DOCSLIB.ORG

A Status Update on the Development of Voluntary Do-Not-Track Standards

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Status Update on the Development of Voluntary Do-Not-Track Standards S. HRG. 113–550 A STATUS UPDATE ON THE DEVELOPMENT OF VOLUNTARY DO-NOT-TRACK STANDARDS HEARING BEFORE THE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION UNITED STATES SENATE ONE HUNDRED THIRTEENTH CONGRESS FIRST SESSION APRIL 24, 2013 Printed for the use of the Committee on Commerce, Science, and Transportation ( U.S. GOVERNMENT PUBLISHING OFFICE 93–065 PDF WASHINGTON : 2015 For sale by the Superintendent of Documents, U.S. Government Publishing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512–1800; DC area (202) 512–1800 Fax: (202) 512–2104 Mail: Stop IDCC, Washington, DC 20402–0001 VerDate Nov 24 2008 11:57 Feb 19, 2015 Jkt 075679 PO 00000 Frm 00001 Fmt 5011 Sfmt 5011 S:\GPO\DOCS\93065.TXT JACKIE SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION ONE HUNDRED THIRTEENTH CONGRESS FIRST SESSION JOHN D. ROCKEFELLER IV, West Virginia, Chairman BARBARA BOXER, California JOHN THUNE, South Dakota, Ranking BILL NELSON, Florida ROGER F. WICKER, Mississippi MARIA CANTWELL, Washington ROY BLUNT, Missouri FRANK R. LAUTENBERG, New Jersey MARCO RUBIO, Florida MARK PRYOR, Arkansas KELLY AYOTTE, New Hampshire CLAIRE MCCASKILL, Missouri DEAN HELLER, Nevada AMY KLOBUCHAR, Minnesota DAN COATS, Indiana MARK WARNER, Virginia TIM SCOTT, South Carolina MARK BEGICH, Alaska TED CRUZ, Texas RICHARD BLUMENTHAL, Connecticut DEB FISCHER, Nebraska BRIAN SCHATZ, Hawaii RON JOHNSON, Wisconsin WILLIAM COWAN, Massachusetts ELLEN L. DONESKI, Staff Director JAMES REID, Deputy Staff Director JOHN WILLIAMS, General Counsel DAVID SCHWIETERT, Republican Staff Director NICK ROSSI, Republican Deputy Staff Director REBECCA SEIDEL, Republican General Counsel and Chief Investigator (II) VerDate Nov 24 2008 11:57 Feb 19, 2015 Jkt 075679 PO 00000 Frm 00002 Fmt 5904 Sfmt 5904 S:\GPO\DOCS\93065.TXT JACKIE C O N T E N T S Page Hearing held on April 24, 2013 .............................................................................. 1 Statement of Senator Rockefeller ........................................................................... 1 Statement of Senator Thune ................................................................................... 3 Statement of Senator McCaskill ............................................................................. 4 Statement of Senator Heller ................................................................................... 5 Statement of Senator Johnson ................................................................................ 6 Statement of Senator Blumenthal .......................................................................... 64 WITNESSES Harvey Anderson, Senior Vice President, Business and Legal Affairs, Mozilla . 6 Prepared statement .......................................................................................... 8 Luigi Mastria, CIPP, CISSP, Managing Director, Digital Advertising Alliance 14 Prepared statement .......................................................................................... 15 Justin Brookman, Director, Consumer Privacy, Center for Democracy & Tech- nology .................................................................................................................... 24 Prepared statement .......................................................................................... 26 Adam Thierer, Senior Research Fellow, Mercatus Center, George Mason Uni- versity ................................................................................................................... 33 Prepared statement .......................................................................................... 35 APPENDIX Response to written questions submitted to Harvey Anderson by: Hon. John D. Rockefeller IV ............................................................................ 69 Hon. Barbara Boxer ......................................................................................... 69 Hon. Frank R. Lautenberg ............................................................................... 71 Hon. Amy Klobuchar ........................................................................................ 72 Hon. Brian Schatz ............................................................................................ 