we have no idea what will later be done with our data.

The authors attempt to draw a fine line between oppressive surveillance and required surveillance. They admit that most of the free Internet is funded by ads. Take away those ads, and services like Google, Gmail and the like will cease to exist.

The book offers no easy answers, as privacy is a complex and even contradictory concept. What it does is offer some ways to minimize the effects of a surveillance society and a data-gathering Internet.

For those looking to opt-out without going off the grid, Obfuscation: A User's Guide for Privacy and Protest is a good place to start.


Ben Rothke

Senior Information Security Manager, Tapad

