OPEN Silicon Valley: Big Data – The Good, The Bad and the Ugly

OPEN Silicon Valley Forum
Mountain View, CA | June 2, 2012

Online privacy concerns have confounded many an entrepreneur and caught some off guard. The recent episodes of Path address book uploads, Apple UDID ban, Google privacy policy change, Safari cookie bypass, Facebook timeline launch, and Target predicting teenage girls’ pregnancies before their families do have all put online privacy front and center in the media, with federal regulators and legislators on the Hill taking note of every single move of these companies. While concerns about social networks and mobile applications eroding our privacy, reputation, and trust are being voiced, they must be balanced with the reality that online information sharing using innovative technologies presents unprecedented opportunities for the community. These two dimensions are often considered at odds with each other, leading many, especially entrepreneurs, to question whether online privacy issues can put a brake on the innovation engine fueled by big data technologies.

I was a panelist.

Berkeley Law: Conference on Web Privacy Measurement

Berkeley Center for Law and Technology
Berkeley, CA | May 31 – June 1, 2012

As the Web continues to transition from a static collection of documents to an application platform, websites are learning more and more about users. Many forms of Web information sharing pose little privacy risk and provide tremendous benefit to both consumers and businesses. But some Web information practices pose significant privacy problems and have caused concern among consumers, policymakers, advocates, researchers, and others. Data collection is now far more complex than HTTP cookies, and the information available to websites can include a user’s name, contact details, sensitive personal information, and even real-time location. At present there are few restrictions on and scant transparency in Web information practices. There is a growing chasm between what society needs to know about Web tracking and what the privacy measurement community has been able to bring to light.

A number of practitioners, researchers, and advocates have begun to more formally study how websites collect, use, and share information about their users. The goal of the Conference on Web Privacy Measurement (WPM) is to advance the state of the art and foster a community on how to detect, quantify, and analyze Web information vectors across the desktop and mobile landscapes. Such vectors include browser tracking, such as cookies, flash cookies, the geolocation API, microphone API, and camera API; and server-side tracking, such as browser fingerprinting. We are also interested in the deployment of privacy-preserving technologies, such as HTTPS and proper deployment of P3P.

I served on the programming committee for this event, and led a discussion about tools for web privacy measurement.

Freedom and Connectivity from Alexandria, Egypt to Zuccotti Park

Freedom to Connect F2C Conference
Washington, DC | May 21-22, 2012

I joined others for a discussion about the delicate balance between technology, free speech, privacy and human rights.

View video archive

Facebook and your Privacy: What Every Consumer Should Know in the Digital Age

Consumer Reports Roundtable
New York, NY | May 4, 2012

On May 4, 2012, I participated in a panel discussion about consumer privacy on Facebook, organized by Consumer Reports. The panel was part of a larger examination of the issue, which was featured in the June 2012 issue of their magazine. It included tips about Facebook privacy settings.

View video archive

TechCrunch TV: Ashkan Soltani On Mobile App Security

TechCrunch TV | May 3, 2012

TechCrunch TV had me on to discuss Path, Apple’s collection of location information, and the various other privacy issues with mobile devices.


Ashkan Soltani On Mobile App Security by 5minTech

Why You Should Treat Your iPhone Like a Toddler: The State of Mobile App Security Techcrunch, May 3, 2012

2012 State of the Mobile Net Conference

Advisory Committee to the Congressional Internet Caucus
Washington, DC | May 3, 2012

The 4th Annual State of the Mobile Net Conference featured debates about the most pressing issues facing the exploding mobile net. While App developers frenetically code away, Washington policymakers are looking more and more closely at the mobile net ecosystem. Indeed, Washington policymakers are eager to help the mobile net achieve its potential by freeing up spectrum, implementing consumer protections and considering privacy rules for the burgeoning app market. With the speed at which the mobile net is evolving, how can Washington policymakers provide the appropriate level of assistance?

I took part in a panel called Complex Devices / Complex Privacy Questions: Grappling With Privacy In the Mobile Space

View video archive

App Developer Privacy Summit

Palo Alto, CA | April 25, 2012

Mobile apps and the services they provide have been one of the most exciting areas of innovation in recent years. Many of these new services have been successful because they enable consumers to use data to connect, discover and accomplish in new ways, but the collection and use of consumer data in the complex mobile environment has caused a rise in privacy concerns. To maintain the consumer trust necessary to continue the pace of innovation, the key participants in the app ecosystem need to work together.