72 Hon. Ron Johnson ............................................................................................. 73 Response to written questions submitted to Luigi Mastria by: Hon. John D. Rockefeller IV ............................................................................ 74 Hon. Barbara Boxer ......................................................................................... 75 Hon. Ron Johnson ............................................................................................. 78 Response to written questions submitted to Justin Brookman by: Hon. John D. Rockefeller IV ............................................................................ 86 Hon. Barbara Boxer ......................................................................................... 88 Hon. Frank R. Lautenberg ............................................................................... 89 Hon. Amy Klobuchar ........................................................................................ 90 Hon. Brian Schatz ............................................................................................ 91 Hon. Ron Johnson ............................................................................................. 93 Response to written questions submitted to Adam Thierer by: Hon. Barbara Boxer ......................................................................................... 96 Hon. Frank R. Lautenberg ............................................................................... 97 Hon. Ron Johnson ............................................................................................. 97 (III) VerDate Nov 24 2008 11:57 Feb 19, 2015 Jkt 075679 PO 00000 Frm 00003 Fmt 5904 Sfmt 5904 S:\GPO\DOCS\93065.TXT JACKIE VerDate Nov 24 2008 11:57 Feb 19, 2015 Jkt 075679 PO 00000 Frm 00004 Fmt 5904 Sfmt 5904 S:\GPO\DOCS\93065.TXT JACKIE A STATUS UPDATE ON THE DEVELOPMENT OF VOLUNTARY DO-NOT-TRACK STANDARDS WEDNESDAY, APRIL 24, 2013 U.S. SENATE, COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION, Washington, DC. The committee met, pursuant to notice, at 2:38 p.m., in room SR–253, Russell Senate Office Building, Hon. John D. Rockefeller IV, Chairman of the Committee, presiding. OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, U.S. SENATOR FROM WEST VIRGINIA The CHAIRMAN. All right. This hearing will come to order. In February 2012, the Digital Advertising Alliance pledged that the online advertising industry would honor Do-Not-Track requests made by consumers. That commitment was supposed to happen by the end of the year which is called 2012. We are past that time. What it was supposed to mean, what that statement was sup- posed to mean was that when consumers made it clear they did not want advertisers to collect information about their Internet activi- ties, the advertisers would respect their wishes. It is now April 2013, and consumers are still waiting for these Do-Not-Track standards. Advertising folks are continuing to ignore Do-Not-Track headers and consumers’ requests for privacy. There is a broad feeling that the advertisers, brokers, et cetera, data brokers, are just dragging their feet, and I believe they are, and I believe they are doing it purposely. I personally have long expressed skepticism about the ability or the willingness of companies to regulate themselves on behalf of consumers when it affects their bottom line. It is just the way I am made. It is my experience. And my service in West Virginia makes me have that—and my service on this committee really makes me feel very strongly about that. And that is why for the past two Congresses, I have introduced legislation that would create meaningful Do-Not-Track standards for consumers. I do not believe that companies with business mod- els based upon the collection and monetization of personal informa- tion will voluntarily stop these practices if it negatively impacts their profit margins. I just think that is the way corporations, with obviously a number of exceptions, are run. They are there to make money. And consumers, particularly when you get something like the Internet, which everybody wants, worships, and loves, that is even more so. (1) VerDate Nov 24 2008 11:57 Feb 19, 2015 Jkt 075679 PO 00000 Frm 00005 Fmt 6633 Sfmt 6633 S:\GPO\DOCS\93065.TXT JACKIE 2 Having said that and disclosed what is a genuinely troublesome feeling that I have about the nature of corporations with a chance to make money, particularly