INTERNET PRIVACY

Daniel Coloma

"I have nothing to hide... so I don't care about my privacy"

HAVE YOU EVER SAID...

HAVE YOU EVER WONDERED...

HAVE YOU EVER WONDERED...

Why elpais.com is showing me an ad about the Lego game I wanted to give to my son for Christmas?

... I never read any news about Lego in elpais.com and I already bought it!

... THE ANSWER IS ON YOUR PERSONAL DATA

HAVE YOU EVER WONDERED...

Why booking.com is offering me this rate for this hotel?

... and my friend Peter is getting a cheaper rate for exactly the same hotel, same room, same dates!

... THE ANSWER IS ON YOUR PERSONAL DATA

AN EXAMPLE OF WHAT HAPPENS BEHIND THE CURTAINS

ONLINE ADVERTISING

WHO DECIDES WHICH ADS SHOULD BE SHOWN TO YOU?

THE PUBLISHERS?

THE ADS TO BE SHOWN ARE USUALLY DECIDED BY SOME OTHER COMPANIES CALLED AD-EXCHANGE BROKERS

NOT REALLY

HOW DO THE BROKERS DECIDE WHICH ADs YOU SHould BE SHOWN?

AD-EXCHANGE BROKERS RUN AUCTIONS

WHO ARE THE BIDDERS?

THE ADVERTISERS (AND NOT DIRECTLY)

BUT WHAT IS THE GOOD BEING AUCTIONED?

THE SPACE IN THE NEWS WEB SITE?

THEY BID FOR THE USERS WATCHING THE AD!

THEY BID FOR YOU!

BUT IN THE SAME WAY YOU WOULDN'T BID FOR AN ANONYMOUS PAINTING

THEY WOULDN'T BID FOR ANONYMOUS USERS

SO THEY NEED TO KNOW WHO ARE YOU

WHO ARE YOU IS NOT YOUR NAME

A BIG SET OF DATA ABOUT YOU, TOGETHER WITH GOOD ALGORITHMS MAY PROVIDE AN EXCELLENT PICTURE OF YOU

SO THEY PROFILE YOU

1. HOW THEY COLLECT INFORMATION FROM YOU?

2. WHAT TYPE OF INFORMATION IS COLLECTED

3. WHO IS COLLECTING THAT INFORMATION AND HOW IT'S EXCHANGED ACROSS COMPANIES

4. WHY DO THEY IT? I.E. HOW THAT INFORMATION IS USED... AND HOW DOES IT AFFECT YOU

WHAT ARE WE GOING TO LEARN TODAY?

1. HOW INFORMATION ABOUT ME IS COLLECTED?

Before creating a Facebook account Peter wants to check Facebook Privacy Policy. So he goes to Google and looks for "facebook data policy", THE FIRST SUGGESTED ENTRY IS:  https://www.facebook.com/policy.php

A simple story...

He opens THE link (https://www.facebook.com/policy.php) READS FACEBOOK POLICY and HE decides NOT TO CREATE an account

A simple story...

Later on he wants to check some information about cancer (HIS FATHER HAS JUST BEEN DIAGNOSED CANCER) in a health forum and he opens: http://salud.ccm.net/forum/cancer-8

A simple story...

A simple story...

Peter THINKS Facebook doesn't know anything about him... is he right?

No, he is not! FACEBOOK IS PROFILING HIM

When Peter visited Facebook policy page, Facebook "took the opportunity" to set some cookies in his computer

• A random identifier of the browser is created and stored in a cookie that is scoped to the Facebook root domain: I.e. the cookie will be sent every time a resource is retrieved from Facebook.com.

• The cookies contain additional info such as first and last Facebook visited pages, etc.

• Facebook has started to profile Peter

When later on he read the health forum, a Facebook plugin was loaded. As the plugin is hosted in Facebook domains, the cookies are sent back to Facebook.

• The profile is enriched:

  • The URL I just visited is added to my browsing history.

  • The referrer URL too (how did I find this forum).

  • If a "Like" button is present, the page I would like in case I press it.

Maria WAS so worried about her privacy that never visited a Facebook page...

BUT She is pregnant and visited prenatal.com

GUESS WHAT? Facebook is profiling her!

​MARIA STARTS BEING PROFILED

When Maria visited Prenatal Web page, it loaded resources from pixel.facebook.com. Facebook "took the opportunity" to set some cookies in his computer in response

When later on she visits any Web Site that loads resources from a Facebook domain, the cookies will be sent back to Facebook

HER PROFILE IS CONTINUOUSLY ENRICHED

But I heard I can opt-out!

http://www.youronlinechoices.eu/

WHat do you think it happens afterwards?

