brave privacy and standards
play

Brave, Privacy, and Standards Peter Snyder, Privacy Researcher, - PowerPoint PPT Presentation

Jul 07, 2023 •462 likes •1.01k views

Brave, Privacy, and Standards Peter Snyder, Privacy Researcher, pes@brave.com Pranjal Jumde, Security Engineer, pranjal@brave.com Overview Brave's goals on the Web How Brave protects privacy today How the standards process

  1. Brave, Privacy, and Standards Peter Snyder, Privacy Researcher, pes@brave.com 
 Pranjal Jumde, Security Engineer, pranjal@brave.com

  2. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 2

  3. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 3

  4. Brave Is 100% In on Web Openness • Anyone can join / code / view-source • No choke-point 
 Compatibility • Easy to share content • Best cross-device story 
 But things have gone off the rails… � 4

  5. Creators: Users: The Ecosystem Small & declining revenue Slow, abusive, creepy ads and is Broken: Commodification tracking 
 Advertisers: Fraud: 2017 - $16B in US 
 est. $50B by 2025 Data source: Business Insider, Atlantic, Fortune, PageFair � 5

  6. USERS: Already Paying a High Price Slow Invasive Expensive Insecure 5 124 $ 23 3x seconds per 
 trackers 
 monthly average 
 malware and 
 mobile page load 
 on media users pay to 
 ransomware 
 wasted by Adtech sites like TMZ download ads 
 growth in 2017 and trackers � 6 Data source: Bullet 1, New York Times and Medium ; Bullet 2: TMZ: Ghostery ; Bullet 3: New York Times ; Bullet 4: Forbes: Cylance .

  7. PUBLISHERS: Ad-tech Lumascape: High Cost, Low Quality � 7 Data source: www.lumapartners.com for graphic and World Federation of Advertisers for fraud.

  8. ADVERTISERS: 
 Users Respond with Ad-blocking Mobile 380M browsers 600M+ 
 275M devices 181M Desktop 236M browsers 119M 216M 54M 145M 2013 2014 2015 2016 2017 8 � Data source: Pagefair

  9. Our Vision Brave + BAT For a Better Web Reformed digital Private-by-default Reward users to advertising browsing browse/autopay � 9

  10. 
 
 
 Lack Of Browser Privacy is at the Center Draws advertisers away from high quality content 
 Incentivizes performance heck, multi-Mb websites 
 Insulting and abusive to users 
 Pushes users off Web, to closed platforms � 10

  11. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards processes makes privacy difficult 
 (and how it can be fixed) � 11

  12. 
 
 Overview Brave's goals on the web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 12

  13. 
 
 
 Privacy in Brave Tighter Default Storage Controls 
 Tor Integration 
 Resource Blocking 
 Web API / DOM Modifications � 13

  14. 
 
 
 Privacy in Brave Tighter Default Storage Controls 
 Tor Integration 
 Web Standards / W3C Resource Blocking 
 Web API / DOM Modifications � 14

  18. Web API Modifications

  19. Web API Modifications

  20. 
 Web Audio Fingerprinting Standard says websites can query hardware 
 Hardware is pseudo-identifying 
 Enough pseudo-identifiers yield a real identifier 
 So Brave breaks the standard… � 20

  21. 
 Breaking Standards for Privacy Hardware Detection: Font Enumeration: • Web Audio • Canvas • WebGL • SVG 
 • WebUSB Display Information: • Battery API 
 • Client Hints Network Information • WebRTC 
 Browsing History: • Referrer Policy 21 �

  22. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 22

  23. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 23

  24. Privacy vs Compatibility

  25. Three Standards 
 Privacy Anti-Patterns

  26. Three Standards 
 Privacy Anti-Patterns

  27. 1. Defined Functionality, 
 Non-Normative Mitigations 


  28. 
 
 
 Privacy Risk w/ Non-Normative Mitigations Privacy-harming / risky functionality 
 “Privacy considerations" section, but non-standardized mitigation 
 The Web assumes the dominant implementation, instead of the standard 
 Result: Harm is “locked in” / out of control of the standards process � 28

  32. 
 
