Interesting research on web tracking: “Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies”:
Abstract: Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although protected by the Same Origin Policy, popular browsers include cookies in all requests, even when these are cross-site. Unfortunately, these third-party cookies enable both cross-site attacks and third-party tracking. As a response to these nefarious consequences, various countermeasures have been developed in the form of browser extensions or even protection mechanisms that are built directly into the browser.
In this paper, we evaluate the effectiveness of these defense mechanisms by leveraging a framework that automatically evaluates the enforcement of the policies imposed to third-party requests. By applying our framework, which generates a comprehensive set of test cases covering various web mechanisms, we identify several flaws in the policy implementations of the 7 browsers and 46 browser extensions that were evaluated. We find that even built-in protection mechanisms can be circumvented by multiple novel techniques we discover. Based on these results, we argue that our proposed framework is a much-needed tool to detect bypasses and evaluate solutions to the exposed leaks. Finally, we analyze the origin of the identified bypass techniques, and find that these are due to a variety of implementation, configuration and design flaws.
The researchers discovered many new tracking techniques that work despite all existing anonymous browsing tools. These have not yet been seen in the wild, but that will change soon.
Three news articles. BoingBoing post.
Posted on August 17, 2018 at 5:26 AM
Websites are sending information prematurely:
This is important because it goes against what people expect:
In yesterday’s report on Acurian Health, University of Washington law professor Ryan Calo told Gizmodo that giving users a “send” or “submit” button, but then sending the entered information regardless of whether the button is pressed or not, clearly violates a user’s expectation of what will happen. Calo said it could violate a federal law against unfair and deceptive practices, as well as laws against deceptive trade practices in California and Massachusetts. A complaint on those grounds, Calo said, “would not be laughed out of court.”
This kind of thing is going to happen more and more, in all sorts of areas of our lives. The Internet of Things is the Internet of sensors, and the Internet of surveillance. We’ve long passed the point where ordinary people have any technical understanding of the different ways networked computers violate their privacy. Government needs to step in and regulate businesses down to reasonable practices. Which means government needs to prioritize security over their own surveillance needs.
Posted on June 29, 2017 at 6:51 AM
There’s a lot out there:
The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores….
Posted on January 25, 2016 at 6:25 AM
I don’t care about the case, but look at this:
“Among the details police have released is that Harris and his wife, Leanna, told them they conducted Internet searches on how hot a car needed to be to kill a child. Stoddard testified Thursday that Ross Harris had visited a Reddit page called “child-free” and read four articles. He also did an Internet search on how to survive in prison, Stoddard said.
“Also, five days before Cooper died, Ross Harris twice viewed a sort of homemade public service announcement in which a veterinarian demonstrates on video the dangers of leaving someone or something inside a hot car.”
Stoddard is a police detective. It seems that they know about his web browsing because they seized and searched his computer:
…investigators confiscated Harris’ work computer at Home Depot following his arrest and discovered an Internet search about how long it would take for an animal to die in a hot car.
Stoddard also testified that Harris was “sexting” — is this a word we use in court now? — with several women on the day of his son’s death, and sent explicit pictures to one of them. I assume he knows that by looking at Harris’s message history.
A bunch of this would not be admissible in trial, but this was a probable-cause hearing, and the rules are different for those. CNN writes: “a prosecutor insisted that the testimony helped portray the defendant’s state of mind and spoke to the negligence angle and helped establish motive.”
This case aside, is there anyone reading this whose e-mails, text messages, and web searches couldn’t be cherry-picked to portray any state of mind a prosecutor might want to portray? (If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged. — Cardinal Richelieu.)
Posted on July 4, 2014 at 6:24 AM
ICANN has a draft study that looks at abuse of the Whois database.
This study, conducted by the National Physical Laboratory (NPL) in the United Kingdom, analyzes gTLD domain names to measure whether the percentage of privacy/proxy use among domains engaged in illegal or harmful Internet activities is significantly greater than among domain names used for lawful Internet activities. Furthermore, this study compares these privacy/proxy percentages to other methods used to obscure identity, notably Whois phone numbers that are invalid.
Richard Clayton, the primary author of the report, has a blog post:
However, it’s more interesting to ask whether this percentage is somewhat higher than the usage of privacy or proxy services for entirely lawful and harmless Internet activities? This turned out NOT to be the case: for example, banks use privacy and proxy services almost as often as the registrants of domains used in the hosting of child sexual abuse images; and the registrants of domains used to host (legal) adult pornography use privacy and proxy services more often than most (but not all) of the different types of malicious activity that we studied.
Richard has been telling me about this work for a while. It’s nice to see it finally published.
Posted on October 1, 2013 at 9:09 AM
Interesting report from the Pew Internet and American Life Project:
Teens are sharing more information about themselves on their social media profiles than they did when we last surveyed in 2006:
- 91% post a photo of themselves, up from 79% in 2006.
