privacy leakage on the internet
play

Privacy leakage on the Internet Balachander Krishnamurthy AT&T - PowerPoint PPT Presentation

Aug 13, 2022 •794 likes •1.35k views

Privacy leakage on the Internet Balachander Krishnamurthy AT&T LabsResearch http://www.research.att.com/~bala/papers Joint work with Craig E. Wills, http://www.cs.wpi.edu/~cew AT&T LabsResearch 1 Talk outline 1. Privacy

  1. Privacy leakage on the Internet Balachander Krishnamurthy AT&T Labs–Research http://www.research.att.com/~bala/papers Joint work with Craig E. Wills, http://www.cs.wpi.edu/~cew AT&T Labs–Research 1

  2. Talk outline 1. Privacy footprint: a longitudinal study report 2. Personally identifiable information leakage in Online Social Networks 3. Some IETF mumbling AT&T Labs–Research 2

  3. July 5 1993, New Yorker, Peter Steiner’s cartoon Sadly, this cartoon is out of date. AT&T Labs–Research 3

  4. Internet and Web Privacy • Security is about keeping unwanted traffic from entering our network • Privacy is about keeping wanted information from leaving our network Privacy is thus the dual of security • Privacy can be examined at user-, organizational-, ISP-level • Higher awareness due to e-commerce, new demographics (e.g., children) identity theft, and Online Social Networks. AT&T Labs–Research 4

  5. Should we care about privacy? • Depends on the information disseminated, ability to combine external data, what data collectors might do with it • We need to know what information is being diffused, who is tracking it, and how Goal is to allow standard network activity while preserving desired privacy AT&T Labs–Research 5

  6. Privacy footprint • Various daily interactions on the Web (commerce, email, search...): • Sites use many techniques to track users (1x1 pixel Web bugs, tracking cookies, JavaScript) • Aggregators track across sites ( dclk, googlesyndication, tacoda ) • Privacy footprint: measure of dissemination of user-related information across unrelated sites AT&T Labs–Research 6

  7. First-party vs. Third-Party nodes Connections between first-party visible (servers explicitly visited) and hidden third-party (visited as by-product) nodes Visible Nodes Hidden Nodes www.accuweather.com a248.e.akamai.net www.nationalreview.com i.a.cnn.net www.cnn.com m.2mdn.net www.americanexpress.com m.doubleclick.net online.wsj.com cnn.122.2o7.net www.amazon.com americanexpress.122.2o7.net www.target.com dowjones.122.2o7.net g−images.amazon.com AT&T Labs–Research 7

  8. Third parties 1. Ad Networks: First-party sites (publishers) arrange with ad networks to place ads on their pages via images or javascript code. E.g., Google’s Adsense (googlesyndication.com, doubleclick.net), AOL (advertising.com, tacoda.net), Yahoo!(yieldmanager.net) 2. Analytics companies: measure traffic, characterize users by downloading a JavaScript file and send back information in a URL. E.g., google-analytics.com (urchin.js), 2o7.net (Omniture), atdmt.com (Microsoft/aquantive), quantserve.com (Quantcast) 3. CDNs: Serve images, rarely JavaScript. e.g., akamai.net, yimg.com Privacy leaks to all of them. AT&T Labs–Research 8

  9. Mechanics of our data collection • Visible nodes: Popular 1200 Web sites in dozen Alexa categories • Extracted hidden nodes corresponding to each visible node via a Firefox extension that fetches objects and records request/response • Tests of popular Web sites in 68 countries and 19 languages. • Examined cookies, JavaScript, identifying URLs (those with ? = &) • Narrowed examination to consumer and fiduciary sites: subset of sites that raise more privacy concerns. • Study carried out nine times over a five year period: Oct ’05, April/Oct ’06, Feb/Sep ’08, March/June/Sept ’09, March ’10 AT&T Labs–Research 9

