
Post on 11-Oct-2020


Online Privacy: Protect your Presence in the Cyberworld

Sumesh J. Philip
School of Computer Sciences
Western Illinois University
Macomb IL 61455
sj-philip@wiu.edu

Outline

Defining Privacy
Tracking Methods
Active steps to maintaining privacy
Conclusion

Digital Privacy in the news

What is Privacy?

“The state or condition of being free from being observed or disturbed by other people”

Data privacy

Alan Westin (“Privacy and Freedom”, 1967)
“right to control, edit, manage, and delete information about themselves and decide when, how, and to what extent information is communicated to others”

Private Data

Sensitive data
  Personal information (Name, SSN, address…)
  Current location
  Online activity (browsing habits and history, Social network presence, online purchases etc.)
  Financial records
  Health information

Internet and Web Applications

Originally designed as a military application, the Internet is the medium of choice for communication in today’s world

Web and HTTP

HTTP: hypertext transfer protocol

Web browsing client/server model
  client: browser that requests, receives, and “displays” Web pages
    First party
  server: Web server sends objects in response to requests
    Second party

[Figure labels: PC running Firefox browser; server running Apache Web server; iPhone running Safari browser]


IP Addresses

IP addresses
  Identifiers needed to communicate between clients and servers
  Rough idea of geographical location

HTTP Cookies

[Figure: cookie exchange between client and server. The client's cookie file initially holds "ebay 8734". The client sends a usual HTTP request message; the Amazon server creates ID 1678 for the user and creates an entry in its backend database, then returns a usual HTTP response with "set-cookie: 1678". The cookie file then holds "ebay 8734" and "amazon 1678". Subsequent requests, including one a week later, carry "cookie: 1678"; the server accesses the database, performs a cookie-specific action and returns the usual HTTP response message.]

Cookie Types

Third party cookies
  Placed by a company other than the website (advertisers)
Flash cookies
  Cookies on steroids, respawns deleted cookies
Evercookies
  Designed to make cookies persistent
  Remains even after flash cookies and other cookies have been deleted

HTTP Referer

Header metadata allows a browser to inform server about where it came from
  Originally meant to fix broken/outdated links

Advertising networks (e.g., Google’s DoubleClick) use referrer header to build user profile and browsing habits

Web Beacons (Pixel tags)

Block of code referring to a small image from a third party website
  1x1 pixel image

While retrieving the image, the browser can send information

Allows third party websites to build user profile, browsing habits etc.
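
The following Python example is added here and is not from the original slides. It shows how a third-party cookie, the Referer header and a 1x1 web beacon combine into a browsing profile, by auditing a constructed request capture; the hosts, cookie values and record layout (url, type, size, headers) are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def site(url):
    """Approximate registrable domain: last two host labels (assumption; real
    tools consult the Public Suffix List)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def is_beacon(req):
    """Heuristic for a pixel tag: an image response that is 1x1 pixel."""
    return req["type"].startswith("image/") and req.get("size") == (1, 1)

def tracker_profiles(requests):
    """Map (third-party site, cookie value) -> pages that identifier was seen on."""
    profiles = defaultdict(list)
    for req in requests:
        referer = req["headers"].get("Referer")
        cookie = req["headers"].get("Cookie")
        if not referer or not cookie:
            continue  # nothing links this request to both a page and a user
        if site(req["url"]) == site(referer):
            continue  # first-party request: same site as the page being viewed
        profiles[(site(req["url"]), cookie)].append(
            {"page": referer, "beacon": is_beacon(req)})
    return dict(profiles)

# Constructed sample capture: every host and cookie value below is made up.
CAPTURE = [
    {"url": "https://shop.example/cart", "type": "text/html",
     "headers": {"Cookie": "sid=1678"}},
    {"url": "https://px.tracker.test/p.gif", "type": "image/gif", "size": (1, 1),
     "headers": {"Referer": "https://shop.example/cart", "Cookie": "uid=8734"}},
    {"url": "https://static.shop.example/logo.png", "type": "image/png",
     "size": (200, 60),
     "headers": {"Referer": "https://shop.example/cart", "Cookie": "sid=1678"}},
    {"url": "https://px.tracker.test/p.gif", "type": "image/gif", "size": (1, 1),
     "headers": {"Referer": "https://news.example/health/article-7",
                 "Cookie": "uid=8734"}},
    {"url": "https://cdn.fonts.test/a.woff", "type": "font/woff",
     "headers": {"Referer": "https://news.example/health/article-7"}},
]

if __name__ == "__main__":
    for (tracker, cookie), hits in tracker_profiles(CAPTURE).items():
        print(tracker, cookie)
        for hit in hits:
            print("   saw", hit["page"], "(beacon)" if hit["beacon"] else "")
```

In the sample, the one cookie value sent to tracker.test appears with Referers from two unrelated sites, which is the cross-site profile the slides describe; the cookie-less font request and the first-party image are not linkable in the same way.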

Device fingerprinting

Information collected about a remote device for identification
  Device configuration, allowed plugins, hardware, operating systems version etc.
Canvas fingerprinting
  Browser tracking even when cookies are turned off

Search Engines

Popular search engines like Google and AOL store search history to provide “better services”

Collected information stored over long periods
  Google – 180 days

Despite claims of anonymity in data collection, it is possible to build user profile
  AOL search data leak (2006)

Internet Service Providers (ISP)

Provide Internet access to customers
  Customer identified by IP address, MAC address of gateway device
ISPs can monitor unencrypted traffic and browsing activities
  Providers may also keep a history of web browsing records, text messages etc. over a period of time

DNS resolutions (mapping domain names to IP addresses) allow ISPs to build a profile on the user

Online Social Networks

State of the art means to communicate in the world
  Treasure trove for personal data

OSNs not only collect data for enhancing user experience, but resell user profiles to consumer data companies

Social Network Data Analytics

“Big data” companies use social analytics tools to study consumer practices
  Primary data and secondary data

Firms that use data may not abide by terms of service

Discrimination based on predictive analytics

Data breaches are becoming increasingly common

Social Network Behaviors

Unwittingly leads to information leaks

Mobile Privacy

Always on

Always connected

Constant GPS beaconing

Apps offer location based services

Are apps on our phone intruding into our privacy?

Data harvested by Apps

Type of data collected
  Location
  Address book (names, phone number, e-mail addresses)
  Device ID (IMEI)
  Usage statistics
On many occasions, data sent in the clear
Apps may not even be turned on for use when data collection happens!
Apps collude in pairs to collect data as well


HTTPS (Secure HTTP)

HTTPS is the secure version of HTTP
  Verifies website using a digital certificate from a Certificate Authority
  Encrypts all communication so that intruders cannot snoop or track your information
Look for the “locked” icon on the URL box
ISPs are not able to learn by snooping into your packets
  Possible to learn which sites you visited

Plugins for safe browsing

HTTPS Everywhere (Firefox, Chrome, Opera)
  Enables HTTPS if URL is HTTP, and the website supports HTTPS
NoScript suite
  Blocks active contents like scripts, flash objects
  User interface allows option to run scripts
Privacy Badger
  Ad and tracker blocker

Browser Choice

Choose a browser that maximizes your privacy settings
  Clears cookies after browsing session
  Block ads and tracking cookies
  Prevents modules from loading (fingerprinting scripts)
  Route through proxy (hide IP address/location)

Epic Browser

Based on Chromium
Eliminates cookies after each session
Built-in blocking of ads and trackers, including fingerprinting scripts

Search done through epic servers

Encrypted proxy option to hide IP address and browsing content

TOR Network

Anonymous relays (servers run by volunteers)
Each relay has enough information to forward to the next relay

TOR Browser

Based on Mozilla Firefox
Routes traffic through relay nodes
Privacy features
  Cookies and scripts turned off by default
  Built in HTTPS Everywhere and NoScript suite

Disadvantages
  Performance takes a hit due to relay nodes
  Certain websites block Tor traffic

“Do NoT Track” (DNT) Header

HTTP header that can be used to request website not to track
  Feature must be supported by website

Turned off by default in common browsers

Privacy Settings for Search Engines

Popular search engines allow users to set privacy preferences

Google dashboard
  Allows users to control the data that Google stores
  Google activity
  Ad settings

Most controls are turned off by default until actively managed by end user

Anonymous Search Engines

Allows Internet searches without tracking users or targeted advertisements

Sites delete/do not store search data
  DuckDuckGo (US based/Amazon Web Services)
  StartPage (Netherlands/Proprietary hardware)

Virtual Private Networks (VPN)

Create encrypted tunnels between VPN client and server over public Internet (e.g., coffee shop Wi-Fi)
  Originally intended to connect corporate branch offices to main office over the Internet for security

Virtual Private Networks

Several private VPN providers available
VPN Protocols supported for data encryption
  PPTP
  L2TP/IPSEC
  OpenVPN

Use VPN router as client to encrypt multiple devices

Mobile Privacy

Delete unused apps
Limit app permissions
Turn location services off when not needed
Android
  Configure account preferences to limit what Google stores

Takeaways

Privacy on the Internet is increasingly difficult
  Several ways to track users
  Tradeoff between convenience and privacy

Be aware of privacy risks
  “If something online is free, you’re the product”

Take active steps to prevent data leaks
  No silver bullet
  Combination of methods may be effective