To better understand their respective roles in this new ecosystem, platforms, app developers, carriers, consumers and policymakers are gathering to address current and pressing consumer privacy issues. The Application Developers Alliance and the Future of Privacy Forum, along with the Stanford Law School Center for Internet and Society, hosted the App Developer Privacy Summit on April 25, 2012.

I was one of the panelists/presenters.

Go to 2 hours, 32 minutes for details.

MobileScope Takes WSJ Data-Transparency Prize

Wall Street Journal Live/Digits | April 17, 2012

Ashkan Soltani, the programmer who designed the MobileScope app and the technical adviser for WSJ’s What They Know series, discusses his privacy app, which won WSJ’s Transparency Weekend “Ready for Primetime” award.


MobileScope Takes WSJ Data-Transparency Prize by 5minTech

Learn more about Mobilescope.

NYU/Princeton Conference on Mobile and Location Privacy: A Technology and Policy Dialog

NYU Law School, New York, NY | April 13, 2013

People routinely carry smartphones and other devices capable of recording and transmitting immense quantities of personal information and tracking their every move. Privacy has suffered in this new environment, with new reports every week of vulnerabilities and unintended disclosures of private information. New York University’s Information Law Institute and Princeton’s Center for Information Technology Policy hosted a technology and policy dialogue about the new world of mobile and location privacy.  They brought together the policy and technology communities to discuss the substantial privacy issues arising from the growth of mobile and location technologies.

I gave a technical demonstration.

NYU/Princeton Conference on Mobile and Location Privacy — Technology Demonstration: Ashkan Soltani from NYU Information Law Institute on Vimeo.

NYU/Princeton Conference on Mobile and Location Privacy: A Technology and Policy Dialog

New York University School of Law
New York, NY | April 13, 2012

The age of ubiquitous computing is here. People routinely carry smartphones and other devices capable of recording and transmitting immense quantities of personal information and tracking their every move. Privacy has suffered in this new environment, with new reports every week of vulnerabilities and unintended disclosures of private information. On Friday, April 13, 2012, New York University’s Information Law Institute and Princeton’s Center for Information Technology Policy hosted a technology and policy dialogue about the new world of mobile and location privacy. The gathering aimed to bring together the policy and technology communities to discuss the substantial privacy issues arising from the growth of mobile and location technologies.

I did a technology demonstration.

NYU/Princeton Conference on Mobile and Location Privacy — Technology Demonstration: Ashkan Soltani from NYU Information Law Institute on Vimeo.

Doing Data Journalism: It’s Not Just Numbers

Columbia Journalism School
New York, NY | March 28, 2012

Data journalism is quickly becoming one of the hottest topics in the industry – but what exactly is it, and what tools, teams and techniques are necessary for doing it well?

On March 28th, 2012 the Tow Center for Digital Journalism hosted several of data journalism’s most prominent innovators and practitioners for a discussion about the possibilities and pitfalls of this evolving field. I was one of the panelists.

RSA: Mobile Devices: A Privacy & Security Check-In Panel

RSA Conference
San Francisco, CA | Feb 27 – March 2, 2012

I was a panelist at RSA this year.

Topic: The use of mobile devices can raise an avalanche of privacy and security issues. Our diverse panel of privacy gurus will provide practical suggestions to address some significant privacy and security concerns arising from the use of mobile devices, including: (1) BYOD – bringing your own device to work; (2) location-based technology; (3) privacy disclosures and choice; and (4) the development and use of applications.

Cookies from Nowhere


Google is tracking Safari users across the web even when they attempt to block 3rd party cookies and have never visited Google.com. This is a function of the anti-phishing and malware lists used by Safari, Firefox (and, of course, Chrome), which automatically update from Google in the background and place Google cookies.

This is a separate issue from the one uncovered Feb 17, 2012 surrounding Google’s circumvention of Safari’s default cookie blocking features. Essentially, even though Google has fixed the Doubleclick issue due to ‘social sync’, they are still able to track Safari users everywhere there is a +1 button on the web, even when users have 3rd party cookies blocked.

[Read more…]

The Global Internet and the Free Flow of Information

Media Access Project Forum
Washington, DC | February 7, 2012

On February 7, 2012, I joined other experts for a discussion about freedom of expression issues, cyber security issues and surveillance tech issues in the context of how they affect online users’ free speech rights.

