SlideShare ist ein Scribd-Unternehmen logo

Online Privacy

IWMW
IWMW

Slides for a talk on "Online Privacy" given by Dave Raggett at UKOLN’s IWMW 2011 event held at the University of Reading on 25-26 July 2011. See http://iwmw.ukoln.ac.uk/iwmw2011/talks/raggett/

BildungTechnologieNews & Politik
1 von 42
Downloaden Sie, um offline zu lesen
Online Privacy Dave Raggett, W3C and UWE Reading, 27 July 2011 Institutional Web Managers Workshop 2011 1
What is Privacy? ● We can all recognize effects of its absence ● Injury or harm – Due to prejudice or malicious intentions – Financial harm, Physical harm, inability to work or travel ● Loss of face – Parents, friends or colleagues learning something that embarrasses you ● Loss of control – Inability to keep things private – Profiling by Search engines and advertisers 2
Evolution of Privacy on the Web ● HTTP logs ● IP address, time, URL ● Cookies ● Originally proposed to reduce burden on server ● Now have many uses, e.g. – Session management – User preferences – Saving where you left off viewing a video (app state) – Setting a unique id for a visitor over repeat visits – Recording profile data for targeted advertising 3
And worse . . . ● Proliferation of means to store data in browser ● HTML5 local storage, flash ● Fingerprinting ● “80% of browsers have unique fingerprint”, Electronic Frontier Foundation, 2010 – Try it yourself at http://panopticlick.eff.org/ – Based upon installed fonts and plugins, etc. ● History stealing ● Via CSS and JavaScript ● Web Bugs ● Unique tracking ids {hidden images, scripts, iframes, etc.} 4
Third Parties ● Websites commonly make use of third parties ● Content distribution – e.g. akamai ● Understanding website traffic – e.g. Google analytics and Quantcast ● Who are your visitors, where do they come from, and what pages do they like? ● Advertising – e.g. DoubleClick (Google) and RightMedia (Yahoo!) 5
Advertising ● Enabling websites to offer free services ● Initial focus on context-based advertising ● Ad networks matching ads to web page content ● Now based on profiling users through detailed tracking right across the web ● Via 3rd party cookies on many websites ● YOU are the product websites sell to profilers! 6
Facebook like button ● Added by website developers to allow facebook users to recommend a link to their friends ● Implemented as iframe or script element ● Enables facebook to track its users across all sites with the Like button ● You don't even need to click the button to be tracked! ● Browser sends identification cookie to facebook when loading the script or iframe ● Facebook tells you whether your friends like this page or invites you to be the first of your friends – 1,602 people like this page, be the first of your friends. 7
Surveillance on the cheap ● “Governments have changed to using data brokers for much of their surveillance, and buying profile data from advertisers” * ● Chris Hoofnagle, Berkeley Center for Law & Technology * Workshop on Internet Tracking, Advertising, and Privacy, Stanford University July 2011 8
Privacy doesn't matter ● “nobody cares about online privacy because they're worried about terrorism and the economy” * ● Russell Glass, Bizo – “Bizo is how marketers reach and engage business professionals, wherever they travel online. Bizo's unique ability to precisely target more than 80% of the US business population gives marketers cost-effective access and insight into business professionals – the most valuable online audience segment.” * Workshop on Internet Tracking, Advertising, and Privacy, Stanford University July 2011 9
Privacy doesn't matter What do you think? What do your customers think? 10
Ethnographic Perspective ● Privacy is not dead, but it is deeply misunderstood ● Danah Boyd, Microsoft researcher – Privacy, publicity and visibility ● “Public by default, private through effort” – http://www.danah.org/papers/talks/2010/TechFest2010.html – Living life in public: why american teens choose publicity over privacy ● “Using in-jokes and encoding information to limit visibility” – http://www.danah.org/papers/talks/2010/AOIR2010.html 11
Emergence of browser extensions for privacy ● Firefox addons relating to privacy that help with blocking ads and inhibiting cookies ● Adblock Plus ● BetterPrivacy ● NoScript ● Silent Block ● Privacy Dashboard 12
Privacy Dashboard ● Developed by EU PrimeLife project ● http://primelife.eu/ ● http://code.w3.org/privacy-dashboard/ ● See how websites are tracking you, and set per rd site preferences, e.g. to block 3 party content or cookies ● Share your findings with others ● Privacy Dashbot ● Automated survey of top 1000 websites 13
Information on current site 14
Query data on each site 15
Query data on each site 16
Privacy Dashbot ● Adaptation of Dashboard to scan top 1000 sites ● Based upon list provided by Google ● Determine associated 3rd party sites and form into clusters ● Rank hosts by the number of hosts citing them as direct 3rd parties 17
The Web as a galaxy of sites 18
The Web as a galaxy of sites 19
Frequency of citations rd counts as 3 parties 20
Is self regulation enough? ● Network Advertising Initiative opt out cookies ● NAI is a ooperative of online marketing and analytics companies ● Visit NAI opt-out page to set cookies as signal to 3rd parties to avoid targeted ads ● You are still tracked and the data may be sold on ● Switch browsers or devices and start all over again! ● Need for better regulation and better tools 21
Do Not Track (DNT) ● HTTP header or DOM property ● Set by browser to signal to 3rd parties to avoid tracking the user ● Persistent user preference setting in browser ● Relies on websites honouring user's request ● What does “do not track” mean exactly? ● Vested interests seeking to define it to their advantage ● Supported by US FTC ● Not set by default – i.e. users have to opt out of behavioural tracking 22
