Entries Tagged "tracking"


State of Online Tracking

Really interesting research: “Online tracking: A 1-million-site measurement and analysis,” by Steven Englehardt and Arvind Narayanan:

Abstract: We present the largest and most detailed measurement of online tracking conducted to date, based on a crawl of the top 1 million websites. We make 15 types of measurements on each site, including stateful (cookie-based) and stateless (fingerprinting-based) tracking, the effect of browser privacy tools, and the exchange of tracking data between different sites (“cookie syncing”). Our findings include multiple sophisticated fingerprinting techniques never before measured in the wild.

This measurement is made possible by our web privacy measurement tool, OpenWPM, which uses an automated version of a full-fledged consumer browser. It supports parallelism for speed and scale, automatic recovery from failures of the underlying browser, and comprehensive browser instrumentation. OpenWPM is open-source and has already been used as the basis of seven published studies on web privacy and security.

Summary in this blog post.

Posted on May 23, 2016 at 5:33 AM

Company Tracks Iowa Caucusgoers by their Cell Phones

It’s not just governments. Companies like Dstillery are doing this too:

“We watched each of the caucus locations for each party and we collected mobile device ID’s,” Dstillery CEO Tom Phillips said. “It’s a combination of data from the phone and data from other digital devices.”

Dstillery found some interesting things about voters. For one, people who loved to grill or work on their lawns overwhelmingly voted for Trump in Iowa, according to Phillips. There were some pretty unexpected characteristics that came up too.

“NASCAR was the one outlier, for Trump and Clinton,” Phillips said. “In Clinton’s counties, NASCAR way over-indexed.”

Kashmir Hill wondered how:

What really happened is that Dstillery gets information from people’s phones via ad networks. When you open an app or look at a browser page, there’s a very fast auction that happens where different advertisers bid to get to show you an ad. Their bid is based on how valuable they think you are, and to decide that, your phone sends them information about you, including, in many cases, an identifying code (that they’ve built a profile around) and your location information, down to your latitude and longitude.

Yes, for the vast majority of people, ad networks are doing far more information collection about them than the NSA—but they don’t explicitly link it to their names.

So on the night of the Iowa caucus, Dstillery flagged all the auctions that took place on phones in latitudes and longitudes near caucus locations. It wound up spotting 16,000 devices on caucus night, as those people had granted location privileges to the apps or devices that served them ads. It captured those mobile ID’s and then looked up the characteristics associated with those IDs in order to make observations about the kind of people that went to Republican caucus locations (young parents) versus Democrat caucus locations. It drilled down farther (e.g., ‘people who like NASCAR voted for Trump and Clinton’) by looking at which candidate won at a particular caucus location.

Okay, so it didn’t collect names. But how much harder could that have been?
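The mechanism Hill describes, as an added example that is not from the original post or from Dstillery: constructed OpenRTB-style bid requests carrying a device ID and coordinates, the geofence lookup an intermediary can run when the coordinates are precise, and what is left of that inference once the app truncates coordinates to a roughly 1 km grid cell before the request leaves the phone. The venue, device IDs, coordinates and the 150 m radius are all assumptions.

```python
import math

# Constructed sample of OpenRTB-style bid requests as an ad-tech intermediary
# would see them. The venue, device ids and coordinates are invented.
VENUE = (41.5912, -93.6187)   # hypothetical caucus site (lat, lon)
RADIUS_M = 150.0              # "at the venue" if the device is within this distance
BID_REQUESTS = [
    {"device_id": "ifa-0001", "lat": 41.5914, "lon": -93.6185},
    {"device_id": "ifa-0002", "lat": 41.5909, "lon": -93.6190},
    {"device_id": "ifa-0003", "lat": 41.5960, "lon": -93.6120},  # about 800 m away
    {"device_id": "ifa-0001", "lat": 41.5913, "lon": -93.6188},  # same device, later auction
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def devices_at_venue(requests, venue=VENUE, radius_m=RADIUS_M):
    """With full-precision coordinates the observer can simply list every
    device seen within radius_m of the venue, across auctions."""
    return {r["device_id"] for r in requests
            if haversine_m(r["lat"], r["lon"], *venue) <= radius_m}

def coarsen(lat, lon, decimals=2):
    """Mitigation applied in the app or SDK before the request leaves the device:
    truncate to a grid cell (2 decimals is about 1.1 km x 0.8 km at this latitude)."""
    s = 10 ** decimals
    return math.floor(lat * s) / s, math.floor(lon * s) / s

def venue_probability(lat, lon, venue=VENUE, radius_m=RADIUS_M, decimals=2, n=60):
    """What a coarsened request tells the observer: the device is somewhere in
    the cell, so P(at venue) is the fraction of the cell lying within radius_m
    of the venue, estimated here on an n x n grid of points."""
    cell_lat, cell_lon = coarsen(lat, lon, decimals)
    step = 10.0 ** -decimals
    inside = 0
    for i in range(n):
        for j in range(n):
            plat = cell_lat + (i + 0.5) * step / n
            plon = cell_lon + (j + 0.5) * step / n
            if haversine_m(plat, plon, *venue) <= radius_m:
                inside += 1
    return inside / (n * n)
```

With full precision the two devices inside 150 m of the venue are listed outright; after truncation the attendee and the device 800 m away land in the same cell, and the observer gets the same roughly 7% for both.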

Posted on March 2, 2016 at 6:34 AM

Tracking Anonymous Web Users

This research shows how to track e-commerce users better across multiple sessions, even when they do not provide unique identifiers such as user IDs or cookies.

Abstract: Targeting individual consumers has become a hallmark of direct and digital marketing, particularly as it has become easier to identify customers as they interact repeatedly with a company. However, across a wide variety of contexts and tracking technologies, companies find that customers cannot be consistently identified, which leads to a substantial fraction of anonymous visits in any CRM database. We develop a Bayesian imputation approach that allows us to probabilistically assign anonymous sessions to users, while accounting for a customer’s demographic information, frequency of interaction with the firm, and activities the customer engages in. Our approach simultaneously estimates a hierarchical model of customer behavior while probabilistically imputing which customers made the anonymous visits. We present both synthetic and real data studies that demonstrate our approach makes more accurate inference about individual customers’ preferences and responsiveness to marketing, relative to common approaches to anonymous visits: nearest-neighbor matching or ignoring the anonymous visits. We show how companies who use the proposed method will be better able to target individual customers, as well as infer how many of the anonymous visits are made by new customers.

Posted on February 5, 2016 at 6:56 AM

El Chapo's Opsec

I’ve already written about Sean Penn’s opsec while communicating with El Chapo. Here’s the technique of mirroring, explained:

El Chapo then switched to a complex system of using BBM (Blackberry’s Instant Messaging) and proxies. The way it worked was if you needed to contact The Boss, you would send a BBM text to an intermediary (who would spend his days at a public place with Wi-Fi). This intermediary (or “mirror”) would then transcribe the text to an iPad and then send that over a Wi-Fi network (not cellular networks, which were monitored constantly by law enforcement). This Wi-Fi text was then sent to another cut-out who would finally transcribe the message into a Blackberry BBM text and transmit it to Guzman. Although Guzman continued to use his Blackberry, it was almost impossible to analyze the traffic because it now only communicated with one other device. This “mirror” system is difficult to crack because the intermediaries, or proxies, can constantly change their location by moving to new Wi-Fi spots.

This article claims he was caught because of a large food order:

After construction was complete, the safehouse was quiet. Until 7 January 2016, when a car arrived carrying unknown passengers. Security forces suspected that this was Guzman. There was one final indicator that someone important enough to require an entourage was inside. A white van went off, at midnight, to fetch enough tacos to feed a large group of people. The police raided the house 4 hours later.

Here’s more detail about El Chapo’s opsec at the time of his previous capture.

EDITED TO ADD (2/11): More on his opsec.

Posted on January 21, 2016 at 6:19 AM

Sean Penn's Opsec

This article talks about the opsec used by Sean Penn surrounding his meeting with El Chapo.

Security experts say there aren’t enough public details to fully analyze Penn’s operational security (opsec). But they described the paragraph above as “incomprehensible” and “gibberish.” Let’s try to break it down:

  • Penn describes using “TracPhones,” by which he likely means TracFones, which are cheap phones that take calling cards so they’re not linked to a credit card or account. They’re often called burners, but you don’t actually throw one in the trash after a call; instead you might swap out the SIM card or use different calling cards for different people. Hollywood loves these! Katie Holmes reportedly used one to plan her divorce from Tom Cruise. They’re a reasonable security measure, but they still create phone records that live with, and can be requested from, cell phone carriers.
  • Penn says he “mirror[ed] through Blackphones,” which are relatively expensive phones sold by Silent Circle that offer a more secure operating system than a typical off-the-shelf phone. It runs Internet through a VPN (to shield the user’s IP address and encrypt their Web traffic) and end-to-end encrypts calls and messages sent to other Blackphones. Unlike with the TracFone, Penn would have a credit card tied to the account on this phone. It’s unclear what Penn means when he says he “mirrored” through the phone; the phrase “mirrored” typically means to duplicate something. As he wrote it, it sounds like he duplicated messages on the secure Blackphone that were being sent some other, potentially less secure, way, which would be dumb, if true. “I’m not sure what he means,” said Silent Circle CEO Mike Janke via email. “It’s a strange term and most likely he doesn’t know what he is saying.”
  • Penn says he used “anonymous” email addresses and that he and his companions accessed messages left as drafts in a shared email account. That likely means the emails were stored unencrypted, a bad security practice. If he were sharing the account with a person using an IP address that was the target of an investigation, i.e. any IP address associated with El Chapo’s crew, then all messages shared this way would be monitored. For the record, that did not work out very well for former CIA director David Petraeus, who used draft messages to communicate with his mistress and got busted when her IP address was targeted in an online harassment investigation.
  • Elsewhere in the article, Penn says Guzman corresponded with Mexican actress Kate del Castillo via BBMs (Blackberry messages). Those only have unique end-to-end encryption if a user has opted for BBM Protected. Law enforcement has been able to intercept BBMs in the past. And Mexican officials have told the media that they were monitoring del Castillo for months, following a meeting she had last summer with El Chapo’s lawyers, before she had reached out to Penn. Law enforcement even reportedly got photos of Penn’s arrival at the airport in Mexico.
  • In the most impressive operational, if not personal, security on display, Sean Penn says that when he traveled to Mexico, he left all of his electronics in Los Angeles, knowing that El Chapo’s crew would force him to leave them behind.

There has been lots of speculation about whether this was enough, or whether Mexican officials tracked El Chapo down because of his meeting with Penn.

Posted on January 14, 2016 at 6:32 AM

Tracking Someone Using LifeLock

Someone opened a LifeLock account in his ex-wife’s name, and used the service to track her bank accounts, credit cards, and other financial activities.

The article is mostly about how appalling LifeLock was about this, but I’m more interested in the surveillance possibilities. Certainly the FBI can use LifeLock to surveil people with a warrant. The FBI/NSA can also collect the financial data of every LifeLock customer with a National Security Letter. But it’s interesting how easy it was for an individual to open an account for another individual.

Posted on December 1, 2015 at 5:41 AM

Ads Surreptitiously Using Sound to Communicate Across Devices

This is creepy and disturbing:

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person’s online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Related: a Chrome extension that broadcasts URLs over audio.
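A defender-side check for the mechanism described above, added here and not part of the original post or the cited report: a constructed 0.1 s audio buffer with an audible tone, a low noise floor and an optional 18.5 kHz carrier, plus a Goertzel-based detector that flags a narrow-band carrier standing out from the rest of the 18 to 20 kHz band. The beacon frequency, amplitudes, band and threshold ratio are assumptions; real beacons use their own modulation and frequencies.

```python
import math
import random

SAMPLE_RATE = 44100     # Hz, a typical phone microphone path
DURATION_S = 0.1        # analysis window; 4410 samples give 10 Hz bins
BEACON_HZ = 18500.0     # constructed carrier frequency; real deployments vary

def synth_audio(beacon_amplitude, sample_rate=SAMPLE_RATE, duration=DURATION_S):
    """Constructed test signal: an audible 440 Hz tone standing in for programme
    audio, a low deterministic noise floor, and an optional carrier at BEACON_HZ."""
    rng = random.Random(1234)
    n = int(sample_rate * duration)
    return [math.sin(2 * math.pi * 440.0 * t / sample_rate)
            + beacon_amplitude * math.sin(2 * math.pi * BEACON_HZ * t / sample_rate)
            + rng.gauss(0.0, 0.01)
            for t in range(n)]

def goertzel_power(samples, freq_hz, sample_rate=SAMPLE_RATE):
    """Power in one frequency bin via the Goertzel algorithm (no FFT library
    needed); freq_hz is snapped to the nearest bin for the window length."""
    n = len(samples)
    k = int(0.5 + n * freq_hz / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2

def ultrasonic_beacon_present(samples, sample_rate=SAMPLE_RATE,
                              band=(18000.0, 20000.0), step_hz=100.0, ratio=20.0):
    """Detection rule: a narrow-band carrier shows up as one bin carrying far more
    power than the median of the 18-20 kHz band; broadband hiss does not."""
    nbins = int((band[1] - band[0]) / step_hz) + 1
    powers = sorted(goertzel_power(samples, band[0] + i * step_hz, sample_rate)
                    for i in range(nbins))
    median = powers[len(powers) // 2]
    return powers[-1] >= ratio * max(median, 1e-12)
```

The same scan over a microphone capture is what a privacy-monitoring app would run; a carrier at 2% amplitude, far below the audible content, is still hundreds of times above the band's noise median.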

EDITED TO ADD (12/14): More here.

Posted on November 18, 2015 at 6:59 AM

The Advertising Value of Intrusive Tracking

Here’s an interesting research paper that tries to calculate the differential value of privacy-invasive advertising practices.

The researchers used data from a mobile ad network and were able to see how different personalized advertising practices affected customer purchasing behavior. The details are interesting, but basically, most personal information had little value. Overall, the ability to target advertising produces a 29% greater return on an advertising budget, mostly by knowing the right time to show someone a particular ad.

The paper was presented at WEIS 2015.

Posted on August 24, 2015 at 5:50 AM
