Online Tracking COMP 150-4: Human Factors in Security and Privacy - Lecture 17 Prof. Daniel Votipka
COMP 150-4: Human Factors in Security and Privacy
Online Tracking
Lecture 17
Prof. Daniel Votipka
Spring 2021
(some slides courtesy of Adam Aviv)
Administrivia
• HW3 - Due next Tuesday (4/13)
• HW3 problem 3 - You should set up a participant account
• Talks this week:
• Kevin Fu (Thursday @ 3pm) — Medical Device Security
• Link: https://tufts.zoom.us/j/98610939077
What we did last time!
• NEAT/SPRUCE Guidelines
• Wogalter Communication-Human Interaction Process
• Getting the users’ attention
• Nudges
What are we doing today?
• How does the ad market work?
• Who is tracking me and what are they collecting?
• Defenses against tracking
• Tracker blocking
• Notice and consent
Prevalence of Tracking
CCS 2016
• Used “headless” browser to measure the prevalence of tracking on the web
Measurement Parameters
• Stateful Measurements
• Tracking requires state
• Maintain cookies and other persistent browser storage
• Seed profile
• Top 10,000 sites
• Can’t do top 1M (too much!)
• Fingerprinting
• Canvas, Canvas Font, WebRTC, Audio
• Detecting ID Cookies
• Parse cookies key/value strings
• Must be…
• Expiration date over 90 days
• 8 < length < 100
• Remains same throughout
• Different between machines
Results of 1 Million Site Census
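The "Detecting ID Cookies" criteria from the Measurement Parameters slide above, applied to two crawls, as an added example that is not code from the lecture or from the CCS 2016 study. The function names, the value delimiters (`&`, `|`, `:`), the use of a plain inequality for "different between machines", and all cookie data are assumptions made for illustration.

```python
import re
from collections import defaultdict

NINETY_DAYS = 90 * 24 * 3600  # lifetime threshold from the slide, in seconds

def split_params(name, value):
    """Parse a cookie value into key/value strings; bare values get a positional key.
    The delimiter set is an assumption."""
    params = {}
    for i, part in enumerate(re.split(r"[&|:]", value)):
        key, sep, val = part.partition("=")
        params[f"{name}.{key}" if sep else f"{name}.{i}"] = val if sep else key
    return params

def stable_values(crawl):
    """(host, param) -> value, for long-lived params that never changed in this crawl."""
    seen, long_lived = defaultdict(set), defaultdict(lambda: True)
    for host, name, value, lifetime in crawl:
        for key, val in split_params(name, value).items():
            seen[(host, key)].add(val)
            long_lived[(host, key)] &= lifetime > NINETY_DAYS
    return {k: next(iter(v)) for k, v in seen.items() if len(v) == 1 and long_lived[k]}

def id_cookies(crawl_a, crawl_b):
    """Params stable on each machine, 8 < length < 100, and different across machines."""
    a, b = stable_values(crawl_a), stable_values(crawl_b)
    return sorted(k for k in a.keys() & b.keys()
                  if a[k] != b[k] and all(8 < len(v) < 100 for v in (a[k], b[k])))

DAY = 24 * 3600
# Constructed observations: (host, cookie name, cookie value, lifetime in seconds)
MACHINE_A = [
    ("tracker.example", "trk", "id=9f8e7d6c5b4a3210&ts=1617000000", 365 * DAY),
    ("tracker.example", "trk", "id=9f8e7d6c5b4a3210&ts=1617000450", 365 * DAY),
    ("news.example", "prefs", "lang=en&theme=dark-mode-v2", 365 * DAY),
    ("shop.example", "sess", "4be1c0ffee77aa01", 1800),
    ("cdn.example", "uid", "u-5512ab90cd", 180 * DAY),
]
MACHINE_B = [
    ("tracker.example", "trk", "id=0a1b2c3d4e5f6789&ts=1617000100", 365 * DAY),
    ("tracker.example", "trk", "id=0a1b2c3d4e5f6789&ts=1617000900", 365 * DAY),
    ("news.example", "prefs", "lang=en&theme=dark-mode-v2", 365 * DAY),
    ("shop.example", "sess", "77aa014be1c0ffee", 1800),
    ("cdn.example", "uid", "u-77e0431fa2", 180 * DAY),
]

if __name__ == "__main__":
    for host, param in id_cookies(MACHINE_A, MACHINE_B):
        print(f"candidate ID cookie: {host} {param}")
```

The timestamp parameter fails the "remains same" test, the session cookie fails the 90-day test, and the shared preference string fails the "different between machines" test, which leaves only the two per-machine identifiers.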
• Long-thin-tail
• 123 of 81,000 trackers are found on more than 1% of the sites
• Number of trackers is small, but those are very prevalent!
Few Companies Track a Lot!
Fingerprint tracking was rare and used by less prominent trackers
So what do these sites know about you?
Ex: Twitter advertising data
• Twitter provides…
• …all ads displayed to the user in the last 90 days
• …the criteria advertisers used to target those ads
• …all interests associated with that account
• …all advertisers who targeted ads to that account
• Asked 231 Twitter users to download and share this data
• Asked participants how they felt about Twitter targeting
How does Twitter target?
Relate to a user’s lifestyle, behavioral, or attitudinal propensities
How does Twitter target?
Participants didn’t like these and also didn’t think they worked
Information provided by advertisers; unrelated to Twitter behavior
New Frontier of Tracking
CCS’19
Quick Exercise
• Go to Google’s Ad Settings
• https://adssettings.google.com/authenticated?hl=en
• What inferences stood out to you? Why?
• Is there anything you think might be on here by mistake? Why?
• Is there anything on there that makes you feel uncomfortable?
• Is there any information missing you would have expected to see?
• How do you think that information was chosen?
Discussion Topics
• Is personalized tracking wrong?
• Why do users care and maybe not care?
• Have you ever looked at your OBA or used anti-tracking tools?
• How might you conduct a study to measure user perceptions of OBA and tracking awareness?
How can we prevent tracking?
Block tracking
Tracking settings in Browsers (Mozilla)
uBlock Origin / Ghostery
W3C Standards: Do Not Track
Browser Designed to Stop Tracking
Brave Settings
Notice and Consent
YourAdChoices, WebChoices, AppChoices
Digital Advertising Alliance (DAA)
• DAA - Self Regulatory Program
• Also in Argentina, Canada, and the EU (e.g., for GDPR)
• Principles and Enforcement
• Transparency Political Advertising
• Facebook is not a member
• Across device usage
• Multi site
• Online Behavior Advertising
Online Behavior Advertising (OBA)
• Not noticed
• “AdChoices” outperformed by several other phrases
• “Why did I get this ad?”
• “Interest based ads”
• “Learn about your ad choices”
• Users are afraid to click
What do online behavioral advertising disclosures communicate to users? Leon et al. 2012
Example: Google
Do users use these features?
PETS 2016
How do users react to advertising inferences?
SOUPS 2020
• Participants viewed their Google inferences
• Plausible/Implausible/No-Connection
• Struggle to consider platform perspective
• Confusion about the individual vs. aggregate inference
• Demographic Aggregation
• Individual targeting
Longitudinal tracking data
• Client-side tracking of online behaviors
• Presents in-depth information to users about expected inferences
Participants were surprised by the scope of tracking
Tracking Transparency users better understood online tracking
Improved Ad Explanations
Users want detail, ambiguity seems like they’re hiding something
More information did not increase trust in advertiser
What we did today!
• How does the ad market work?
• Who is tracking me and what are they collecting?
• Defenses against tracking
• Tracker blocking
• Notice and consent
What’s next?
• Breach Notifications
• End users
• Organizations