Tracking Protection Lists ● Microsoft feature for IE9 and later ● Lists of rules for which 3rd party sites should be blocked or enabled ● Users decide which lists to apply ● Lists supplied by Internet privacy organizations ● Not enabled by default – i.e. users have to opt out of behavioural tracking ● Relationship to P3P (machine readable privacy policies) 23
European Perspective ● Neelie Kroes, European Commission VP for Digital Agenda ● Principles for privacy in the digital age – Transparency, fairness and user control – http://europa.eu/rapid/pressReleasesAction.do? reference=SPEECH/11/461 ● E-Privacy directive 2002/58 on Privacy and Electronic Communications – Only UK, Estonia, Finland, Sweden and the Netherlands have implemented the directive in their domestic laws as of June 2011 24
Transparency, fairness & user control ● Users must be given clear and comprehensive information on the purposes and retention policy ● This must be fair – sites must not present a one sided agreement to the detriment of the user ● The user must be given a means to opt in or out of behavioural tracking ● The EU legislator's desire to leave the implementation of the directive open to future technological innovations ● No guidance on what constitutes an opt-out – “Self-regulatory efforts are clearly part of the equation on the implementation side. But we need to go further and look beyond cookies and specific sectors. DNT can help us do this.”, Neelie Kroes 25
E-Privacy Directive ● Security obligations ● Duty to inform subscribers of risks from viruses or malware ● Prohibition on listening, tapping, storage or other kinds of interception or surveillance of communication and “related traffic”, unless the users have given their consent – some exceptions under Article 15(1) ● Data retention ● Obligation to erase or anonymize traffic data ● Right to non-itemised billing 26
E-Privacy Directive ● Spam ● Prohibition of use of email and SMS for marketing except with prior agreement of the recipient ● Cookies ● May only be set if the user is provided with clear and comprehensive information about the purpose, and the user is offered a means to opt-out ● Does this apply to other means of implementing behavioural tracking or is it limited to cookies? ● Is a browser based cookie blocker sufficient? 27
Privacy Policies ● Many websites have a privacy policy ● It is often hard to find, and hard for ordinary people to understand ● Cookies have lots of useful purposes ● Policy should state what broad classes of information are being collected, for what purposes, who it may be shared with and for how long it will be retained ● “Operational purposes” is no longer acceptable! 28
Fairness ● If the user has opted out of behavioural tracking the user shouldn't be penalized in an unfair manner ● If a site is ad-supported, is it reasonable to ask users who opt out of effectively targeted ads to pay in some manner? ● Can we look forward to online equivalent of the nectar card and other loyalty schemes that act across a group of non-competing businesses? 29
Privacy friendly strong authentication ● Increasing use of email addresses as user ids ● Facilitates linkability of personal information across sites ● Sites need strong assurances as to attributes of identified party, but not a globally linkable id ● User defined personae can help ● Browser based account management ● New cryptographic techniques for proving user has trusted credential with given attributes BUT without disclosing user's identity ● Age, address, nationality, membership of named group, etc. ● We need better credentials with robust processes 30
W3C's Role ● Initial work on P3P ● Platform for Privacy Preferences ● Involvement in EU PrimeLife project ● Many workshops related to privacy ● Policy Languages Interest Group ● Privacy by design for Web APIs, e.g. gelocation ● New Privacy Interest Group ● New WG's expected on DNT and Protection Lists ● Implementation work on new technologies ● Funded through W3C involvement in EU webinos project 31
Platform for Privacy Preferences ● P3P 1.0 Recommendation issued April 2001 ● Machine readable privacy policies ● But initial specification too flexible! ● Makes it hard to generate report of mismatch between user preferences and site policy ● Complicates UI for setting user preferences ● Compact policies as a (bad) compromise ● Implemented in Internet Explorer and other browsers – 3rd party cookies blocked is there is no (compact) P3P policy ● Only covers cookies 32
Fresh take on P3P ● Developed as part of EU PrimeLife project ● Improves on compact policies to cover a much bigger subset of P3P ● Expressed in JSON ● Chosen to make it easy to create UI for user preferences and to generate reports of mismatch with site policy ● Includes link to full human readable policy ● For details see http://www.w3.org/2011/D1.2.3/ 33
Machine generated view of P3P privacy policy 34
Machine generated view of P3P privacy policy 35
UI for user preferences 36
Dealing with the click-thru effect ● Tendency for most users to click through security and privacy dialogues ● Seen as an annoying interruption ● Most users aren't in good position to make informed decision ● Solution is to delegate decision to a trusted third party ● White lists for sites which are known to be trustworthy – no warning UI presented ● Black lists for sites which are deemed bad ● Otherwise show user the security/privacy dialogue 37
Demo of Anonymous Credentials ● Student union issues credentials to new students ● Only current students can access the student union's social website ● No university staff, no would be employers, no ex students ● Website exposes machine readable policy covering authentication and privacy ● User authenticates to browser, then browser to website ● Website has strong proof that user is current student, but doesn't learn which student! ● Zero knowledge proof with IBM's idemix library ● No need to contact credential issuer to create proof 38
39
Authenticating the User 40
41
Questions? Dave Raggett <dsr@w3.org> 42

