Presented by: Ben Williams

advertisement
Presented by: Ben Williams
Outline:
 What is privacy?
 Value of private information
 Industry and Government response
 Advertising
 Search results
 Real world impacts
 Personal safety
 Browser versus mobile.
 How to protect your privacy.
What is Privacy?
 Merriam-Webster Dictionary defines privacy as
“freedom from unauthorized intrusion”
 Online privacy is protecting your information online,
whether you chose to willingly share that information
or not.
 “If you aren't doing anything wrong, what do you have
to hide?” versus “If I'm not doing anything wrong, then
you have no cause to watch me.”
 Computer security researcher Bruce Schneier in 2006
had the following to say on privacy: “For if we are
observed in all matters, we are constantly under threat
of correction, judgment, criticism, even plagiarism of
our own uniqueness. We become children, fettered
under watchful eyes, constantly fearful that -- either
now or in the uncertain future -- patterns we leave
behind will be brought back to implicate us, by
whatever authority has now become focused upon our
once-private and innocent acts. We lose our
individuality, because everything we do is observable
and recordable.”
Value of Private Information
 Toysmart.com
 Disney-owned company specializing in online toy sales
 Collected customer information such as: names, addresses,
buying preferences, family profiles such as names, ages,
birthdates, toy preferences of children, etc. (first recorded
violation of COPPA)
 Since September 1999, the posted privacy policy stated
personal information would never be shared with third
parties, backed by TRUSTe
 May 22, 2000 filed for bankruptcy protection, consulting
company brought in to sell assets
 FTC intervened, in the end Toysmart received $50,000 from
Disney subsidiary Buena Vista Internet Group for destroying
their customer database
Industry & Government Response
 Privacy Preferences Project (P3P) was created 10 years ago
and implemented in Internet Explorer
 White House Feb. 2012: Consumer Privacy Bill of
Rights
 Do Not Track agreement - Google, Yahoo, Microsoft,
AOL are on board
 FTC enforced
Advertising
 Facebook
 Facebook generated $4.27 billion in revenue last year.
 What is their product?
 Facebook says: “Our privacy policy is clear: we’re permitted to
help our advertising customers measure the effectiveness of
their ads, so advertisers receive anonymised, aggregated data
about ad performance – for example, clickthrough rates
within specific demographic groups – so they can optimise
campaigns. If the advertiser chooses to run the advert, we
serve the advert to people who meet the criteria the advertiser
selected, but we don’t tell the advertiser who any of those
people are.”
 Facebook protects your personal data. If they gave it
away it would erode their ability to target ads so
exclusively.
 In 2010 researchers at Stanford University described a
method of breaching user privacy through
microtargeted advertising on Facebook. Though
Facebook changed their advertising system to make this
more difficult, it is still possible today.
 RapLeaf profiles users by name
Search Results
 Many online search providers tailor search results based on user
information.
 Results are filtered based on your search history, preferences, search
results selected, ads viewed, etc. (“Filter bubble”
http://www.thefilterbubble.com/ted-talk)
 “Search Leakage” – HTTP referrer header includes search term
 Google
 Circumvention of Safari privacy features (and subsequent classaction lawsuit) for tracking via Google-owned DoubleClick
 New privacy policy to allow sharing data between Google-owned
services.
 Returning personalized results and ads isn’t that bad compared
to viruses, botnets, etc. But it’s a slippery slope.
Real World Impacts
 Private information publicly disclosed
 Netflix prize contest in 2006 – handed out anonymized
data on over 480,000 customers. U. Texas researchers
correlated that data with publicly available IMDB ratings
to determine identities. A second prize contest was
initially planned to include ages, genders, and ZIP codes
– a lawsuit made the company reconsider.
 iPhone & Android tracking – location information
available on devices or relayed to app developers/carriers
in some cases (iOS 4, CarrierIQ, etc.)
 Metadata from files posted online (exiftool, irfanview)
 PDF documents and Office files can contain author,
editor, creation/modify/print date & time, creation
software, etc.
 Images can contain creation date & time, camera model,
lens used, focal length, shutter speed, other camera
settings, GPS position
 In 2007 a new fleet of helicopters arrived at a base in
Iraq and soldiers took photos and uploaded images to
the internet. The enemy was able to determine the
exact location of the helicopters from the image
metadata and conduct a mortar attack, destroying
four helicopters.
 Life insurance company Aviva has begun using
“predictive modeling” based on consumer-marketing
data as a replacement for a checkup and lab analysis
for predicting people’s longevity.
 Deloitte Consulting LLP is promoting this use of
consumer data in the insurance industry.
 Deloitte’s models assume many diseases relate to
lifestyle factors such as exercise habits and diet.
 Cheaper ($5 vs $125), perceived as less intrusive.
 American International Group (AIG) and Prudential
Financial Inc. are exploring similar technologies.
Personal Safety
 Physical tracking – Path Intelligence’s Footpath
 How do modern thieves know you are on vacation?
 Should deployed soldiers have concerns with their
families posting photos online?
 What if foreign governments requested information
from advertising companies during the Arab Spring?
 Consumers view privacy as a worthwhile, just not
worth very much. A study of online consumers found
they were reluctant to spend more than $0.65 more to
buy a product from a site with better privacy policies.
Browser Versus Mobile
 Browser – tracking typically occurs with cookies, flash
cookies, supercookies, and “zombie” cookies
 Mobile – built-in GPS, microphone, contacts and
account info stored on the phone
 Apps often have access to information they should not,
and limited or no notification to the user when GPS,
camera, or microphone are activated by an app.
 Consumers often do not thoroughly review apps to see
what they are requesting access to.
 Lost devices - many devices still do not support full disk
encryption.
How To Protect Your Privacy
 Disable GPS tagging of images for mobile devices and