  10. Node association Two visible nodes are associated if accessing them results in accessing the same hidden node. Association can be due to several reasons: 1. server: Identical server name ( www.google-analytics.com ) 2. domain: Aggregated by merging hidden nodes with same 2nd-level domain names. E.g. cnn.112.2o7.net and dowjones.112.2o7.net 3. adns: Aggregated by merging hidden nodes that share the same ADNS (authoritative DNS server). e.g. doubleclick.net and ebayobjects.com have the same ADNS. (try dig ... NS) AT&T Labs–Research 10

  11. Cleaning up domain association • DNS for third-party servers may be provided by sites like ultradns.net • CDNs are increasingly used to serve content for third party servers (e.g., JavaScript or images with cookies) • We check ADNS of 3d-party and 1st-party servers—if they differ and the ADNS server is not that of a known CDN or DNS service, we use the 3d-party server as the domain • e.g. pixel.quantserve.com’s ADNS is akamai, so root domain is quantserve.com, but w88.go.com’s root domain is omniture.com (based on its ADNS). • Root domain: identifies the root cause of the origin for each server AT&T Labs–Research 11

  12. Association: Common hidden node between two visible nodes CCDF of number of other visible nodes associated with each visible node 1 alledge-root alledge-domain alledge-server 0.8 CCDF of Visible Nodes 0.6 0.4 0.2 0 0 100 200 300 400 500 600 700 800 900 Number of Associated Visible Nodes X-axis: Single visible node’s maximal association: (www.vonage.com) Server: 813 (75%), Domain: 850 (78%), ADNS: 885 (81%) of 1086 nodes. Y-axis: Degree of association: 87% server, 91% domain, 94% ADNS 75% of all visible nodes are associated with over 100 visible nodes AT&T Labs–Research 12

  13. Cumulative count of unique associated visible nodes Some visible nodes are associated via more than one hidden node. E.g., (www.cnn.com, online.wsj.com) with (doubleclick.net, 2o7.net) domains Top-10 associated ADNS nodes connected to 78.5% of visible nodes doubleclick.net, google-analytics.com, 2mdn.net, quantserve.com, scorecardresearch.com, atdmt.com, omniture.com, googlesyndication.com, yieldmanager.com,2o7.net Merging holding companies: Google, Omniture, MSFT, Yahoo, etc. OK to focus on these. AT&T Labs–Research 13

  14. Hidden Nodes in 68 countries (older data) Hidden nodes appearing in at least 20% of Per-Country Top-10 Lists Number of Appearances Hidden in Country Top-10 Node Hidden Node List (%) google-analytics.com 61 (90%) yahoo.com 58 (85%) yimg.com 47 (69%) googlesyndication.com 44 (65%) doubleclick.net 39 (57%) 2o7.net 31 (46%) atdmt.com 24 (35%) 2mdn.net 22 (32%) statcounter.com 15 (22%) imrworldwide.com 14 (21%) adbrite.com 14 (21%) Google is thus present in 90% of countries’ top-10 lists. AT&T Labs–Research 14

  15. Hidden Nodes in 19 languages Top-100 Lists (older data) French, Italian, Portugese, Spanish, English, German, Dutch, Greek, Danish, Norwegian, Finnish, Swedish, Arabic, Turkish, Czech, Russian, Korean, Japanese, Chinese. Weighted average of three footprint metrics: visible nodes association range from 76% to 92%. AT&T Labs–Research 15

  16. Privacy footprint: longitudinal study • Footprint shows the number and diversity of 3d-party sites visited as a result of a user visiting first party sites. • We examine the penetration of the top 3d-party domains that aggregate information about user’s movements on the Web • Multiple 3d-parties may track users on a given first-party site and so this is examined as well • Finally, we examine the role of economic acquisitions of aggregator companies that buy others and increase their tracking ability AT&T Labs–Research 16