Empfohlen

Internet Privacy
Internet PrivacyInternet Privacy
Internet Privacy
realpeterz
 
Online privacy & security
Online privacy & securityOnline privacy & security
Online privacy & security
Priyab Satoshi
 
Internet Privacy
Internet PrivacyInternet Privacy
Internet Privacy
Kristin Briney
 
Privacy issues and internet privacy
Privacy issues and internet privacyPrivacy issues and internet privacy
Privacy issues and internet privacy
vinyas87
 
Computer Security Presentation
Computer Security PresentationComputer Security Presentation
Computer Security Presentation
PraphullaShrestha1
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
Ramesh Upadhaya
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
Dipesh Waghela
 
Social media privacy and safety
Social media privacy and safetySocial media privacy and safety
Social media privacy and safety
Sarah K Miller
 

Empfohlen

Internet Privacy
Internet PrivacyInternet Privacy
Internet Privacy
realpeterz
 
Online privacy & security
Online privacy & securityOnline privacy & security
Online privacy & security
Priyab Satoshi
 
Internet Privacy
Internet PrivacyInternet Privacy
Internet Privacy
Kristin Briney
 
Privacy issues and internet privacy
Privacy issues and internet privacyPrivacy issues and internet privacy
Privacy issues and internet privacy
vinyas87
 
Computer Security Presentation
Computer Security PresentationComputer Security Presentation
Computer Security Presentation
PraphullaShrestha1
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
Ramesh Upadhaya
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
Dipesh Waghela
 
Social media privacy and safety
Social media privacy and safetySocial media privacy and safety
Social media privacy and safety
Sarah K Miller
 
My darkweb-presentation
My darkweb-presentationMy darkweb-presentation
My darkweb-presentation
Paul Wilson
 
Digital Security
Digital SecurityDigital Security
Digital Security
accenture
 
Privacy in simple
Privacy in simplePrivacy in simple
Privacy in simple
Aurora Computer Studies
 
CyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurityCyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurity
Home
 
Internet security
Internet securityInternet security
Internet security
Mohamed El-malki
 
Ppt
PptPpt
Ppt
Geetu Khanna
 
Internet privacy presentation
Internet privacy presentationInternet privacy presentation
Internet privacy presentation
Matthew Momney
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
Chitra Mudunuru
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
mukeshkaran
 
Information security threats
Information security threatsInformation security threats
Information security threats
complianceonline123
 
presentation on cyber crime and security
presentation on cyber crime and securitypresentation on cyber crime and security
presentation on cyber crime and security
Alisha Korpal
 
Network security
Network securityNetwork security
Network security
Nkosinathi Lungu
 
Cyber Crime - What is it ?
Cyber Crime - What is it ?Cyber Crime - What is it ?
Cyber Crime - What is it ?
Mubaraka Halvadwala
 
Latest Top 10 Types of Cyber Security Threats
Latest Top 10 Types of Cyber Security ThreatsLatest Top 10 Types of Cyber Security Threats
Latest Top 10 Types of Cyber Security Threats
B R SOFTECH PVT LTD
 
Cyber crime and cyber laws
Cyber crime and cyber lawsCyber crime and cyber laws
Cyber crime and cyber laws
ishmecse13
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
shindept123
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
Parab Mishra
 
Cyber security & Data Protection
Cyber security & Data ProtectionCyber security & Data Protection
Cyber security & Data Protection
Dr. Hemant Kumar Singh
 
Internet Use, Privacy and security
Internet Use, Privacy and securityInternet Use, Privacy and security
Internet Use, Privacy and security
Awais Haider
 
Cyber crimes and their prevention
Cyber crimes and their preventionCyber crimes and their prevention
Cyber crimes and their prevention
Tejasvi Bhatia
 
“Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation “Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation
tomasztopa
 
Privacy on the Internet
Privacy on the InternetPrivacy on the Internet
Privacy on the Internet
Phil Bradley
 

Weitere ähnliche Inhalte

Was ist angesagt?

CyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurityCyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurity
Home
 
Internet privacy presentation
Internet privacy presentationInternet privacy presentation
Internet privacy presentation
Matthew Momney
 
Information security threats
Information security threatsInformation security threats
Information security threats
complianceonline123
 

Was ist angesagt? (20)

My darkweb-presentation
My darkweb-presentationMy darkweb-presentation
My darkweb-presentation
 
Digital Security
Digital SecurityDigital Security
Digital Security
 
Privacy in simple
Privacy in simplePrivacy in simple
Privacy in simple
 
CyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurityCyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurity
 
Internet security
Internet securityInternet security
Internet security
 
Ppt
PptPpt
Ppt
 
Internet privacy presentation
Internet privacy presentationInternet privacy presentation
Internet privacy presentation
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
 
Information security threats
Information security threatsInformation security threats
Information security threats
 
presentation on cyber crime and security
presentation on cyber crime and securitypresentation on cyber crime and security
presentation on cyber crime and security
 
Network security
Network securityNetwork security
Network security
 
Cyber Crime - What is it ?
Cyber Crime - What is it ?Cyber Crime - What is it ?
Cyber Crime - What is it ?
 
Latest Top 10 Types of Cyber Security Threats
Latest Top 10 Types of Cyber Security ThreatsLatest Top 10 Types of Cyber Security Threats
Latest Top 10 Types of Cyber Security Threats
 
Cyber crime and cyber laws
Cyber crime and cyber lawsCyber crime and cyber laws
Cyber crime and cyber laws
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
Cyber security & Data Protection
Cyber security & Data ProtectionCyber security & Data Protection
Cyber security & Data Protection
 
Internet Use, Privacy and security
Internet Use, Privacy and securityInternet Use, Privacy and security
Internet Use, Privacy and security
 
Cyber crimes and their prevention
Cyber crimes and their preventionCyber crimes and their prevention
Cyber crimes and their prevention
 

Andere mochten auch

Privacy , Security and Ethics Presentation
Privacy , Security and Ethics PresentationPrivacy , Security and Ethics Presentation
Privacy , Security and Ethics Presentation
Hajarul Cikyen
 
Internet privacy ethics and online security
Internet privacy ethics and online securityInternet privacy ethics and online security
Internet privacy ethics and online security
Paul Berryman
 
Internet privacy
Internet privacyInternet privacy
Internet privacy
hafsan
 
Kashoyas Paper (Comp)
Kashoyas Paper (Comp)Kashoyas Paper (Comp)
Kashoyas Paper (Comp)
kaat1
 
Internet Privacy Presentation (In Service)
Internet Privacy Presentation (In Service)Internet Privacy Presentation (In Service)
Internet Privacy Presentation (In Service)
Bonnie Brzozowski
 
Ethics and privacy ppt 3rd period
Ethics and privacy ppt 3rd periodEthics and privacy ppt 3rd period
Ethics and privacy ppt 3rd period
charvill
 

Andere mochten auch (16)

“Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation “Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation
 
Privacy on the Internet
Privacy on the InternetPrivacy on the Internet
Privacy on the Internet
 
Privacy , Security and Ethics Presentation
Privacy , Security and Ethics PresentationPrivacy , Security and Ethics Presentation
Privacy , Security and Ethics Presentation
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information Privacy
 
Internet privacy ethics and online security
Internet privacy ethics and online securityInternet privacy ethics and online security
Internet privacy ethics and online security
 
Internet privacy
Internet privacyInternet privacy
Internet privacy
 
Illegal downloading
Illegal downloadingIllegal downloading
Illegal downloading
 
Online Privacy and Security
Online Privacy and SecurityOnline Privacy and Security
Online Privacy and Security
 
Internet of things_by_economides_keynote_speech_at_ccit2014_final
Internet of things_by_economides_keynote_speech_at_ccit2014_finalInternet of things_by_economides_keynote_speech_at_ccit2014_final
Internet of things_by_economides_keynote_speech_at_ccit2014_final
 
Audio&Video
Audio&VideoAudio&Video
Audio&Video
 
Ethics online
Ethics onlineEthics online
Ethics online
 
Kashoyas Paper (Comp)
Kashoyas Paper (Comp)Kashoyas Paper (Comp)
Kashoyas Paper (Comp)
 
Online ethics
Online ethicsOnline ethics
Online ethics
 
Pro privacy
Pro privacyPro privacy
Pro privacy
 
Internet Privacy Presentation (In Service)
Internet Privacy Presentation (In Service)Internet Privacy Presentation (In Service)
Internet Privacy Presentation (In Service)
 
Ethics and privacy ppt 3rd period
Ethics and privacy ppt 3rd periodEthics and privacy ppt 3rd period
Ethics and privacy ppt 3rd period
 

Ähnlich wie Online Privacy

Blockade.io : One Click Browser Defense
Blockade.io : One Click Browser DefenseBlockade.io : One Click Browser Defense
Blockade.io : One Click Browser Defense
RiskIQ, Inc.
 
