Scary JavaScript (and other Tech) that Tracks You Online

luke crouch
November 04, 2016


There are over 5,000 online trackers that use cookies, fingerprinting, and probabilistic device matching to follow you across the web. Some methods are actively used for fraud, malware, and intrusive user tracking. Others are commonly used for legitimate purposes. We'll talk about how sites are able to follow users, tracking methods both fair and foul, and how Mozilla protects users from tracking.


Transcript

Luke Crouch
• Web Developer at Mozilla
• Not an expert in privacy tech (yet?)
• Working on privacy & security experiments, prototypes, and studies for Firefox
• Has 10 seconds per slide

Probabilistic “Tethering” (diagram): two devices share IP address 164.62.9.0 (9am-6pm weekdays) and IP address 23.64.176.179 (early mornings, evenings, weekends); one of them is also seen on the cellular network.

Probabilistic “Tethering” (diagram): Work?? Cell?? Home?? The shared IP addresses and time-of-day pattern give an 80% match between the devices.

Probabilistic Matching (diagram): Work? Cell? Home? Adding location raises the match to 95%: weekday location 38.883914, -77.020997; evening location 38.897634, -77.036544.

Probabilistic Matching (diagram): Work, Cell, Home. Adding shared interests (Technology news, UVa sports, Capitol Hill, Arsenal football) raises the match to 98%. Identifiers on the diagram: cookie=4qasr4sdf1, Android Advertising Id=0436732361, cookie=f52dh64dhq.
First-Party Deterministic Matching (diagram): Login: JustinBrookman on each device, plus third-party sites/apps that embed the first-party.
“Over 1 billion people use Facebook on their phones every month and more than 80% of the top apps on iOS and Android now use Facebook logins.” –Mark Zuckerberg
“One industry source that spoke with AdExchanger estimated Google’s logged-in cross-device user count as somewhere between 600 million and 1.2 billion, a conclusion based on the numerical intersection between Android users, iOS users, the Google login rate of iOS users and the number of logged-in desktop users for Google products.”
Email for First Party Cross-Device Tracking (diagram): purchase an item at a shopping site as justin@domain.com; click on the email from the shopping site; open the email from the shopping site. Identifiers on the diagram: Android Advertising Id=0436732361, cookie=4qasr4sdf1, cookie=a035fs35fm.
Machine Learning Model
1. Acquire device activity data set: IP addresses, WiFi networks, GPS coordinates, websites browsed, ads displayed, device type, operating system, browser cookies, mobile device IDs, time of day, etc.
2. Acquire “truth set” of deterministic matching data (“training set” and “test set”)
3. Train ML models on the training set, evaluating accuracy, precision, and recall against the test set
4. Point ML model at entire device activity data set
Other device privacy vulnerabilities
• Visual/IR beaconing for cross-device matching?
• Recognizing speech from gyroscope signals (crypto.stanford.edu/gyrophone)
• Recognizing gait patterns with accelerometers (vtt.fi/inf/julkaisut/muut/2005/ICASSP05.pdf)
Hashed Email for Third-Party Tracking (diagram): purchase an item at a shopping site as justin@domain.com; click on the email from the shopping site; open the email from the shopping site. Advertising Network: md5=b16f55bbe0ff554fb40003f8e5f96b99.
“in our measurements we found only two trackers (doubleclick.net and googleanalytics.com) that are present on 40% or more of websites. But if we assumed a moderate amount of back-end data sharing (defined in Section 5.3 of our paper), the number of trackers that can observe 40% of users’ browsing history would jump to 161” –Steven Englehardt, Princeton WebTAP
Privacy Paradox
• consumers are concerned about ways marketers access and use their data
• people still release data about themselves that suggest much less concern
The Tradeoff Fallacy: Joseph Turow, Michael Hennessy (University of Pennsylvania), Nora Draper (University of New Hampshire)
“Notice and Choice”
People are expected to negotiate for privacy protection by reading privacy policies and selecting services consistent with their preferences.
Alan Westin’s Privacy Homo Economicus: Chris Hoofnagle & Jennifer Urban, UC Berkeley
The Tradeoff Fallacy: Joseph Turow, Michael Hennessy (University of Pennsylvania), Nora Draper (University of New Hampshire), 2015 Survey
strawberrynet.com: “Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your e-mail address as your password is sufficient security, and in addition we never keep your payment details on our website or in our computers.”