when people don’t know what they are doing, in spite of that, I want to be open-minded today. I want to do my best, Senator Thune, to be open-minded. And I want to hear all sides on the matters at hand. For months, industry stakeholders, consumer groups, academics, and other interested parties have been in negotiation with the World Wide Web Consortium, known as W3C, attempting to reach an agreement on voluntary Do-Not-Track standards. But con- flicting reports about W3C negotiations continue to surface. On one side, I hear that online advertising industry is delib- erately dragging its feet, moving the goal posts, and refusing to stop collection practices that undermine the very essence of a meaningful Do-Not-Track standard. On the other side, I hear two software developers, in particular Microsoft and Mozilla—which I know are not necessarily popular with
Load more

Recommended publications
  • The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
    The Web Never Forgets: Persistent Tracking Mechanisms in the Wild Gunes Acar1, Christian Eubank2, Steven Englehardt2, Marc Juarez1 Arvind Narayanan2, Claudia Diaz1 1KU Leuven, ESAT/COSIC and iMinds, Leuven, Belgium {name.surname}@esat.kuleuven.be 2Princeton University {cge,ste,arvindn}@cs.princeton.edu ABSTRACT 1. INTRODUCTION We present the first large-scale studies of three advanced web tracking mechanisms — canvas fingerprinting, evercookies A 1999 New York Times article called cookies compre­ and use of “cookie syncing” in conjunction with evercookies. hensive privacy invaders and described them as “surveillance Canvas fingerprinting, a recently developed form of browser files that many marketers implant in the personal computers fingerprinting, has not previously been reported in the wild; of people.” Ten years later, the stealth and sophistication of our results show that over 5% of the top 100,000 websites tracking techniques had advanced to the point that Edward employ it. We then present the first automated study of Felten wrote “If You’re Going to Track Me, Please Use Cook­ evercookies and respawning and the discovery of a new ev­ ies” [18]. Indeed, online tracking has often been described ercookie vector, IndexedDB. Turning to cookie syncing, we as an “arms race” [47], and in this work we study the latest present novel techniques for detection and analysing ID flows advances in that race. and we quantify the amplification of privacy-intrusive track­ The tracking mechanisms we study are advanced in that ing practices due to cookie syncing. they are hard to control, hard to detect and resilient Our evaluation of the defensive techniques used by to blocking or removing.
    [Show full text]
  • Do Not Track a Nokia Browser Look
    Do Not Track Nokia Browser Position - Vikram Malaiya Copyright: Nokia Corporation, 2011 Our understanding of Do Not Track (DNT) • DNT is a technology to enables users to opt out of third-party web tracking • No agreed upon definition of DNT. There are currently 3 major technology proposals for responding to third-party privacy concern. 1. Stanford University and Mozilla’s DNT HTTP Header technique. 2. Blacklist based technique such as Microsoft’s ‘Tracking Protection’ which is part of IE9 3. Network Advertising Initiative’s model of a per company opt-out cookie. Opt-out cookie approach is being promoted by Google. DNT as HTTP Header The Browser adds ‘DNT’/ ‘X-Do-Not-Track’ to its http header. The header is sent out to the server with every web request. This header acts as a signal to the server suggesting that the user wishes to opt out of tracking. Adoption: Firefox 4, IE9 DNT as HTTP Header • Pros: – Scope: Server could apply restrictions to all third party entities and tracking mechanisms – Persistent: No reconfiguration needed once set – Simple: Easy to implement on the browser side • Cons: – Only work as long as the server honors users preferences – No way to enforce national regulations/legislations to servers located beyond country boundaries Block(Black) List / Tracking Protection This is a consumer opt-in mechanism which blocks web connections from known tracking domains that are compiled on a list. First party Third party Adoption: ‘Tracking Protection’ in Internet Explorer 9 cy.analytix.com The downloadable Tracking allow Protection Lists enable IE9 xy.ads.com consumers to control what deny third-party site content can deny track them when they’re ads.tracker.com Tracking Protection online.
