Enhancing the Security and Privacy of the Web Browser Platform Via Improved Web Measurement Methodology

ABSTRACT

JUECKSTOCK, JORDAN PHILIP. Enhancing the Security and Privacy of the Web Browser Platform via Improved Web Measurement Methodology. (Under the direction of Alexandros Kapravelos.)

The web browser platform today serves as a dominant vehicle for commerce, communication, and content consumption, rendering the assessment and improvement of that platform's user security and privacy important research priorities. Accurate web measurement via simulated user browsing across popular real-world web sites is essential to the process of assessing and improving web browser platform security and privacy, particularly when developing improved policies that can be deployed in production to millions of real-world users. However, the state of the art in web browser platform measurement instrumentation and methodology leaves much to be desired in terms of robust instrumentation, reproducible experiments, and realistic design parameters. We propose that enhancing web browser policies to improve privacy while retaining compatibility with legacy content requires robust and realistic web measurement methodologies leveraging deep browser instrumentation.

This document comprises research results supporting the above-stated thesis. We demonstrate the limitations of shallow, in-band JavaScript (JS) instrumentation in web browsers, then describe and demonstrate an open source out-of-band instrumentation tool, VisibleV8 (VV8), embedded in the V8 JS engine. We show that VV8 consistently outperforms equivalent in-band instrumentation and provides coverage unavailable to in-band techniques, yet has proved readily maintainable across numerous updates to Chromium and the V8 JS engine.

Next, we test the assumption, implicit in typical web measurement studies, that automated crawls generalize to the experience of typical web users. We do so with a robustly controlled parallel web measurement experiment comparing observations from multiple network vantage points (VP) and from naive or realistic browser configurations (BC). Our results indicate that VP and especially BC selection produce measurable shifts in the HTTP traffic and JS behaviors observed from third-party content providers, underscoring the importance of realism in web measurement experiment design. Finally, we apply the insights gained from our work on instrumentation and experiment design to evaluate a novel web browser third-party storage policy designed to improve user protection against stateful online tracking while retaining compatibility with real-world content. Our evaluation results suggest that our proposed policy achieves its privacy and compatibility goals, as does Brave Software's recent public deployment of a directly derived storage policy.

© Copyright 2021 by Jordan Philip Jueckstock
All Rights Reserved

Enhancing the Security and Privacy of the Web Browser Platform via Improved Web Measurement Methodology

by
Jordan Philip Jueckstock

A dissertation submitted to the Graduate Faculty of North Carolina State University in partial fulfillment of the requirements for the Degree of Doctor of Philosophy

Computer Science

Raleigh, North Carolina
2021

APPROVED BY:
Anupam Das
William Enck
Bradley Reaves
Alexandros Kapravelos, Chair of Advisory Committee

DEDICATION

To my parents, who laid the moral and mental foundations of my life at great personal cost. To my wife, who built with me a loving and stable home for our three children and sustained it through this entire saga despite my late nights and frayed nerves. And to my Creator, without Whom none of this would matter. Soli Deo gloria.

BIOGRAPHY

Jordan Jueckstock was born in Princeton, West Virginia, and raised near Vicenza, Italy. He was homeschooled by his mother, a former secretary who never encountered a job too unimportant to do carefully, and by his father, a musicologist and former music teacher with a fearless talent for practical engineering. Jordan earned his Bachelor of Science in Computer Science from Bob Jones University (BJU) in Greenville, SC, in May 2009. After starting a graduate program at Clemson University the following fall, he transferred to the NSF CyberCorps program at The University of Tulsa in Tulsa, OK, completing a Master of Science in Computer Science there in December 2011. Following two-and-a-half years of work at the National Security Agency in Ft. Meade, MD, Jordan returned to BJU as an instructor. He set out to complete his formal education in computer science by joining the doctoral program at NC State in the fall of 2017. He collaborated with privacy researchers at Brave Software as a summer intern in 2020. Following his graduation from NC State, he will be resuming full-time teaching at BJU.

ACKNOWLEDGEMENTS

This document and the work it represents have been possible only with tremendous support, help, and encouragement from many people and sources. The following deserve particular attention and thanks for their essential role in whatever success I have achieved in this process:

...my advisor: Dr. Alexandros Kapravelos. Thanks to his proactive outreach, I actually missed out on that most stressful of freshman-PhD-student activities: finding an advisor. My advisor found me! His practical approach to research removed my chief barriers to entry, and his personal manner made meeting and working with him a genuine pleasure. His bleeding-edge approach to lab infrastructure may have caused me some uncomfortably deep dives into Kubernetes documentation and code, but it forced me to grow both my technical and management skills. He made me a researcher, to the extent that I am one; a better teacher; and a better hacker.

...my committee members: Drs. Will Enck, Brad Reaves, and Anupam Das. Individually they have provided both encouragement and challenges to me in classrooms, lab meetings, and personal conversations. As a committee, they have provided a healthy blend of confirmation, criticism, and counsel in directing me to the conclusion of my studies and rounding out my education in the art and science of research.

...my WSPR lab colleagues, who shared valuable educational and technical advice, daily commiseration, and memorable life stories. At the risk of leaving out somebody important, memorable names (past and present) include: Micah Bushouse, Lucas Enloe, Abida Haque, Igibek Koishybayev, Nikolaos Pantelaios, and Isaac Polinsky. Two of my lab mates require special mention: Shaown Sarker and Kyle Martin. Shaown has shared with me friendship, serial coauthorship, intriguing philosophical discussion, and the special misery of debugging distributed systems written in NodeJS. Kyle has shared with me friendship, serial late-night collaboration at DARPA hackathons, and the mystical bond of brothers-in-arms formed in joint combat against recalcitrant routers, switches, servers, and Ansible playbooks. He even does not hate me—too much, anyway—for making him learn Rust for that compiler class project.

...the collaborators and mentors I met working with Brave Software: Pete Snyder, Matteo Varvello, Panos Papadopoulos, and Ben Livshits. Special thanks to Pete for multiple research project ideas and collaborations, for engineering my Brave internship at the last possible moment, and for tearing apart and reworking my writing when necessary (which was ... frequently).

...my family, already mentioned but impossible to thank enough. My parents, John and Judy Jueckstock, deserve all credit for whatever positive character traits and skills I possessed when starting my higher education saga, to say nothing of life in general. My in-laws, David and Deborah Andrews, are responsible for the raising of the most wonderful woman in the world: Jessica Jueckstock, née Andrews, my darling wife. Our three children, Johnny, Josie, and Jadyn, have suffered much in the way of an absent-minded if not simply absent father at various points over the last four years, but their love and joy and energy in spite of it are reflections of their mother's steadfast home-making magic. This is yours, too, Jessica. It simply could not have happened without you.

TABLE OF CONTENTS

LIST OF TABLES
LIST OF FIGURES
Chapter 1 Introduction
  1.1 Thesis Statement
  1.2 Contributions
  1.3 Thesis Organization
Chapter 2 Background & Motivation
  2.1 Overview
  2.2 JavaScript Instrumentation for Browsers
    2.2.1 Trends and Trade-offs
    2.2.2 Fundamental Criteria
    2.2.3 The Case Against In-Band JS Instrumentation
    2.2.4 Summary
  2.3 Web Browser Storage & Security Policies
    2.3.1 Same-Origin Policy & Storage Basics
    2.3.2 User Tracking
    2.3.3 Threat Model
    2.3.4 Deployed Stateful Tracking Defenses
    2.3.5 Compatibility and Tracking Protections
Chapter 3 VisibleV8: In-browser Monitoring of JavaScript in the Wild
  3.1