Presented by: Ben Williams Outline: What is privacy? Value of private information Industry and Government response Advertising Search results Real world impacts Personal safety Browser versus mobile. How to protect your privacy. What is Privacy? Merriam-Webster Dictionary defines privacy as “freedom from unauthorized intrusion” Online privacy is protecting your information online, whether you chose to willingly share that information or not. “If you aren't doing anything wrong, what do you have to hide?” versus “If I'm not doing anything wrong, then you have no cause to watch me.” Computer security researcher Bruce Schneier in 2006 had the following to say on privacy: “For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that -- either now or in the uncertain future -- patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.” Value of Private Information Toysmart.com Disney-owned company specializing in online toy sales Collected customer information such as: names, addresses, buying preferences, family profiles such as names, ages, birthdates, toy preferences of children, etc. (first recorded violation of COPPA) Since September 1999, the posted privacy policy stated personal information would never be shared with third parties, backed by TRUSTe May 22, 2000 filed for bankruptcy protection, consulting company brought in to sell assets FTC intervened, in the end Toysmart received $50,000 from Disney subsidiary Buena Vista Internet Group for destroying their customer database Industry & Government Response Privacy Preferences Project (P3P) was created 10 years ago and implemented in Internet Explorer White House Feb. 2012: Consumer Privacy Bill of Rights Do Not Track agreement - Google, Yahoo, Microsoft, AOL are on board FTC enforced Advertising Facebook Facebook generated $4.27 billion in revenue last year. What is their product? Facebook says: “Our privacy policy is clear: we’re permitted to help our advertising customers measure the effectiveness of their ads, so advertisers receive anonymised, aggregated data about ad performance – for example, clickthrough rates within specific demographic groups – so they can optimise campaigns. If the advertiser chooses to run the advert, we serve the advert to people who meet the criteria the advertiser selected, but we don’t tell the advertiser who any of those people are.” Facebook protects your personal data. If they gave it away it would erode their ability to target ads so exclusively. In 2010 researchers at Stanford University described a method of breaching user privacy through microtargeted advertising on Facebook. Though Facebook changed their advertising system to make this more difficult, it is still possible today. RapLeaf profiles users by name Search Results Many online search providers tailor search results based on user information. Results are filtered based on your search history, preferences, search results selected, ads viewed, etc. (“Filter bubble” http://www.thefilterbubble.com/ted-talk) “Search Leakage” – HTTP referrer header includes search term Google Circumvention of Safari privacy features (and subsequent classaction lawsuit) for tracking via Google-owned DoubleClick New privacy policy to allow sharing data between Google-owned services. Returning personalized results and ads isn’t that bad compared to viruses, botnets, etc. But it’s a slippery slope. Real World Impacts Private information publicly disclosed Netflix prize contest in 2006 – handed out anonymized data on over 480,000 customers. U. Texas researchers correlated that data with publicly available IMDB ratings to determine identities. A second prize contest was initially planned to include ages, genders, and ZIP codes – a lawsuit made the company reconsider. iPhone & Android tracking – location information available on devices or relayed to app developers/carriers in some cases (iOS 4, CarrierIQ, etc.) Metadata from files posted online (exiftool, irfanview) PDF documents and Office files can contain author, editor, creation/modify/print date & time, creation software, etc. Images can contain creation date & time, camera model, lens used, focal length, shutter speed, other camera settings, GPS position In 2007 a new fleet of helicopters arrived at a base in Iraq and soldiers took photos and uploaded images to the internet. The enemy was able to determine the exact location of the helicopters from the image metadata and conduct a mortar attack, destroying four helicopters. Life insurance company Aviva has begun using “predictive modeling” based on consumer-marketing data as a replacement for a checkup and lab analysis for predicting people’s longevity. Deloitte Consulting LLP is promoting this use of consumer data in the insurance industry. Deloitte’s models assume many diseases relate to lifestyle factors such as exercise habits and diet. Cheaper ($5 vs $125), perceived as less intrusive. American International Group (AIG) and Prudential Financial Inc. are exploring similar technologies. Personal Safety Physical tracking – Path Intelligence’s Footpath How do modern thieves know you are on vacation? Should deployed soldiers have concerns with their families posting photos online? What if foreign governments requested information from advertising companies during the Arab Spring? Consumers view privacy as a worthwhile, just not worth very much. A study of online consumers found they were reluctant to spend more than $0.65 more to buy a product from a site with better privacy policies. Browser Versus Mobile Browser – tracking typically occurs with cookies, flash cookies, supercookies, and “zombie” cookies Mobile – built-in GPS, microphone, contacts and account info stored on the phone Apps often have access to information they should not, and limited or no notification to the user when GPS, camera, or microphone are activated by an app. Consumers often do not thoroughly review apps to see what they are requesting access to. Lost devices - many devices still do not support full disk encryption. How To Protect Your Privacy Disable GPS tagging of images for mobile devices and cameras. Use built-in utilities to remove metadata from MS Office and PDF files TRUSTe Carefully choose your search engine (Startpage/Ixquick, DuckDuckGo, other privacy focused search engines) Use do-not-track options in browsers Firefox has a “Do Not Track” option in preferences (+mobile) Chrome utilizes a third party extension: “Keep My Opt-Outs” Safari included “Do Not Track” option starting w/Lion IE included a more difficult to use solution in IE 9 Privacy apps/plugins/add-ons HTTPS Everywhere (FF/Chrome) NoScript(FF)/ScriptNo(Chrome)/NotScripts(Opera) Ghostery (IE/FF/Chrome/Safari) Disconnect (FF/Chrome/Safari) BetterPrivacy (FF) Beef Taco (FF) AdBlock(Chrome/Safari)/AdBlock Plus(FF/Chrome) Abine (FF) Tor (Windows/Mac/Linux/Mobile) References: http://theory.stanford.edu/~korolova/Privacy_violations_using_microtargeted _ads.pdf http://www.wired.com/epicenter/2011/11/mall-pull-plug-cell-tracking/ http://arstechnica.com/tech-policy/news/2012/02/can-do-not-track-tame-thewebs-cookie-monsters.ars http://www.technolog.msnbc.msn.com/technology/technolog/us-armysoldiers-check-ins-can-kill-405150 http://www.pcpro.co.uk/features/373735/how-social-networks-sold-yourprivacy https://threatpost.com/en_us/blogs/value-data-privacy-consumers-about-65cents-031412 http://www.wired.com/threatlevel/2009/12/netflix-privacy-lawsuit/ https://www.infoworld.com/t/internet-privacy/zombie-cookies-wont-diemicrosoft-admits-use-and-html5-looms-new-vector-170511 http://www.whitehouse.gov/sites/default/files/emailfiles/privacy_white_paper.pdf http://online.wsj.com/article/SB100014240527487046486045756207509980729 86.html