Image: Kilito Chan/GettyImages
It’s unclear exactly how fingerprinting every PDF downloaded could actually prevent ransomware. Jonny Saunders, a neuroscience PhD candidate at the University of Oregon, who discovered the practice, said he believes Elsevier is trying to surveil its users and prevent people from sharing research without paying the company.
“The subtext there is pretty loud to me,” Saunders told Motherboard in an online chat. “Those breaches/ransoms are really a pretext for saying ‘universities need to lock down accounts so people can't skim PDFs.’”
“When you have stuff that you don't want other people to give away for free, you want some way of finding out who is giving it away, right?” they added.
Moreover, Saunders said, Elsevier’s claim that there is no metadata or personal data captured is disingenuous, given that the company itself admits it uses this system to identify whose accounts have been breached.
“Saying that the unique identifiers *themselves* don't contain PII is a semantic dodge: the way identifiers like these work is to be able to match them later with other identifying information stored at the time of download like browser fingerprint, institutional credentials, etc,” Saunders said. “Justifying them as a tool to protect against ransomware is a straightforward admission that these codes are intended to identify the downloader: how would they help if not by identifying the compromised account or system?”
The company’s spokesperson did not respond to Saunders' allegations.
Do you know of any other companies or organizations doing this type of tracking? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com