Tweet
Tweet

Slide 1

Slide 1 text

Scary JavaScript (and other Tech) That Tracks You Online Luke Crouch, Mozilla @groovecoder

Slide 2

Slide 2 text

Luke Crouch • Web Developer at Mozilla • Not an expert in privacy tech (yet?) • Working on privacy & security experiments, prototypes, and studies for Firefox • Has 10 seconds per slide

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

Data and Goliath Bruce Schneier

Slide 6

Slide 6 text

Data that’s a by-product of online activity Browsing History Cookies Fingerprints

Slide 7

Slide 7 text

Browser History

Slide 8

Slide 8 text

Browser History Vulnerabilities

Slide 9

Slide 9 text

CSS History Sniffing

Slide 10

Slide 10 text

CSS History Sniffing getComputedStyle

Slide 11

Slide 11 text

CSS History Sniffing 2010

Slide 12

Slide 12 text

requestAnimationFrame History Sniffing

Slide 13

Slide 13 text

https://developer.mozilla.org/en-US/docs/Web/API/window/ requestAnimationFrame requestAnimationFrame History Sniffing

Slide 14

Slide 14 text

requestAnimationFrame History Sniffing

Slide 15

Slide 15 text

requestAnimationFrame History Sniffing

Slide 16

Slide 16 text

Resource Access Sniffing

Slide 17

Slide 17 text

https://robinlinus.github.io/socialmedia-leak/

Slide 18

Slide 18 text

Resource Access Social Media Leak

Slide 19

Slide 19 text

Cache Timing History Sniffing

Slide 20

Slide 20 text

Network timing noise

Slide 21

Slide 21 text

More reliable timing attacks https://tom.vg/2016/08/browser-based-timing-attacks/

Slide 22

Slide 22 text

Video Parsing Timing Attack

Slide 23

Slide 23 text

Video Parsing Timing Attack

Slide 24

Slide 24 text

HSTS History Sniffing yan/@bcrypt https://diracdeltas.github.io/blog/sniffly/

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

Set CSP on server

Slide 30

Slide 30 text

Time CSP violations on client

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

Cookies

Slide 33

Slide 33 text

developer.mozilla.org/login

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

http://clearcode.cc/2015/12/cookie-syncing/

Slide 37

Slide 37 text

http://clearcode.cc/2015/12/cookie-syncing/

Slide 38

Slide 38 text

No content

Slide 39

Slide 39 text

No content

Slide 40

Slide 40 text

No content

Slide 41

Slide 41 text

Clear your cookies

Slide 42

Slide 42 text

Cookie Re-spawning

Slide 43

Slide 43 text

Re-spawning/“Supercookies”

Slide 44

Slide 44 text

Using Flash

Slide 45

Slide 45 text

Also Silverlight Isolated Storage

Slide 46

Slide 46 text

HTML localStorage

Slide 47

Slide 47 text

ETag

Slide 48

Slide 48 text

Get/Set/Re-spawn on client

Slide 49

Slide 49 text

Check ETag on Server

Slide 50

Slide 50 text

Cookie Re-spawning is “Illegal” Or, at least, companies have been sued for it

Slide 51

Slide 51 text

Cookie Syncing

Slide 52

Slide 52 text

http://clearcode.cc/2015/12/cookie-syncing/

Slide 53

Slide 53 text

http://clearcode.cc/2015/12/cookie-syncing/

Slide 54

Slide 54 text

https://freedom-to-tinker.com/blog/englehardt/the-hidden- perils-of-cookie-syncing/

Slide 55

Slide 55 text

http://clearcode.cc/2015/12/cookie-syncing/

Slide 56

Slide 56 text

Cookie Syncing defeats No-respawn

Slide 57

Slide 57 text

https://freedom-to-tinker.com/blog/englehardt/the-hidden- perils-of-cookie-syncing/

Slide 58

Slide 58 text

Cookie Syncing = Giant Cookie Databases

Slide 59

Slide 59 text

Without cookies

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

No content

Slide 62

Slide 62 text

Passive Fingerprints Don’t require code execution

Slide 63

Slide 63 text

User-Agent, IP, Accept-Language, etc.

Slide 64

Slide 64 text

HTTP Header Injection

Slide 65

Slide 65 text

No content

Slide 66

Slide 66 text

turn.com Re-spawn http://webpolicy.org/2015/01/14/turn-verizon-zombie-cookie/

Slide 67

Slide 67 text

No content

Slide 68

Slide 68 text

Active Fingerprints JavaScript code executes on your device

Slide 69

Slide 69 text

Plugin Enumeration

Slide 70

Slide 70 text

Okay but … … enumeration is still possible via sniffing, like …

Slide 71

Slide 71 text

Font Enumeration http://www.lalit.org/lab/javascript-css-font-detect/

Slide 72

Slide 72 text

Measure default fonts

Slide 73

Slide 73 text

Measure dictionary of fonts

Slide 74

Slide 74 text

Canvas Fingerprint

Slide 75

Slide 75 text

No content

Slide 76

Slide 76 text

No content

Slide 77

Slide 77 text

WebGL Fingerprinting http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf

Slide 78

Slide 78 text

AudioContext

Slide 79

Slide 79 text

No content

Slide 80

Slide 80 text

https://webtransparency.cs.princeton.edu/webcensus/#audio-fp

Slide 81

Slide 81 text

WebRTC

Slide 82

Slide 82 text

WebRTC Local Addressing

Slide 83

Slide 83 text

No content

Slide 84

Slide 84 text

WebVR “eyeprinting”

Slide 85

Slide 85 text

Device Fingerprints ~= Cookies

Slide 86

Slide 86 text

Cross-Device Matching

Slide 87

Slide 87 text

Probabilistic “Householding” FTC Cross-Device Tracking Workshop https://www.ftc.gov/news-events/audio-video/video/cross-device-tracking-part-1

Slide 88

Slide 88 text

Probabilistic “Tethering” cookie=4qasr4sdf1 cookie=f52dh64dhq Android Advertising Id=0436732361

Slide 89

Slide 89 text

Probabilistic “Tethering” IP address: 23.64.176.179 (early mornings, evenings, weekends) IP address: 164.62.9.0 (9am-6pm weekdays) IP address: 164.62.9.0 (9am-6pm weekdays) Cellular network 23.64.176.179 (early mornings, evenings, weekends)

Slide 90

Slide 90 text

Probabilistic “Tethering” Work?? Cell?? Home?? 80% 80% IP address: 164.62.9.0 (9am-6pm weekdays) IP address: 164.62.9.0 (9am-6pm weekdays) Cellular network 23.64.176.179 (early mornings, evenings, weekends) IP address: 23.64.176.179 (early mornings, evenings, weekends)

Slide 91

Slide 91 text

Probabilistic Matching Work? Cell? Home? Location: 38.883914, -77.020997 Weekday location: 38.883914, -77.020997 Evening location: 38.897634, -77.036544 Location: 38.897634, -77.036544 95% 95%

Slide 92

Slide 92 text

Probabilistic Matching Work Cell Home Technology news UVa sports Capitol Hill Arsenal football Technology news UVa sports Capitol Hill Arsenal football Technology news UVa sports Capitol Hill Arsenal football 98% 98% cookie=4qasr4sdf1 Android Advertising Id=0436732361 cookie=f52dh64dhq

Slide 93

Slide 93 text

Device Graph id=4qasr4sdf1 Android Advertising Id=0436732361 id=f52dh64dhq

Slide 94

Slide 94 text

First-Party Deterministic You are signed in to their service

Slide 95

Slide 95 text

No content

Slide 96

Slide 96 text

First-Party Deterministic Matching Login: JustinBrookman Login: JustinBrookman Login: JustinBrookman Third-party sites/ apps that embed first-party Third-party sites/ apps that embed first-party Third-party sites/ apps that embed first-party

Slide 97

Slide 97 text

–Mark Zuckerberg “Over 1 billion people use Facebook on their phones every month and more than 80% of the top apps on iOS and Android now use Facebook logins.”

Slide 98

Slide 98 text

“One industry source that spoke with AdExchanger estimated Google’s logged-in cross-device user count as somewhere between 600 million and 1.2 billion, a conclusion based on the numerical intersection between Android users, iOS users, the Google login rate of iOS users and the number of logged-in desktop users for Google products.”

Slide 99

Slide 99 text

•Email Address,
 Personally-Identifiable Information (PII) •Email Address,
 PII,
 “Google Advertising ID” •Email Address,
 PII •Email Address,
 PII,
 iOS IDFA

Slide 100

Slide 100 text

Note: Trusted Parties

Slide 101

Slide 101 text

First-Party Deterministic You click their links

Slide 102

Slide 102 text

Email for First Party Cross-Device Tracking Purchase item at a shopping site as justin@domain.com

Slide 103

Slide 103 text

Purchase item at a shopping site as justin@domain.com Click on email from shopping site Open email from shopping site Android Advertising Id=0436732361 cookie=4qasr4sdf1 cookie=a035fs35fm Email for First Party Cross-Device Tracking

Slide 104

Slide 104 text

Third-Party Probabilistic Device Matching

Slide 105

Slide 105 text

Machine Learning Model 1. Acquire device activity data set
 
 IP addresses, WiFi networks, GPS coordinates, websites browsed, ads displayed, device type, operating system, browser cookies, mobile device IDs, time of day, etc. 2. Acquire “truth set” of deterministic matching data
 
 “training set” and “test set” 3. Train ML models on the training set, evaluating accuracy, precision, and recall against the test set 4. Point ML model at entire device activity data set

Slide 106

Slide 106 text

https://www.google.com/policies/privacy/#nosharing, Sep 5 2016

Slide 107

Slide 107 text

Untrusted Third-Party Deterministic

Slide 108

Slide 108 text

PII Leaking https://www3.cs.stonybrook.edu/~phillipa/papers/ contactus_pets2016.pdf

Slide 109

Slide 109 text

No content

Slide 110

Slide 110 text

No content

Slide 111

Slide 111 text

No content

Slide 112

Slide 112 text

No content

Slide 113

Slide 113 text

No content

Slide 114

Slide 114 text

No content

Slide 115

Slide 115 text

No content

Slide 116

Slide 116 text

Audio Beaconing for Cross-Device Matching

Slide 117

Slide 117 text

ec25d046746de3be33779256f6957d8f

Slide 118

Slide 118 text

Other device privacy vulnerabilities • Visual/IR beaconing for cross-device matching? • Recognizing speech from gyroscope signals
 (crypto.stanford.edu/gyrophone) • Recognizing gait patterns with accelerometers
 (vtt.fi/inf/julkaisut/muut/2005/ICASSP05.pdf)

Slide 119

Slide 119 text

Purchase item at a shopping site as justin@domain.com Click on email from shopping site Open email from shopping site Advertising Network md5=b16f55bbe0ff554fb40003f8e5f96b99 Hashed Email for Third-Party Tracking

Slide 120

Slide 120 text

Does Hashing Make Data Anonymous? https://www.ftc.gov/news-events/blogs/techftc/2012/04/does-hashing-make-data-anonymous

Slide 121

Slide 121 text

Hash Functions https://blog.varonis.com/the-definitive-guide-to-cryptographic-hash-functions-part-1/

Slide 122

Slide 122 text

No content

Slide 123

Slide 123 text

No content

Slide 124

Slide 124 text

No content

Slide 125

Slide 125 text

No content

Slide 126

Slide 126 text

How much tracking is going on?

Slide 127

Slide 127 text

Web Privacy Census Dec 12, 2015 http://techscience.org/a/2015121502/

Slide 128

Slide 128 text

Web Privacy Census Dec 12, 2015 http://techscience.org/a/2015121502/

Slide 129

Slide 129 text

Web Privacy Census Dec 12, 2015 http://techscience.org/a/2015121502/

Slide 130

Slide 130 text

https://webtransparency.cs.princeton.edu/webcensus/

Slide 131

Slide 131 text

https://webtransparency.cs.princeton.edu/webcensus/

Slide 132

Slide 132 text

https://webtransparency.cs.princeton.edu/webcensus/

Slide 133

Slide 133 text

Canvas Fingerprinting https://webtransparency.cs.princeton.edu/webcensus/

Slide 134

Slide 134 text

Audio Fingerprinting https://webtransparency.cs.princeton.edu/webcensus/

Slide 135

Slide 135 text

WebRTC Local Addressing https://webtransparency.cs.princeton.edu/webcensus/

Slide 136

Slide 136 text

Re-spawning https://securehomes.esat.kuleuven.be/~gacar/persistent/

Slide 137

Slide 137 text

Cookie Syncing https://securehomes.esat.kuleuven.be/~gacar/persistent/

Slide 138

Slide 138 text

–Steven Englehardt, Princeton WebTAP “in our measurements we found only two trackers (doubleclick.net and googleanalytics.com) that are present on 40% or more of websites. But if we assumed a moderate amount of back-end data sharing (defined in Section 5.3 of our paper), the number of trackers that can observe 40% of users’ browsing history would jump to 161”

Slide 139

Slide 139 text

What are the good implications?

Slide 140

Slide 140 text

Analytics

Slide 141

Slide 141 text

Personalized Services

Slide 142

Slide 142 text

Relevant Advertising

Slide 143

Slide 143 text

Advertising Attribution

Slide 144

Slide 144 text

Prevent Fraud

Slide 145

Slide 145 text

Prevent Criminal Activity

Slide 146

Slide 146 text

National Security

Slide 147

Slide 147 text

What are the bad implications?

Slide 148

Slide 148 text

Over-Personalized Services

Slide 149

Slide 149 text

Creepy Advertising https://blogs.harvard.edu/doc/2014/12/12/is-perfectly- personalized-advertising-perfectly-creepy/

Slide 150

Slide 150 text

Targeting options for Facebook advertisers https://www.washingtonpost.com/news/the-intersect/wp/2016/08/19/98- personal-data-points-that-facebook-uses-to-target-ads-to-you/

Slide 151

Slide 151 text

Commit Fraud

Slide 152

Slide 152 text

Enable Criminal Activity

Slide 153

Slide 153 text

Enable Criminal Activity

Slide 154

Slide 154 text

Enable Criminal Activity

Slide 155

Slide 155 text

National Insecurity from Mass Surveillance

Slide 156

Slide 156 text

No content

Slide 157

Slide 157 text

False Positive Paradox https://www.crosswise.com/cross-device-learning-center/ device-map-accuracy-precision-and-recall/

Slide 158

Slide 158 text

www.wired.com/2016/08/shadow-brokers-mess-happens-nsa-hoards-zero-days/

Slide 159

Slide 159 text

No content

Slide 160

Slide 160 text

(Why?) Aren’t we doing anything?

Slide 161

Slide 161 text

Privacy Paradox • consumers are concerned about ways marketers access and use their data • people still release data about themselves that suggest much less concern The Tradeoff Fallacy Joseph Turow, Michael Hennessy, University of Pennsylvania Nora Draper, University of New Hampshire

Slide 162

Slide 162 text

“Notice and Choice” People are expected to negotiate for privacy protection by reading privacy policies and selecting services consistent with their preferences. Alan Westin’s Privacy Homo Economics Chris Hoofnagle & Jennifer Urban, UC Berkeley

Slide 163

Slide 163 text

No content

Slide 164

Slide 164 text

The Tradeoff Fallacy Joseph Turow, Michael Hennessy, University of Pennsylvania Nora Draper, University of New Hampshire 2015 Survey

Slide 165

Slide 165 text

What are the options?

Slide 166

Slide 166 text

As a user

Slide 167

Slide 167 text

No content

Slide 168

Slide 168 text

No content

Slide 169

Slide 169 text

No content

Slide 170

Slide 170 text

No content

Slide 171

Slide 171 text

No content

Slide 172

Slide 172 text

No content

Slide 173

Slide 173 text

No content

Slide 174

Slide 174 text

Encrypt your drive Windows BitLocker™ Mac FileVault™ LinuxGPL

Slide 175

Slide 175 text

Check your data-breach status

Slide 176

Slide 176 text

Use temporary email addresses

Slide 177

Slide 177 text

As a power user

Slide 178

Slide 178 text

No content

Slide 179

Slide 179 text

No content

Slide 180

Slide 180 text

No content

Slide 181

Slide 181 text

No content

Slide 182

Slide 182 text

No content

Slide 183

Slide 183 text

No content

Slide 184

Slide 184 text

No content

Slide 185

Slide 185 text

No content

Slide 186

Slide 186 text

No content

Slide 187

Slide 187 text

No content

Slide 188

Slide 188 text

As a developer

Slide 189

Slide 189 text

HTTPS all the things

Slide 190

Slide 190 text

No content

Slide 191

Slide 191 text

Secure cookies http://blog.teamtreehouse.com/how-to-create-totally- secure-cookies

Slide 192

Slide 192 text

No content

Slide 193

Slide 193 text

Prevent Account enumeration https://www.troyhunt.com/website-enumeration-insanity- how-our-personal-data-is-leaked/

Slide 194

Slide 194 text

AshleyMadison.com

Slide 195

Slide 195 text

Don’t leak PII https://www.troyhunt.com/website-enumeration-insanity- how-our-personal-data-is-leaked/

Slide 196

Slide 196 text

strawberrynet.com Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your e-mail address as your password is sufficient security, and in addition we never keep your payment details on our website or in our computers.

Slide 197

Slide 197 text

As an advocate

Slide 198

Slide 198 text

reddit.com/r/privacy Note: use tracking protection on reddit.com

Slide 199

Slide 199 text

No content

Slide 200

Slide 200 text

Deepen Your Understanding http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&

Slide 201

Slide 201 text

No content