 
 Result Well described functionality 
 Vaguely / undefined / unclear mitigations 
 Web assumes the defined functionality, privacy-harm gets locked in 
 Solution: Make mitigations normative and standardized! � 32

  33. 1. Defined Functionality, 
 Non-Normative Mitigations 
 2. Uncommon Use Case, 
 Common Availability 


  34. 
 
 
 Uncommon Use Case, Common Availability Genuinely useful functionality, for niche scenarios 
 Functionality is made widely available (first-party, third-party, frames, etc.) 
 Co-opted by tracking, code-paths assume availability 
 Result: can't be removed, even from irrelevant sites � 34

  39. 
 
 Widely Available 
 Sites / benign code expects 
 Removing / blocking breaks benign sites

  40. Lots of rare-use-case functionality Brightness sensors WebVR Machine Learning APIs High Resolution Timers Vibration WebGL operations Tracing APIs Many many many more… � 40

  41. 
 
 Lesson Learned Assume people will find bad uses for your functionality 
 General access -> difficult to remove / modify 
 Solution: Restrict access to the use cases you care about • User gestures • Permission prompts • Not-in-frames � 41

  42. 1. Defined Functionality, 
 Non-Normative Mitigations 
 2. Uncommon Use Case, 
 Common Availability 
 3. “No worse than the 
 status quo”

  43. 
 
 “No worse than the status quo” Privacy-harming / risky functionality 
 “Information is available elsewhere, so no additional harm” 
 Result: Web compat difficulty expands… � 43

  45. Client Server

  46. Client Server GET /index.html

  47. Client Server GET /index.html Accept-CH: DPR 
 Accept-CH: Viewport-Width

  48. Client Server GET /index.html Accept-CH: DPR 
 Accept-CH: Viewport-Width DPR: 2 
 Viewport-Width: 1434

  49. Values in Client Hints are Identifying Eckersley, Peter. "How unique is your web browser?." PETS 2010 
 Viewport height and width Laperdrix et al. ”Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints." S&P 2016. 
 Device color depth 
 Englehardt et al. "Online Tracking: A 1-million-site Measurement and Analysis.” CCS 2016 
 The above are being used often! � 49

  50. 
 
 Client Hints Authors’ Current Position This information is already available No further exposure / no marginal harm 
 Brave’s Concerns with the Client-Hints Proposal 
 https://brave.com/brave-and-client-hints/ � 50

  52. 
 
 Lesson Learned “Horizontal” privacy risk is technological debt 
 Same data in more places entrenches the risk 
 Solution: Treat all additional privacy risk as equally problematic � 52

  53. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 53

  54. 
 Conclusion Brave is working to improve the 
 Web for users, content creators and advertisers. 
 Privacy preserving standards are Pete Snyder 
 important to improving the Web. 
 Privacy Researcher 
 pes@brave.com 
 The standards process can be Pranjal Jumde 
 improved to help privacy. Security Engineer 
 pranjal@brave.com

Recommend

Privacy, Standards and Anti-Patterns Peter Snyder, Privacy Researcher, pes@brave.com

Privacy, Standards and Anti-Patterns Peter Snyder, Privacy Researcher, pes@brave.com

Privacy, Standards and Anti-Patterns Peter Snyder, Privacy Researcher, pes@brave.com Overview Standards as a privacy focused implementor How the standards process makes privacy difficult (and how it can be fixed)

467 views • 46 slides
Privacy Preserving Bandits Joint work with: Mohammad Malekzadeh (QMUL/Brave) Hamed

Privacy Preserving Bandits Joint work with: Mohammad Malekzadeh (QMUL/Brave) Hamed

Privacy Preserving Bandits Joint work with: Mohammad Malekzadeh (QMUL/Brave) Hamed Haddadi(ICL/Brave) Ben Livshits (ICL/Brave) Dimitrios Athanasakis (Brave) 02.03.2020 @dimmu Why this is an important topic Personalization

