July 8, 2004 2

What are E-mail and the Web “like”?

Postal mail

Cable TV

Library

Telephone

Newspaper

Video game

They’re found in an office

They’re found in a room at home

July 8, 2004 3

Overarching Goal

Help align user privacy expectations with reality

The obvious tactics: Teach the users what it’s really like out

there, orTransform the wilderness into what it

should be

July 8, 2004 4

Web tracking summary

Request & receive main HTML page

ual.com

doubleclick.net(3rd party)

dm.cs.uml.eduRequest & receive embedded element(such as an image)while reporting referrer information

July 8, 2004 5

Cookie sharingthreat

A 3rd party content provider could track a user across all sites served by it (usually via an identifying cookie) Some indications of interest in doing

this from Internet advertising folks Threat led to fierce opt-in/opt-out

debates and lots of cookie-management software

And P3P, naturally

ual.combuy.comberklee.edu

July 8, 2004 6

Web bugs

A bug is a hidden eavesdropping device

Vague definition: A Web bug is an HTML element that is present for surveillance purposes, and is intended to go unnoticed by users

July 8, 2004 7

Our definition

A Bugnosis Web bug: is an image is too small to see (<= 7 square pixels) is third party to the main page (approx. RFC2965) has a third party cookie only appears once on page

Some other characteristics are used for secondary sorting purposes

July 8, 2004 8

Getting the word out

We knew there were a lot of Web bugs out there (from direct HTML inspection, and a later quantitative study)

Web bugs vs cookie sharing threat: Web bugs harder to thoroughly explain But have an easier take-home message: “This is

evidence that someone is intentionally noting your visit”

Still very hard to identify purpose of tracking

July 8, 2004 9

Bugnosis: the tool

Most important user interface decision: the audience would be journalistsSo we needed: easy install/uninstall reasonable default behavior zero configuration attention-grabbing runtime a bit of gobbledygook is OK

Didn’t need: web bug blocking behavior browser support other than Internet Explorer

July 8, 2004 10

Bugnosis demoAltace for cardiovascular risksMSNBC Cybercrime article use of JavaScript; latitude & longitude

Google search: “best music portsmouth NH” referrer

Mycomputer.com's privacy policy full probe, old junk in cookie, https

NY Times Movies pages thrilling cookie

July 8, 2004 11

Bugnosis details

Proxy model(not used in Bugnosis)

LocalProxy

<h1>United</h1> <img src=“…” width=1 height=1> …

<h1>United</h1> <img src=“…” width=1 height=1> …

www.ual.com

July 8, 2004 12

Bugnosis details

Document Object Model /Browser Helper Object

BHO

<h1>United</h1> <img src=“…”> …

width = document.imgs[0].width…document.imgs[0].src = “bug.gif”…

DocumentComplete…

www.ual.com

July 8, 2004 13

Bugnosis details

Advantages of BHO over proxy: accuracy– no need to reparse HTML image attributes– healthologysensing in spite of SSL encryption

Disadvantages: tightly coded to browser interactive

July 8, 2004 14

Successes and Failures

Success: graphic identity gave it a legitimacy that’s otherwise unobtainableSuccess: sufficiently in-your-faceSuccess: ability to remotely white-list sitesFailure before Success: original “drive-by” ActiveX installationFailure: no P3P integrationFailure: insufficient tech support structureFailure: no HTML email support

July 8, 2004 15

Bugnosis for Email

Web bugs in email – they know who you are! Thoroughly breaks expectations

Trend is clearly away from 3rd party image support in HTML email readers Yet in past 12 months we’ve seen Web bugs in

emails from Pfizer, Proctor & Gamble, Roche, Orthobiotech, RJ Reynolds, GlaxoSmithKline, Experian (for Pernod Ricard)

July 8, 2004 16

Conclusion

Designing for journalists meant designing for the masses

Get Bugnosis from www.bugnosis.org (Windows IE only)

BTW, 3 spots in my car

July 8, 2004 17

Quantifying the amount of tracking

The FTC samples: from 2000 report “Privacy Online”Of 91 “popular” sites, 84 remained in 2001Of 335 “random” (consumer-oriented)

sites, 298 remained

Searched 100 pages on each site for Web bugs <= 4 clicks from home

July 8, 2004 18

Results

Popular sample:84 sites: 58% contained >= 1 bug

29% of sites with bugs did not disclose them7,507 pages: 10% contained >=1 bug

Random sample:298 sites: 36% contained >=1 bug25,263 pages: 10% contained >=1 bug