$$News and Reports$$
Mar. 07, 2017

A new study conducted by researchers from the Department of Communication Systems Engineering at BGU demonstrates that despite YouTube’s attempts to safeguard the anonymity of its users, hackers and intelligence agencies can still discover which videos you watched.  

While many believe encryption makes their internet activities invisible, a lot can be discovered without ever having to break the encryption itself such as your operating system, internet browser, application protocol and user habits. While their study is true for many video platforms, the researchers turned to the YouTube platform as the largest social video platform in the world. They quickly determined that the title of the video the user had just watched was easily discoverable despite the encryption. 

The research was carried out by Ran Dubin, an expert in communication systems and cyber security who consults to the Israeli district court on class action suits in these fields. Dubin is also a doctoral student in the Department of Communication Systems Engineering whose research focuses on the optimization of adaptive video channels. His research advisor is Prof. Ofer Hadar, chairman of the Department, in conjunction with Ariel University’s Dr. Amit Dvir and Dr. Ofir Pele.  

“We built a simple but strong machine learning algorithm that can determine which specific video you watched from a predetermined set of videos with a high degree of accuracy. The algorithm was based on an in-depth study of how video services work, how the video content is encoded and how the video player requests information in order to play it,” explains Dubin. 

Dubin did not want to identify a specific video from the infinite videos on YouTube. Instead, they wanted to see if they could identify if someone had watched a specific video from a set of suspicious videos, for example, terror-related. They succeeded in determining which video had been viewed. 

While such a tool could be useful in the hands of counter-terror specialists, the researchers also warn that regular users’ privacy is not as secure as perhaps they had thought, despite the encryption. Moreover, according to Dubin, it is unlikely that Google, YouTube’s parent company, will patch the gaps as to do so would require a traffic obfuscation mechanism for every user’s every video request, which would be prohibitively expensive. Therefore, users must use this platform and other internet video platforms circumspectly, Dubin warns. 

Another potential civilian application of this gap is to track ads and count how many ads users are exposed to on a given platform, information which is valuable to internet marketing companies. 

One positive aspect, which is still being researched, is the possibility to assess video quality without breaking the encryption. “Internet service providers want to ensure they are providing high quality streaming, however, encryption has made determining such information much more challenging,” says Dubin.