
9205b6cad9c9bdb83314a5a603fc8503.ppt
- Number of slides: 17
What are E-mail and the Web “like”?
- Postal mail
- Cable TV
- Library
- Telephone
- Newspaper
- Video game
- They’re found in an office
- They’re found in a room at home
July 8, 2004

Overarching Goal
Help align user privacy expectations with reality
The obvious tactics:
- Teach the users what it’s really like out there, or
- Transform the wilderness into what it should be

Web tracking summary
[Diagram: dm.cs.uml.edu, ual.com, and doubleclick.net (3rd party)]
- Request & receive main HTML page
- Request & receive embedded element (such as an image) while reporting referrer information

Cookie sharing threat
[Diagram: berklee.edu, buy.com, ual.com]
A 3rd party content provider could track a user across all sites served by it (usually via an identifying cookie)
- Some indications of interest in doing this from Internet advertising folks
- Threat led to fierce opt-in/opt-out debates and lots of cookie-management software
- And P3P, naturally

Web bugs
A bug is a hidden eavesdropping device
Vague definition: A Web bug is an HTML element that
- is present for surveillance purposes,
- and is intended to go unnoticed by users

Our definition
A Bugnosis Web bug:
- is an image
- is too small to see (<= 7 square pixels)
- is third party to the main page (approx. RFC 2965)
- has a third party cookie
- only appears once on page
Some other characteristics are used for secondary sorting purposes

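The five criteria on this slide, written as a classifier over a page's image list. This is an added example, not Bugnosis code; the function names, the `cookie` field, the last-two-labels approximation of "third party" and the sample hosts are assumptions constructed for illustration.

```javascript
// Added illustration of the slide's criteria; not Bugnosis source code.
// Assumption: "third party" is approximated by comparing the last two
// labels of each host name (a rough stand-in for the RFC 2965 rule).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// images: [{ src, width, height, cookie }]. `cookie` is a hypothetical
// field: true when a cookie accompanied the image request or response.
function findWebBugs(pageUrl, images) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const abs = (src) => new URL(src, pageUrl).href;
  const count = new Map();
  for (const img of images) {
    count.set(abs(img.src), (count.get(abs(img.src)) || 0) + 1);
  }
  return images
    .filter((img) => {
      const url = new URL(img.src, pageUrl);
      const tiny = img.width * img.height <= 7; // too small to see
      const thirdParty = siteOf(url.hostname) !== pageSite;
      const once = count.get(url.href) === 1; // only appears once on page
      return tiny && thirdParty && img.cookie === true && once;
    })
    .map((img) => abs(img.src));
}

// Constructed sample page; all hosts are placeholders.
const SAMPLE_PAGE = "http://www.example.com/index.html";
const SAMPLE_IMAGES = [
  { src: "http://ads.example.net/t.gif?id=42", width: 1, height: 1, cookie: true },
  // Same tiny image used twice: excluded by the "appears once" rule.
  { src: "http://ads.example.net/spacer.gif", width: 1, height: 1, cookie: true },
  { src: "http://ads.example.net/spacer.gif", width: 1, height: 1, cookie: true },
  { src: "/img/dot.gif", width: 1, height: 1, cookie: true }, // first party
  { src: "http://cdn.example.org/banner.gif", width: 468, height: 60, cookie: true },
  { src: "http://static.example.org/px.gif", width: 1, height: 1, cookie: false },
];

function demo() {
  return findWebBugs(SAMPLE_PAGE, SAMPLE_IMAGES);
}

console.log(demo());
```
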
Getting the word out
We knew there were a lot of Web bugs out there (from direct HTML inspection, and a later quantitative study)
Web bugs vs cookie sharing threat:
- Web bugs harder to thoroughly explain
- But have an easier take-home message: “This is evidence that someone is intentionally noting your visit”
- Still very hard to identify purpose of tracking

Bugnosis: the tool
Most important user interface decision: the audience would be journalists
So we needed:
- easy install/uninstall
- reasonable default behavior
- zero configuration
- attention-grabbing runtime
- a bit of gobbledygook is OK
Didn’t need:
- web bug blocking behavior
- browser support other than Internet Explorer

Bugnosis demo
- Altace for cardiovascular risks
- MSNBC Cybercrime article
  - use of JavaScript; latitude & longitude
- Google search: “best music portsmouth NH”
  - referrer
- Mycomputer.com's privacy policy
  - full probe, old junk in cookie, https
- NY Times Movies pages
  - thrilling cookie

Bugnosis details
Proxy model (not used in Bugnosis)
[Diagram: www.ual.com and Local Proxy, each shown with the HTML below]
<h1>United</h1> <img src="…" width=1 height=1> …

Bugnosis details
Document Object Model / Browser Helper Object
[Diagram: www.ual.com, DocumentComplete…, BHO]
<h1>United</h1> <img src="…"> …
width = document.imgs[0].width …
document.imgs[0].src = "bug.gif" …

Bugnosis details
Advantages of BHO over proxy:
- accuracy – no need to reparse HTML
- image attributes – healthology
- sensing in spite of SSL encryption
Disadvantages:
- tightly coded to browser
- interactive

Successes and Failures
- Success: graphic identity gave it a legitimacy that’s otherwise unobtainable
- Success: sufficiently in-your-face
- Success: ability to remotely white-list sites
- Failure before Success: original “drive-by” ActiveX installation
- Failure: no P3P integration
- Failure: insufficient tech support structure
- Failure: no HTML email support

Bugnosis for Email
Web bugs in email – they know who you are!
- Thoroughly breaks expectations
Trend is clearly away from 3rd party image support in HTML email readers
- Yet in past 12 months we’ve seen Web bugs in emails from Pfizer, Procter & Gamble, Roche, Orthobiotech, RJ Reynolds, GlaxoSmithKline, Experian (for Pernod Ricard)

Conclusion
- Designing for journalists meant designing for the masses
- Get Bugnosis from www.bugnosis.org (Windows IE only)
- BTW, 3 spots in my car

Quantifying the amount of tracking
The FTC samples: from 2000 report “Privacy Online”
- Of 91 “popular” sites, 84 remained in 2001
- Of 335 “random” (consumer-oriented) sites, 298 remained
Searched 100 pages on each site for Web bugs <= 4 clicks from home

Results
Popular sample:
- 84 sites: 58% contained >= 1 bug
  - 29% of sites with bugs did not disclose them
- 7,507 pages: 10% contained >= 1 bug
Random sample:
- 298 sites: 36% contained >= 1 bug
- 25,263 pages: 10% contained >= 1 bug