CLIK HERE

A new (opt-out) cookie is set!

• FACEBOOK PLACED A COOKIE NAMED “OO” WITH THE VALUE “1”. “OO” PRESUMABLY STANDS FOR “OPT-OUT”.

• THE OTHER COOKIES WERE NOT REMOVED BY FACEBOOK DURING OR AFTER THE OPT-OUT

• ALL THE COOKIES ARE SENT BACK TO FACEBOOK ANY TIME A FACEBOOK RESOURCE IS LOADED

REMEMBER: THIS IS JUST FOR NON-FACEBOOK USERS

I DON'T HAVE TIME TO TALK ABOUT WHAT HAPPENS TO FACEBOOK USERS

So... what if I disable cookies or remove them?

Very smart...

But do you think you are smarter than the trackers?

When tracking companies detected that many users blocked cookies they thought in alternatives

ALTERNATIVE 1 - "FLASH COOKIES"

A more resilient technology for tracking than HTTP cookies where less user control.

"RESPAWNING": KEEPING COOKIES ALIVE

Browser

cookies

Flash cookies

An exact copy of browser cookies is kept in -sync in Flash Cookies. Every time a cookie is added to the browser, a copy is created in the Flash Cookies repository

"RESPAWNING": ALWAyS KEEP ONE COPY

REMOVE COOKIES?

Browser

cookies

Flash cookies

Flash cookies

Browser

cookies

Even if the user removes the cookies from his browser, a copy still exists in the Flash Cookies repository

Browser

cookies

Flash cookies

Flash cookies

Browser

cookies

When cookie removal is detected they ARE re-built using THE exact copy that is available in the Flash cookies

Flash cookies

Browser

cookies

"RESPAWNING": A ZOMBIE COOKIE

REMOVE COOKIES?

RESPAWN!

ALTERNATIVE 2 - "EVERCOOKIES"

Make use AT THE SAME TIME of all the technologies AVAILABLE to store information in YOUR browser: HTTP cookies, IndexedDB, Local Storage, etc.

FIGHTING WITH A 9 HEAD HYDRA

The only way to complete remove an "evercookie" is doing it in all the places at the same time

Browser cookies

An exact copy of browser cookies is kept in-sync in different storage locations

Flash cookies

IndexedDB

Local Storage

Etags

"RESPAWNING" IMPROVED!

IF JUST A SINGLE ONE REMAINS, IT CAN BE USED TO RESPAWN THE REST

Etags

ALL THESE TECHNIQUES HAVE 1 THING IN COMMON

They store information in your computer:

STATEFUL TECHNIQUES

The tracker workaround are STATELESS TECHNIQUES

don't require storing anything in your computer

 "fingerprinting"

Look for ways to uniquely identify your browser

Canvas Fingerprinting

The web page renders an image in a hidden Canvas. If the image is defined in a smart way, its hash is unique per device/browser

Font Fingerprinting

Show (IN A HIDDEN) CANVAS TEXT IN MULTIPLE FONTS AND measuring the onscreen dimensions of font glyphs. FONT GLYPHS ARE AFFECTED By some manY FACTORS THAT THEY ARE A UNIQUE WAY TO IDENTIFY YOUR BROWSER.

Audio CONTEXT Fingerprinting

The web page CREATES An auDIO CONTEXT AND REQUEST THE PROCESSING OF A SILENT SIGNAL. THE HASH OF THE PROCESSED SIGNAL IS UNIQUE PER BROWSER/DEVICE

WebRTC Fingerprinting

A JAVASCrIPT WEB APPLICATION CAN USE WEBRTC TO access THE ICE CANDIDATES FOR COMMUNIcATION, THE ICE CANDIDATES INCLUDE THE USER'S LOCAL IP ADDRESS. THIS CAN BE DONE WITHOUT EXPLIcIT USER PERMISSION.

You are being profiled no matter what!

if you are going

to track me, please...

use cookies

AND

INFORM ME!

2 - WHAT INFORMATION IS BEING COLLECTED ABOUT ME?