Creating Trust for the Internet of Things
Creating Trust for the Internet of ThingsCreating Trust for the Internet of Things
Creating Trust for the Internet of Things
PECB
 

Ähnlich wie Online Privacy (20)

IP and ICT - Intro
IP and ICT - IntroIP and ICT - Intro
IP and ICT - Intro
 
Introduction to the open rights group censorship monitoring project
Introduction to the open rights group censorship monitoring projectIntroduction to the open rights group censorship monitoring project
Introduction to the open rights group censorship monitoring project
 
Say Good-Bye to Zero-Sum: Say Hello to Privacy and Marketing, by Design
Say Good-Bye to Zero-Sum: Say Hello to Privacy and Marketing, by DesignSay Good-Bye to Zero-Sum: Say Hello to Privacy and Marketing, by Design
Say Good-Bye to Zero-Sum: Say Hello to Privacy and Marketing, by Design
 
Blockade.io : One Click Browser Defense
Blockade.io : One Click Browser DefenseBlockade.io : One Click Browser Defense
Blockade.io : One Click Browser Defense
 
Media Kitchen - The Cookieless Future
Media Kitchen - The Cookieless FutureMedia Kitchen - The Cookieless Future
Media Kitchen - The Cookieless Future
 
The role and impact of IT in society
The role and impact of IT in societyThe role and impact of IT in society
The role and impact of IT in society
 
Osint presentation nov 2019
Osint presentation nov 2019Osint presentation nov 2019
Osint presentation nov 2019
 
Understanding and responding to content blocking
Understanding and responding to content blockingUnderstanding and responding to content blocking
Understanding and responding to content blocking
 
European Search Conference, Liverpool, 2018
European Search Conference, Liverpool, 2018European Search Conference, Liverpool, 2018
European Search Conference, Liverpool, 2018
 
Cookies and Data Protection - a Practitioner's perspective
Cookies and Data Protection - a Practitioner's perspectiveCookies and Data Protection - a Practitioner's perspective
Cookies and Data Protection - a Practitioner's perspective
 
Online Focus Groups Privacy and Security Considerations
Online Focus Groups Privacy and Security ConsiderationsOnline Focus Groups Privacy and Security Considerations
Online Focus Groups Privacy and Security Considerations
 
Data Mining - GCPCUG May 2011
Data Mining - GCPCUG May 2011Data Mining - GCPCUG May 2011
Data Mining - GCPCUG May 2011
 
GDPR Part 1: Quick Facts
GDPR Part 1: Quick FactsGDPR Part 1: Quick Facts
GDPR Part 1: Quick Facts
 
Mobile Web and Apps World New Orleans Session 10 Patricia Poss Federal Trade ...
Mobile Web and Apps World New Orleans Session 10 Patricia Poss Federal Trade ...Mobile Web and Apps World New Orleans Session 10 Patricia Poss Federal Trade ...
Mobile Web and Apps World New Orleans Session 10 Patricia Poss Federal Trade ...
 
Creating Trust for the Internet of Things
Creating Trust for the Internet of ThingsCreating Trust for the Internet of Things
Creating Trust for the Internet of Things
 
Analytics, privacy, and all that
Analytics, privacy, and all thatAnalytics, privacy, and all that
Analytics, privacy, and all that
 
Creating a GDPR Action Plan; Not a Freakout Plan
Creating a GDPR Action Plan; Not a Freakout PlanCreating a GDPR Action Plan; Not a Freakout Plan
Creating a GDPR Action Plan; Not a Freakout Plan
 
Cyber security privacy-and-blockchain-perspective-14 nov2018-v01-public
Cyber security privacy-and-blockchain-perspective-14 nov2018-v01-publicCyber security privacy-and-blockchain-perspective-14 nov2018-v01-public
Cyber security privacy-and-blockchain-perspective-14 nov2018-v01-public
 
Internet of Things With Privacy in Mind
Internet of Things With Privacy in MindInternet of Things With Privacy in Mind
Internet of Things With Privacy in Mind
 
