Adnostic: Privacy Preserving Targeted

Advertising

Rachel Stonehirsch and Nan Wu

Online Behavioral Advertising• Track users across web sites to infer user

interests and preferences

• Better ad placement

• Not a new practiceo 1990s: DoubleClick used 3rd party cookies to track

users

Parties

• Advertisero Has an online ad to embed in web pages

• Publishero Owns web pages and is willing to place ads from

others

• Ad-networko Collects ads/payment from advertiserso Places ads on publisher pages

Parties

• Content Distribution Network(CDN)- "Collude" with ad network

• Trusted third party- Cryptographic service provider

- Not "collude" with any other parties

Tracking

• Associate an identifier with a user

• Cookies, IP address and User-Agent strings

Privacy

• Privacy and consumer advocacy groups concerned about how OBA affects privacy

• Argument:o Behavioral targeting is inherently in conflict with

privacy

• Our work shows that it is possible to have effective targeted advertising and still preserve privacy

Privacy Threat s

• Clickstream

• Behavioral profile

• Ad impression history

• Ad click history

Adnostic

• A Firefox extension

• Uses browsing history database

• Runs behavioral targeting algorithm in browser

o User information not leaked outside the browser

Motivation: A complement, not a replacement

Adnostic

• Cryptographic techniques for accurate billing

• Only click history is provided to ad network

o Against click fraud scams

o Available from advertisers

Why adnostic?

1. Pleasure privacy-conscious publishers

2. More visibility

3. Maybe better than user tracking

4. Private browsing mode

5. User control

6. Standardized segmentation

Adnostic Architecture: Targeting with Privacy

1. Behavior profiling

2. Ad insertion

3. Accounting

Behavioral Profiling

• Continually updates interest categorizations

• More than interest: intent and influence

• User sessions: keystroke dynamic or last few pages viewed

Ad Insertion

• Ad-network detects Adnostic

• A list of n ads is send back, each with a classification

• One of n ads is chosen to display

Billing: Charge per Click Model

• Users click on ad and re-directed to advertiser's site

• Billing takes place directly at the site

Billing: Charge per Impression Model

• N ads are pushed to the browser

• One ad is displayed to user

• One advertiser is chargedo How can the ad-network charge the correct

advertiser without knowing which ad was displayed?

• Solution:o Additively homomorphic encryptiono Zero knowledge proofs

Homomorphic Encryption

• Given public key pk

• Given ciphertexts E(pk, x1) and E(pk, x2)o Can create ciphertext E(pk, x1 + x2)o Can create ciphertext E(pk, c*x) for any scalar

c

Billing: Initialization

• �Ad-network identifies ad by an ID

• �Ad-network stores each ad and encrypted

counter, CID

• �When ad is first uploaded

o CID E(pk, 0)

Billing: Ad Insertion• Ad-network sends pk and n ads to browser

o (pk, ad1, ad2, ...,adn)

• Browser chooses ad to display to usero Creates binary vector v with n componentso Encrypt each element of v using pk and send to ad-

network with zero-knowledge proofs (E(pk, v1),...,E(pk,vn))

Billing: Ad Insertion

• Ad-network multiplies vector by co (E(pk, c*v1),...E(pk,c*vn))

• Ad-network adds encrypted vector values to each ad's encrypted countero Result: Quantity c is added to counter of ad

displayed

Billing: Settlement

• Ad-network sends encrypted counters to a trusted third party (TTP)

• TTP decrypts counters and sends response to ad network

Implementation

• User Profiling Moduleo Monitors browsing activity to build a list of user

interests

• Ad Rendering Moduleo Selects ads based on user profileo Inserts ads into the web pages

Implementation: User Profiling

• Adnostic extracts keywords from the page meta-data and the URL

• List of keywords used to retrieve categories related to page content

• Categories derived from all pages visited used to make up profile

Implementation: In-Browser Categorization

• Adnostic comes with:o List of categorieso Cosine-similarity matrix

Used to compute categories for a list of keywords obtained from a web page

Implementation: Ad Rendering

• Ad-network sends to the browser:o List of behavioral categorieso A score representing relevancy of the ado For each extension any numerical parameters that

the extension accepts

• Browser creates combined score for each ado Uses score sent by ad-network o Uses how well list of categories match the user's

profile

Implementation: Ad Rendering

• adnostic.render()o Attributes are an id, url, and targeting inputs

described earlier, height and width parameters, and cryptographic key

• Browser creates n DOM elements

• All ads are downloadedo Only one is displayed to the user

Evaluation

• Based on advertisement rendering delay• Observe impact on page loading time

• Websites cano Publish many adso Intensively use scriptso Include external elements that take time to load

• Adnostic increases loading dealyo Might be negligible on heavy websiteso Might affect lightweight websites

Evaluation

1. SlashDot• Lightweight website (3 banner ads)

1. ReadWriteWeb• Heavy website( 13 banner ads and

content from external websites) 1. WeSecretSoftwareClub

• Lightweight website (3 text ads)1. TheRegister

• Publishes text ads and banners.

Evaluation: Ad Rendering Time

• Website 3 achieves fastest rendering timeo Publishes only text ads

• Faster when 10 text ads are downloaded• Time increases when banner ad are

displayed• Time to download 10 banner is similar to

time to download 20 text ads

Evaluation: Page Loading Time• In general, impact on loading time was low• Website 2

o Includes external content and publishes many adso To load page, browser opens many connectionso Firefox limits number of simultaneous connections

• Solution: o Increase number of simultaneous connections

Degrade browsing experience

• Alternative: Fetch n ads via a single HTTP request

Conclusion

• Address issues between tension surrounding behavioral targeting and user privacy

• Primary goal: Create a system that would preserve user privacy and still serve ads effectively

• Complement existing ad infrastructure not replace it