Slide 1

Slide 1 text

Identifying you. What the websites are doing to track you and why clearing cookies isn't as effective as you think.

Slide 2

Slide 2 text

Scoping today’s topic
• Cookies, what and why.
• Behavioral targeting
• Breakout session
• Putting it together
• Potential social issues

Slide 3

Slide 3 text

HTTP (Hypertext Transfer Protocol)
• HTTP functions as a request-response protocol in the client-server computing model.
• The client (your browser) submits a request message to the server (the website).
• The server (the website) returns a response back to the client (your browser).

Slide 4

Slide 4 text

HTTP Request

GET /index.html HTTP/1.1
Host: www.example.com

Slide 5

Slide 5 text

HTTP Response

HTTP/1.1 302
Location: http://www.iana.org/domains/example/

Slide 6

Slide 6 text

HTTP Request

GET /index.html HTTP/1.1
Host: www.example.com

Slide 7

Slide 7 text

HTTP Response

HTTP/1.1 200 OK
Date: Mon, 23 May 2005 22:38:34 GMT
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Set-Cookie: PREF=ID=3e4d9c9dc19424b5:FF=0:TM=1383263824:LM=1383263824:S=V3g7yDuIBQ3IRG0I; expires=Sat, 31-Oct-2015 23:57:04 GMT; path=/; domain=.example.com
Content-Type: text/html; charset=UTF-8
Content-Length: 131
Connection: close

An Example Page
Hello World, this is a very simple HTML document.

Slide 8

Slide 8 text

HTTP Request

GET /index2.html HTTP/1.1
Host: www.example.com
Referer: http://example.com/index.html
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Cookie: PREF=ID=3e4d9c9dc19424b5:FF=0:TM=1383263824:LM=1383263824:S=V3g7yDuIBQ3IRG0I;

Slide 9

Slide 9 text

HTTP Response

HTTP/1.1 200 OK
Date: Mon, 23 May 2005 22:38:34 GMT
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Content-Type: text/html; charset=UTF-8
Content-Length: 131
Connection: close

An Example Page
Hello World, this is a very simple HTML document.
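As an added example (not part of the original slides), this Python applies the browser-side matching rules to the Set-Cookie header from slide 7: it decides which requests carry the cookie and how long the identifier lives. Treating the TM field as a Unix issue time is an assumption.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Set-Cookie value copied from the slide 7 response.
SET_COOKIE = ("PREF=ID=3e4d9c9dc19424b5:FF=0:TM=1383263824:LM=1383263824:"
              "S=V3g7yDuIBQ3IRG0I; expires=Sat, 31-Oct-2015 23:57:04 GMT; "
              "path=/; domain=.example.com")

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";") if part.strip()]
    name, _, value = first.partition("=")  # only the first '=' ends the name
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def expiry(attrs):
    """Parse the Netscape-style expires date used on the slide as UTC."""
    when = datetime.strptime(attrs["expires"], "%a, %d-%b-%Y %H:%M:%S GMT")
    return when.replace(tzinfo=timezone.utc)

def cookie_header_for(url, now, header=SET_COOKIE):
    """Return the Cookie value a browser attaches to `url` at `now`, else None."""
    name, value, attrs = parse_set_cookie(header)
    if now >= expiry(attrs):
        return None  # expired cookies are dropped
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    domain = attrs["domain"].lstrip(".").lower()
    if host != domain and not host.endswith("." + domain):
        return None  # domain-match: the host itself or any subdomain
    cookie_path, path = attrs.get("path", "/"), target.path or "/"
    if not (path == cookie_path or (path.startswith(cookie_path) and
            (cookie_path.endswith("/") or path[len(cookie_path)] == "/"))):
        return None  # path-match on whole path segments
    return f"{name}={value}"

def lifetime_days(header=SET_COOKIE):
    """Days between the TM field (assumed to be a Unix issue time) and expiry."""
    _, value, attrs = parse_set_cookie(header)
    fields = dict(f.split("=", 1) for f in value.split(":"))
    issued = datetime.fromtimestamp(int(fields["TM"]), tz=timezone.utc)
    return (expiry(attrs) - issued).days
```

With `domain=.example.com` and `path=/`, every page on every subdomain receives the same ID until the expiry date, which is why the slide 8 request to /index2.html carries it.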

Slide 10

Slide 10 text

Companies use cookies to match you with the 15-seconds-ago you.

Slide 11

Slide 11 text

Companies use cookies to match you with the 15-days-ago you.

Slide 12

Slide 12 text

Companies use cookies over multiple domain names to match you with the 15-days-ago you.

Slide 13

Slide 13 text

Companies use cookies over multiple domain names to match you with the 15-days-ago you.
Companies can get your referring web page and more.

Slide 14

Slide 14 text

Advertising

Slide 15

Slide 15 text

In advertising
• Cookies let us optimize ads for returning visitors.
• Let the same user see the same ad < 5 times.
• Knowing the referral page hints at the type of user.

Slide 16

Slide 16 text

In advertising
• Examples of targeted advertisement practices
  • Demographic targeting — who they are
  • Behavioral targeting — how they act
  • Geographic targeting — where they reside
  • Look-alike targeting — what they like

Slide 17

Slide 17 text

Unfortunately, cookies don’t stay forever.

Slide 18

Slide 18 text

Can we track users with cookies?

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

Breakout session
Think of some ways to grab more data through the browser

Slide 21

Slide 21 text

Things to think about
1. What’s the technology good for?
2. How can it be exploited?
3. Can we modify the current technology to make it safer? If so, how?

Slide 22

Slide 22 text

Other ideas?

Slide 23

Slide 23 text

http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/
“Close to 1.5% of the Internet's top websites track users without their knowledge or consent, even when visitors have enabled their browser's Do Not Track option”

Slide 24

Slide 24 text

Piecing the data together
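As an added example (not part of the original slides), this Python shows what one third-party host embedded on several sites can piece together from the Cookie and Referer headers, and what a visitor still sends after clearing cookies. The log entries, site names, uid values and header values are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed log of requests reaching one third-party host that is embedded on
# several sites. Site names, uid values and header values are invented.
MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) Chrome/30.0.1599.101"
WIN = "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
REQUESTS = [
    {"uid": "a1", "referer": "http://news.example/politics", "ua": MAC, "lang": "en-US,en;q=0.8"},
    {"uid": "a1", "referer": "http://shop.example/strollers", "ua": MAC, "lang": "en-US,en;q=0.8"},
    {"uid": "z9", "referer": "http://news.example/sports", "ua": WIN, "lang": "de-DE,de;q=0.8"},
    # The first visitor clears cookies and is issued a fresh uid.
    {"uid": "b7", "referer": "http://health.example/insomnia", "ua": MAC, "lang": "en-US,en;q=0.8"},
]

def history_by_cookie(requests):
    """Group referring pages by cookie id: the cross-site history one id exposes."""
    history = defaultdict(list)
    for req in requests:
        history[req["uid"]].append(req["referer"])
    return dict(history)

def header_fingerprint(req):
    """Hash headers that are sent on every request and survive cookie clearing."""
    material = "\n".join([req["ua"], req["lang"]])
    return hashlib.sha256(material.encode()).hexdigest()[:12]

def ids_sharing_fingerprint(requests):
    """Map each header fingerprint to the set of cookie ids seen with it."""
    seen = defaultdict(set)
    for req in requests:
        seen[header_fingerprint(req)].add(req["uid"])
    return dict(seen)

def history_by_fingerprint(requests):
    """Same grouping as history_by_cookie, keyed on the fingerprint instead."""
    history = defaultdict(list)
    for req in requests:
        history[header_fingerprint(req)].append(req["referer"])
    return dict(history)
```

Two headers alone are a coarse signal that many browsers share, so this only illustrates the principle: clearing cookies changes the uid, while the headers sent with every request stay the same.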

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

Companies using fingerprinting

Slide 27

Slide 27 text

“If a company can follow your behavior in the digital environment -- an environment that potentially includes your mobile phone and television set -- its claim that you are "anonymous" is meaningless. That is particularly true when firms intermittently add off-line information such as shopping patterns and the value of your house to their online data and then simply strip the name and address to make it "anonymous." It matters little if your name is John Smith, Yesh Mispar, or 3211466. The persistence of information about you will lead firms to act based on what they know, share, and care about you, whether you know it is happening or not.”
– Alexis Madrigal, The Atlantic

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

Interesting links
• https://labs.isecpartners.com/breadcrumbs/breadcrumbs.html
• http://browserspy.dk/plugins.php
• http://flippingtypical.com/
• http://www.pinlady.net/PluginDetect/All/
• http://panopticlick.eff.org/
• http://samy.pl/evercookie/
• http://samy.pl/csshack/
• http://lucb1e.com/rp/cookielesscookies/
• http://qz.com/125470/google-can-track-you-without-cookies/
• http://computer.howstuffworks.com/internet/basics/question82.htm
• http://motherboard.vice.com/blog/device-fingerprinting-can-track-you-without-cookies-your-knowledge-or-consent
• http://www.kaushik.net/avinash/web-analytics-visitor-tracking-cookies/

Slide 30

Slide 30 text

Thanks!