cameras.
Use built-in utilities to remove metadata from MS Office
and PDF files
TRUSTe
Carefully choose your search engine (Startpage/Ixquick,
DuckDuckGo, other privacy focused search engines)
Use do-not-track options in browsers




Firefox has a “Do Not Track” option in preferences (+mobile)
Chrome utilizes a third party extension: “Keep My Opt-Outs”
Safari included “Do Not Track” option starting w/Lion
IE included a more difficult to use solution in IE 9
Privacy apps/plugins/add-ons
 HTTPS Everywhere (FF/Chrome)
 NoScript(FF)/ScriptNo(Chrome)/NotScripts(Opera)
 Ghostery (IE/FF/Chrome/Safari)
 Disconnect (FF/Chrome/Safari)
 BetterPrivacy (FF)
 Beef Taco (FF)
 AdBlock(Chrome/Safari)/AdBlock Plus(FF/Chrome)
 Abine (FF)
 Tor (Windows/Mac/Linux/Mobile)
References:
 http://theory.stanford.edu/~korolova/Privacy_violations_using_microtargeted
_ads.pdf
 http://www.wired.com/epicenter/2011/11/mall-pull-plug-cell-tracking/
 http://arstechnica.com/tech-policy/news/2012/02/can-do-not-track-tame-thewebs-cookie-monsters.ars
 http://www.technolog.msnbc.msn.com/technology/technolog/us-armysoldiers-check-ins-can-kill-405150
 http://www.pcpro.co.uk/features/373735/how-social-networks-sold-yourprivacy
 https://threatpost.com/en_us/blogs/value-data-privacy-consumers-about-65cents-031412
 http://www.wired.com/threatlevel/2009/12/netflix-privacy-lawsuit/
 https://www.infoworld.com/t/internet-privacy/zombie-cookies-wont-diemicrosoft-admits-use-and-html5-looms-new-vector-170511
 http://www.whitehouse.gov/sites/default/files/emailfiles/privacy_white_paper.pdf
 http://online.wsj.com/article/SB100014240527487046486045756207509980729
86.html
Download