Privacy Analysis for the Casual User through Bugnosis
David Martin, dm@cs.uml.edu
Joint work with Adil Alsaid
Funded by Privacy Foundation
July 8, 2004
What are E-mail and the Web “like”?
Postal mail
Cable TV
Library
Telephone
Newspaper
Video game
They’re found in an office
They’re found in a room at home
Overarching Goal
Help align user privacy expectations with reality
The obvious tactics:
Teach the users what it’s really like out there, or
Transform the wilderness into what it should be
Web tracking summary
(diagram: dm.cs.uml.edu, the user's browser; ual.com; doubleclick.net as 3rd party)
Request & receive main HTML page (from ual.com)
Request & receive embedded element (such as an image) from doubleclick.net while reporting referrer information
Cookie sharing threat
A 3rd party content provider could track a user across all sites served by it (usually via an identifying cookie)
Some indications of interest in doing this from Internet advertising folks
Threat led to fierce opt-in/opt-out debates and lots of cookie-management software
And P3P, naturally
(diagram: ual.com, buy.com, berklee.edu all served by the same 3rd party)
Web bugs
A bug is a hidden eavesdropping device
Vague definition: A Web bug is an HTML element that is present for surveillance purposes, and is intended to go unnoticed by users
Our definition
A Bugnosis Web bug:
is an image
is too small to see (<= 7 square pixels)
is third party to the main page (approx. RFC2965)
has a third party cookie
only appears once on page
Some other characteristics are used for secondary sorting purposes
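The four criteria above, applied to a constructed page as an added example (this is not Bugnosis code): a small regex img scanner and a constructed cookie jar stand in for the browser DOM and cookie store that the real Browser Helper Object reads, and registrableDomain is a crude last-two-labels approximation of the RFC 2965 domain rule.

```javascript
// Crude stand-in for RFC 2965 domain matching: keep the last two host labels
// (assumption: multi-label public suffixes such as co.uk are ignored).
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Minimal <img> attribute scanner; enough for the sample, not for real-world HTML.
function extractImages(html) {
  const imgs = [];
  const tagRe = /<img\b([^>]*)>/gi;
  const attrRe = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m, a;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    imgs.push(attrs);
  }
  return imgs;
}

// Returns the src of every image meeting all four criteria from the "Our definition" slide.
// cookieJar (constructed) maps a registrable domain to the cookies the browser holds for it.
function findWebBugs(pageUrl, html, cookieJar) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const imgs = extractImages(html).filter((i) => i.src);
  const counts = new Map();
  for (const i of imgs) counts.set(i.src, (counts.get(i.src) || 0) + 1);
  const bugs = [];
  for (const i of imgs) {
    const domain = registrableDomain(new URL(i.src, pageUrl).hostname);
    const w = parseInt(i.width, 10), h = parseInt(i.height, 10);
    const tooSmallToSee = w > 0 && h > 0 && w * h <= 7; // unknown size is not flagged
    const thirdParty = domain !== pageDomain;            // approx. RFC 2965
    const hasThirdPartyCookie = (cookieJar[domain] || []).length > 0;
    const appearsOnce = counts.get(i.src) === 1;
    if (tooSmallToSee && thirdParty && hasThirdPartyCookie && appearsOnce) bugs.push(i.src);
  }
  return bugs;
}

// Constructed sample: a page on ual.com (the site in the talk's diagram) and a cookie jar.
const SAMPLE_URL = "http://www.ual.com/index.html";
const SAMPLE_HTML = `<h1>United</h1>
<img src="http://www.ual.com/spacer.gif" width=1 height=1>
<img src="http://ad.doubleclick.net/pixel.gif?id=42" width="1" height="1">
<img src="http://stats.example.org/t.gif" width="1" height="1">
<img src="http://cdn.adnet.example/s.gif" width="1" height="1">
<img src="http://cdn.adnet.example/s.gif" width="1" height="1">`;
const SAMPLE_COOKIES = { "doubleclick.net": ["id=abc123"], "adnet.example": ["uid=9"] };

console.log(findWebBugs(SAMPLE_URL, SAMPLE_HTML, SAMPLE_COOKIES));
```

Only the doubleclick.net pixel is reported: the first-party spacer fails the third-party test, the example.org pixel has no cookie, and the adnet.example pixel appears twice.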
Getting the word out
We knew there were a lot of Web bugs out there (from direct HTML inspection, and a later quantitative study)
Web bugs vs cookie sharing threat: Web bugs harder to thoroughly explain
But have an easier take-home message: “This is evidence that someone is intentionally noting your visit”
Still very hard to identify purpose of tracking
Bugnosis: the tool
Most important user interface decision: the audience would be journalists
So we needed:
easy install/uninstall
reasonable default behavior
zero configuration
attention-grabbing runtime
a bit of gobbledygook is OK
Didn’t need:
web bug blocking behavior
browser support other than Internet Explorer
Bugnosis demo
Altace for cardiovascular risks
MSNBC Cybercrime article: use of JavaScript; latitude & longitude
Google search: “best music portsmouth NH”: referrer
Mycomputer.com's privacy policy: full probe, old junk in cookie, https
NY Times Movies pages: thrilling cookie
Bugnosis details
Proxy model (not used in Bugnosis)
(diagram: the page from www.ual.com passes through a Local Proxy, which sees the same HTML the browser receives)
<h1>United</h1> <img src="…" width=1 height=1> …
www.ual.com
Bugnosis details
Document Object Model / Browser Helper Object
BHO
<h1>United</h1> <img src="…"> …
width = document.imgs[0].width … document.imgs[0].src = "bug.gif" …
DocumentComplete …
www.ual.com
Bugnosis details
Advantages of BHO over proxy:
accuracy
– no need to reparse HTML
– image attributes
– healthology
sensing in spite of SSL encryption
Disadvantages:
tightly coded to browser
interactive
Successes and Failures
Success: graphic identity gave it a legitimacy that’s otherwise unobtainable
Success: sufficiently in-your-face
Success: ability to remotely white-list sites
Failure before Success: original “drive-by” ActiveX installation
Failure: no P3P integration
Failure: insufficient tech support structure
Failure: no HTML email support
Bugnosis for Email
Web bugs in email – they know who you are! Thoroughly breaks expectations
Trend is clearly away from 3rd party image support in HTML email readers
Yet in past 12 months we’ve seen Web bugs in emails from Pfizer, Procter & Gamble, Roche, Orthobiotech, RJ Reynolds, GlaxoSmithKline, Experian (for Pernod Ricard)
Conclusion
Designing for journalists meant designing for the masses
Get Bugnosis from www.bugnosis.org (Windows IE only)
BTW, 3 spots in my car
Quantifying the amount of tracking
The FTC samples: from 2000 report “Privacy Online”
Of 91 “popular” sites, 84 remained in 2001
Of 335 “random” (consumer-oriented) sites, 298 remained
Searched 100 pages on each site for Web bugs <= 4 clicks from home
Results
Popular sample:
84 sites: 58% contained >= 1 bug
29% of sites with bugs did not disclose them
7,507 pages: 10% contained >= 1 bug
Random sample:
298 sites: 36% contained >= 1 bug
25,263 pages: 10% contained >= 1 bug