Extra Lecture: Privacy On The Web (History Stealing, Fingerprinting, DNT, Etc.)
“If you are not paying for it, you're not the customer;
you're the product being sold” – Andrew Lewis, 2002
Advertising on the Web
• By and large, advertising provides the money for web services and apps
• 90% of Google’s $6 Billion in revenue came from ads in 2014
How is this information collected, shared, and used for targeted advertising?
Tracking
Cookies, Flash Cookies, E-tags, Evercookies, Supercookies!
DNT
Fingerprinting
IP Address Tracking
[Figure: maps.google.com includes the third-party script below. Labels on the diagram: Set-Cookie: _gads=saf9vDFDsP0w3 and Cookie: _gads=saf9vDFDsP0w3]
<script src="http://www.googletagservices.com/tag/js/gpt.js?id=gmaps">
Social Widgets
[Figure: yelp.com and maps.google.com each embed the facebook.com iframe below. Labels on the diagram: Set-Cookie: presence=saf9vDFDsP0w3 and Cookie: presence=saf9vDFDsP0w3 (facebook.com)]
<iframe src="http://www.facebook.com/button.html">
The Targeted Advertising Ecosystem
[Figure: Consumers, Publishers, Ad Networks, Ad Exchanges & Ad Auctions, Companies. Labels on the diagram: "Target 18-25 year old males", Cookie=A2f5g…, coke_ad.gif, Ads, and bid labels for Rubicon, AdNexus and Rocketfuel]
• Users did not respond well when they found out about tracking
• Many started clearing their cookies to avoid tracking
• Ad networks fought back using Evercookies
• HTTP, HTML, and plugins provide many ways to store state on clients
• Evercookies are placed in all available storage locations
• If the cookie is deleted, it can be regenerated from the ‘backups’ in other locations
Evercookies
HTTP features
• Cookies
• E-tags – values set by the server that are supposed to be used for page caching
• Cached HTTP authentication credentials
HTML features
• window.name
• HTML5 localstorage
• HTML5 indexeddb
• HTML5 web database
• Web history (more on this later)
Plugins
• Flash Local Shared Objects (LSOs)
• Silverlight Isolated Storage
• Java PersistenceService
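A defender's check for the respawning behaviour described above, added here as an example and not part of the original lecture: from storage snapshots taken before clearing cookies, after clearing, and after the next page load, it reports identifiers mirrored across storage locations and cookies that came back with the same value. The snapshot layout, the location names (`cookies`, `localStorage`, `etag`, `flashLSO`) and all values are constructed assumptions.

```javascript
// Snapshots map storage location -> { key: value } for one site.
// All data here is constructed for illustration.
const ID = "c0nstructedId0001";
const before = {
  cookies: { uid: ID, lang: "en-US" },
  localStorage: { _bk: ID, theme: "dark" },
  etag: { "/pixel.gif": ID },
  flashLSO: { bk: ID },
};
// The user clears cookies; the other stores are untouched.
const afterClear = { ...before, cookies: {} };
// On the next page load the cookie is back.
const afterReload = { ...afterClear, cookies: { uid: ID } };

// Locations in a snapshot that hold `value` under any key.
function locationsHolding(snapshot, value) {
  return Object.keys(snapshot)
    .filter((loc) => Object.values(snapshot[loc]).includes(value))
    .sort();
}

// Values long enough to be identifiers that are mirrored in 2+ locations.
function replicatedValues(snapshot, minLen = 12) {
  const seen = new Set(Object.values(snapshot).flatMap((s) => Object.values(s)));
  return [...seen]
    .filter((v) => typeof v === "string" && v.length >= minLen)
    .map((v) => ({ value: v, locations: locationsHolding(snapshot, v) }))
    .filter((r) => r.locations.length >= 2);
}

// Cookies deleted by the user that came back with the same value, plus the
// surviving stores that could have served as the backup.
function respawnedCookies(before, afterClear, afterReload) {
  const out = [];
  for (const [name, value] of Object.entries(before.cookies)) {
    const deleted = !(name in afterClear.cookies);
    const restored = afterReload.cookies[name] === value;
    if (deleted && restored) {
      out.push({ name, value, backups: locationsHolding(afterClear, value) });
    }
  }
  return out;
}

console.log(replicatedValues(before));
console.log(respawnedCookies(before, afterClear, afterReload));
```

A non-empty result from `respawnedCookies` means clearing cookies alone did not remove the identifier; the `backups` list names the stores that also have to be cleared.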
Mitigations Against Tracking Cookies
• Opting-out
• In an effort to stave off regulation, many online ad networks have voluntarily joined the AdChoices program
• AdChoices allows you to opt-out of some targeted advertising
• Ironically, the opt-out is stored as a cookie in your browser
• Incognito/Private browsing mode
• Starts a fresh browser instance with no cookies
• All cookies are erased when the instance closes
• Warning: plugins may still persist evercookie information
• Extensions
• Adblock, Ghostery, Disconnect, PrivacyBadger, NoScript, uMatrix
Do Not Track
• Proposed in 2009 by Christopher Soghoian, Sid Stamm, and Dan Kaminsky
• HTTP header that informs third-parties you do not wish to be tracked
• Supported by most modern browsers (but typically off by default)
• The original aim was to get buy-in from regulators and advertisers
• Instead, the whole effort became controversial and politicized
• Today, no laws or regulations mandate compliance with DNT
• Digital Advertising Alliance does not require its members to honor DNT
• Issues
• Microsoft attempted to set DNT: 1 by default in IE 10
• Advertisers revolted and refused to support the initiative
• What is the expected behavior of Do Not Track?
• Can a third-party retain data for other purposes like analytics, debugging, or security audits?
• Can an advertiser store data but simply not use it to target ads?
Beyond Tracking Cookies
GET / HTTP/1.1
Host: www.google.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.68 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: _session=aAB4m3rf8weG224
More Sources of Uniqueness
N = 4638
Canvas Fingerprinting
• Basic approaches
• Clear your history, or configure your browser to not store history
• Disable styling of visited links
• Disable Javascript
• Fixes implemented by Mozilla in 2010
• CSS may only alter specific properties of :visited links versus :unvisited
• Foreground and background color, outline, border, SVG stroke, and fill color
• None of these properties impact the size or layout of surrounding elements
• Javascript may no longer read certain style properties of links
• All links appear to have unvisited colors
• Changes to the rendering engine to make all links render in equal time
Final Thoughts
1. Evercookies: http://samy.pl/evercookie/
2. Panopticlick (browser fingerprinting): https://panopticlick.eff.org/
3. Canvas fingerprinting examples: https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html
4. History stealing example: http://www.dicabrio.com/javascript/steal-history.php
5. Plugging the CSS history leak: https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/