Recently I've had the opportunity to meet Marco Stronati, one of the developers of LocationGuard. In case this is the first time you hear about this plugin, LocationGuard offers a remedy for location privacy in browsers. By default, you have two choices when a website asks for your position: either you allow it and provide your exact location, or you deny it (which is also likely to render the given service useless). This plugin allows you to provide answers in between, only revealing your location roughly, and what makes it even more interesting is that this is not just another home-brew PET, but they have some nice work behind the tool. Finally, it comes with a nice default configuration, but setting it otherwise is quite simple and probably easy to use even for non-tech users.
You can also set it to report a fixed location – which is also the feature that motivated the current post. This could be quite useful, and as I know from Marco, there are some people who use it with a custom place of their own choice (*). However, there is an interesting caveat to using a fixed location for more privacy. Basically, the problem is that the world is huge, thus it is very likely that most users will set their fixed location differently. This also means that websites that can access this information can also easily track these users, e.g., just by storing the hash of location coordinates in a tracking cookie.
We call this phenomenon the anonymity paradox. This unfortunately happens quite often, when someone is trying to use a privacy-enhancing solution in a unique setting. While this person might have anonymity in theory, the uniqueness also allows linkability of her actions. This is why Tor developers highly discourage altering their browser, and also why some privacy-conscious users were more trackable in the Panopticlick experiment than others. Simply put, this is like visiting a bank office in a dark suit and wearing a ski mask. You will be anonymous for sure, but also easily trackable, as you'll likely find out.
Bottom line: you should use the default fixed location, or consider using a custom fixed position until there is a fixed variety of choices in LocationGuard. For example, as IP addresses reveal the country and city, I think country-level choices of fixed positions would be enough for most users. If you feel that is still too much, then you should use Tor Browser (when it gets fixed), and no LocationGuard. (As far as I know, Tor Browser disables location requests by default.)
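An added example (not from the original post and not LocationGuard code) that measures how identifying a fixed location is: it groups visitors by the hash of their reported coordinates and gives each one's anonymity-set size, before and after snapping to a small set of shared presets. The coordinates, presets and visitor labels are constructed for illustration, and the snapping helper is hypothetical.

```javascript
const crypto = require("crypto");

// Constructed sample data: placeholder coordinates, not LocationGuard's real default.
const DEFAULT = { lat: 10.0, lon: 20.0 };
// Hypothetical country-level presets (approximate points chosen for illustration).
const PRESETS = [DEFAULT, { lat: 46.6, lon: 2.2 }, { lat: 47.2, lon: 19.5 }];
// One report per visitor: four keep the default, four picked a custom place.
const reports = [
  ...["v1", "v2", "v3", "v4"].map(visitor => ({ visitor, ...DEFAULT })),
  { visitor: "v5", lat: 48.85837, lon: 2.29448 },
  { visitor: "v6", lat: 43.29695, lon: 5.38107 },
  { visitor: "v7", lat: 47.49791, lon: 19.04023 },
  { visitor: "v8", lat: 47.5316, lon: 21.62731 },
];

// The identifier the post describes: a hash of the reported coordinates.
function locationKey({ lat, lon }) {
  const text = `${lat.toFixed(5)},${lon.toFixed(5)}`;
  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
}

// Per visitor: anonymity-set size k and identifying information log2(N / k) in bits.
// N is the number of reports, which equals the number of visitors here.
function anonymitySets(rs) {
  const sets = new Map();
  for (const r of rs) {
    const key = locationKey(r);
    sets.set(key, (sets.get(key) || new Set()).add(r.visitor));
  }
  const out = {};
  for (const members of sets.values())
    for (const v of members)
      out[v] = { k: members.size, bits: Math.log2(rs.length / members.size) };
  return out;
}

// Visitors whose fixed location is unique in the sample, hence linkable across visits.
const uniqueVisitors = rs =>
  Object.entries(anonymitySets(rs)).filter(([, s]) => s.k === 1).map(([v]) => v).sort();

// Replace a report with the nearest preset (flat squared-degree distance, enough for a demo).
function snapToPreset(r) {
  const d = p => (p.lat - r.lat) ** 2 + (p.lon - r.lon) ** 2;
  const best = PRESETS.reduce((a, b) => (d(b) < d(a) ? b : a));
  return { visitor: r.visitor, lat: best.lat, lon: best.lon };
}

console.log("unique with custom locations:", uniqueVisitors(reports));
console.log("unique with shared presets:  ", uniqueVisitors(reports.map(snapToPreset)));
```

With this sample, every custom location forms an anonymity set of one, while the shared presets leave no visitor alone in a set.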
I am thankful to Luca Melis for reviewing a draft version of this post.
This post originally appeared in the professional blog of Gábor Gulyás.
(*) Note: as they don't collect data, they don't have statistics on this. This is just from other forms of feedback.
We have discussed in our previous posts that companies track their users and the traffic on their website. There are also companies offering solutions to track visitors. So the question is: how much would you charge for a list of all the sites you visited in the past two weeks? At first glance, this might seem a simple question. We have some surprising data for you!
In recent years the majority of websites adopted a business model in which you get a seemingly free service, but in exchange you give up your privacy. The model works simply: while you enjoy surfing freely, you are also being monitored and profiled in order to get advertisements and prices tailored to your interests. For example, Orbitz steered Mac users to pricier hotels; this can also happen to you in other contexts, according to how the advertisers estimate your affordability.
Auctions, where you are the product
When you open a website which has advertisement slots, there is the chance that your browsing history will be sold at an auction for advertisers, and your device will be involved in a real-time bidding (RTB) procedure. Do you remember our question in the previous section?
Have you considered your price?
Well, just to help you position yourself, it is estimated that most of us would trade our privacy only in exchange for 7 EUR on average. Sounds nice, right? Unfortunately, this is just an unreal dream: our browsing history is typically being sold for less than 0.0005 USD, as French researchers revealed in their recent study.
Who is making business and how?
When you open a website that earns its income from advertisements (for instance nytimes.com), a slot on their site can invoke an auction. Next, an ad exchange (e.g., DoubleClick or Facebook) will offer bidders to propose a price for placing their advertisements. The ad exchange identifies you with a tracking cookie (on nytimes.com), and distributes your browsing history among bidders, who will then have a chance to merge it with what they already know about you (tracked with another cookie). Thereafter, bidders have all the information to consider a price tag for you, and the bidder offering the highest price gets the chance to display the actual advertisement. This is a well-designed system, right? Also note that even losing parties get a copy of your browsing history.
Price-tag sensitivity
Olejnik created tools with his collaborators to detect RTB and analyze winner prices. It may be impossible to get a global overview, as in many cases the winner prices are encrypted. Their analysis is based on the rest. It turns out that different visitor properties steer prices significantly. Location is one of the strongest factors, e.g., a profile located in the US had a price of 0.00069 USD, much higher than others located in France (0.00036 USD) or in Japan (0.00024 USD). They also discovered that profiles are worth more in the morning. For instance, in their investigation a US profile was worth 0.00075 USD in the morning and 0.00062 USD in the evening. Not surprisingly, browsing history also altered prices significantly. New profiles with no records are worth the least, while others with an interesting history of visiting webshops (e.g., a jewelry site) are worth more.
What can I do about this?
Using ad blockers is only a partial solution. Use a web bug killer instead. Web bugs are small programs advertisers use to detect user presence and to monitor activities. If you are a Firefox or a Ghostery user, you could use, for instance, Ghostery.
This post originally appeared in the Tresorit Blog.
In the last ten years online advertising has grown tremendously, especially personalized advertising based on user behavior, called behavioral advertising. According to the estimation of the Interactive Advertising Bureau, internet advertising revenues reached $36.6 billion in 2012 in the United States alone. In parallel, a myriad of techniques emerged for detecting the identity of surfing webizens in order to profile their preferences and interests. The simplest and yet most widespread identification method uses web bugs and tracking cookies: a tracker service places unnoticeable small detectors on several websites, allowing it to store and read identifiers on the computers of the visitors. Cookies allow servers to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and so is able to carry information from one visit to the website to the next.
Owing to the large-scale deployment of web bugs, user consciousness has also risen: many users set their browsers to reject cookies or quickly extinguish them. Other trends, like the expansion of smart phones, which are taking an increasing part of Web usage, also caused problems for marketers, since smart phones do not use cookies.
These changes are forcing trackers to develop novel techniques, such as fingerprinting, i.e. when characteristic attributes are used for identification rather than storing identifiers on the user side. In academia, the Panopticlick project was the first, in 2010, to show that browsers can be precisely fingerprinted by using Flash or Java plugins. Later in 2011, Hungarian researchers pointed out that plugins are not even necessary for tracking, as the font list can be detected from the browser directly, and the list is browser-independent for both Windows and Mac OSes (you can test the underlying principles on your own computers).
The tracking market also went along a similar direction quite rapidly. In the beginning of 2012, one of the leading fingerprint-based trackers advertised itself for the European market with device fingerprinting, emphasizing that their method is compatible with local law making the use of tracking cookies difficult (as it doesn’t need cookies at all). Today, leading fingerprinting companies offer services that go even beyond device fingerprinting: they recognize and connect devices that are likely to belong to the same person, such as smart phones, tablets and laptops.
A recent paper that appeared at the IEEE Symposium on Security & Privacy reveals more details on the penetration and functionality of these companies. One of the most interesting findings is a rather low utilization rate on top sites, namely 0.4% in the Alexa top 10,000. However, the authors still found thousands of less relevant sites utilizing fingerprinting techniques, from which most were categorized as malicious, or spam (though one could expect regular business sites to do so).
Regarding their functionality, they found that tracker services use Flash and JavaScript for font detection, plus use Flash for additional tasks, such as obtaining system information, multi-screen resolution, or even for circumventing proxy protection in order to reveal the real IP address of the visitor. Some trackers go even further, using custom DLLs to gather more information from the registry (being a bit spyware-like), while others encrypt client identifiers to put themselves into a central, unavoidable position.
While fingerprinting is not widely adopted yet, and serious development is missing for protective technologies, the cat-and-mouse game seems to have begun in the area: tracking companies will likely outrun protective technologies as they get to the current level of the state-of-the-art fingerprinting techniques. Researchers predict that in the near future a shift is expected from the tech-based fingerprinting to biometric fingerprinting, opening new challenges for the privacy-enhancing research community.
This post originally appeared in the Tresorit Blog.