TowardsPrivacy‐FriendlyOnlineAdver5sing

JulienFreudiger,NevenaVratonjic,andJean‐PierreHubauxMay2009,W2SP

Onlineadver5singisatcenterofInterneteconomy–  Immediateandpersonalized

– EnablesBehavioraltarge5ng

InternetEconomy

2Source:Interac5veAdver5singBureauInternetAdver5singrevenuereport,2008

Benefits

•  Forusers– Relevanceofads– Sponsoredservices

•  Forwebsites– Generateprofitfromads– Newbusinessmodels

3

•  Trackuserac5vi5esonline–  Interests(visitedwebsites,searchterms)

– Conversa5ons(email)– Friends(socialnetworks)

•  Privacyfootprint(KrishnamurthyandWills)

– 72%ofwebserversshareatleastoneadver5ser– 3third‐partydomainscontactedonaverageperaccessedwebsite

PrivacyConcerns

4

Privacy/traceabilityTrade‐off

5

Traceability

Privacy

0 1

1Trade‐off

Allowall

Blockall

Provideawaytocontrolamountofinforma8onshared

Outline

1.  OnlineAdver5sing– PrivacyImplica5ons– Exis5ngSolu5ons

2.  ProposedSolu5on– PrivacyfriendlyCookiemanagement– Usercentric

3.  PreliminaryEvalua5on– FirefoxExtension

6

OnlineAdver5sing

7

u s1

s2

d1

HiddenserversD

UsersU

VisibleserversS

Associatedwebsites

u‐>s1: www.ny5mes.com u‐>s2: www.google.coms1‐>u: index.htmlu‐>d1: ads.com,TP‐cookied1‐>u: ads

s1‐>u: index.htmlu‐>d1: ads.com,TP‐cookied1‐>u: ads

B.KrishnamurthyandC.E.Wills.Genera5ngaprivacyfootprintontheInternet.IMC2006

Traceability

•  TP‐Cookiesenable– Spa8altracking:Trackoverdifferentdomains

– Temporaltracking:Iden5fysubsequentvisits

•  Referrerrevealsvisitedwebsite

•  Exampleofdatacollectedbyadver5sers:–  10h00:www.ny5mes.com,cookie

–  10h02:www.ny5mes.com,cookie–  11h00:www.facebook.com/friends,cookie

8

Exis5ngSolu5ons

•  Allornothing– Blockrequeststoadver5sers– BlockTP‐cookies– Allowall

•  Sameoriginpolicy– “Onlytheserverthatsetsacookiecanaccessit”– Preventslossofdataconfiden5alityorintegrity– Buttoopermissivewithrespecttoonlinetracking

9

Outline

1.  OnlineAdver5sing– PrivacyImplica5ons– Exis5ngSolu5ons

2.  ProposedSolu5on– PrivacyfriendlyCookiemanagement– Usercentric

3.  PreliminaryEvalua5on– FirefoxExtension

10

ProposedSolu5on

•  Trade‐offprivacyandtraceability– Limitspa5alandtemporaltracking

– User‐centricsolu5on

•  Definepoliciesforuseofcookies– Userprivacypreferences– Useradver5sementpreferences– Visitedwebsite

11

KeyIdea

•  Maintainacollec5onofcookiesinparallel– Sentcookiedependsonthevisitedwebsiteandadver5ser

12

Domain Cookie

ads.com c1

Domain Website Cookie

ads.com ny5mes.com c1

ads.com google.com c2

KeyTechnique

•  Toobtainanewcookie– Donotsendexis5ngcookiesinHTMLheader

– Serverassignsanewcookie

•  Privacy‐Friendlycookiemanagement– Alternateamongcookiesincollec5on

13

Approach1

14

u s1

s2

d1

u‐>d1: ads.com,www.ny5mes.com,c1

u‐>d1: ads.com,www.ny5mes.com/technology,c1

u‐>d1: ads.com,www.google.com,c2

LimituseofTP‐cookiesperdomainUseforalimitednumberof8mes

becauseny5mes!=google

Approach2

15

LimituseofTP‐cookiesperwebsitecategoryandwithincategoriesUseforalimitednumberof8mes

