Online Privacy - What You Need to Know


Surveillance: Government and Private
Governmental: location tracking*
  In The Matter of … The Release Of Historical Cell-Site Information
  U. S. v. Jones
Typically illegal purpose: viruses, worms, trojans, spyware, rootkits
Typically legal purpose: cookies, web bugs, fingerprinting, mobile device apps
*http://www.nytimes.com/2012/04/01/us/police-tracking-of-cellphones-raisesprivacy-fears.html?_r=1
The Malware Onslaught

2010: 20 million distinct new strains of malware, about 63,000 a day.
2011: Daily average increased to 73,190 for the first quarter.
Worldwide infection rates range from 25% to 60% of computers.
Mobile devices are the new target.
Our defenses are overwhelmed.
What? Why? Respond?

Our questions



What do our watchers do?
Why do they do it?
How can we—should we—respond?
Cookies

A cookie is a small bit of text that the site you visit leaves on your computer.
  UserID A9A3BECE0563982D www.goto.com/
Like putting a band on a wild bird to identify it in the future.
How First Party Cookies Work
Browser visits cnn.com and asks: Do I have a cnn.com cookie?
  No: Server gets no cookie information so it sends a cookie.
  Yes: Send information.
How Third Party Cookies Work
Browser visits cnn.com, which shows a banner ad from a DoubleClick affiliate, and asks: Do I have a DoubleClick cookie?
  No: DoubleClick gets no cookie information so it sends a cookie.
  Yes: Send information to the DoubleClick server.
Flash Cookies




Flash cookies are installed by sites running Adobe Flash.
They are not normally blocked by browser “no cookie” settings.
They are harder to remove than ordinary cookies.
They serve the same functions.
Web Bugs

Sample web bug


img src=http://ad.doubleclick.net/ad/. . .
The browser reacts much like it does to a
cookie.
How Web Bugs Work
Diagram: Browser, cnn.com (cookie, DoubleClick web bug), DoubleClick server.
Send information:
  Your IP address
  The URL of “bugged” web page
  The time the bug was viewed
  Your browser type
  Cookie information
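An added example, not part of the original slides: a small audit of one page load that reports what each third-party site received, covering both the third-party cookie flow and the web bug flow described above. The hosts news.example and tracker.example are placeholders standing in for the first party and the ad network; siteOf, auditThirdParties and the request records are constructed for illustration.

```javascript
// Naive "site" = last two host labels. Assumption for this example only:
// real tools use the Public Suffix List (this breaks on co.uk and similar).
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Summarise what each third-party site received during one page load.
function auditThirdParties(pageUrl, requests) {
  const firstParty = siteOf(pageUrl);
  const report = new Map();
  for (const r of requests) {
    const site = siteOf(r.url);
    if (site === firstParty) continue; // first-party request, not audited
    const entry = report.get(site) ||
      { requests: 0, cookieIds: new Set(), sawPageUrl: false, webBugs: 0 };
    entry.requests += 1;
    if (r.headers.cookie) entry.cookieIds.add(r.headers.cookie);
    if (r.headers.referer === pageUrl) entry.sawPageUrl = true;
    // A web bug is typically a 1x1 image requested only for its side effects.
    if (r.type === 'image' && r.width === 1 && r.height === 1) entry.webBugs += 1;
    report.set(site, entry);
  }
  return report;
}

// Constructed sample: requests a browser makes while rendering one page.
const PAGE = 'http://www.news.example/world/story.html';
const SAMPLE_REQUESTS = [
  { url: PAGE, type: 'document', headers: { cookie: 'session=abc' } },
  { url: 'http://ads.tracker.example/banner.gif', type: 'image', width: 468, height: 60,
    headers: { cookie: 'id=0123456789ABCDEF', referer: PAGE } },
  { url: 'http://ads.tracker.example/pixel.gif', type: 'image', width: 1, height: 1,
    headers: { cookie: 'id=0123456789ABCDEF', referer: PAGE } },
  { url: 'http://static.cdn.example/lib.js', type: 'script', headers: { referer: PAGE } },
];

for (const [site, e] of auditThirdParties(PAGE, SAMPLE_REQUESTS)) {
  console.log(site, e.requests, [...e.cookieIds], e.sawPageUrl, e.webBugs);
}
```

The same cookie value arriving with a different page URL on every site that embeds the tracker is what lets one server link visits across sites.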
Browser Fingerprinting


Your browser sends information to web servers to uniquely identify you.
When you visit a web site, the browser sends
  - The user-agent string
  - The HTTP accept information
  - With JavaScript
    - Screen resolution
    - All plug-ins
    - Time zone
  - With Flash
    - System fonts
Enough of this . . . uniquely identifies the computer.
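An added example, not part of the original slides: it measures how attributes like those listed above combine into an identifier, by counting unique fingerprints and their entropy in bits over a population. The population, the attribute values and the function names are constructed for illustration.

```javascript
// Combine the chosen attributes into one fingerprint string.
function fingerprint(browser, attrs) {
  return attrs.map((a) => `${a}=${browser[a]}`).join('|');
}

// Count how many browsers in the population share each fingerprint.
function groupSizes(population, attrs) {
  const counts = new Map();
  for (const b of population) {
    const key = fingerprint(b, attrs);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy (in bits) of the fingerprint over the population.
function entropyBits(population, attrs) {
  let h = 0;
  for (const n of groupSizes(population, attrs).values()) {
    const p = n / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Number of browsers whose fingerprint nobody else shares.
function uniqueCount(population, attrs) {
  let unique = 0;
  for (const n of groupSizes(population, attrs).values()) {
    if (n === 1) unique += 1;
  }
  return unique;
}

// Constructed population: every combination of three two-valued attributes.
const POPULATION = [];
for (const userAgent of ['Firefox/11.0', 'Chrome/18.0'])
  for (const resolution of ['1920x1080', '1366x768'])
    for (const timezone of ['UTC-5', 'UTC+1'])
      POPULATION.push({ userAgent, resolution, timezone });

for (const attrs of [['userAgent'], ['userAgent', 'resolution'],
                     ['userAgent', 'resolution', 'timezone']]) {
  console.log(attrs.join('+'), entropyBits(POPULATION, attrs), uniqueCount(POPULATION, attrs));
}
```

No single attribute singles out anyone here, yet the three together make every browser unique, and each extra independent attribute adds its bits to the total.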
Fingerprinting Companies

“With BlueCava, you can persistently identify devices
again and again (and again!), despite cookie erosion,
system upgrades, or changes in settings.”


http://www.bluecava.com/what-we-do/
“Cookie-driven intelligence . . . is becoming obsolete.
Consumer protection legislation, private browsing
options and the proliferation of cookie-resistant mobile
devices are all ushering this era to an end. . . Enter
AdTruth™, whose patented device recognition
technology delivers increased audience visibility without
compromising privacy or performance.”

http://www.adtruth.com/
Fingerprinting Companies

Advestigo
  http://www.advestigo.com/french/produits-ampservices/produits/advestigate-/introduction-/id-menu83.html
41st Parameter
  http://www.the41.com/marketing.asp
Akamai
  http://www.akamai.com/html/solutions/ads_predictive_segments.html
Pay-With-Data Exchanges



When you visit Audacity's website (presumably to
download the free audio recording software from
Audacity), you agree that Audacity may collect your
information and use it to send you advertising.
Billions of such pay-with-data exchanges occur daily.
They feed information to a complex advertising
ecosystem that constructs individual profiles for
behavioral advertising.
Here Comes Everybody


Use of tracking cookies is very widespread.
Right Media Exchange


MediaMath


62 billion a year; and
Pubmatic


13 billion daily;
TARGUSinfo


9 billion advertising purchases daily;
100,000 per second.
Google’s AdSense

1.5 million websites and advertisers.
Growth of Behavioral Advertising
Defenses

Technological
  Block
  Delete
Legal
  Notice and Choice
  Do Not Track
Blocking Third Party Cookies

You can set your browser to block third party
cookies.


How you do it depends on the browser. Firefox gives
the most options and best protection.
It is easy for (what is really) a third party cookie
to be set as a first party cookie.

25% of the cookies permitted are still tracking cookies.
  German Gomez, Julian Yalaju, Mario Garcia, Chris Hoofnagle, Cookie Blocking and Privacy: First Parties Remain a Risk

Flash cookies not typically blocked.
Deleting Cookies

There are many programs.
  Malwarebytes, SUPERAntiSpyware
They vary in what they regard as deletable.
They vary in what they detect.
They do not detect all that they try to detect.
Fingerprinting

It is difficult to stop fingerprinting.
  Not without significant changes to how browsers currently work.
  For discussion, see https://panopticlick.eff.org/.
You can use Tor.
  https://www.torproject.org/about/overview.html.en
  But performance suffers, and
  Tor’s anonymity can be exploited for malicious means.
Tor
Notice and Choice


Assume informed consent requires awareness of the specific ways in which the information will be used.
Then “notice”
  does not,
  cannot,
  and should not
yield informed consent.
A “Do Not Track” Button?

What if you could click a button and it would send a
request to every website you visited that it should not
track you for advertising purposes?


The button activates an HTTP header transmitted to each
webpage.
Would websites comply?
It Is Not A War


We want more control over our information, but without giving up the advantages that information processing secures:
  Increased relevance
  Increased efficiency
  Improved security
  Personalization.
We are willing to trade.
Not a war but a negotiation.
What We Do Not Want



We do not want—should not want—to put an end to behavioral advertising.
There are too many pluses. What we want—should want—is a better tradeoff of pluses and minuses.
A tradeoff over which we have appropriate control, not one unilaterally imposed by businesses.
What We Get: Trapped In Submission

Most acquiesce to advertisers’ information processing demands.
So: advertisers can ignore the few who will not use a website unless it conforms to their privacy preferences.
So our choices are: (a) use the site and submit to behavioral advertising, and (b) not use the site.
Most choose “use and submit.”
So: