1 / 23

Better web privacy through automation

Achieving optimal web privacy can be complex due to high-level goals clashing with low-level configuration languages. This article explores the challenges, such as browser cookie management and tracking issues, proposing solutions like browser forking for informed decision-making. It advocates for user-centric policies with easy error recovery mechanisms to balance functionality and privacy effectively.

Download Presentation

Better web privacy through automation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Better web privacy through automation Umesh Shankar Berkeley EECS

  2. Configuration everywhere • Home wireless access • Operating System • Web Browser

  3. Correct configuration is difficult • We have high-level goals… • “Allow my computers onto my network and no others” • …but low-level configuration languages • “Did I get the settings right?” • Not always obvious how to express goals in policy terms or to see if they are met

  4. Insecurity ensues • When policies are too difficult to configure, people disable or bypass them • Browser, firewall, OS policy are set to defaults • We lose the benefit of configurability: policy reflecting our specific needs • Functionality wins over security by default Must retain security subject to users’ patience

  5. Browser cookie recap Client Server GET /index.html index.html CartID=1234 … Cookies CartID=1234 GET /cart.jsp cart.jsp “Your cart #1234 contains…"

  6. Cookie types • Four classes based on context and lifetime: (First party, Third party)  (Session, Persistent) • First = cookies from same site as in URL bar • Third = cookies from other sites (e.g., ads) • Session cookie = lasts until browser is closed • Persistent cookie = lasts until expiration date • All cookies only sent to originating site

  7. Cookies and privacy BUY ME!!! BUY ME!!! Content…~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~ Content…~~~~ ~~~~~~~~~~~~ ~~~~~~~~~~~~ whitehouse.gov whitehouse.com • Problem: The same third party cookie can appear on multiple sites => you can be tracked • If anyone knows who you are, everyone does Tracking cookie Tracking cookie Advertiser Database about you

  8. The sad state of the art • Two unpalatable options: • Global policy for all sites • Constant barrage of dialogs • Sufficiently annoying that people accept defaults • Functionality trumps privacy concerns • Individually tailored policies eliminated

  9. Existing approaches • Browser bars • Expose site cookies to the user • Collect user choices for collaborative filtering • Violates user privacy (could be fixed) • P3P interface • A good start • P3P still unreliable

  10. A new way of thinking Observations: • People don’t care about cookies, they care about privacy and functionality • People are equipped to make high-level decisions • Mistakes happen: error recovery should be easy Solutions: • Automated optimization: browser forking • Easy, high-level choices: side-by-side comparison • Recovery mechanism: backtrack + replay

  11. The ideal policy • Allow the set of cookies that maximizes the net benefit to the user • Net benefit = Benefit – Cost = Functionality – Privacy Loss • Having an objective function allows us to start to measure policy quality • With a default-deny policy, each user-initiated change represents a unit of error

  12. Challenges • Benefit is not revealed until after cookie is taken • Cost only revealed through hidden P3P policy Making informed decisions is difficult

  13. Determining benefit Observation: If a cookie has no benefit, we can reject it outright Idea: Fork the browser • One fork takes the cookie, one doesn’t • Maintain fork for a few pages • If no difference in the output, assume reject • Encode the decision into the policy

  14. Forking the browser (cookies not needed) VISIBLE Amazon.com (cookies off) Home page Item page Cart View book Add to cart . . . DENY policy assumed because no difference HIDDEN, FORKED Amazon.com (cookies on) Home page Item page Cart View book Add to cart

  15. Forking the browser (cookies needed) VISIBLE VerizonWireless.com (cookies off) Home page Enter ZIP Error page View plans ‘94720’ Switch to other window? HIDDEN, FORKED VerizonWireless.com (cookies on) Home page Enter ZIP List of plans View plans ‘94720’

  16. User choice • Last line of defense • Idea: Expose cost and benefit to the user • Show side-by-side output from forking technique, highlighting differences (=benefit) • Show relevant P3P information (=cost) • User can simply decide if with-cookie is better than without-cookie

  17. Semantic comparison of web pages • Necessary for forking and side-by-side highlighting • Difficult problem on its own • Sources of error: • Advertisements • Natural nondeterminism (click trackers, news feeds) • For now, coarse comparison (viz., page title)

  18. Dealing with errors • Errors are inevitable • Prediction algorithm won’t always guess right • Humans make mistakes or change their minds Recovery should be easy and automated

  19. “This site requires cookies” The nightmare page Important Note: This section of the site requires the use of cookies. Cookies allow us to keep track of who you are and your placement choices… Once you have changed your browser to accept cookies, please go back to the placement area home page and begin making your choices… • Select "Preferences" from the Edit menu. • Click on the "Advanced" selector. • Click the "Cookies" option. • Scroll down to the "Cookies" section. • To enable: • Select "Enable all cookies." • Click "OK."

  20. “Fix Me” Cookies Off (due to prior policy) Home page Item page Item page Empty cart View Item Add item Show cart Click “Fix Me” Home page Item page Cart page View Item (Automatic) Add item (Automatic) Session Cookies On(automatic) Replay stops because page is different

  21. Notes on Backtracking + replaying • How far to go back? • Typically start of site • Which cookies to enable? • Perform an expanding search, start with FP session • When to stop? • When there is a difference from the history • If no difference, expand cookie search & retry • Don’t replay through POSTs (non-idempotent)

  22. Why replaying is OK • No formal proof possible: server can take arbitrary actions in response to a request • In practice, server state is the problem • Without state, most sites are repeatable • Lack of state (cookies) is why we are replaying! • Empirically, most problems show up early, so not much to replay

  23. Engineering challenges • Web is dynamic and nondeterministic • We handle most Javascript • Heuristics are good in practice at matching elements • Browsing is nonlinear (e.g., tabs, back button) • Still working on multiple tabs • Back button is emulated • Firefox is an immature platform

More Related