    [Show full text]
  • Adchoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements
    AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements Saranga Komanduri, Richard Shay, Greg Norcie, Blase Ur, Lorrie Faith Cranor March 30, 2011 (revised October 7, 2011) CMU-CyLab-11-005 CyLab Carnegie Mellon University Pittsburgh, PA 15213 AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements Saranga Komanduri, Richard Shay, Greg Norcie, Blase Ur, Lorrie Faith Cranor Carnegie Mellon University, Pittsburgh, PA {sarangak, rshay, ganorcie, bur, lorrie}@cmu.edu Abstract. Online behavioral advertisers track users across websites, often without users' knowledge. Over the last twelve years, the online behavioral advertising industry has responded to the resulting privacy concerns and pressure from the FTC by creating private self- regulatory bodies. These include the Network Advertising Initiative (NAI) and an umbrella organization known as the Digital Advertising Alliance (DAA). In this paper, we enumerate the DAA and NAI notice and choice requirements and check for compliance with those requirements by examining NAI members' privacy policies and reviewing ads on the top 100 websites. We also test DAA and NAI opt-out mechanisms and categorize how their members define opting out. Our results show that most members are in compliance with some of the notice and choice requirements, but two years after the DAA published its Self-Regulatory Principles, there are still numerous instances of non-compliance. Most examples of non- compliance are related to the ``enhanced notice” requirement, which requires advertisers to mark behavioral ads with a link to further information and a means of opting out. Revised October 7, 2011. Keywords: Online behavioral advertising; privacy; consumer choice; notice; public policy 1 Introduction The Federal Trade Commission (FTC) defines online behavioral advertising (OBA) as “the practice of tracking consumers' activities online to target advertising.”1 The FTC has been examining ways to reduce the privacy concerns associated with OBA for over a decade.
    [Show full text]
  • Statement of Justin Brookman Director, Consumer Privacy Center for Democracy & Technology Before the U.S. Senate Committee O
    Statement of Justin Brookman Director, Consumer Privacy Center for Democracy & Technology Before the U.S. Senate Committee on Commerce, Science, and Transportation Hearing on “A Status Update on the Development of Voluntary Do-Not-Track Standards” April 24, 2013 Chairman Rockefeller, Ranking Member Thune, and Members of the Committee: On behalf of the Center for Democracy & Technology (CDT), I thank you for the opportunity to testify today. We applaud the leadership the Chairman has demonstrated in examining the challenges in developing a consensus Do Not Track standard and appreciate the opportunity to address the continued insufficiency of self-regulatory consumer privacy protections. CDT is a non-profit, public interest organization dedicated to preserving and promoting openness, innovation, and freedom on the decentralized Internet. I currently serve as the Director of CDT’s Consumer Privacy Project. I am also an active participant in the Worldwide Web Consortium’s Tracking Protection Working Group, where I serve as editor of the “Tracking Compliance and Scope” specification — the document that purports to define what Do Not Track should mean. My testimony today will briefly describe the history of online behavioral advertising and the genesis of the Do Not Track initiative. I will then describe the current state of the World Wide Web Consortium’s efforts to create Do Not Track standards and the challenges going forward to implement Do Not Track tools successfully. I will conclude with my thoughts on the future of Do Not Track. and why I believe that this protracted struggle demonstrates the need for the fundamental reform of our nation’s privacy protection framework for commercial and government collection and use of personal information.
    [Show full text]
  • Amazon Silk Developer Guide Amazon Silk Developer Guide
    Amazon Silk Developer Guide Amazon Silk Developer Guide Amazon Silk: Developer Guide Copyright © 2015 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. The following are trademarks of Amazon Web Services, Inc.: Amazon, Amazon Web Services Design, AWS, Amazon CloudFront, AWS CloudTrail, AWS CodeDeploy, Amazon Cognito, Amazon DevPay, DynamoDB, ElastiCache, Amazon EC2, Amazon Elastic Compute Cloud, Amazon Glacier, Amazon Kinesis, Kindle, Kindle Fire, AWS Marketplace Design, Mechanical Turk, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon VPC, and Amazon WorkDocs. In addition, Amazon.com graphics, logos, page headers, button icons, scripts, and service names are trademarks, or trade dress of Amazon in the U.S. and/or other countries. Amazon©s trademarks and trade dress may not be used in connection with any product or service that is not Amazon©s, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon. AWS documentation posted on the Alpha server is for internal testing and review purposes only. It is not intended for external customers. Amazon Silk Developer Guide Table of Contents What Is Amazon Silk? .................................................................................................................... 1 Split Browser Architecture ......................................................................................................