906 views • 23 slides
IoT's Brave New World: What it Means to Privacy Pros Today and Tomorrow IAPP KnowledgeNet

IoT's Brave New World: What it Means to Privacy Pros Today and Tomorrow IAPP KnowledgeNet

IoT's Brave New World: What it Means to Privacy Pros Today and Tomorrow IAPP KnowledgeNet Detroit July 29, 2015 Agenda Intros, announcements and administration Discuss privacy aspects of IoT 2 Intro Matters Future Meeting Dates

418 views • 11 slides
Brave, Fingerprinting and Privacy on the Web Me (the early years) Grew up in Chicago

Brave, Fingerprinting and Privacy on the Web Me (the early years) Grew up in Chicago

Brave, Fingerprinting and Privacy on the Web Me (the early years) Grew up in Chicago actual Chicago Law school, then freelance web design Started: Anchorage, AK Ended: Judge Judy Show invitation PhD in Computer Science

1.09k views • 105 slides
The Odyssey: challenges to model privacy threats in a brave new world Rafa Glvez and Seda

The Odyssey: challenges to model privacy threats in a brave new world Rafa Glvez and Seda

The Odyssey: challenges to model privacy threats in a brave new world Rafa Glvez and Seda Grses Motivation imec - ESAT/COSIC, KU Leuven Threat Modeling 1. Characterize the system 2. Identify the threats 3. Threat and Risk analysis

147 views • 12 slides
Towards Privacy Standards Based on Empirical Data Serge Egelman Erika McCallister 2 Previous

Towards Privacy Standards Based on Empirical Data Serge Egelman Erika McCallister 2 Previous

Towards Privacy Standards Based on Empirical Data Serge Egelman Erika McCallister 2 Previous Privacy Standards P3P had highly granular privacy options Major web browsers supported it >25% of the most popular websites supported

446 views • 8 slides
BUTTON PROJECT OVERVIEW PRESENTATION OVERVIEW Brave Technology Coop Brave Button Overview

BUTTON PROJECT OVERVIEW PRESENTATION OVERVIEW Brave Technology Coop Brave Button Overview

4/5/19 Brave Technology Cooperative BUTTON PROJECT OVERVIEW PRESENTATION OVERVIEW Brave Technology Coop Brave Button Overview Ongoing Project Highlights System Features Implementation Co-Design and Onboarding Testing and Installation

315 views • 5 slides
Designing Privacy into Systems (and what is the role of organizations developing standards)

Designing Privacy into Systems (and what is the role of organizations developing standards)

Designing Privacy into Systems (and what is the role of organizations developing standards) Hannes Tschofenig (IAB) Jon Peterson (IAB) Bernard Aboba (IAB) Karen Solins (MIT CFP PrivSec) Privacy In the context of this presentation the

674 views • 8 slides
Privacy Resilience and Techno-Policy Standards (?) The case of the W3C Julien Rossi

Privacy Resilience and Techno-Policy Standards (?) The case of the W3C Julien Rossi

Privacy Resilience and Techno-Policy Standards (?) The case of the W3C Julien Rossi julien.rossi@utc.fr @julienrossi Can privacy resilience be a property of the information and communication systems we use? And if so, then how? Standards

232 views • 21 slides
BEING BRAVE & THE SHIFT TO MEANING A Presentation to the PANA 29 August 20 19 Philip

BEING BRAVE & THE SHIFT TO MEANING A Presentation to the PANA 29 August 20 19 Philip

BEING BRAVE & THE SHIFT TO MEANING A Presentation to the PANA 29 August 20 19 Philip Tiongson T: @Ptiongson || @HavasOrtega www.havasortega.com For internal sharing only. Not for public distribution BRAVE UNIQUE NOVEL DIFFERENT

1.13k views • 92 slides
Surviving Th e Mam m y Com p le x: Be in g Th e On ly In A Brave Ne w W orld