LOCATION DATA

WiFi

GPS

CARRIER

IP ADDRESS

TECHNICAL DATA

Operating System

Web Browser

Screen Resolution

Hardware Manufacturer

Installed Plugins

BEHAVIOURAL DATA

Browsing History

Ads Seen / Clicked

Search Queries

Purchasing History

Social Media

Referrals

Browsing Habits

DEMOGRAPHIC DATA

ADDRESS

ZIP CODE

NAME

AGE

GENDER

BUT THOSE ARE JUST SOME INGREDIENTS

THEY CAN INFERE A LOT MORE ABOUT YOU BY COMBINING THEM ON A SMART WAY

LEVEL OF INCOMES

ETHNIC INFORMATION

HEALTH SITUATION

POLiTICAL TENDENCIES

THE WHOLE SYSTEM IS DESIGNED IN A WAY FOR INFORMATION TO BE SHARED CROSS-SITE

ALL THE TRACKERS ARE CONTINUOUSLY ENRICHING THEIR PROFILES

3 - WHO IS COLLECTING THAT INFORMATION AND HOW DOES IT FLOW?

www.newspaper.com

WHAT YOU PERCEIVE WHEN VISITING A NEWS WEB SITE

IN 200 MSECS HE GETS THE INFORMATION FROM THE WEB SITE, SOME ADS APPEAR MIXED WITH THE CONTENT

BUT WHAT IS GOING ON DURING THAT TIME?

www.newspaper.com

You visit a news site

1

1 - YOU tYPE THE URL OF YOUR FAVOURITE NEWS SITE

Apart from rendering the news Website, your browser sends an "ad-tag" to an  AD-EXCHANGE the publisher has an agreement with

2

2 - tHE WEBSITE IS RENDERED + YOUR BROWSER SENDS AND "AD-TAG"

AD-EXCHANGES are kind of marketplaces for Advertisements. They sell the empty space on sites on behalf of publishers

The AD-EXCHANGE knows that there is ad-space for a bid... but most importantly, it can now retrieve your cookies. The cookies contain the ID the ad-exchange assigned to you the first time you "visited" it and extra-info: Profile

3

3 - AD-EXCHANGE RETRIEVES COOKIES FROM YOUR COMPUTER AND CHECKS WHO ARE YOU

The AD-EXCHANGE sends an "ad-call" to DEMAND-SIDE-PLATFORMS: "You have an opportunity to advertise to a user with this Profile and ID"

4

4 - THE AD-EXCHANGE LOOK FOR POTENTIAL ADVERTISERS FOR YOUR PROFILE

DEMAND-SIDE-PLATFORMS are mediators between the advertisers and the ad-exchanges. They receive campaigns from advertisers and the criteria for looking for impressions.

All DEMAND-SIDE-PLATFORM  candidates retrieve their cookies from your computer so they can also complete the profile they have about you and link it to your ID

5

5 - THE DEMAND-SIDE-PLATFORMS READ THEIR COOKIES FROM YOUR COMPUTER

DEMAND-SIDE-PLATFORMS request extra information about you to one or more DATA-BROKERS

6

6 - THE DEMAND-SIDE-PLATFORMS LOOK FOR EXTRA INFORMATION FROM DATA BROKERS

DATA-BROKERS are companies that sell user profiles and market analysis. They use their knowledge to put users in buckets such as "urban and eco-friendly"

DEMAND-SIDE-PLATFORMS Perform cookie-matching with all the info they have about you and decide how much they can bid. They correlate their ID/Profile with the Ad-Exchange ID/Profile and the extra info got  from Data Brokers.

7

$0.1

$0.09

$0.09

7 - USE ALL THE INFORMATION ABOUT YOU To decide HOW MUCH THEY CAN OFFER

The AD-EXCHANGE checks all the offers from the DEMAND-SIDE-PLATFORMS and assigns the space to the one with the highest bid

8

$0.1

8 - AD-EXCHANGE ASSIGNS THE SPACE TO THE HIGHEST BID

www.newspaper.com

The winner DEMAND-SIDE-PLATFORM  places one ad from their advertisers at www.newspaper.com

9

$0.1

9 - THE WINNER DEMAND-SIDE-PLATFORM PLACES AN AD ON YOUR BROWSER

www.newspaper.com

The ad-exchange sends an "ad-call": "You have an opportunity to advertise to a user with Profile and ID"

Apart from rendering the Website, your browser sends an "ad-tag" to the ad-exchange

The AD-EXCHANGE knows that there is ad-space for a bid... but most importantly, it can now retrieve your cookies. The cookies contain the ID the ad-exchange assigned to you the first time you "visited" it and extra-info: Profile

