Announcing Floodwatch


Most web users are now pretty aware that their browsing and searching habits are constantly tracked. This tracking data is captured by advertising companies that then feed our information into ever-growing profiles that presume to know our age, gender, income strata, as well as our preferences and shopping habits. It’s exactly these profiles that generates the ads that to follow you from website to website, to remind you that, “Hey, you were shopping for sneakers, right?”.

But you are not your browser history. Far too often, your browsing patterns can lead to inaccurate assumptions about your preferences and personal characteristics. These inaccuracies are melded into your internet persona, which then influences what ads you see or how much you’re charged for an item. [Read more…]

Security at the Mercy of Advertising


Yahoo’s latest move is yet another example of the tension between end-user security and the online advertising ecosystem.

Last year, Yahoo announced plans to enable encryption by default as a direct response to a story that Barton Gellman and I wrote about the NSA’s collection of millions of address books globally.  One of the slides we referenced in that story indicated that the NSA was collecting substantially more addresses from Yahoo than the other providers (444,743 from Yahoo vs. 105,068 from Hotmail or 33,697 from Gmail). These figures make sense given that, at the time, Yahoo was still not using default encryption for their front-end webmail users, let alone their back end email delivery (something I’ve written about previously).

Today, Yahoo announced they’ve made progress on their encryption plans with the help of former iSec Partner’s cofounder, and information security guru, Alex Stamos.  As Alex’s first post as Yahoo CISO indicates: [Read more…]

The Limits of Harvesting Users Online

The state of New Jersey recently announced a $1 million settlement with E-Sports Entertainment, LLC over allegations that the company installed malware on its customers’ computers. The Attorney General claimed that E-Sports’ software allowed the company to use its customer’s computers to mine for Bitcoins without the user’s knowledge, generating thousands of dollars in Bitcoin value for E-Sports (and no value for the users) after numerous reports of unusually high CPU usage by their customers.  E-Sports released a statement apologizing and clarifying that this was the behavior of a rogue programmer. They also announced that they are donating the value of the bitcoins ($3,713) to the American Cancer Society plus doubling the donation from their own funds.

There were multiple components to the New Jersey case, including a privacy count regarding monitoring of users’ computer even when they were offline. However, the Bitcoin aspect of the complaint is extremely prescient, as there seems to be a burgeoning trend of government regulators looking more seriously at Bitcoin.

[Read more…]

CIR/NPR Collaboration – Your Data and Who Has Access to It

I collaborated with NPR and the Center for Investigative Reporting to develop this script describing who is tracking you throughout your day.  The video shows how your digital trail can be assembled into a pretty complete picture of who you are.  Some of the script may seem pretty far fetched, but every example was vetted by yours truly and occurs every day (in the US).

You can read the corresponding CIR story here.
NPR’s 4 part series on “All Tech Considered” below called “Your Digital Trail” below:

Part 1: How It Can Be Used Against You
Part 2: Privacy Company Access
Part 3: Does The Fourth Amendment Protect Us?
Part 4: Data Fuels Political And Legal Agendas

Questions on the Google AdID

I’ve received a few inquiries about the recent announcement of Google AdID. Because Google hasn’t released many details about the implementation, I am a bit reluctant to speculate too broadly. However, I thought it would be useful to present some thoughts on the potential reasons for this shift and its impact on consumer privacy.

Google’s proposed advertising ID seems to be motivated by the following factors:

  1. The increasing number of consumers blocking 3rd party cookies. Recent studies indicate that consumers are increasingly concerned about their privacy online and as many as 20% have blocked browser cookies.  I suspect this figure will rise as privacy issues continue to capture public attention.
  2. The trend of advertisers moving to non-cookie based identifiers (e.g. browser fingerprinting).
  3. To avoid missteps along the same lines of Apple/Safari.
  4. The increased pressure to offer advertisers ‘enhanced’ cross-device tracking capabilities like they already do with google analytics.
  5. The tension (and lack of progress) in the Do-Not-Track negotiations–specifically, the Digital Advertising Alliance’s (DAA) recent abandonment of the process. (Google is a member of the DAA.)

[Read more…]

Congressional Internet Caucus: Enabling Do Not Track Privacy- Is It Dead or Alive?

Washington DC | May 24, 2013

A panel of experts discussed the current state of “Do Not Track” efforts.  I focused on the technical difficulty of blocking tracking and ways to ensure consumers have a choice.  You can read more about my thoughts on DNT here.


I was on a similar panel two years ago where we discussed whether Congressional action was necessary to ensure consumers opt-out of tracking.

Watch the panel here. My remarks start at 14:30.

Amsterdam Privacy Conference: Behavioural Targeting and Privacy

Amsterdam Privacy Conference
Amsterdam, The Netherlands | October 7-10, 2012

This interdisciplinary panel brought together leading scholars from Europe and the United States to present and discuss recent research on various aspects of behavioural targeting and privacy. Behavioural targeting is the monitoring of people’s online behaviour over time to use the collected information to target people with advertising matching their inferred interests. Using cookies or other tracking technologies, companies compile detailed profiles based on what internet users read, what videos they watch, what they search for etc. Profiles are enriched with up to date location data of users of mobile devices, data that people submit to websites themselves and other data that are gathered on and off line. As the internet plays an ever-larger role in our lives, the profiles will become ever more detailed. The constant stream of articles in the academic literature and popular press on behavioural targeting illustrates the relevance of the subject, which is high on the agenda of regulators in Europe and the United States.

I was a discussant at this event.

OPEN Silicon Valley: Big Data –The Good, The Bad and the Ugly

OPEN Silicon Valley Forum
Mountain View, CA | June 2, 2012

Online privacy concerns have confounded many an entrepreneurs and taken some off-guard. The recent episodes of Path address book uploads, Apple UDID ban, Google privacy policy change, Safari cookie bypass, Facebook timeline launch, and Target predicting teenage girls’ pregnancies before their families do have all put online privacy front and center in the media, with federal regulators and legislators on the Hill taking note of every single move of these companies. While the concerns around social networks and mobile applications eroding our privacy, reputation, and trust are being voiced, it must be balanced with the reality that online information sharing using innovative technologies presents unprecedented opportunities for the community. Both these dimensions are often considered at odds with each other, leading many- especially the entrepreneurs- to question if online privacy issues can put a brake on the innovation engine fueled by big data technologies.

I was a panelist.

Future of Privacy Forum Presents – Personal Information: The Benefits and Risks of De-Identification

Future of Privacy Forum
National Press Club, Washington, DC | December 5, 2011

On December 5, 2011, leading academics, advocates, Chief Privacy Officers, legal experts and policymakers gathered to discuss and debate the benefits and risks of de-identification and the definition of personal information. I joined the event to talk about advertising and marketing uses and concerns.

View video archive

Berkeley Law: Browser Privacy Mechanisms Roundtable

Berkeley Law
Berkeley, CA | February 9, 2011

I gave a tutorial on the state of online tracking. 

Audio archive. Transcript.

The Federal Trade Commission preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change,” called generally for privacy by design, and specifically for a do not track (DNT) system to allow consumers to better control online collection of information.  This is a challenging task, because many web interactions require a transfer of information that could be conceived of as “tracking.”  The major developers of browsers have all announced implementations of do not track systems recently.  The conceptions of DNT have different needs for implementing regulation and have different implications for businesses and consumers.  This roundtable explored the contours of the regulations needed to effectuate do not track, the technical options to implement it, and the political and economic implications of do not track systems.