*

Online Privacy

May 19, 2014

Janine L. Spears, Ph.D.DePaul UniversityCNS 477

*AnnouncementsThe concept of PIIOnline behavioral tracking

*Reading assignment for next weekCase: Online Advertising, Behavioral Targeting, and Privacy, CACM, 2011The Nothing to Hide case and the case assigned for next week will both be part of a role-playing exercise next week

*The meaning of privacy is perceived as:The right to be left aloneThe right to be free from unreasonable personal intrusionThe right to determine what personal information can be communicated and to whom

*

Amazing mind reader reveals his secret:http://9gag.com/gag/5450071

*Source: Protecting Consumer Privacy in an Era of Rapid Change, U.S. Federal Trade Commission (FTC) Report, 2012, p. B-2

*In the context of privacy in a digital world, much is made about personally identifiable information (PII): those data attributes that identify a specific individualPII (within the US) has been limited to a short list of data attributesWhen PII has been shared with unauthorized parties, it is considered to be a data breachOtherwise, there is no data breach, and therefore, no legal protection

*Depending on the regulation and/or perspective, PII (in the US) may include name + any one of the following:AddressE-mail addressDrivers license numberFinancial account numbersPhone numberSocial security number

*Two categories of personal information the FTC has defined in its complaints against companies:

account-level information (e.g., financial account #)identity-level information (e.g., SSN)

Breaches to identity-level personal information has a higher penalty than account-level. Why?Hanson, J of LTC, Washington Univ, 2008

*At the core of privacy laws is the concept of PII

The basic assumption of privacy laws is that in absence of PII, no harm is done

Privacy regulation focuses on the collection, use, and disclosure of PII and leaves non-PII largely unregulated

Schwartz & Solove, NY University Law Review 2011

*US privacy laws lack a uniform definition of PII:

Three approaches to defining PII: Tautological: any info that identifies a personNon-public: any info not in public domainSpecific types of information: list of data typesNo need to memorize these 3 approaches; the key point is that there is no uniform definition of PII

Schwartz & Solove, NY University Law Review 2011

*Non-PII can be transformed into PII. Consequently, privacy laws do not cover:Data miningOnline behavioral advertising (online tracking)Data aggregation and re-identificationWhether information is identifiable to a person depends upon context and cannot be pre-determined a priori.

Schwartz & Solove, NY University Law Review 2011

*

What companies know about Joel Stein @ Time mag: (2:33)http://www.time.com/time/video/player/0,32068,821500876001_2058396,00.html

*Online behavioral advertising refers to the tracking of a consumers activities online including the searches the consumer has conducted, the web pages visited, and the content viewed in order to deliver advertising targeted to the individual consumers interests.

http://www.ftc.gov/os/2007/12/P859900stmt.pdf

*Upon visiting a web site, at least the following info may be sent to the web server:Your IP addressThe referring page (i.e., page last visited)Your web browser type and configurationOperating system type/versionThe time of visit

*

How Advertisers Use Internet Cookies to Track You, WSJ video (7:14):http://live.wsj.com/video/how-advertisers-use-internet-cookies-to-track-you/92E525EB-9E4A-4399-817D-8C4E6EF68F93.html#!92E525EB-9E4A-4399-817D-8C4E6EF68F93

*Advances in cookie technologies1st party vs. 3rd party cookiesCookie size larger, detection harderHTTP (4kb), Flash (100kb), HTML5 (5MB)Cookie respawningOriginal study: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862Technology explained: http://ashkansoltani.org/docs/respawn_redux.html

*Browser fingerprintingA researcher developed Panopticlick as a tool to test your browser to see how unique it is based on the information it will share with sites it visits.http://panopticlick.eff.org/ (see uniqueness of your browser)A fingerprint that carries no more than 15-20 bits of identifying information will in almost all cases be sufficient to uniquely identify a particular browserConsequently, a browser (i.e., user) can be tracked without the use of cookiesSource: Peter Eckerley 2010

*Web beacons (aka web bugs)Are typically a 1x1 image that is invisible to the user and is embedded in the HTML code on a web page or in an email for the purpose of tracking a users site and page visits.A web bug viewed by a user may transmit to a server (e.g., of an advertising entity) the users IP address, web page visited, time, and value of previously set cookiesOne study found that all 50 of the top sites contained at least 1 web bug

Source: Gomez et al., KnowPrivacy.org 2009

*

Mobile device apps

Video: (4:17)http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html#articleTabs%3Dvideo

Article:http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html#articleTabs%3Darticle

*Source: Wall Street Journal, http://graphicsweb.wsj.com/documents/divSlider/ecosystems100730.html