  17. Top 3d-party domains over time 80 top-10 doubleclick.net google-analytics.com 70 2mdn.net First-Party Server Extent (%) quantserve.com 60 scorecardresearch.com atdmt.com 50 40 30 20 10 0 Oct’05 Apr’06 Oct’06 Feb’08 Sep’08 Sep’09 Mar’10 Time Epochs Combined impact of the top-10 domains: up from 40% to nearly 80%. AT&T Labs–Research 17

  18. Manner of tracking Initially just 3d-party cookies, but now through 1st-party cookies and JavaScript. We examined traces of requested objects, cookies and JavaScript downloaded. Four categories of 3d-party domains: 1. Only set 3d-party cookies, no JS (dclk, atdmt, 2o7.net) 2. Use JS with state saved in 1st-party cookies (google-analytics: urchin.js examines 1st-party cookies, forces retrieval via an identifying URL to send information to 3d-party server) 3. Both 3d-party cookies and JS to set 1st-party cookies (quantserve) 4. 3d-party cookies and JS not used to set 1st-party cookies but instead serve ad URLs with tracking information (adbrite, adbureau) AT&T Labs–Research 18

  19. Situation grimmer in the face of acquisitions Family Acquired Date AOL advertising.com Jun’04 tacoda.net, adsonar.com Jul’07/Dec’07 Doubleclick falkag.net Mar’06 Google youtube.com ($1.65B) Oct’06 doubleclick.net ($3.1B) Mar’07 feedburner.com,admobs.com ($750M) Jun’07/Nov ’09 Microsoft aquantive.com (atdmt.com, $6B) May’07 Omniture offermatica.com Sep’07 visual sciences (hitbox.com, $0.4B) Oct’07 Valueclick mediaplex.com Oct’01 fastclick.net Sep’05 Yahoo overture.com ($1.6B) Dec’03 yieldmanager.com, adrevolver.com Apr’07/Oct’07 Adobe Omniture ($1.8B) Sept ’09 AT&T Labs–Research 19

  20. Family 1: Growth of Google Family 70 overlap feedburner doubleclick 60 youtube First-Party Server Extent (%) google-analytics googlesyndication 50 google* Google Family 40 *includes google.com, googleadservices.com and google*.com 30 20 10 0 Oct’05 Apr’06 Oct’06 Feb’08 Sep’08 Mar’09 Jun’09 Sep’09 Mar’10 Time Epochs Sep’09 Google family reach: over 70%—highest among all third parties by far. AT&T Labs–Research 20

Recommend

Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science

Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science

Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science Department Worcester Polytechnic Institute Worcester, MA USA W3C Workshop on Web Tracking and User Privacy April, 2011 1 Its Not Just Tracking

474 views • 4 slides
The Price of Free: Privacy Leakage in Personalized Mobile In-App Ads Wei Meng, Ren Ding, Simon P.

The Price of Free: Privacy Leakage in Personalized Mobile In-App Ads Wei Meng, Ren Ding, Simon P.

The Price of Free: Privacy Leakage in Personalized Mobile In-App Ads Wei Meng, Ren Ding, Simon P. Chung, Steven Han, Wenke Lee College of Computing Georgia Institute of Technology Outline Background & Motivation Methodology

576 views • 34 slides
Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj Singh Gaur 1 , Vijay Laxmi 1 , Tushar Singhal 1 , Mauro Conti 2 1 Malaviya National Institute of Technology, Jaipur, India 2 University of Padua, Italy

882 views • 58 slides
INTERNET LAW SESSION 5 DR ANGELA DALY 15 NOVEMBER 2019 WELCOME BACK TO INTERNET LAW! PRIVACY

INTERNET LAW SESSION 5 DR ANGELA DALY 15 NOVEMBER 2019 WELCOME BACK TO INTERNET LAW! PRIVACY

INTERNET LAW SESSION 5 DR ANGELA DALY 15 NOVEMBER 2019 WELCOME BACK TO INTERNET LAW! PRIVACY AND PART I DATA PROTECTION OVERVIEW Privacy Data protection Surveillance Exercises Privacy the right to be let alone Warren and

