Chinese 'Sogou Explorer' browser sends URLs to parts unknown

A Chinese-language cloud-based browser seems to be snooping on its users, according to research conducted by the Asia Pacific Network Information Centre's (APNIC's) Geoff Huston, George Michaelson and Byron Ellacot.

Speaking to the APNIC 38 conference yesterday, Huston outlined the results of research conducted by APNIC on the dataset the organisation uses to gauge the adoption of IPv6 and DNSsec.

The research uses Google ads served as embedded GIFs, and the ad can only be retrieved by the user over a v6 connection. Each ad gets a unique URL which also gets reflected back to APNIC – and that's where things got interesting.

Huston told the conference his own interest in privacy, and particularly in the way big data is “sniffing the fumes of your digital exhaust pipe”, led him to look over the URLs that were passed back to the APNIC analysis, and something interesting emerged.

“When I hand out an ad to you, I should see that URL come back to me once, from you. No-one else will ever get that URL,” he explained.

That wasn't the case, however: looking over the data, Huston said, it was clear that “the URL is leaking. One in 400 users seemed to have attracted some kind of digital stalker.

“Someone is looking over their shoulder,” he continued, a situation he described as “bullshit”.

Some of the URL reflections come from local caches (identified by timing, since they generated “hits” 15, 30 or 60 minutes after the original fetch, when the cache refreshed), and some come from companies either operating filtering services (Websense and Covenant Eyes) or experimenting with content serving (RIM).

However, Huston said, it was the large number of “stalker” IP addresses from China that stood out – and the speed of their response.

“This Chinese stalker stalks most folk within two seconds,” he said, leading to the conclusion that it's “something in your browser, or something close to your browser.”

Further pruning of the data identified the browser involved: a cloudy creature called Sogou Explorer.

This has two characteristics that make it popular among the Chinese diaspora, he explained: it accepts Chinese language inputs, and it uses a cloud service to identify malicious Websites and software.

Sogou Explorer, he says, “leaks like a sieve”, and while he declined to speculate on why the browser is leaking URLs, he said it's an important illustration of a wider issue about user privacy.

“One in 400 people has a stalker. That's bad … We've created a world in which realistically we've made privacy a historical concept.”

“Who needs metadata when you've got stalkers?”

Huston's presentation, including a detailed description of the methodology used to collect the data, can be found here. ®