How Privacy in the Cloud Affects End-Users
How Privacy in the Cloud Affects End-UsersHow Privacy in the Cloud Affects End-Users
How Privacy in the Cloud Affects End-Users
 

Mehr von IWMW

Mehr von IWMW (20)

Look who's talking now
Look who's talking nowLook who's talking now
Look who's talking now
 
Introduction to IWMW 2000 (Liz Lyon)
Introduction to IWMW 2000 (Liz Lyon)Introduction to IWMW 2000 (Liz Lyon)
Introduction to IWMW 2000 (Liz Lyon)
 
Web Tools report
Web Tools reportWeb Tools report
Web Tools report
 
Personal Contingency Plan - Beat The Panic
Personal Contingency Plan - Beat The PanicPersonal Contingency Plan - Beat The Panic
Personal Contingency Plan - Beat The Panic
 
Whose site is it anyway?
Whose site is it anyway?Whose site is it anyway?
Whose site is it anyway?
 
Open Source - the case against
Open Source - the case againstOpen Source - the case against
Open Source - the case against
 
IWMW 2002: Avoiding Portal Wars - an MIS view
IWMW 2002: Avoiding Portal Wars - an MIS viewIWMW 2002: Avoiding Portal Wars - an MIS view
IWMW 2002: Avoiding Portal Wars - an MIS view
 
What does open source mean for the institutional web manager?
What does open source mean for the institutional web manager?What does open source mean for the institutional web manager?
What does open source mean for the institutional web manager?
 
Library 2.0
Library 2.0Library 2.0
Library 2.0
 
Social participation in student recruitment
Social participation in student recruitmentSocial participation in student recruitment
Social participation in student recruitment
 
Supporting Institutions in Changing Times: Manifesto
Supporting Institutions in Changing Times: ManifestoSupporting Institutions in Changing Times: Manifesto
Supporting Institutions in Changing Times: Manifesto
 
IWMW 2019 photo scavenger hunt highlights
IWMW 2019 photo scavenger hunt highlightsIWMW 2019 photo scavenger hunt highlights
IWMW 2019 photo scavenger hunt highlights
 
How to Turn a Web Strategy into Web Services
How to Turn a Web Strategy into Web ServicesHow to Turn a Web Strategy into Web Services
How to Turn a Web Strategy into Web Services
 
Static Site Generators - Developing Websites in Low-resource Condition
Static Site Generators - Developing Websites in Low-resource ConditionStatic Site Generators - Developing Websites in Low-resource Condition
Static Site Generators - Developing Websites in Low-resource Condition
 
Looking to the Future
Looking to the FutureLooking to the Future
Looking to the Future
 
Looking to the Future
Looking to the FutureLooking to the Future
Looking to the Future
 
Developing Communities of Practice
Developing Communities of PracticeDeveloping Communities of Practice
Developing Communities of Practice
 
How to train your content- so it doesn't slow you down...
How to train your content- so it doesn't slow you down... How to train your content- so it doesn't slow you down...
How to train your content- so it doesn't slow you down...
 
Grassroots & Guerrillas: The Beginnings of a UX Revolution
Grassroots & Guerrillas: The Beginnings of a UX RevolutionGrassroots & Guerrillas: The Beginnings of a UX Revolution
Grassroots & Guerrillas: The Beginnings of a UX Revolution
 
Connecting Your Content: How to Save Time and Improve Content Quality through...
Connecting Your Content: How to Save Time and Improve Content Quality through...Connecting Your Content: How to Save Time and Improve Content Quality through...
Connecting Your Content: How to Save Time and Improve Content Quality through...
 

Kürzlich hochgeladen

Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Kürzlich hochgeladen (20)

