Online Tracking COMP 150-4: Human Factors in Security and Privacy - Lecture 17 Prof. Daniel Votipka
COMP 150-4: Human Factors in Security and Privacy
Online Tracking
Lecture 17
Prof. Daniel Votipka, Spring 2021 (some slides courtesy of Adam Aviv)
Administrivia
• HW3 - Due next Tuesday (4/13)
• HW3 problem 3 - You should set up a participant account
• Talks this week:
  • Kevin Fu (Thursday @ 3pm): Medical Device Security
  • Link: https://tufts.zoom.us/j/98610939077
What we did last time!
• NEAT/SPRUCE Guidelines
• Wogalter Communication-Human Interaction Process
• Getting the users’ attention
• Nudges
What are we doing today?
• How does the ad market work?
• Who is tracking me and what are they collecting?
• Defenses against tracking
  • Tracker blocking
  • Notice and consent
Prevalence of Tracking (CCS 2016)
• Used “headless” browser to measure the prevalence of tracking on the web
Measurement Parameters
• Stateful Measurements
  • Tracking requires state
  • Maintain cookies and other persistent browser storage
• Seed profile
  • Top 10,000 sites
  • Can’t do top 1M (too much!)
• Fingerprinting
  • Canvas, Canvas Font, WebRTC, Audio
• Detecting ID Cookies
  • Parse cookies key/value strings
  • Must be…
    • Expiration date over 90 days
    • 8 < length < 100
    • Remains same throughout
    • Different between machines
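The ID-cookie criteria on the slide above, applied to two crawls of the same sites, as an added example that is not from the lecture or the measurement tool. The observations, host names and cookie values are constructed, and "different between machines" is assumed to mean plain inequality.

```python
from http.cookies import SimpleCookie

MIN_LIFETIME = 90 * 24 * 3600  # slide: expiration date over 90 days

def parse(observations):
    """Map (host, cookie name) -> [(value, lifetime in seconds), ...]."""
    seen = {}
    for host, header in observations:
        jar = SimpleCookie()
        jar.load(header)  # parse the cookie key/value string
        for name, morsel in jar.items():
            lifetime = int(morsel["max-age"] or 0)  # session cookie -> 0
            seen.setdefault((host, name), []).append((morsel.value, lifetime))
    return seen

def stable_id(records):
    """Return the value if it passes the per-machine criteria, else None."""
    values = {value for value, _ in records}
    if len(values) != 1:  # must remain the same throughout the crawl
        return None
    if min(life for _, life in records) <= MIN_LIFETIME:
        return None
    value = values.pop()
    return value if 8 < len(value) < 100 else None  # slide: 8 < length < 100

def find_id_cookies(machine_a, machine_b):
    """Cookies that qualify on both machines and differ between them."""
    a, b = parse(machine_a), parse(machine_b)
    found = []
    for key in sorted(a.keys() & b.keys()):
        va, vb = stable_id(a[key]), stable_id(b[key])
        if va and vb and va != vb:  # assumption: plain inequality
            found.append(key)
    return found

# Constructed observations (host, Set-Cookie-style string) from two crawls.
YEAR = "Max-Age=31536000"
MACHINE_A = [
    ("tracker.example", f"uid=a81f3c9e77b24d10; {YEAR}"),
    ("tracker.example", f"uid=a81f3c9e77b24d10; {YEAR}"),
    ("tracker.example", f"pref=darkmode2021; {YEAR}"),   # same on both machines
    ("shop.example", "sess=0f9e8d7c6b5a4e3d"),           # session lifetime
    ("cdn.example", f"v=3; {YEAR}"),                      # too short
    ("ads.example", f"rot=aaaaaaaa11111111; {YEAR}"),
    ("ads.example", f"rot=bbbbbbbb22222222; {YEAR}"),    # changes mid-crawl
]
MACHINE_B = [(h, c.replace("a81f3c9e77b24d10", "5d02b7e1c44f9a63")
                  .replace("0f9e8d7c", "77776666")) for h, c in MACHINE_A]

print(find_id_cookies(MACHINE_A, MACHINE_B))
```

Only the long-lived, stable, per-machine `uid` cookie survives all four filters; each other sample cookie fails exactly one criterion.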
Results of 1 Million Site Census
• Long-thin-tail
• 123 of 81,000 trackers are found on more than 1% of the sites
• Number of trackers is small, but those are very prevalent!
Few Companies Track a Lot! Fingerprint tracking was rare and used by less prominent trackers
So what do these sites know about you?
Ex: Twitter advertising data
• Twitter provides…
  • …all ads displayed to the user in the last 90 days
  • …the criteria advertisers used to target those ads
  • …all interests associated with that account
  • …all advertisers who targeted ads to that account
• Asked 231 Twitter users to download and share this data
• Asked participants how they felt about Twitter targeting
How does Twitter target?
How does Twitter target? Relate to a user’s lifestyle, behavioral, or attitudinal propensities
How does Twitter target?
• Participants didn’t like these and also didn’t think they worked
• Information provided by advertisers; unrelated to Twitter behavior
New Frontier of Tracking CCS’19 CCS’19
Quick Exercise
• Go to Google’s Ad Settings
  • https://adssettings.google.com/authenticated?hl=en
• What inferences stood out to you? Why?
• Is there anything you think might be on here by mistake? Why?
• Is there anything on there that makes you feel uncomfortable?
• Is there any information missing you would have expected to see?
• How do you think that information was chosen?
Discussion Topics
• Is personalized tracking wrong?
• Why do users care and maybe not care?
• Have you ever looked at your OBA or used anti-tracking tools?
• How might you conduct a study to measure user perceptions of OBA and tracking awareness?
How can we prevent tracking?
Block tracking
Tracking settings in Browsers (Mozilla)
uBlock Origin / Ghostery
W3C Standards: Do Not Track
Browser Designed to Stop Tracking
Brave Settings
Notice and Consent
YourAdChoices, WebChoices, AppChoices
Digital Advertising Alliance (DAA)
• DAA - Self Regulatory Program
• Also in Argentina, Canada, and the EU (e.g., for GDPR)
• Principles and Enforcement
• Transparency Political Advertising
• Facebook is not a member
• Across device usage
• Multi site
• Online Behavior Advertising
Online Behavior Advertising (OBA)
What do online behavioral advertising disclosures communicate to users? (Leon et al. 2012)
• Not noticed
• “AdChoices” outperformed by several other phrases
  • “Why did I get this ad?”
  • “Interest based ads”
  • “Learn about your ad choices”
• Users are afraid to click
Example: Google
Do users use these features? PETS 2016
How do users react to advertising inferences? (SOUPS 2020)
• Participant viewed their Google inferences
• Plausible/Implausible/No-Connection
• Struggle to consider platform perspective
• Confusion about the individual vs. aggregate inference
  • Demographic Aggregation
  • Individual targeting
Longitudinal tracking data
• Client-side tracking of online behaviors
• Presents in-depth information to users about expected inferences
• Participants were surprised by the scope of tracking
• Tracking Transparency users better understood online tracking
Improved Ad Explanations
• Users want detail, ambiguity seems like they’re hiding something
• More information did not increase trust in advertiser
What we did today!
• How does the ad market work?
• Who is tracking me and what are they collecting?
• Defenses against tracking
  • Tracker blocking
  • Notice and consent
What’s next?
• Breach Notifications
  • End users
  • Organizations