    [Show full text]
  • I Can't Generalize a Whole Lot About the Maxthon Cloud Browser, Which Got
    I can’t generalize a whole lot about the Maxthon Cloud Browser, which got a major upgrade to Version 4.x in a December preview and was officially released on February 25. Maxthon Cloud Browser versions are available for Windows, OS X, iOS and Android, and it’s designed to provide users with a seamless and unified user experience across multiple devices and platforms. I can’t speak to the Windows and Android versions, but I’m unevenly impressed with the OS X and iOS variants. I found myself quickly becoming a fan of the OS X version; it’s a lot like Google’s Chrome browser—very fast and slick with super-smooth performance—but more so. It incorporates pretty much everything I like about Chrome, such as an automatic Google Translate machine translation option. The iOS version isn’t bad, just not nearly as outstanding as the OS X version. Interestingly, that would be my assessment of Google Chrome for iOS compared with Chrome for OS X, as well, and I think the reason in both instances is Apple’s imposition on its own WebKit technology on iOS browsers. Using Maxthon Cloud Browser for iOS is not terribly different from the standard iOS Safari experience in terms of speed, but the iOS version of Maxthon has an absolutely maddening bug that sporadically turns the screen brightness on my iPad 2 down to minimum, obliging a trip to the iOS Settings to restore it. I suspect that Maxthon for iOS’s Brightness Control feature that purportedly lets you adjust screen brightness from within the browser, and/or Night Mode that adjusts screen brightness in low light situations are responsible for this behavior.
    [Show full text]
  • Web Tracking: Mechanisms, Implications, and Defenses Tomasz Bujlow, Member, IEEE, Valentín Carela-Español, Josep Solé-Pareta, and Pere Barlet-Ros
    ARXIV.ORG DIGITAL LIBRARY 1 Web Tracking: Mechanisms, Implications, and Defenses Tomasz Bujlow, Member, IEEE, Valentín Carela-Español, Josep Solé-Pareta, and Pere Barlet-Ros Abstract—This articles surveys the existing literature on the of ads [1], [2], price discrimination [3], [4], assessing our methods currently used by web services to track the user online as health and mental condition [5], [6], or assessing financial well as their purposes, implications, and possible user’s defenses. credibility [7]–[9]. Apart from that, the data can be accessed A significant majority of reviewed articles and web resources are from years 2012 – 2014. Privacy seems to be the Achilles’ by government agencies and identity thieves. Some affiliate heel of today’s web. Web services make continuous efforts to programs (e.g., pay-per-sale [10]) require tracking to follow obtain as much information as they can about the things we the user from the website where the advertisement is placed search, the sites we visit, the people with who we contact, to the website where the actual purchase is made [11]. and the products we buy. Tracking is usually performed for Personal information in the web can be voluntarily given commercial purposes. We present 5 main groups of methods used for user tracking, which are based on sessions, client by the user (e.g., by filling web forms) or it can be collected storage, client cache, fingerprinting, or yet other approaches. indirectly without their knowledge through the analysis of the A special focus is placed on mechanisms that use web caches, IP headers, HTTP requests, queries in search engines, or even operational caches, and fingerprinting, as they are usually very by using JavaScript and Flash programs embedded in web rich in terms of using various creative methodologies.