2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 

Online Privacy

  • 1. Online Privacy Dave Raggett, W3C and UWE Reading, 27 July 2011 Institutional Web Managers Workshop 2011 1
  • 2. What is Privacy? ● We can all recognize effects of its absence ● Injury or harm – Due to prejudice or malicious intentions – Financial harm, Physical harm, inability to work or travel ● Loss of face – Parents, friends or colleagues learning something that embarrasses you ● Loss of control – Inability to keep things private – Profiling by Search engines and advertisers 2
  • 3. Evolution of Privacy on the Web ● HTTP logs ● IP address, time, URL ● Cookies ● Originally proposed to reduce burden on server ● Now have many uses, e.g. – Session management – User preferences – Saving where you left off viewing a video (app state) – Setting a unique id for a visitor over repeat visits – Recording profile data for targeted advertising 3
  • 4. And worse . . . ● Proliferation of means to store data in browser ● HTML5 local storage, flash ● Fingerprinting ● “80% of browsers have unique fingerprint”, Electronic Frontier Foundation, 2010 – Try it yourself at http://panopticlick.eff.org/ – Based upon installed fonts and plugins, etc. ● History stealing ● Via CSS and JavaScript ● Web Bugs ● Unique tracking ids {hidden images, scripts, iframes, etc.} 4
  • 5. Third Parties ● Websites commonly make use of third parties ● Content distribution – e.g. akamai ● Understanding website traffic – e.g. Google analytics and Quantcast ● Who are your visitors, where do they come from, and what pages do they like? ● Advertising – e.g. DoubleClick (Google) and RightMedia (Yahoo!) 5
  • 6. Advertising ● Enabling websites to offer free services ● Initial focus on context-based advertising ● Ad networks matching ads to web page content ● Now based on profiling users through detailed tracking right across the web ● Via 3rd party cookies on many websites ● YOU are the product websites sell to profilers! 6
  • 7. Facebook like button ● Added by website developers to allow facebook users to recommend a link to their friends ● Implemented as iframe or script element ● Enables facebook to track its users across all sites with the Like button ● You don't even need to click the button to be tracked! ● Browser sends identification cookie to facebook when loading the script or iframe ● Facebook tells you whether your friends like this page or invites you to be the first of your friends – 1,602 people like this page, be the first of your friends. 7
  • 8. Surveillance on the cheap ● “Governments have changed to using data brokers for much of their surveillance, and buying profile data from advertisers” * ● Chris Hoofnagle, Berkeley Center for Law & Technology * Workshop on Internet Tracking, Advertising, and Privacy, Stanford University July 2011 8
  • 9. Privacy doesn't matter ● “nobody cares about online privacy because they're worried about terrorism and the economy” * ● Russell Glass, Bizo – “Bizo is how marketers reach and engage business professionals, wherever they travel online. Bizo's unique ability to precisely target more than 80% of the US business population gives marketers cost-effective access and insight into business professionals – the most valuable online audience segment.” * Workshop on Internet Tracking, Advertising, and Privacy, Stanford University July 2011 9
  • 10. Privacy doesn't matter What do you think? What do your customers think? 10
  • 11. Ethnographic Perspective ● Privacy is not dead, but it is deeply misunderstood ● Danah Boyd, Microsoft researcher – Privacy, publicity and visibility ● “Public by default, private through effort” – http://www.danah.org/papers/talks/2010/TechFest2010.html – Living life in public: why american teens choose publicity over privacy ● “Using in-jokes and encoding information to limit visibility” – http://www.danah.org/papers/talks/2010/AOIR2010.html 11
  • 12. Emergence of browser extensions for privacy ● Firefox addons relating to privacy that help with blocking ads and inhibiting cookies ● Adblock Plus ● BetterPrivacy ● NoScript ● Silent Block ● Privacy Dashboard 12
  • 13. Privacy Dashboard ● Developed by EU PrimeLife project ● http://primelife.eu/ ● http://code.w3.org/privacy-dashboard/ ● See how websites are tracking you, and set per rd site preferences, e.g. to block 3 party content or cookies ● Share your findings with others ● Privacy Dashbot ● Automated survey of top 1000 websites 13
  • 15. Query data on each site 15
  • 16. Query data on each site 16
  • 17. Privacy Dashbot ● Adaptation of Dashboard to scan top 1000 sites ● Based upon list provided by Google ● Determine associated 3rd party sites and form into clusters ● Rank hosts by the number of hosts citing them as direct 3rd parties 17
  • 18. The Web as a galaxy of sites 18
  • 19. The Web as a galaxy of sites 19
  • 20. Frequency of citations rd counts as 3 parties 20
  • 21. Is self regulation enough? ● Network Advertising Initiative opt out cookies ● NAI is a ooperative of online marketing and analytics companies ● Visit NAI opt-out page to set cookies as signal to 3rd parties to avoid targeted ads ● You are still tracked and the data may be sold on ● Switch browsers or devices and start all over again! ● Need for better regulation and better tools 21
  • 22. Do Not Track (DNT) ● HTTP header or DOM property ● Set by browser to signal to 3rd parties to avoid tracking the user ● Persistent user preference setting in browser ● Relies on websites honouring user's request ● What does “do not track” mean exactly? ● Vested interests seeking to define it to their advantage ● Supported by US FTC ● Not set by default – i.e. users have to opt out of behavioural tracking 22
  • 23. Tracking Protection Lists ● Microsoft feature for IE9 and later ● Lists of rules for which 3rd party sites should be blocked or enabled ● Users decide which lists to apply ● Lists supplied by Internet privacy organizations ● Not enabled by default – i.e. users have to opt out of behavioural tracking ● Relationship to P3P (machine readable privacy policies) 23