View video archive

Analysis of Carrier IQ Software

Log Pile by Lars Hammer on Flickr http://flic.kr/p/a4XR3b


There has been some confusion and multiple conflicting statements about the Carrier IQ issues that were highlighted in Trevor Eckhart’s initial video some weeks ago. I will attempt to hopefully clarify some of that confusion and show that, despite statements to the contrary, there is capture and transmission of sensitive information to 3rd parties resulting from misconfigured Carrier IQ software. [Read more…]

Future of Privacy Forum Presents – Personal Information: The Benefits and Risks of De-Identification

Future of Privacy Forum
National Press Club, Washington, DC | December 5, 2011

On December 5, 2011, leading academics, advocates, Chief Privacy Officers, legal experts and policymakers gathered to discuss and debate the benefits and risks of de-identification and the definition of personal information. I joined the event to talk about advertising and marketing uses and concerns.

View video archive

Mobile, Telcos and the Future of Freedom of Speech

Silicon Valley Human Rights Conference
San Francisco, CA | October 25-26, 2011

I was a panelist at the first annual Human Rights Conference – or RightsCon.

Panelists on Mobile, Telcos and the Future of Freedom of Speech talked about the nascent connection between commerce, politics, human rights and information, especially with burgeoning uprisings in the Middle East and beyond.  With the reality of competitive pressures within the industry and the network monopoly of many governments, we looked at some of the industry practices and approaches that are needed to ensure telecoms are not hijacked for repression and abuse. The panelists discussed the realities of operating with infrastructure in country, the business models available to ensure control of the network; and the privacy and mobile security needs of human rights advocates.

The event was livestreamed but there is no video archive.

When Zombies Attack – a Tracking Love Story

OWASP AppSec USA 2011 Conference
Minneapolis, MN | September 20 – 23, 2011

In this talk, Gerrit Padgham and I talked about the current state of online tracking and highlighted current practices such as “cookie respawning” and non-cookie based tracking that popular websites and mobile applications engage in. We discussed theories on why the platforms we use do not adequately protect users from these threats and highlighted the proposed solutions, such as additional transparency tools and Do-Not-Track, that are intended to help mitigate these issues. We also demonstrated MobileScope, a technical solution we have been developing to give the end user ultimate visibility into the traffic their device is sending. Finally, we discussed open questions surrounding the ability to adequately assess risk, drawing from behavioral economics and risk management theories for cues as to potential outcomes in this space.

When Zombies Attack: A Tracking Love Story with Ashkan Soltani & Gerrit Padgham from OWASP on Vimeo.

Additional video archives on YouTube.

PDF of slides

Flash Cookies and Privacy II

A detailed technical followup to Flash Cookies and Privacy II, describing the mechanisms behind Hulu/KISSmetrics’ respawning practices

I thought I’d take the time to elaborate a bit further regarding the technical mechanisms described in our Flash Cookies and Privacy II paper that generated a bit of buzz recently. For a bit of background, I, along with Chris Hoofnagle and Nathan Good, had the honor of supervising Mika Ayenson and Dietrich J. Wambach in replicating our previous 2009 study which found that websites were circumventing user choice by deliberately restoring previously deleted HTTP cookies using persistent storage outside of the control of the browser (a practice we dubbed ‘respawning’).

In our follow up study, we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the Hulu.com site. Additionally, Hulu, Spotify, and many others were also respawning using code provided by analytics firm KISSmetrics.* Hiten Shah, the founder of KISSmetrics, initially confirmed that the research surrounding respawning was correct in an interview with Ryan Singel although he later criticized the findings after a lawsuit was filed.

(*Hulu and KISSmetrics have both ceased respawning as of July 29th 2011)

[Read more…]

CyberJungle Radio: KISSMetrics WebTracking

The CyberJungle Radio Show | August 5, 2011

In 2011, I was a guest on CyberJungle Radio at SecurityBsides Las Vegas, the shadow conference to BlackHat Las Vegas. The CyberJungle got my take on the KISSMetrics web tracking spat.

Audio archive of interview.

Related Reading

Respawn Redux
Flash Cookies and Privacy II (2011)
Flash Cookies and Privacy (2009)

Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning


In August 2009, the research team published Flash Cookies and Privacy, a paper that demonstrated that popular websites were using Flash cookies to track users. Some advertisers had adopted this technology because it allowed persistent tracking, even where users had taken steps to avoid web profiling. This allowed sites to reinstantiate HTTP cookies deleted by a user, making tracking more resistant to users’ privacy-setting behaviors.

