Online Privacy: Protect your Presence in the Cyberworld
Sumesh J. Philip
School of Computer Sciences
Western Illinois University
Macomb, IL
Outline
- Defining Privacy
- Tracking Methods
- Active steps to maintaining privacy
- Conclusion
Digital Privacy in the news
What is Privacy?
“The state or condition of being free from being observed or disturbed by other people”
Data privacy
Alan Westin (“Privacy and Freedom”, 1967)
“right to control, edit, manage, and delete information about themselves and decide when, how, and to what extent information is communicated to others”
Private Data
- Sensitive data
  - Personal information (Name, SSN, address…)
  - Current location
  - Online activity (browsing habits and history, social network presence, online purchases etc.)
  - Financial records
  - Health information
Internet and Web Applications
Originally designed as a military application, the Internet is the medium of choice for communication in today’s world
Web and HTTP
HTTP: hypertext transfer protocol
- Web browsing client/server model
  - client: browser that requests, receives, and “displays” Web pages (first party)
  - server: Web server sends objects in response to requests (second party)
[Figure: PC running Firefox browser; iPhone running Safari browser; server running Apache Web server]
Outline
- Defining Privacy
- Tracking Methods
- Active steps to maintaining privacy
- Conclusion
IP Addresses
- IP addresses
  - Identifiers needed to communicate between clients and servers
  - Rough idea of geographical location
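HTTP Cookies
[Figure: cookie exchange between a client and the Amazon server]
- Client's cookie file initially holds: ebay 8734
- Client sends usual http request msg; Amazon server creates ID 1678 for user and creates an entry in the backend database
- Server sends usual http response with set-cookie: 1678; client's cookie file now holds: ebay 8734, amazon 1678
- Client sends usual http request msg with cookie: 1678; server takes cookie-specific action (access to the backend database) and sends usual http response msg
- One week later: client sends usual http request msg with cookie: 1678; server takes cookie-specific action and sends usual http response msg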
Cookie Types
- Third party cookies
  - Placed by a company other than the website (advertisers)
- Flash cookies
  - Cookies on steroids, respawn deleted cookies
- Evercookies
  - Designed to make cookies persistent
  - Remain even after flash cookies and other cookies have been deleted
HTTP Referer
- Header metadata allows a browser to inform the server about where it came from
  - Originally meant to fix broken/outdated links
- Advertising networks (e.g., Google’s DoubleClick) use the Referer header to build user profiles and browsing habits
Web Beacons (Pixel tags)
- Block of code referring to a small image from a third party website
  - 1x1 pixel image
While retrieving the image, the browser can send information
Allows third party websites to build user profile, browsing habits etc.
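A defender-side check for the pixel tags described above, as an added example that is not part of the original slides: it lists third-party images in a page's HTML that are 1x1 or hidden. The sample page, the host names and the two-label `site()` shortcut are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def site(host):
    # Assumption: treat the last two DNS labels as the "site".
    # Real tools use the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

class BeaconFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site(urlsplit(page_url).hostname or "")
        self.beacons = []  # (third-party host, resolved image URL)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))  # resolves /path and //host forms
        host = urlsplit(src).hostname or ""
        if not host or site(host) == self.page_site:
            return  # first-party image or inline data: URI
        if self._tiny(a):
            self.beacons.append((host, src))

    @staticmethod
    def _tiny(a):
        style = a.get("style", "").replace(" ", "").lower()
        dims = [a.get("width", "").strip(), a.get("height", "").strip()]
        small = all(d in ("0", "1", "0px", "1px") for d in dims)
        hidden = "display:none" in style or "visibility:hidden" in style
        return small or hidden

def find_beacons(page_url, html):
    finder = BeaconFinder(page_url)
    finder.feed(html)
    return finder.beacons

# Constructed sample page (not real traffic)
SAMPLE_URL = "https://shop.example/cart?item=42"
SAMPLE_HTML = """
<img src="/logo.png" width="120" height="40">
<img src="https://cdn.shop.example/p.gif" width="1" height="1">
<img src="https://tracker.test/px.gif?u=1678" width="1" height="1">
<img src="//ads.invalid/b.gif" style="display: none">
<img src="https://photos.test/cat.jpg" width="640" height="480">
"""
```

Only the two tiny or hidden third-party images are reported; the first-party pixel and the full-size third-party photo are not.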
Device fingerprinting
- Information collected about a remote device for identification
  - Device configuration, allowed plugins, hardware, operating systems version etc.
- Canvas fingerprinting
- Browser tracking even when cookies are turned off
Search Engines
Popular search engines like Google and AOL store search history to provide “better services”
- Collected information stored over long periods
  - Google – 180 days
- Despite claims of anonymity in data collection, it is possible to build user profile
  - AOL search data leak (2006)
Internet Service Providers (ISP)
- Provide Internet access to customers
  - Customer identified by IP address, MAC address of gateway device
- ISPs can monitor unencrypted traffic and browsing activities
  - Providers may also keep a history of web browsing records, text messages etc. over a period of time
DNS resolutions (mapping domain names to IP addresses) allow ISPs to build a profile on the user
Online Social Networks
- State of the art means to communicate in the world
- Treasure trove for personal data
- OSNs not only collect data for enhancing user experience, but also resell user profiles to consumer data companies
Social Network Data Analytics
- “Big data” companies use social analytics tools to study consumer practices
  - Primary data and secondary data
Firms that use data may not abide by terms of service
Discrimination based on predictive analytics
Data breaches are becoming increasingly common
Social Network Behaviors
Unwittingly leads to information leaks
Mobile Privacy
Always on
Always connected
Constant GPS beaconing
Apps offer location based services
Are apps on our phone intruding into our privacy?
Data harvested by Apps
- Type of data collected
  - Location
  - Address book (names, phone number, e-mail addresses)
  - Device ID (IMEI)
  - Usage statistics
- On many occasions, data is sent in the clear
- Apps may not even be turned on for use when data collection happens!
- Apps collude in pairs to collect data as well
Outline
- Defining Privacy
- Tracking Methods
- Active steps to maintaining privacy
- Conclusion
HTTPS (Secure HTTP)
- HTTPS is the secure version of HTTP
  - Verifies website using a digital certificate from a Certificate Authority
  - Encrypts all communication so that intruders cannot snoop or track your information
  - Look for the “locked” icon on the URL box
- ISPs are not able to learn the contents by snooping into your packets
  - Possible to learn which sites you visited
Plugins for safe browsing
- HTTPS Everywhere (Firefox, Chrome, Opera)
  - Enables HTTPS if URL is HTTP, and the website supports HTTPS
- NoScript suite
  - Blocks active contents like scripts, flash objects
  - User interface allows option to run scripts
- Privacy Badger
  - Ad and tracker blocker
Browser Choice
- Choose a browser that maximizes your privacy settings
  - Clears cookies after browsing session
  - Blocks ads and tracking cookies
  - Prevents modules from loading (fingerprinting scripts)
  - Routes through proxy (hide IP address/location)
Epic Browser
- Based on Chromium
- Eliminates cookies after each session
- Built-in blocking of ads and trackers, including fingerprinting scripts
- Search done through Epic servers
- Encrypted proxy option to hide IP address and browsing content
TOR Network
- Anonymous relays (servers run by volunteers)
- Each relay has enough information to forward to the next
TOR Browser
- Based on Mozilla Firefox
- Routes traffic through relay nodes
- Privacy features
  - Cookies and scripts turned off by default
  - Built in HTTPS Everywhere and NoScript suite
- Disadvantages
  - Performance takes a hit due to relay nodes
  - Certain websites block Tor traffic
“Do NoT Track” (DNT) Header
- HTTP header that can be used to request that a website not track the user
  - Feature must be supported by website
Turned off by default in common browsers
Privacy Settings for Search Engines
Popular search engines allow users to set privacy preferences
- Google dashboard
  - Allows users to control the data that Google stores
  - Google activity
  - Ad settings
Most controls are turned off by default until actively managed by end user
Anonymous Search Engines
Allows Internet searches without tracking users or targeted advertisements
- Sites delete/do not store search data
  - DuckDuckGo (US based/Amazon Web Services)
  - StartPage (Netherlands/Proprietary hardware)
Virtual Private Networks (VPN)
- Create encrypted tunnels between VPN client and server over public Internet (i.e., coffee shop Wi-Fi)
  - Originally intended to connect corporate branch offices to main office over the Internet for security
Virtual Private Networks
- Several private VPN providers available
- VPN Protocols supported for data encryption
  - PPTP
  - L2TP/IPSEC
  - OpenVPN
Use VPN router as client to encrypt multiple devices
Mobile Privacy
- Delete unused apps
- Limit app permissions
- Turn location services off when not needed
- Android
  - Configure account preferences to limit what Google stores
Takeaways
- Privacy on the Internet is increasingly difficult
  - Several ways to track users
  - Tradeoff between convenience and privacy
- Be aware of privacy risks
  - “If something online is free, you’re the product”
- Take active steps to prevent data leaks
  - No silver bullet
  - Combination of methods may be effective