  • 24. European Perspective ● Neelie Kroes, European Commission VP for Digital Agenda ● Principles for privacy in the digital age – Transparency, fairness and user control – http://europa.eu/rapid/pressReleasesAction.do? reference=SPEECH/11/461 ● E-Privacy directive 2002/58 on Privacy and Electronic Communications – Only UK, Estonia, Finland, Sweden and the Netherlands have implemented the directive in their domestic laws as of June 2011 24
  • 25. Transparency, fairness & user control ● Users must be given clear and comprehensive information on the purposes and retention policy ● This must be fair – sites must not present a one sided agreement to the detriment of the user ● The user must be given a means to opt in or out of behavioural tracking ● The EU legislator's desire to leave the implementation of the directive open to future technological innovations ● No guidance on what constitutes an opt-out – “Self-regulatory efforts are clearly part of the equation on the implementation side. But we need to go further and look beyond cookies and specific sectors. DNT can help us do this.”, Neelie Kroes 25
  • 26. E-Privacy Directive ● Security obligations ● Duty to inform subscribers of risks from viruses or malware ● Prohibition on listening, tapping, storage or other kinds of interception or surveillance of communication and “related traffic”, unless the users have given their consent – some exceptions under Article 15(1) ● Data retention ● Obligation to erase or anonymize traffic data ● Right to non-itemised billing 26
  • 27. E-Privacy Directive ● Spam ● Prohibition of use of email and SMS for marketing except with prior agreement of the recipient ● Cookies ● May only be set if the user is provided with clear and comprehensive information about the purpose, and the user is offered a means to opt-out ● Does this apply to other means of implementing behavioural tracking or is it limited to cookies? ● Is a browser based cookie blocker sufficient? 27
  • 28. Privacy Policies ● Many websites have a privacy policy ● It is often hard to find, and hard for ordinary people to understand ● Cookies have lots of useful purposes ● Policy should state what broad classes of information are being collected, for what purposes, who it may be shared with and for how long it will be retained ● “Operational purposes” is no longer acceptable! 28
  • 29. Fairness ● If the user has opted out of behavioural tracking the user shouldn't be penalized in an unfair manner ● If a site is ad-supported, is it reasonable to ask users who opt out of effectively targeted ads to pay in some manner? ● Can we look forward to online equivalent of the nectar card and other loyalty schemes that act across a group of non-competing businesses? 29
  • 30. Privacy friendly strong authentication ● Increasing use of email addresses as user ids ● Facilitates linkability of personal information across sites ● Sites need strong assurances as to attributes of identified party, but not a globally linkable id ● User defined personae can help ● Browser based account management ● New cryptographic techniques for proving user has trusted credential with given attributes BUT without disclosing user's identity ● Age, address, nationality, membership of named group, etc. ● We need better credentials with robust processes 30
  • 31. W3C's Role ● Initial work on P3P ● Platform for Privacy Preferences ● Involvement in EU PrimeLife project ● Many workshops related to privacy ● Policy Languages Interest Group ● Privacy by design for Web APIs, e.g. gelocation ● New Privacy Interest Group ● New WG's expected on DNT and Protection Lists ● Implementation work on new technologies ● Funded through W3C involvement in EU webinos project 31
  • 32. Platform for Privacy Preferences ● P3P 1.0 Recommendation issued April 2001 ● Machine readable privacy policies ● But initial specification too flexible! ● Makes it hard to generate report of mismatch between user preferences and site policy ● Complicates UI for setting user preferences ● Compact policies as a (bad) compromise ● Implemented in Internet Explorer and other browsers – 3rd party cookies blocked is there is no (compact) P3P policy ● Only covers cookies 32
  • 33. Fresh take on P3P ● Developed as part of EU PrimeLife project ● Improves on compact policies to cover a much bigger subset of P3P ● Expressed in JSON ● Chosen to make it easy to create UI for user preferences and to generate reports of mismatch with site policy ● Includes link to full human readable policy ● For details see http://www.w3.org/2011/D1.2.3/ 33
  • 34. Machine generated view of P3P privacy policy 34
  • 35. Machine generated view of P3P privacy policy 35
  • 36. UI for user preferences 36
  • 37. Dealing with the click-thru effect ● Tendency for most users to click through security and privacy dialogues ● Seen as an annoying interruption ● Most users aren't in good position to make informed decision ● Solution is to delegate decision to a trusted third party ● White lists for sites which are known to be trustworthy – no warning UI presented ● Black lists for sites which are deemed bad ● Otherwise show user the security/privacy dialogue 37
  • 38. Demo of Anonymous Credentials ● Student union issues credentials to new students ● Only current students can access the student union's social website ● No university staff, no would be employers, no ex students ● Website exposes machine readable policy covering authentication and privacy ● User authenticates to browser, then browser to website ● Website has strong proof that user is current student, but doesn't learn which student! ● Zero knowledge proof with IBM's idemix library ● No need to contact credential issuer to create proof 38
  • 39. 39
  • 41. 41