What are E-mail and the Web “like”?


Presentation Transcript


  1. What are E-mail and the Web “like”? • Postal mail • Cable TV • Library • Telephone • Newspaper • Video game • They’re found in an office • They’re found in a room at home

  2. Overarching Goal • Help align user privacy expectations with reality • The obvious tactics: • Teach the users what it’s really like out there, or • Transform the wilderness into what it should be

  3. Web tracking summary • [Diagram: the browser at dm.cs.uml.edu requests and receives the main HTML page from ual.com, then requests and receives an embedded element (such as an image) from doubleclick.net (3rd party), reporting referrer information to doubleclick.net as it does so]

  4. Cookie sharing threat • [Diagram: berklee.edu, buy.com and ual.com all embedding content from the same 3rd party] • A 3rd party content provider could track a user across all sites served by it (usually via an identifying cookie) • Some indications of interest in doing this from Internet advertising folks • Threat led to fierce opt-in/opt-out debates and lots of cookie-management software • And P3P, naturally
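The mechanism behind slides 3 and 4, as an added, self-contained simulation (not code from the Bugnosis project or the talk): three first-party pages each embed one image from the same third-party host; the third party sets an identifying cookie on the first request and reads it back, together with the Referer header the browser reports, on every later request. Hostnames, paths and the cookie name are constructed for the example; the "browser" and "tracker" are in-process objects exchanging plain header maps rather than real HTTP.

```javascript
'use strict';

// Constructed third-party host (stands in for doubleclick.net in the slides).
const TRACKER_HOST = 'tracker.example.net';

// Third-party content server. It never sees the user's name; it only needs
// a stable identifier plus the Referer header to reconstruct the browsing path.
class Tracker {
  constructor() {
    this.nextId = 1;
    this.visits = new Map(); // tracker id -> list of referring page URLs
  }

  handle(req) {
    // Read back the identifying cookie, if the browser already has one.
    const m = (req.headers.cookie || '').match(/(?:^|;\s*)id=([^;]+)/);
    let id = m ? m[1] : null;
    const resp = { status: 200, headers: { 'content-type': 'image/gif' } };
    if (!id) {
      // First contact from this browser: assign an id and set it as a cookie.
      id = String(this.nextId++);
      resp.headers['set-cookie'] = `id=${id}; Domain=${TRACKER_HOST}; Path=/`;
    }
    if (!this.visits.has(id)) this.visits.set(id, []);
    // The Referer tells the third party which first-party page embedded it.
    if (req.headers.referer) this.visits.get(id).push(req.headers.referer);
    return resp;
  }
}

// Minimal browser: a per-host cookie jar, and it reports the embedding page
// as Referer when fetching an embedded element (the behaviour slide 3 shows).
class Browser {
  constructor() { this.jar = new Map(); } // host -> "name=value"

  fetchEmbedded(pageUrl, imgUrl, server) {
    const host = new URL(imgUrl).host;
    const headers = { referer: pageUrl };
    if (this.jar.has(host)) headers.cookie = this.jar.get(host);
    const resp = server.handle({ url: imgUrl, headers });
    const sc = resp.headers['set-cookie'];
    if (sc) this.jar.set(host, sc.split(';')[0]); // keep only name=value
    return resp;
  }
}

// One browser visiting three unrelated sites that all embed the tracker's image.
function simulate() {
  const tracker = new Tracker();
  const browser = new Browser();
  const pages = [
    'http://www.berklee.edu/admissions.html', // constructed page URLs
    'http://www.buy.com/cart.html',
    'http://www.ual.com/flights.html',
  ];
  for (const page of pages) {
    browser.fetchEmbedded(page, `http://${TRACKER_HOST}/pixel.gif`, tracker);
  }
  return tracker.visits; // Map { '1' => [ ...all three page URLs ] }
}

module.exports = { Tracker, Browser, simulate };
```

Running `simulate()` yields a single tracker id whose visit list is the full sequence of first-party pages; the three sites never exchanged anything with each other, which is exactly why this was framed as a "cookie sharing" threat rather than a first-party one.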

  5. Web bugs • A bug is a hidden eavesdropping device • Vague definition: A Web bug is an HTML element that is • present for surveillance purposes, • and is intended to go unnoticed by users

  6. Our definition • A Bugnosis Web bug: • is an image • is too small to see (<= 7 square pixels) • is third party to the main page (approximately the RFC 2965 notion of third party) • has a third party cookie • only appears once on page • Some other characteristics are used for secondary sorting purposes

  7. Getting the word out • We knew there were a lot of Web bugs out there (from direct HTML inspection, and a later quantitative study) • Web bugs vs cookie sharing threat: • Web bugs harder to thoroughly explain • But have an easier take-home message: “This is evidence that someone is intentionally noting your visit” • Still very hard to identify purpose of tracking

  8. Bugnosis: the tool • Most important user interface decision: the audience would be journalists • So we needed: • easy install/uninstall • reasonable default behavior • zero configuration • attention-grabbing runtime • a bit of gobbledygook is OK • Didn’t need: • web bug blocking behavior • browser support other than Internet Explorer

  9. Bugnosis demo • Altace for cardiovascular risks • MSNBC Cybercrime article • use of JavaScript; latitude & longitude • Google search: “best music portsmouth NH” • referrer • Mycomputer.com's privacy policy • full probe, old junk in cookie, https • NY Times Movies pages • thrilling cookie

  10. Bugnosis details • Proxy model (not used in Bugnosis) • [Diagram: the browser fetches www.ual.com through a LocalProxy; the proxy sees the raw HTML (<h1>United</h1> <img src=“…” width=1 height=1> …) and passes it on unchanged to the browser]

  11. Bugnosis details • Document Object Model / Browser Helper Object • [Diagram: the browser loads www.ual.com (<h1>United</h1> <img src=“…”> …); on the DocumentComplete event the BHO reads and can modify the DOM, e.g. width = document.imgs[0].width … document.imgs[0].src = “bug.gif” …]

  12. Bugnosis details • Advantages of BHO over proxy: • accuracy– no need to reparse HTML • image attributes– healthology • sensing in spite of SSL encryption • Disadvantages: • tightly coded to browser • interactive
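The slide-6 definition applied to the image list a BHO would read from the DOM after DocumentComplete (slide 11), as an added example that is not Bugnosis's own code. Each entry mimics what `document.images[i]` exposes (src, width, height) and a Map stands in for the browser's cookie store. The "third party" test approximates RFC 2965 by comparing the last two labels of the host names, which is an assumption that holds for .com/.net/.edu hosts but not for country-code domains; the page URL, image list and cookies are constructed for the example.

```javascript
'use strict';

// Registrable domain, roughly: the last two labels of the host.
// Assumption for this example; real third-party logic needs a public suffix list.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Apply the four Bugnosis criteria to every image and return the ones that pass.
// images: array of { src, width, height } as read from the DOM.
// cookieJar: Map of registrable domain -> cookie string the browser holds.
function findWebBugs(pageUrl, images, cookieJar) {
  const pageSite = siteOf(new URL(pageUrl).host);

  // "Only appears once on page": count each src up front.
  const srcCounts = new Map();
  for (const img of images) srcCounts.set(img.src, (srcCounts.get(img.src) || 0) + 1);

  const bugs = [];
  for (const img of images) {
    const imgHost = new URL(img.src, pageUrl).host;
    const imgSite = siteOf(imgHost);
    const checks = {
      tooSmall: img.width * img.height <= 7,          // <= 7 square pixels
      thirdParty: imgSite !== pageSite,                // approx. RFC 2965
      hasThirdPartyCookie: cookieJar.has(imgSite),     // tracker can recognise the user
      appearsOnce: srcCounts.get(img.src) === 1,       // spacers tend to repeat
    };
    if (Object.values(checks).every(Boolean)) {
      bugs.push({ src: img.src, host: imgHost, checks });
    }
  }
  return bugs;
}

// Constructed sample: what the DOM of a www.ual.com page might hold.
const SAMPLE_PAGE = 'http://www.ual.com/index.html';
const SAMPLE_IMAGES = [
  { src: 'http://www.ual.com/logo.gif', width: 200, height: 60 },              // first party, visible
  { src: 'http://images.ual.com/spacer.gif', width: 1, height: 1 },            // first-party spacer: not a bug
  { src: 'http://ad.tracker.example.net/ad;sz=468x60', width: 468, height: 60 }, // third party but a visible banner
  { src: 'http://ad.tracker.example.net/activity;src=123', width: 1, height: 1 }, // the Web bug
  { src: 'http://counter.example.org/c.gif', width: 1, height: 1 },            // tiny, third party, has cookie...
  { src: 'http://counter.example.org/c.gif', width: 1, height: 1 },            // ...but appears twice
];
const SAMPLE_COOKIES = new Map([
  ['ual.com', 'session=abc'],
  ['example.net', 'id=8000000a'],
  ['example.org', 'cnt=1'],
]);

function demo() {
  return findWebBugs(SAMPLE_PAGE, SAMPLE_IMAGES, SAMPLE_COOKIES);
}

module.exports = { siteOf, findWebBugs, demo, SAMPLE_PAGE, SAMPLE_IMAGES, SAMPLE_COOKIES };
```

`demo()` flags exactly one image, the 1x1 `activity` request to the third-party host that already holds a cookie for this browser; the first-party spacer, the visible banner and the repeated counter image each fail one criterion, which is the kind of false-positive pressure the "secondary sorting" characteristics on slide 6 exist to handle. Because the data comes from the rendered DOM rather than from re-parsed HTML, the same routine works for pages loaded over SSL, which is the advantage slide 12 claims for the BHO over a proxy.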

  13. Successes and Failures • Success: graphic identity gave it a legitimacy that’s otherwise unobtainable • Success: sufficiently in-your-face • Success: ability to remotely white-list sites • Failure before Success: original “drive-by” ActiveX installation • Failure: no P3P integration • Failure: insufficient tech support structure • Failure: no HTML email support

  14. Bugnosis for Email • Web bugs in email – they know who you are! • Thoroughly breaks expectations • Trend is clearly away from 3rd party image support in HTML email readers • Yet in past 12 months we’ve seen Web bugs in emails from Pfizer, Procter & Gamble, Roche, Orthobiotech, RJ Reynolds, GlaxoSmithKline, Experian (for Pernod Ricard)

  15. Conclusion • Designing for journalists meant designing for the masses • Get Bugnosis from www.bugnosis.org (Windows IE only) • BTW, 3 spots in my car

  16. Quantifying the amount of tracking • The FTC samples: from 2000 report “Privacy Online” • Of 91 “popular” sites, 84 remained in 2001 • Of 335 “random” (consumer-oriented) sites, 298 remained • Searched up to 100 pages per site, each <= 4 clicks from the home page, for Web bugs

  17. Results • Popular sample: • 84 sites: 58% contained >= 1 bug • 29% of sites with bugs did not disclose them • 7,507 pages: 10% contained >=1 bug • Random sample: • 298 sites: 36% contained >=1 bug • 25,263 pages: 10% contained >=1 bug