    [Show full text]
  • Adchoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements
    AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements Saranga Komanduri, Richard Shay, Greg Norcie, and Lorrie Faith Cranor March 30, 2011 CMU-CyLab-11-005 CyLab Carnegie Mellon University Pittsburgh, PA 15213 AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements Saranga Komanduri, Richard Shay, Greg Norcie, and Lorrie Faith Cranor Carnegie Mellon University, Pittsburgh, PA sarangak,rshay,ganorcie,[email protected] Abstract. Online behavioral advertisers track users across websites, often without users' knowledge. Over the last twelve years, the online behavioral advertising industry has responded to the resulting privacy concerns and pressure from the FTC by creating private self-regulatory bodies. These include the Network Advertising Initiative (NAI) and an umbrella organization known as the Digital Advertising Alliance (DAA). In this paper, we enumerate the notice and choice requirements the DAA and NAI place on their members and check for compliance with those requirements by examining members' privacy policies and reviewing ads on the top 100 websites. We also test DAA and NAI opt-out mechanisms and categorize how their members define opting out. Our results show that most members are in compliance with some of the notice and choice requirements, but there are numerous instances of non-compliance. Most examples of non-compliance are related to the \enhanced notice" require- ment, which requires advertisers to mark behavioral ads with a link to further information and a means of opting out. Keywords: Online behavioral advertising; privacy; consumer choice; notice; public policy 1 Introduction The Federal Trade Commission (FTC) defines online behavioral advertising (OBA) as \the practice of tracking consumers' activities online to target adver- tising" [12].
    [Show full text]
  • Web-Browsing History
    Mag. iur. Dr. techn. Michael Sonntag Web-browsing history Institute for Information Processing and Microprocessor Technology (FIM) Johannes Kepler University Linz, Austria E-Mail: [email protected] http://www.fim.uni-linz.ac.at/staff/sonntag.htm © Michael Sonntag 2013 Agenda The elements of web-browsing history and intentionality HTTP – Hypertext Transfer Protocol Cookies Internet Explorer File locations The index.dat file format Example Date/Time formats Firefox File locations Cookies, history, cache Webmail reconstruction example Michael Sonntag Web-browsing history 2 The elements of web-browsing history History The list of URLs visited (at which time, …) Provides general information on time and location of activity » URL's may also contain information: GET requests – Example: Google searches Cookies Which websites were visited when + additional information May allow determining whether the user was logged in Can survive much longer than the history » Depends on the expiry date of the Cookie and the configuration Cache The content of the pages visited » Incomplete: E.g. ad's will rarely be cached (No-cache headers) Provides the full content of what was seen, e.g. Webmail » More exactly: What was delivered by the server Michael Sonntag Web-browsing history 3 Web-browsing history: Intentionality Did the user visit the webpage intentionally? In general: If it's in the cache/history/cookie file: Yes See also: Bookmarks! BUT: What about pop-ups? » E.g.: Pornography ads (no one sees them intentionally )! Password protected pages? » But images/JavaScript can easily supply passwords as well when opening a file! Investigation of other files, trying it out, content inspection … needed to verify, whether a page that was visited, was actually intended to be visited (“intentionality”) Usually this should not be a problem: » Logging in to the mail » Visiting a website after entering log-ins Michael Sonntag » Downloading files Web-browsing history 4 Web browsing procedure 1.
    [Show full text]
  • Online Tracking: Can the Free Market Create Choice Where None Exists?
    ONLINE TRACKING: CAN THE FREE MARKET CREATE CHOICE WHERE NONE EXISTS? Benjamin Strauss* INTRODUCTION Our online privacy is compromised every time we surf the World Wide Web. The individual privacy of online users is quickly eroded by hackers, Internet advertisers, and other online entities. Behavioral advertisers are tracking our every move, cataloguing our user data, and selling it to the highest bidder. Advertisers use that information to infer users’ most sensitive interests to inundate them with ads specifically targeted to their web browsing history. Consumers are often presented with boilerplate privacy policies that they must consent to prior to using a web service or mobile application (app). Consumers have no means to fight back. They can either consent to data collection, or forego using the online service. As we live more and more of our lives online, this is nothing more than a Hobson’s choice. In Part I of this Note, I hope to shed light on the many privacy problems faced by users each time they browse the web. I then turn to current strategies aimed at combatting these global problems. In Part II, I highlight international approaches taken to protect online privacy. First, I detail the European Union’s approach to combatting many of these problems. The European Union has the most comprehensive online privacy regime, and can serve as a useful guide to our legislature in the future. I also highlight China’s approach to online privacy and its recent attempts to establish baseline Internet security standards. In Part III, I turn to the United States’ futile endeavor to protect online privacy.
