Online Privacy
Presented by: Ben Williams
Outline:
• What is privacy?
• Value of private information
• Industry and Government response
• Advertising
• Search results
• Real world impacts
• Personal safety
• Browser versus mobile
• How to protect your privacy
What is Privacy?
• Merriam-Webster Dictionary defines privacy as “freedom from unauthorized intrusion”
• Online privacy is protecting your information online, whether you choose to willingly share that information or not.
• “If you aren't doing anything wrong, what do you have to hide?” versus “If I'm not doing anything wrong, then you have no cause to watch me.”
Computer security researcher Bruce Schneier in 2006 had the following to say on privacy: “For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that -- either now or in the uncertain future -- patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.”
Industry & Government Response
• Privacy Preferences Project (P3P) was created 10 years ago and implemented in Internet Explorer
• White House Feb. 2012: Consumer Privacy Bill of Rights
• Do Not Track agreement - Google, Yahoo, Microsoft, AOL are on board
• FTC enforced
Facebook protects your personal data. If they gave it away it would erode their ability to target ads so exclusively.
• In 2010 researchers at Stanford University described a method of breaching user privacy through microtargeted advertising on Facebook. Though Facebook changed their advertising system to make this more difficult, it is still possible today.
• RapLeaf profiles users by name
Real World Impacts
• Private information publicly disclosed
• Netflix prize contest in 2006 – handed out anonymized data on over 480,000 customers. U. Texas researchers correlated that data with publicly available IMDB ratings to determine identities. A second prize contest was initially planned to include ages, genders, and ZIP codes – a lawsuit made the company reconsider.
• iPhone & Android tracking – location information available on devices or relayed to app developers/carriers in some cases (iOS 4, CarrierIQ, etc.)
Metadata from files posted online (exiftool, irfanview)
• PDF documents and Office files can contain author, editor, creation/modify/print date & time, creation software, etc.
• Images can contain creation date & time, camera model, lens used, focal length, shutter speed, other camera settings, GPS position
• In 2007 a new fleet of helicopters arrived at a base in Iraq and soldiers took photos and uploaded images to the internet. The enemy was able to determine the exact location of the helicopters from the image metadata and conduct a mortar attack, destroying four helicopters.
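To check a photo for the image metadata described above before posting it, this added example (not part of the original slides) walks a JPEG's header segments, reports whether the Exif block carries a GPS pointer, and returns a copy with the metadata segments removed. The function names and the sample file are constructed for illustration; only the Python standard library is used.

```python
import struct

METADATA_MARKERS = {0xE1, 0xED, 0xFE}  # APP1 (Exif/XMP), APP13 (IPTC), COM

def segments(jpeg):
    """Yield (marker, payload, raw_bytes) for each segment up to the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos] != 0xFF or length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"corrupt segment at offset {pos}")
        if marker == 0xDA:  # SOS: everything after is compressed pixels, keep as-is
            yield marker, b"", jpeg[pos:]
            return
        yield marker, jpeg[pos + 4:pos + 2 + length], jpeg[pos:pos + 2 + length]
        pos += 2 + length

def has_gps(jpeg):
    """True if an Exif block's first IFD holds the GPSInfo pointer (tag 0x8825)."""
    for marker, payload, _ in segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order mark
        try:
            ifd = struct.unpack(bo + "I", tiff[4:8])[0]
            count = struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]
        except struct.error:  # truncated TIFF header: nothing to read
            continue
        for i in range(count):
            entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
            if len(entry) == 12 and struct.unpack(bo + "H", entry[:2])[0] == 0x8825:
                return True
    return False

def strip_metadata(jpeg):
    """Return the JPEG with metadata segments dropped; pixel data is untouched."""
    kept = [raw for marker, _, raw in segments(jpeg) if marker not in METADATA_MARKERS]
    return b"\xff\xd8" + b"".join(kept)

def sample_jpeg():
    """Constructed test input: header-only JPEG with a one-entry Exif GPS pointer."""
    tiff = b"II*\x00" + struct.pack("<IHHHII", 8, 1, 0x8825, 4, 1, 26) + b"\x00" * 4
    exif = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01" + b"\x00" * 7
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02" + b"\x00\xff\xd9"
```

Removing the Exif block also removes the orientation tag and any embedded thumbnail, so a stripped photo may display rotated until it is re-saved upright.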
Life insurance company Aviva has begun using “predictive modeling” based on consumer-marketing data as a replacement for a checkup and lab analysis for predicting people’s longevity.
• Deloitte Consulting LLP is promoting this use of consumer data in the insurance industry.
• Deloitte’s models assume many diseases relate to lifestyle factors such as exercise habits and diet.
• Cheaper ($5 vs $125), perceived as less intrusive.
• American International Group (AIG) and Prudential Financial Inc. are exploring similar technologies.
Personal Safety
• Physical tracking – Path Intelligence’s Footpath
• How do modern thieves know you are on vacation?
• Should deployed soldiers have concerns with their families posting photos online?
• What if foreign governments requested information from advertising companies during the Arab Spring?
• Consumers view privacy as worthwhile, just not worth very much. A study of online consumers found they were reluctant to spend more than $0.65 more to buy a product from a site with better privacy policies.
Browser Versus Mobile
• Browser – tracking typically occurs with cookies, Flash cookies, supercookies, and “zombie” cookies
• Mobile – built-in GPS, microphone, contacts and account info stored on the phone
• Apps often have access to information they should not, and give limited or no notification to the user when the GPS, camera, or microphone is activated by an app.
• Consumers often do not thoroughly review apps to see what they are requesting access to.
• Lost devices - many devices still do not support full disk encryption.
How To Protect Your Privacy
• Disable GPS tagging of images for mobile devices and cameras.
• Use built-in utilities to remove metadata from MS Office and PDF files
• TRUSTe
• Carefully choose your search engine (Startpage/Ixquick, DuckDuckGo, other privacy focused search engines)
• Use do-not-track options in browsers
  • Firefox has a “Do Not Track” option in preferences (+mobile)
  • Chrome utilizes a third party extension: “Keep My Opt-Outs”
  • Safari included “Do Not Track” option starting w/Lion
  • IE included a more difficult to use solution in IE 9
Privacy apps/plugins/add-ons
• HTTPS Everywhere (FF/Chrome)
• NoScript (FF) / ScriptNo (Chrome) / NotScripts (Opera)
• Ghostery (IE/FF/Chrome/Safari)
• Disconnect (FF/Chrome/Safari)
• BetterPrivacy (FF)
• Beef Taco (FF)
• AdBlock (Chrome/Safari) / AdBlock Plus (FF/Chrome)
• Abine (FF)
• Tor (Windows/Mac/Linux/Mobile)