You visit a news site

1

2

3

4

All DEMAND-SIDE-PLATFORM candidates retrieve their cookies from your computer

Request extra information about you to DATA-BROKERS

5

6

Perform cookie-matching with all the info they have about you and decide how much they can bid

7

The AD-EXCHANGE checks all the offer and assigns the space to the Demand-Side-Platform with the highest bid

8

The winner Demand-Side-Platform places one ad from their advertisers at www.newspaper.com

9

$0.1

$0.09

$0.09

THE WHOLE "SIMPLIFIED" FLOW

IN THE WHOLE PROCESS MANY COMPANIES GET INFORMATION ABOUT YOU BY RETRIEVING THEIR COOKIES AND EXCHANGING AND MATCHING INFORMATION

MANY COMPANIES ARE LOOKING AT EVERYTHING YOU DO

IN EVERYTHING YOU DO ONLINE

«A site is not one company any more. A site is tens of hundreds of companies all knowing where you are and what you’re looking at.»

 NUMBER OF THIRD PARTIES ON TOP-6 NORWEGIAN NEWS SITES

IF A USER VISITS JUST THOSE 6 WEB SITES... 

... WOULD COLLECT INFORMATION ABOUT HIM

11 AD-EXCHANGES

12 DEMAND-SIDE-PLATFORMS

12 DATA MANAGEMENT PLATFORMS

8 DATA BROKERS

13 DATA ANALYTICS COMPANIES

AND THIS IS JUST A SIMPLIFIED VIEW

• Changing Ecosystem

• Boundaries are unclear

• Many companies play in different categories 

... LET'S HAVE A LOOK AT THE EVOLUTION

2011 - 150 Companies

marketing technology landscape

2012 - 350 Companies

marketing technology landscape

2014 - 1000 Companies

marketing technology landscape

2016 - 3500 Companies

marketing technology landscape

 4 - WHY DO THEY COLLECT THAT INFORMAtion? HOW DO THEY USE IT?

THE INFORMATION IS MOSTLY USED TO TAKE DECISIONS

BUT ALL THOSE DECISIONS ARE DONE IN A OBSCURE WAY: RISKS LINKED TO THE LACK OF TRANSPARENCY

RISK OF WRONG DECISIONS

EXAMPLE: DENY/ALLOW MEDICAL INSURANCE

What if the data you have about me is wrong?

RISK OF MANIPULATION

EXAMPLE: SHOW AN AD

What if the ad does not only show content they think is relevant to me, but also shows to me in a way that exploits "my vulnerabilities" (impulsive, cautious, etc.)

RISK OF HIDDEN DISCRIMINATION

EXAMPLE: CREDIT RATING

Algorithms taking decisions are written and maintained by people and as such, they can reinforce human prejudices. For instance, it was found that Google displayed ads about high-income jobs to men more often than to women.

RISK OF PRICE DISCRIMINATION

EXAMPLE: QUOTATIONS

Can I get a higher price just because I use a MAC or because my incomes are higher?

RISK OF FILTERING BUBBLE

EXAMPLE: INTERNET SEARCHES

What if the search results filter results not aligned with my viewpoints? This would isolate me in my ideological bubble

ARE YOU SURE THEY CAN KNOW THAT MUCH ABOUT ME?

LET'S HAVE A LOOK AT HOW FACEBOOK LET ADVERTISERS TARGET USERS

HAVE YOU TOLD THIS TO FACEBOOK?

AND THIS?

IS IT SCARY?

IT COULD BE WORSE

CONCLUSIONS

No Industry in the world knows more about you than the ad industry:

DATA RACE

ASYMMETRIC RACE

What they know about me

What I know about them

It AFFECTS EVERYONE but very FEW PEOPLE have any INSIGHT about it

As there is no transparency, companies do not need to compete in provider consumer privacy-friendly services

The LACK OF TRANSPARENCY is extremely DANGEROUS: manipulation, wrong decisions, discrimination, re-identification can be done in the dark

BUT THINGS CAN CHANGE!

BUT FOR THINGS TO CHANGE, YOU NEED TO ACT!

I AM GOING TO ASK YOU THREE THINGS

1 - DO CARE ABOUT YOUR PRIVACY

2 - DEMAND SERVICES TO BE MORE TRANSPARENT

3 - EDUCATE YOUR FRIENDS, KIDS, ETC. ABOUT WHAT IS GOING ON

THANKS