In this followup study, we reassess the flash cookies landscape and examine a new tracking vector, HTML5 local storage and cache cookies via eTags. [Read more…]

Berkeley Law: Online Tracking Protection and Browsers

Berkeley Law
Brussels, Belgium | June 22, 2011

While US regulators and legislators consider a “do not track” mechanism to allow more effective control of online collection of information, European regulators have moved aggressively to give consumers more control over the mere placement of cookies through the E-Privacy directive. Many questions surround the confluence of US and European developments, including the scope of do not track, the implications of different implementations of do not track, the economic implications of greater consumer control over tracking, and how do not track will be applied in European markets. BCLT and the University of Amsterdam’s Institute for Information Law hosted a workshop to explore the law and technology of online tracking and mechanisms for consumer control of tracking June 22-23 in Brussels, Belgium. Participants included FTC Commissioner Julie Brill, Vice-President of the European Commission and Commissioner for the Digital Agenda Neelie Kroes, The Office of Science and Technology Policy CTO Daniel Weitzner, DG Society Director Robert Madelin, and technologist Ashkan Soltani.

I presented a tutorial on the state of online tracking that covered online tracking technologies and business models, including demand side platforms.

Pii2011: Privacy Identity Information Conference

Santa Clara, CA | May 19-20, 2011

Privacy Identity Innovation is the only tech conference focused on exploring how to protect sensitive information while enabling new technologies and business models. Over 250 attendees from around the world participated in the second Privacy Identity Innovation conference, which took place May 19-20, 2011 at the Santa Clara Marriott hotel in Silicon Valley.

On May 19, I participated in a roundtable discussion called Pii and Location: Can You Find Me Now?

pii2011: pii and Location: Can You Find Me Now? from Marc Licciardi on Vimeo.

Listen to audio archive

On May 20, I was part of a panel discussion on Simplifying Privacy Notice.

pii2011: Simplifying Privacy Notice from Marc Licciardi on Vimeo.

Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy

Senate Committee on the Judiciary, Subcommittee on Privacy, Technology and the Law
Washington, DC | May 10, 2011

On May 10, 2011, I testified in front of the Senate Judiciary Committee on Privacy Technology and the Law regarding mobile privacy. The other witnesses included representatives from Apple, Google, Center for Democracy and Technology, and the Association for Competitive Technology.

Read prepared testimony.

USA Today live blogged the hearing.

Video archives on CSPAN include my delivered testimony, answers to questions about what “location” means, and a question from Senator Franken about the most serious threat regarding mobile devices and privacy. View CSPAN footage of entire hearing

[Read more…]

W3C Workshop on Web Tracking and User Privacy

Center for Information and Technology at Princeton University
Princeton, NJ | April 28-29, 2011

This workshop served to establish a common view on possible Recommendation-track work in the Web privacy and tracking protection space at W3C, and on the coordination needs for such work.

The workshop was expected to attract a broad set of stakeholders, including implementers from the mobile and desktop space, large and small content delivery providers, advertisement networks, search engines, policy and privacy experts, experts in consumer protection, and other parties with an interest in Web tracking technologies, including the developers and operators of services on the Web that make use of tracking technologies for purposes other than behavioral advertising.

In the position paper I submitted, I proposed potential alternative approaches to framing tracking that enables companies to engage in measurable online advertisement while providing the most important privacy protections articulated by advocates. This approach focuses primarily on the active removal of persistent identifiers that are used to correlate browsing activity over multiple sessions or multiple websites.

Enabling Online Privacy With Do Not Track: By Congress, Corporations or Code?

Congressional Internet Caucus Advisory Committee
Washington, DC | April 5, 2011

The online privacy Do Not Track proposal (DNT), modeled after the popular “Do Not Call” concept, has captured the imagination of those who wish to protect consumer privacy in Congress, in industry and among privacy advocates and consumers alike. Consumer privacy advocates have proposed it, the Chairman of the Federal Trade Commission has endorsed it, and Members of Congress have drafted legislation to enact it. Yet remarkably, there is no broad consensus on *what* DNT is or even on *who* should be responsible for making it a reality.

I joined other experts for a panel regarding the potential implementation of Do Not Track. Others included representatives from Microsoft, the Digital Advertising Alliance, the Federal Trade Commission, and the Internet Caucus Advisory Committee.

Listen to audio archive

W3C Position Paper for Workshop on Web Tracking

I prepared a short position paper for the first W3C Workshop on Web Tracking and User Privacy on March 24, 2011.

I argue that the current proposals for allowing users to opt-out of tracking (which amount to either “do not collect/retain” or “do not use to target ads”) are not workable. I propose a third option focused primarily on the active removal of persistent identifiers that are used to correlate browsing activity over multiple sessions or multiple websites, allowing collecting data in de-identified form.

Read the paper here.

The State of Online Consumer Privacy

Senate Commerce Committee
Washington, DC | March 16, 2011

On March 16, 2011,  I appeared as a witness at the Senate Commerce Committee’s hearing on consumer privacy. Other witnesses included representatives from the Federal Trade Commission, the US Department of Commerce, Microsoft, Intuit, Group M Interaction, and the ACLU.

