Online Tracking COMP 150-4: Human Factors in Security and Privacy - Lecture 17 Prof. Daniel Votipka

Page created by Kathryn Johnson
 
COMP 150-4: Human Factors in Security and Privacy

         Online Tracking
                     Lecture 17
               Prof. Daniel Votipka
                  Spring 2021
            (some slides courtesy of Adam Aviv)
Administrivia
• HW3 - Due next Tuesday (4/13)
• HW3 problem 3 - You should set up a participant account
• Talks this week:
   • Kevin Fu (Thursday @ 3pm) — Medical Device Security
     • Link: https://tufts.zoom.us/j/98610939077

What we did last time!
• NEAT/SPRUCE Guidelines
• Wogalter Communication-Human Interaction Process
   • Getting the users’ attention
• Nudges

What are we doing today?
• How does the ad market work?
• Who is tracking me and what are they collecting?
• Defenses against tracking
   • Tracker blocking
   • Notice and consent

Online Ad Marketplace
Online Behavior Advertising (OBA)
• Who is tracking me?
• What data do they have?
Prevalence of Tracking
• Used “headless” browser to measure the prevalence of tracking on the web (CCS 2016)
Measurement Parameters
• Stateful Measurements
   • Tracking requires state
   • Maintain cookies and other persistent browser storage
   • Seed profile
      • Top 10,000 sites
          • Can’t do top 1M (too much!)

• Fingerprinting
   • Canvas, Canvas Font, WebRTC, Audio

• Detecting ID Cookies
   • Parse cookies key/value strings
   • Must be…
      • Expiration date over 90 days
      • 8 < length < 100
      • Remains same throughout
      • Different between machines
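
Added example (not from the lecture or from the measurement study's own code): the four "Detecting ID Cookies" criteria applied to two constructed crawls of the same sites from two machines. The function names, the delimiter set used to split cookie values, and all sample hosts and values are assumptions made for illustration.

```python
import re
from collections import defaultdict

MIN_LIFETIME_DAYS = 90                 # slide: expiration date over 90 days
DELIMS = re.compile(r"[&|:;,]")        # assumed field delimiters inside a value

def parse_fields(value):
    """Split a cookie value into (key, token) pairs; bare tokens get a positional key."""
    fields = []
    for i, part in enumerate(DELIMS.split(value)):
        key, sep, token = part.partition("=")
        fields.append((key, token) if sep else (str(i), part))
    return fields

def stable_tokens(crawl):
    """Tokens that are long-lived, 8 < length < 100, and unchanged within one crawl."""
    seen, lifetime = defaultdict(set), {}
    for host, name, value, days in crawl:
        for key, token in parse_fields(value):
            k = (host, name, key)
            seen[k].add(token)
            lifetime[k] = min(days, lifetime.get(k, days))
    out = {}
    for k, tokens in seen.items():
        token = next(iter(tokens))
        if len(tokens) == 1 and lifetime[k] > MIN_LIFETIME_DAYS and 8 < len(token) < 100:
            out[k] = token
    return out

def id_cookies(machine_a, machine_b):
    """Fields that pass on both machines but carry a different token on each."""
    a, b = stable_tokens(machine_a), stable_tokens(machine_b)
    return sorted(k for k in a.keys() & b.keys() if a[k] != b[k])

# Constructed sample crawls: (host, cookie name, value, lifetime in days)
CRAWL_A = [
    ("tracker.example", "uid", "a3f9c2e17b6d4051", 365),
    ("shop.example", "sess", "Zk81QpLm20xYw7", 1),                  # expires too soon
    ("news.example", "prefs", "lang=en-US-x-default&v=1", 400),     # same on both machines
    ("ads.example", "t", "u=7d1e5b90aa42c3f8|s=1617000001", 730),
    ("ads.example", "t", "u=7d1e5b90aa42c3f8|s=1617000999", 730),   # field s changes
]
CRAWL_B = [
    ("tracker.example", "uid", "5be0d7714c9a2f36", 365),
    ("shop.example", "sess", "Qr55TnVb91cDe3", 1),
    ("news.example", "prefs", "lang=en-US-x-default&v=1", 400),
    ("ads.example", "t", "u=c40f2a6e9d8137b5|s=1617000002", 730),
]
print(id_cookies(CRAWL_A, CRAWL_B))
```

The session cookie fails the lifetime test, the language preference is identical on both machines, and the changing `s` field fails the stability test, so only the two per-machine identifiers remain.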
Tracker Lists: EasyList and EasyPrivacy
Results of 1 Million Site Census
• Long-thin-tail
   • 123 of 81,000 trackers are found on more than 1% of the sites
   • Number of trackers is small, but those are very prevalent!
Few Companies Track a Lot!
• Fingerprint tracking was rare and used by less prominent trackers
So what do these sites know about you?
Ex: Twitter advertising data
• Twitter provides…
   • …all ads displayed to the user in the last 90
     days
   • …the criteria advertisers used to target those
     ads
   • …all interests associated with that account
   • …all advertisers who targeted ads to that
     account

• Asked 231 Twitter users to
  download and share this data
• Asked participants how they felt
  about Twitter targeting
How does Twitter target?
Relate to a user’s lifestyle, behavioral, or attitudinal propensities
How does Twitter target?
Information provided by advertisers; unrelated to Twitter behavior
Participants didn’t like these and also didn’t think they worked
New Frontier of Tracking
CCS’19
Quick Exercise
• Go to Google’s Ad Settings
   • https://adssettings.google.com/authenticated?hl=en

• What inferences stood out to you? Why?
• Is there anything you think might be on here by mistake? Why?
• Is there anything on there that makes you feel uncomfortable?
• Is there any information missing you would have expected to see?
• How do you think that information was chosen?
Discussion Topics
• Is personalized tracking wrong?

• Why do users care and maybe not care?

• Have you ever looked at your OBA or used anti-tracking tools?

• How might you conduct a study to measure user perceptions of OBA and
  tracking awareness?
How can we prevent tracking?
Block tracking
Tracking settings in Browsers (Mozilla)
uBlock Origin / Ghostery
W3C Standards: Do Not Track
Browser Designed to Stop Tracking
Brave Settings
Notice and Consent
YourAdChoices, WebChoices, AppChoices
Digital Advertising Alliance (DAA)
• DAA - Self-Regulatory Program
   • Also in Argentina, Canada,
     and the EU (e.g., for GDPR)

• Principles and Enforcement
   • Transparency Political Advertising
      • Facebook is not a member
   • Across device usage
   • Multi site
   • Online Behavior Advertising
Online Behavior Advertising (OBA)
• Not noticed
• “AdChoices” outperformed by several other phrases
   • “Why did I get this ad?”
   • “Interest based ads”
   • “Learn about your ad choices”
• Users are afraid to click

What do online behavioral advertising disclosures communicate to users? Leon et al. 2012
Example: Google
Do users use these features? (PETS 2016)
How do users react to advertising inferences? (SOUPS 2020)
• Participants viewed their Google inferences
   • Plausible/Implausible/No-Connection

• Struggle to consider platform perspective
• Confusion about the individual vs. aggregate inference
   • Demographic Aggregation
   • Individual targeting
Longitudinal tracking data
• Client-side tracking of online
  behaviors
• Presents in-depth information to
  users about expected inferences
• Participants were surprised by the scope of tracking
• Tracking Transparency users better understood online tracking
Improved Ad Explanations
• Users want detail, ambiguity seems like they’re hiding something
• More information did not increase trust in advertiser
What we did today!
• How does the ad market work?
• Who is tracking me and what are they collecting?
• Defenses against tracking
   • Tracker blocking
   • Notice and consent

What’s next?
• Breach Notifications
   • End users
   • Organizations