611 views • 44 slides
Privacy Leakage in Mobile Online Social Networks Balachander Krishnamurthy, AT&T Labs

Privacy Leakage in Mobile Online Social Networks Balachander Krishnamurthy, AT&T Labs

Privacy Leakage in Mobile Online Social Networks Balachander Krishnamurthy, AT&T Labs Research Craig E. Wills, Worcester Polytechnic Institute Workshop on Online Social Networks Boston, MA USA June 2010 1 Introduction Previously

775 views • 20 slides
Uranine: Real-time Privacy Leakage Monitoring without System Modification for Android Vaibhav

Uranine: Real-time Privacy Leakage Monitoring without System Modification for Android Vaibhav

Uranine: Real-time Privacy Leakage Monitoring without System Modification for Android Vaibhav Rastogi 1 , Zhengyang Qu 2 , Jedidiah McClurg 3 , Yinzhi Cao 4 , and Yan Chen 2 1 University of Wisconsin and Pennsylvania State University 2 Northwestern

327 views • 28 slides
Internet Privacy Proxies, VPNs and Tor for private communications in the public Internet

Internet Privacy Proxies, VPNs and Tor for private communications in the public Internet

Free Technology Workshop Internet Privacy Proxies, VPNs and Tor for private communications in the public Internet Organised by Steven Gordon Room RS401 9am - 12noon Friday 20 June 2014 http://ict.siit.tu.ac.th/moodle/ Demos and Tasks

684 views • 10 slides
Internet Privacy Options Options Other Issues Networking Sirindhorn International Institute of

Internet Privacy Options Options Other Issues Networking Sirindhorn International Institute of

Networking Privacy Options The Internet Internet Security Internet Privacy Options Options Other Issues Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 19 June 2014

805 views • 38 slides
Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional Account Director Arcom Digital < HOME Digital Leakage Outline Digital Leakage Traditional Leakage LTE Ingress and Egress issues

877 views • 68 slides
Reviewing for privacy in Internet and Web standard-setting Nick Doty UC Berkeley, School of

Reviewing for privacy in Internet and Web standard-setting Nick Doty UC Berkeley, School of

Reviewing for privacy in Internet and Web standard-setting Nick Doty UC Berkeley, School of Information Outline 1. Internet standards at IETF & W3C 2. History of security and privacy reviews 3. Reactions to Snowden 4. Future directions What

550 views • 14 slides
Designing for Pragmatists and Fundamentalists: Privacy Concerns and Attitudes on the Internet of

Designing for Pragmatists and Fundamentalists: Privacy Concerns and Attitudes on the Internet of

Designing for Pragmatists and Fundamentalists: Privacy Concerns and Attitudes on the Internet of Things The Rise of the INTERNET OF THINGS Internet of Things (IoT) A two-sided technology UTILITY RISK Privacy The right to be let alone

926 views • 20 slides
Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy Alexandra Wood Berkman Klein Center for Internet & Society at Harvard University DIMACS/Northeast Big Data Hub Workshop on Overcoming Barriers to

964 views • 54 slides
The Internet was not designed with Privacy in mind. We need to redesign it. 1 1) Common

The Internet was not designed with Privacy in mind. We need to redesign it. 1 1) Common

Hannes Tschofenig The Internet was not designed with Privacy in mind. We need to redesign it. 1 1) Common statement in Future Internet Architecture proposals. Complex Eco-System Business > Consumer Interest > Policy Makers >

396 views • 6 slides
Insights into Internet Privacy for Visually Impaired and Blind People Georg Regal , Elke

Insights into Internet Privacy for Visually Impaired and Blind People Georg Regal , Elke

Insights into Internet Privacy for Visually Impaired and Blind People Georg Regal , Elke Mattheiss, Marc Busch, Manfred Tscheligi Photo: AIT Austrian Institute of Technology/ Michael Bsendorfer Internet Privacy Personal data in the

618 views • 26 slides
Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

SAC Summer School 2019 Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions allow us to prove that our schemes achieve a certain leakage profile but doesnt tell us if a leakage profile is

477 views • 22 slides
Privacy Challenges in RFID Gildas Avoine Information Security Group Universit e catholique de

Privacy Challenges in RFID Gildas Avoine Information Security Group Universit e catholique de

Privacy Challenges in RFID Gildas Avoine Information Security Group Universit e catholique de Louvain Belgium SUMMARY Background about RFID Privacy: Information Leakage Privacy: Malicious Traceability Is Privacy a Research Challenge?