*The WSJ conducted a major study and published a series of articles in 2010 on online tracking. Findings included:the nation's 50 top websites on average installed 64 pieces of tracking technology onto the computers of visitors, usually with no warning.the Journal identified more than 100 middlementracking companies, data brokers and advertising networksthe top 50 sites placed 3,180 tracking files in total on the Journal's test computer.Nearly a third of these were innocuous Over two-thirds2,224were installed by 131 companies, many of which are in the business of tracking Web users to create rich databases of consumer profiles that can be soldSource: http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html#articleTabs%3Darticle

*Joel Stein, Times columnist:http://www.time.com/time/printout/0,8816,2058205,00.htmlWhat were the economics?What are the threats?One example of massive consumer profiles assembled per individual:

*

Online Anonymity? Don't Bet On It: (6:44)http://online.wsj.com/article/SB10001424127887324784404578143144132736214.htmlNote comments on: (a) online forms, (b) Like and similar buttons for major social networking sites

*Massive consumer profiles assembled per individualName not included in profileProfiles sold for 1/10 to 2/3 of a centTargeted ads and pricing, based on income-level & interestsE.g., shopping botsOne example of behavioral target advertising:

*Another example of online behavioral advertising:

*A Big Interview with Sir Martin Sorrell, CEO of WPP Group, Wall Street Journals What They Know Series:Video: (23:50)http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html#articleTabs%3DvideoThis video gives an advertising executives perspective of online behavioral advertisingThe WPP Group is the worlds largest advertising company, according to Wikipedia.

*The perspective of online behavioral advertising exec:

*It matters little if your name is John Smith, Yesh Mispar, or 3211466. The persistence of information about you will lead firms to act based on what they know []. (bold added, p. 7)

from Joseph Turows book, The Daily You: How the New Advertising Industry is Defining Your Identity and Your Worth (2011)(Turow is a Chaired Communications Professor at Univ of Penn with extensive knowledge of the media industry.)

*Customize browser settingsDo Not Track (voluntary compliance)InPrivate browsing (MS Internet Explorer) Cookie deletionFlash cookies require use of another tool to delete themClear browser history and cache:http://www.piriform.com/ccleanerOpt out:http://www.networkadvertising.org/choices/http://www.lotame.com/privacy/

*Browse anonymouslyVPN, Tor browsers, use of proxies not providing your IP addressBrowser add-ons:NoScriptProhibits JavaScript execution unless user permission givenGhosteryAlerts users about the web bugs, ad networks and widgets on visited web pagesBetterPrivacyAlerts users of hidden, never expiring Local Shared Objects (Flash cookies) and provides a means to view and manage them since browsers are unable to do that for you.

*Lightbeam for Mozilla FirefoxAn add-on that allows you see the trackers that are tracking you as you move from site to site. Formerly called CollusionVideo: http://www.youtube.com/watch?v=PvqGy9wz_wA About: http://www.mozilla.org/en-US/lightbeam/about/ Download: http://www.mozilla.org/en-US/lightbeam/

*The problem with the nothing to hide view is that it myopically views privacy as a form of secrecy, not taking into account other threats beyond the potential disclosure of bad things. (Daniel Solove 2011)What are some other threats that Solove describes?A key point Solove makes is that we (e.g., public policy debaters, and I would add, researchers) need to move beyond discussions on data collection and explore further information processing and use

****Rebecca Herod, 2002, Ch 1

**Link to FTC report: http://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers

*******http://www.time.com/time/video/player/0,32068,821500876001_2058396,00.html, Joel Stein, Time magazine, 2011

*Online Behavioral Advertising uses information collected across multiple websites that you visit to predict your preferences or infer interests and to show you ads that are more likely to be of interest to you. Source: http://www.networkadvertising.org/faq#n167

**More info links on tracking: http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html

**More info links on tracking: http://online.wsj.com/article/SB10001424052748703940904575395073512989404.htmlBrowser fingerprinting (research paper): http://panopticlick.eff.org/browser-uniqueness.pdfFingerprinting: http://www.computerworld.com/s/article/9176904/EFF_Forget_cookies_your_browser_has_fingerprints*More info links on tracking: http://online.wsj.com/article/SB10001424052748703940904575395073512989404.htmlBrowser fingerprinting (research paper): http://panopticlick.eff.org/browser-uniqueness.pdfFingerprinting: http://www.computerworld.com/s/article/9176904/EFF_Forget_cookies_your_browser_has_fingerprints**More info links on tracking: http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html*http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html#articleTabs%3Darticle*WSJ source: http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html#articleTabs%3Darticle*Which Websites Are Sharing Your Personal Details?http://online.wsj.com/article/SB10001424127887324640104578165651354042798.html?mod=WSJ_WhatTheyKnowPrivacy_LeadStory

*Source of life insurance example: http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html#articleTabs%3Darticle*Source of Merriam-Webster & Healthline example: http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html#articleTabs%3Darticle**Source of Russell Glass quote: http://www.time.com/time/printout/0,8816,2058205,00.html*****