- 71% post their school name, up from 49%.
- 71% post the city or town where they live, up from 61%.
- 53% post their email address, up from 29%.
- 20% post their cell phone number, up from 2%.
60% of teen Facebook users set their Facebook profiles to private (friends only), and most report high levels of confidence in their ability to manage their settings.
danah boyd points out something interesting in the data:
My favorite finding of Pew’s is that 58% of teens cloak their messages either through inside jokes or other obscure references, with more older teens (62%) engaging in this practice than younger teens (46%)….
While adults are often anxious about shared data that might be used by government agencies, advertisers, or evil older men, teens are much more attentive to those who hold immediate power over them — parents, teachers, college admissions officers, army recruiters, etc. To adults, services like Facebook may seem “private” because you can use privacy tools, but they don’t feel that way to youth who feel like their privacy is invaded on a daily basis. (This, btw, is part of why teens feel like Twitter is more intimate than Facebook. And why you see data like Pew’s that show that teens on Facebook have, on average 300 friends while, on Twitter, they have 79 friends.) Most teens aren’t worried about strangers; they’re worried about getting in trouble.
Over the last few years, I’ve watched as teens have given up on controlling access to content. It’s too hard, too frustrating, and technology simply can’t fix the power issues. Instead, what they’ve been doing is focusing on controlling access to meaning. A comment might look like it means one thing, when in fact it means something quite different. By cloaking their accessible content, teens reclaim power over those who they know who are surveilling them. This practice is still only really emerging en masse, so I was delighted that Pew could put numbers to it. I should note that, as Instagram grows, I’m seeing more and more of this. A picture of a donut may not be about a donut. While adults worry about how teens’ demographic data might be used, teens are becoming much more savvy at finding ways to encode their content and achieve privacy in public.
Posted on May 24, 2013 at 8:40 AM
Ghostery is a Firefox plug-in that tracks who is tracking your browsing habits in cyberspace. Here’s a TED talk by Gary Kovacs, the CEO of Mozilla Corp., on it.
I use AdBlock Plus, and dump my cookies whenever I close Firefox. Should I switch to Ghostery? What do other people do for web privacy?
Posted on June 6, 2012 at 9:36 AM
Google releases statistics:
Google received more than 15,600 requests in the January-June period, 10 percent more than the final six months of last year. The requests in the latest period spanned more than 25,400 individual accounts worldwide – a tiny fraction of Google’s more than billion users.
The highest volume of government demands for user data came from the U.S. (5,950 requests, a 29 percent increase from the previous six-month stretch); India (1,739 requests, up 2 percent); France (1,300 requests, up 27 percent); Britain (1,273 requests, up 10 percent); and Germany (1,060 requests, up 38 percent).
The company usually complies with at least a portion of most government demands. Google has said that it often has little choice because it must obey laws in the countries where it operates. The alternative is to leave, as it did last year when it shifted its search engine to Hong Kong so it wouldn’t have to follow mainland China’s censorship requirements.
In the U.S., Google gave federal, state and other agencies what they wanted 93 percent of the time. The nearly 6,000 requests affected more than 11,000 user accounts during the January-June period.
In India, Google honored 70 percent of the 1,739 requests, which targeted more than 2,400 users, the second highest totals.
Google, which is based in Mountain View, Calif., rejected the most government demands for user information in Argentina, where 68 percent of the requests were denied. Less than 50 percent of the government requests for user data were complied with in Canada, Chile, France, Hong Kong, Mexico, the Netherlands, Russia, Turkey and South Korea.
I’m sure they have an office full of attorneys versed in the laws of various countries.
Posted on October 26, 2011 at 5:54 AM
Patent application number 2011/023240:
Communicating Information in a Social Network System about Activities from Another Domain
Abstract: In one embodiment, a method is described for tracking information about the activities of users of a social networking system while on another domain. The method includes maintaining a profile for each of one or more users of the social networking system, each profile identifying a connection to one or more other users of the social networking system and including information about the user. The method additionally includes receiving one or more communications from a third-party website having a different domain than the social network system, each message communicating an action taken by a user of the social networking system on the third-party website. The method additionally includes logging the actions taken on the third-party website in the social networking system, each logged action including information about the action. The method further includes correlating the logged actions with one or more advertisements presented to the one or more users on the third-party website as well as correlating the logged actions with a user of the social networking system.
Facebook denies that this is a patent for that. Although Facebook does seem to track users even when they are not logged in, as well as people who aren’t even Facebook users.
EDITED TO ADD (10/24): Facebook claims that, while they do collect information on non-users, they don’t use it for profiling. This feels like hair-splitting to me; I get emails from Facebook with lists of friends who are already on the site.
EDITED TO ADD (10/24): It’s a patent application, not a patent.
Posted on October 24, 2011 at 6:42 AM