    [Show full text]
  • The Web's Security Model
    The Web’s Security Model Philippe De Ryck @PhilippeDeRyck https://www.websec.be 2 The Agenda for Today § The Same-Origin Policy § Setting a baseline with very relevant 20 year old technology § Third-Party Content Integration § Frame and script-based integration § Session Management § Cookies and the unavoidable CSRF attacks § Accessing Cross-Origin APIs § Extending the SOP with server-driven policies § Conclusion 3 About Me – Philippe De Ryck § Postdoctoral Researcher @ DistriNet (KU Leuven) § PhD on client-side Web security § Expert in the broad field of Web security § Main author of the Primer on Client-Side Web Security § Running the Web Security training program § Dissemination of knowledge and research results § Public training courses and targeted in-house training § Target audiences include industry and researchers @PhilippeDeRyck https://www.websec.be 4 The Same-Origin Policy 5 Same-Origin Policy § Separation based on origin § Default security policy enforced by the browser § Restricts the interactions between contexts of different origins § Protects applications from unintended interactions § First appeared in browsers in 1995, and still going strong ORIGIN SAME-ORIGIN POLICY The triple <scheme, host, port> Content retrieved from one derived from the document’s URL. origin can freely interact with For http://example.org/forum/, the other content from that origin, origin is <http, example.org, 80> but interactions with content from other origins are restricted 6 Examples of the Same-Origin Policy http://example.com SAME-ORIGIN POLICY http://example.com Content retrieved from one origin can freely interact with other content from that origin, but interactions with content http://forum.example.com from other origins are restricted http://private.example.com 7 Domains vs Subdomains § Subdomains § E.g.
    [Show full text]
  • Energy-Efficient Video Processing for Virtual Reality
    Energy-Efficient Video Processing for Virtual Reality Yue Leng∗ Chi-Chun Chen∗ Qiuyue Sun UIUC University of Rochester University of Rochester yueleng2@illinois:edu cchen120@ur:rochester:edu qsun15@u:rochester:edu Jian Huang Yuhao Zhu UIUC University of Rochester jianh@illinois:edu yzhu@rochester:edu Abstract ACM Reference Format: Yue Leng, Chi-Chun Chen, Qiuyue Sun, Jian Huang, and Yuhao Zhu. 2019. Virtual reality (VR) has huge potential to enable radically new Energy-Efficient Video Processing for Virtual Reality. In The 46th Annual applications, behind which spherical panoramic video processing is International Symposium on Computer Architecture (ISCA ’19), June 22–26, one of the backbone techniques. However, current VR systems reuse 2019, Phoenix, AZ, USA. ACM, New York, NY, USA, 13 pages. https://doi:org/ the techniques designed for processing conventional planar videos, 10:1145/3307650:3322264 resulting in significant energy inefficiencies. Our characterizations show that operations that are unique to processing 360° VR content 1 Introduction constitute 40% of the total processing energy consumption. We present EVR, an end-to-end system for energy-efficient VR Virtual Reality (VR) has profound social impact in transformative video processing. EVR recognizes that the major contributor to ways. For instance, immersive VR experience is shown to reduce the VR tax is the projective transformation (PT) operations. EVR patient pain [8] more effectively than traditional medical treatments, mitigates the overhead of PT through two key techniques: semantic- and is seen as a promising solution to the opioid epidemic [15]. aware streaming (SAS) on the server and hardware-accelerated One of the key use-cases of VR is 360° video processing.
    [Show full text]