343 views • 32 slides
Data Privacy and Security in the Age of IoT(Internet of Things) What is IoT? (The Internet of

Data Privacy and Security in the Age of IoT(Internet of Things) What is IoT? (The Internet of

Data Privacy and Security in the Age of IoT(Internet of Things) What is IoT? (The Internet of Things) IoT is the concept of connecting any device with an on and off switch to the Internet (and/or to each other). IoT is a Concept, This

952 views • 27 slides
PRIVACY POST-SNOWDEN Ian Brown, Prof. of Information Security and Privacy Oxford Internet

PRIVACY POST-SNOWDEN Ian Brown, Prof. of Information Security and Privacy Oxford Internet

PRIVACY POST-SNOWDEN Ian Brown, Prof. of Information Security and Privacy Oxford Internet Institute, University of Oxford @IanBrownOII Implants in the supply chain International law and politics International Covenant on Civil and Political

384 views • 17 slides
Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU Leuven - COSIC 20 November 2012 Privacy Preserving Protocols Introduction Cryptography in Daily Life RFID Privacy

1.04k views • 60 slides
Privacy Presentation Task Force on Autonomous Vehicles Subcommittee on Cybersecurity, Privacy,

Privacy Presentation Task Force on Autonomous Vehicles Subcommittee on Cybersecurity, Privacy,

Privacy Presentation Task Force on Autonomous Vehicles Subcommittee on Cybersecurity, Privacy, and Data April 18, 2019 The Pessimistic View (or, Privacy is Dead) Internet Privacy A More Realistic View Privacy Monetization Convenience

355 views • 9 slides
Outline of New GOJ Privacy Framework JIM FOSTER KEIO INTERNATIONAL PROJECT FOR THE INTERNET &

Outline of New GOJ Privacy Framework JIM FOSTER KEIO INTERNATIONAL PROJECT FOR THE INTERNET &

Outline of New GOJ Privacy Framework JIM FOSTER KEIO INTERNATIONAL PROJECT FOR THE INTERNET & SOCIETY Basic Outline Proposed revisions to Personal Information Privacy Law released June 24 by IT Strategy HQ; 30-day public comment period ends

364 views • 12 slides
N G I Z e r o : y e a r 0 Come work for the internet on privacy, trust, search &

N G I Z e r o : y e a r 0 Come work for the internet on privacy, trust, search &

N G I Z e r o : y e a r 0 Come work for the internet on privacy, trust, search & discovery Powered by the European Commission Directorate-General for Communications Networks Content and Technology 825322 / 825310 F O S D

784 views • 31 slides
How much will the platform learn about consumers in the end? \begin{theorem} In the long run,

How much will the platform learn about consumers in the end? \begin{theorem} In the long run,

Dynamic Privacy Choices (Shota Ichihashi, Bank of Canada) In each period Activity produces Consumer data on persistent type uses platform Platform monetizes info Privacy cost (e.g., data leakage) How much will the

412 views • 4 slides
Privacy Enhancing Technologies for the Internet, Parts I and II Ian Goldberg, David Wagner, Eric

Privacy Enhancing Technologies for the Internet, Parts I and II Ian Goldberg, David Wagner, Eric

Privacy Enhancing Technologies for the Internet, Parts I and II Ian Goldberg, David Wagner, Eric Brewer presented by Nikita Borisov ECE598NB - Spring 2006 Motivation Threats to privacy Online actions monitored Information

776 views • 26 slides

More recommend