•  Categoriesdefinetypeofwebsite–  ny5mes.com=>news–  Readilyavailable(e.g.,Alexa)

•  Spa5altrackingthresholdLs–  Limitsspa5altrackingacrosswebsiteswithincategories

Approach2

16

u s1

s2

d1

u‐>d1: ads.com,www.swissinfo.ch,c1

u‐>d1: ads.com,www.ny5mes.com,c1

u‐>d1: ads.com,www.google.com,c3u‐>d1: ads.com,mail.google.com,c4

u‐>d1: ads.com,www.l.com,c2

s3

s4

Category

News

News

News

Search

Email

Because3>LS

Becausesearch!=news

Becauseemail!=searchandemail!=news

Ls=2

Approach3

17

LimituseofTP‐cookiesbasedonURLsanduserpreferencesUseforalimitednumberof8mes

•  URLs– Leakinforma5onthroughreferrer

– google.com/search?q=julien

•  Preferencesonwebsitecategories– Privacy:Whatusersdonotwanttoshare– Adver5sing:Whatuserswanttoget

SenngupPreferences

18

Relyononlinesocialcommuni5es

GoogleAdpreferencemanager

Approach3

19

u‐>d1: ads.com,www.google.com,c1

u‐>d1: ads.com,www.google.com/search?q=computers,c1

u‐>d1: ads.com,www.facebook.com/search?q=nevena,c2

u‐>d1: ads.com,www.facebook.com,c1

URLs(w1)

UserPrivacyPref.(w2)

0.1 0

0.9 0

0.1 1

1 1

!

bi!H(B)

w1(bi) · w2(bi) < Ls

Because0.1+1>Ls

Ls=1

Outline

1.  OnlineAdver5sing– PrivacyImplica5ons– Exis5ngSolu5ons

2.  ProposedSolu5on– PrivacyfriendlyCookiemanagement– Usercentric

3.  PreliminaryEvalua5on– FirefoxExtension

20

Implementa5on

•  Firefoxextension:PrivaCookie–  Proofofconceptcode– Getitonhpp://icapeople.epfl.ch/freudiger

•  TPcookiedetec5on–  Compareorigina5ngURLwithcurrentURL

•  Localcookietable–  Linkcookieswithhiddenserverthatcauseditsassignmentandvisibleserverhos5ngads

–  (Cookie,visibleserver,hiddenserver)

21

Study

•  Chose10pagesfromeachofthetop20domains

•  Firefoxextensionpagestats– Runsbrowserinbatchmodewithlistofwebsites– Atotalof200pages

22

Numberofhiddenserversforeachofthetop20domains

23

Numberofvisibleserversforeachhiddenserver

24

PrivaCookie

HiddenServer

VisibleServersYahoo Ebay AOL IMDB Orkut Msn Myspace HI5 Blogspot Rapidshare

doubleclick

quantaserve

atmdt

adver5sing

yieldmanager

25

Top10associatedvisibleserversconnectedwiththemostpopularadver5sers

Extensioncaused81addi5onalcookiesassignments

c1 c1,1 c1 c1,2 c1 c1,3 c1 c1,4 c1 c1,5 c1 c1,6 c1 c1,7 c1 c1,8

TrackingCountermeasures

•  TrackbasedonIP-  Anonymizer/Tor

•  Trackwith– Cachecookies– Browserhistory– Plugins(e.g.,Flashcookies)– Proposedpoliciesalsoapplytothosecases

•  Coopera5vetracking?26

Conclusion

•  Weproposeasolu5onfortrading‐offprivacy&traceability–  Protectsuserprivacy–  Allowsfortargetedonlineadver5sing–  Nochangesrequiredfromadver5sers–  Putsusersincontrol

•  Keyidea:Maintainsacollec5onofcookiesinparallel•  FutureWork:–  Implementapproach2&3–  ImplementJavascriptsupport–  Considerotherparametersinapproach3

27

URLWeight

•  ParseURLforn‐grams– “search”– “id”– “username”

•  Canbedoneautoma5callybeforevisi5ngURL

28