Surviving Th e Mam m y Com p le x: Be in g Th e On ly In A Brave Ne w W orld

Surviving Th e Mam m y Com p le x: Be in g Th e On ly In A Brave Ne w W orld Deena A. Sellers Faculty, Modern and Classical Languages and English Departments Diversity Coordinator Xavier High School, New York, NY But

395 views • 16 slides
Faculty Professional Development as Shared Brave Space 4CSD Conference Breakout Session #2

Faculty Professional Development as Shared Brave Space 4CSD Conference Breakout Session #2

Faculty Professional Development as Shared Brave Space 4CSD Conference Breakout Session #2 16 March 2017 Kristine Oliveira and Michelle Hernandez Antelope Valley College How can academic professionals engage in Brave Spaces in our own

468 views • 19 slides
Brave Browser & Basic Attention Token Blockchain and new revenue models NOVEMBER 27, 2018

Brave Browser & Basic Attention Token Blockchain and new revenue models NOVEMBER 27, 2018

Brave Browser & Basic Attention Token Blockchain and new revenue models NOVEMBER 27, 2018 Twitter: @brave Early days of the web This simple ad spawned a huge industry Data source: www.lumapartners.com for graphic and World Federation

603 views • 39 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
THE ROLE OF SPIRITUALITY WHEN DISCUSSING SUICIDE Victoria Welle 2020 Invitation to Brave Space

THE ROLE OF SPIRITUALITY WHEN DISCUSSING SUICIDE Victoria Welle 2020 Invitation to Brave Space

THE ROLE OF SPIRITUALITY WHEN DISCUSSING SUICIDE Victoria Welle 2020 Invitation to Brave Space Together we will create brave space Because there is no such thing as a safe space We exist in the real world We all carry scars and we have

376 views • 14 slides
CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies US Privacy Laws Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Privacy 1 Privacy The original

725 views • 45 slides
DATA PRIVACY FROM THE LEGAL TO THE ETHICAL ? ERIC SALAMA, SENIOR FELLOW HARVARD KENNEDY SCHOOL

DATA PRIVACY FROM THE LEGAL TO THE ETHICAL ? ERIC SALAMA, SENIOR FELLOW HARVARD KENNEDY SCHOOL

DATA PRIVACY FROM THE LEGAL TO THE ETHICAL ? ERIC SALAMA, SENIOR FELLOW HARVARD KENNEDY SCHOOL M-RCBG 29 TH OCTOBER 2020 HOUSE REPORT SEES POOR STANDARDS OF DATA PRIVACY AS EVIDENCE OF MONOPOLY POWER In the absence of adequate privacy

523 views • 29 slides
Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is

1.01k views • 76 slides
VCSE Conference Brave New World Revisited 22 nd March 2016 AJ Bell Stadium Making a

VCSE Conference Brave New World Revisited 22 nd March 2016 AJ Bell Stadium Making a

VCSE Conference Brave New World Revisited 22 nd March 2016 AJ Bell Stadium Making a difference in Salford since 1973 Welcome and Introductions Alison Page Chief Executive Salford CVS Welcome to Brave New World Revisited Huxley

929 views • 62 slides
Web 2.0 Securing the Brave New World May 23, 2007 Agenda Web 2.0 What Is It?

Web 2.0 Securing the Brave New World May 23, 2007 Agenda Web 2.0 What Is It?

Web 2.0 Securing the Brave New World May 23, 2007 Agenda Web 2.0 What Is It? Security Implications, and an Example Some Emerging Use of Technology Whats Needed Web 2.0 Non-Technical Issues A Modest

395 views • 18 slides
Bitcoin & Blockchains Kevin Sekniqi A Brave New World - The Vision of David Chaum David

Bitcoin & Blockchains Kevin Sekniqi A Brave New World - The Vision of David Chaum David

Bitcoin & Blockchains Kevin Sekniqi A Brave New World - The Vision of David Chaum David Chaum PhD CS/Business Adm from Berkeley 1982 Founded IACR same year eCash, mix nets, voting systems A Brave New World - The Vision of David Chaum

791 views • 52 slides

More recommend