Identifying you

KahWee Teng
November 01, 2013

What the websites are doing to track you and why clearing cookies isn't as effective as you think.

Transcript

  1. Identifying you. What the websites are doing to track you and why clearing cookies isn't as effective as you think.
  2. Scoping today’s topic
     • Cookies, what and why.
     • Behavioral targeting
     • Breakout session
     • Putting it together
     • Potential social issues
  3. HTTP (Hypertext Transfer Protocol)
     • HTTP functions as a request-response protocol in the client-server computing model.
     • The client (your browser) submits a request message to the server (the website).
     • The server (the website) returns a response back to the client (your browser).
  4. HTTP Response

         HTTP/1.1 200 OK
         Date: Mon, 23 May 2005 22:38:34 GMT
         Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
         Set-Cookie: PREF=ID=3e4d9c9dc19424b5:FF=0:TM=1383263824:LM=1383263824:S=V3g7yDuIBQ3IRG0I; expires=Sat, 31-Oct-2015 23:57:04 GMT; path=/; domain=.example.com
         Content-Type: text/html; charset=UTF-8
         Content-Length: 131
         Connection: close

         <html>
         <head>
           <title>An Example Page</title>
         </head>
         <body>
           Hello World, this is a very simple HTML document.
         </body>
         </html>
  5. HTTP Request

         GET /index2.html HTTP/1.1
         Host: www.example.com
         Referer: http://example.com/index.html
         User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
         Cookie: PREF=ID=3e4d9c9dc19424b5:FF=0:TM=1383263824:LM=1383263824:S=V3g7yDuIBQ3IRG0I;
  6. HTTP Response

         HTTP/1.1 200 OK
         Date: Mon, 23 May 2005 22:38:34 GMT
         Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
         Content-Type: text/html; charset=UTF-8
         Content-Length: 131
         Connection: close

         <html>
         <head>
           <title>An Example Page</title>
         </head>
         <body>
           Hello World, this is a very simple HTML document.
         </body>
         </html>
  7. Companies use cookies over multiple domain names to match you with the you of 15 days ago.
     Companies can get your referring web page and more.
  8. In advertising
     • Cookies let us optimize ads for returning visitors.
     • Let the same user see the same ad < 5 times.
     • Knowing the referral page hints at the type of user.
  9. In advertising
     • Examples of targeted advertisement practices
     • Demographic targeting — who they are
     • Behavioral targeting — how they act
     • Geographic targeting — where they reside
     • Look-alike targeting — what they like
  10. Things to think
      1. What’s the technology good for?
      2. How can it be exploited?
      3. Can we modify the current technology to make it safer? If so, how?
  11. http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/
      “Close to 1.5% of the Internet's top websites track users without their knowledge or consent, even when visitors have enabled their browser's Do Not Track option”
  12. – Alexis Madrigal, The Atlantic
      “If a company can follow your behavior in the digital environment -- an environment that potentially includes your mobile phone and television set -- its claim that you are "anonymous" is meaningless. That is particularly true when firms intermittently add off-line information such as shopping patterns and the value of your house to their online data and then simply strip the name and address to make it "anonymous." It matters little if your name is John Smith, Yesh Mispar, or 3211466. The persistence of information about you will lead firms to act based on what they know, share, and care about you, whether you know it is happening or not.”
  13. Interesting links
      • https://labs.isecpartners.com/breadcrumbs/breadcrumbs.html
      • http://browserspy.dk/plugins.php
      • http://flippingtypical.com/
      • http://www.pinlady.net/PluginDetect/All/
      • http://panopticlick.eff.org/
      • http://samy.pl/evercookie/
      • http://samy.pl/csshack/
      • http://lucb1e.com/rp/cookielesscookies/
      • http://qz.com/125470/google-can-track-you-without-cookies/
      • http://computer.howstuffworks.com/internet/basics/question82.htm
      • http://motherboard.vice.com/blog/device-fingerprinting-can-track-you-without-cookies-your-knowledge-or-consent
      • http://www.kaushik.net/avinash/web-analytics-visitor-tracking-cookies/
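
As an added illustration of slides 4 to 7 (not part of the original deck), this Python sketch parses the Set-Cookie header from slide 4 and reports how long the identifier persists and which hosts the browser will send it back to. The host list is constructed, the domain match is simplified, and treating the TM field as the time the cookie was issued is an assumption.

```python
from datetime import datetime, timezone

# Set-Cookie value copied from the response on slide 4.
SET_COOKIE = ("PREF=ID=3e4d9c9dc19424b5:FF=0:TM=1383263824:LM=1383263824:"
              "S=V3g7yDuIBQ3IRG0I; expires=Sat, 31-Oct-2015 23:57:04 GMT; "
              "path=/; domain=.example.com")

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes)."""
    first, *rest = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = first.partition("=")  # only the first '=' ends the name
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def domain_matches(host, cookie_domain):
    """Simplified match: host equals the cookie domain or is a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def audit(header, issued_at, hosts):
    """Report how long the identifier persists and which hosts receive it."""
    name, value, attrs = parse_set_cookie(header)
    expires = datetime.strptime(attrs["expires"], "%a, %d-%b-%Y %H:%M:%S GMT")
    expires = expires.replace(tzinfo=timezone.utc)
    return {
        "name": name,
        "value": value,
        "lifetime_days": (expires - issued_at).days,
        "sent_to": [h for h in hosts if domain_matches(h, attrs.get("domain", ""))],
    }

if __name__ == "__main__":
    # Assumption: TM inside the value is the Unix time the cookie was issued.
    issued = datetime.fromtimestamp(1383263824, tz=timezone.utc)
    # Constructed hosts: the slide's site, a sibling subdomain, an unrelated site.
    hosts = ["www.example.com", "ads.example.com", "example.org"]
    for key, val in audit(SET_COOKIE, issued, hosts).items():
        print(f"{key}: {val}")
```

The leading dot in `domain=.example.com` is what lets every subdomain receive the same identifier, and the `expires` attribute is what keeps it alive across browser restarts.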