Read prepared testimony. 

Blog coverage of hearing.

Key quotes from hearing.


CSPAN archives include my delivered testimony, and a question from Senator Kerry regarding first party versus third party data collection. View entire hearing here.

Berkeley Law: Browser Privacy Mechanisms Roundtable

Berkeley Law
Berkeley, CA | February 9, 2011

I gave a tutorial on the state of online tracking. 

Audio archive. Transcript.

The Federal Trade Commission preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change,” called generally for privacy by design, and specifically for a do not track (DNT) system to allow consumers to better control online collection of information.  This is a challenging task, because many web interactions require a transfer of information that could be conceived of as “tracking.”  The major developers of browsers have all announced implementations of do not track systems recently.  The conceptions of DNT have different needs for implementing regulation and have different implications for businesses and consumers.  This roundtable explored the contours of the regulations needed to effectuate do not track, the technical options to implement it, and the political and economic implications of do not track systems.

 

Flash Cookies and Privacy


In August 2009, I and other graduate students at the University of California, Berkeley – School of Law, Berkeley Center for Law & Technology published Flash Cookies and Privacy, a paper that examined the use of ‘Flash cookies’ by popular websites.

Websites and Cookies

Advertisers are increasingly concerned about unique tracking of users online. Several studies have found that over 30% of users delete first party HTTP cookies once a month, thus leading to overestimation of the number of true unique visitors to websites, and attendant overpayment for advertising impressions.

Mindful of this problem, online advertising companies have attempted to increase the reliability of tracking methods. In 2005, United Virtualities (UV), an online advertising company, exclaimed, “All advertisers, websites and networks use [HTTP] cookies for targeted advertising, but cookies are under attack.” The company announced that it had, “developed a backup ID system for cookies set by web sites, ad networks and advertisers, but increasingly deleted by users. UV’s ‘Persistent Identification Element’ (PIE) is tagged to the user’s browser, providing each with a unique ID just like traditional cookie coding. However, PIEs cannot be deleted by any commercially available antispyware, mal-ware, or adware removal program. They will even function at the default security setting for Internet Explorer.”

United Virtualities’ PIE leveraged a feature in Adobe’s Flash MX: the “local shared object,” also known as the “Flash cookie.” [Read more…]

Digital Shadow


In 2008, I collaborated on a project called “Digital Shadow”.

As we go about our daily lives in the physical world, we are increasingly followed by a digital shadow, the record of our online actions and identities.  At times we can control the shadow – carefully crafting a personal profile on a social network site, for example, or maintaining a personal homepage or blog. In other contexts, we may be surprised, disturbed, or even put at risk by the breadth and detail of our digital personas.

Our project, Digital Shadow, proposes an interface that could help users explore these issues by extending the metaphor of the digital shadow into the physical world, using an interactive floor projection to display a “shadow” of personal information around users in the interaction space. The interface could be used to facilitate interaction between users in a professional or social setting, where each user had full control over their profile information; we are also interested in a more experimental mode, in which the interface could display an automatically retrieved set of public information from web searches and social network sites, asking users to consider the extent and ramifications of their digital shadow.

User Scenario

Tim is a college student who’s interested in multimedia/art exhibits.  He discovers an upcoming digital faire and decides to attend the reception.  There is no sign-up or RSVP so Tim just attends.

Upon entering the exhibit, Tim is identified and begins to see information about him, such as web posts, blogs, flickr images, and other digital artifacts projected on the floor around him, following him around the room.  As he interacts with other people in this space, he begins to feel slightly ‘exposed’ by the amount of information he is presenting to others.  Old flamewars and flickr posts he was involved in from when he was in highschool suddenly appear, and he begins to try and sweep them away with his foot.

Implementation

Our Digital Shadow has 4 main components:

  • a method for identifying a participant
  • a mechanism for tracking a participant and their gestures
  • some form of data-mining/research on participants
  • a form of visualization

We are currently exploring methods of identifying the users such as

  • requiring them to ‘sign up’ to participate
  • having an ‘operator’ add a participant when they enter the room
  • using a student’s

Once a participant has been ‘identified’, we plan to track their movement in the space using either

  • visual tracking in software/Processing using a webcam
  • using markers, such as color-specific stickers or LEDs to track a user
  • using infra-red cameras to detect objects/distance

The core of the system will consist of an internet enabled computer connected to a projector.  This will do all the computation, tracking, data-mining (internet/flickr/etc), and visualization (in Processing).