The Limits of Harvesting Users Online

The state of New Jersey recently announced a $1 million settlement with E-Sports Entertainment, LLC over allegations that the company installed malware on its customers’ computers. The Attorney General claimed that E-Sports’ software allowed the company to use its customer’s computers to mine for Bitcoins without the user’s knowledge, generating thousands of dollars in Bitcoin value for E-Sports (and no value for the users) after numerous reports of unusually high CPU usage by their customers.  E-Sports released a statement apologizing and clarifying that this was the behavior of a rogue programmer. They also announced that they are donating the value of the bitcoins ($3,713) to the American Cancer Society plus doubling the donation from their own funds.

There were multiple components to the New Jersey case, including a privacy count regarding monitoring of users’ computer even when they were offline. However, the Bitcoin aspect of the complaint is extremely prescient, as there seems to be a burgeoning trend of government regulators looking more seriously at Bitcoin.

[Read more…]

CIR/NPR Collaboration – Your Data and Who Has Access to It

I collaborated with NPR and the Center for Investigative Reporting to develop this script describing who is tracking you throughout your day.  The video shows how your digital trail can be assembled into a pretty complete picture of who you are.  Some of the script may seem pretty far fetched, but every example was vetted by yours truly and occurs every day (in the US).

You can read the corresponding CIR story here.
NPR’s 4 part series on “All Tech Considered” below called “Your Digital Trail” below:

Part 1: How It Can Be Used Against You
Part 2: Privacy Company Access
Part 3: Does The Fourth Amendment Protect Us?
Part 4: Data Fuels Political And Legal Agendas

Questions on the Google AdID

I’ve received a few inquiries about the recent announcement of Google AdID. Because Google hasn’t released many details about the implementation, I am a bit reluctant to speculate too broadly. However, I thought it would be useful to present some thoughts on the potential reasons for this shift and its impact on consumer privacy.

Google’s proposed advertising ID seems to be motivated by the following factors:

  1. The increasing number of consumers blocking 3rd party cookies. Recent studies indicate that consumers are increasingly concerned about their privacy online and as many as 20% have blocked browser cookies.  I suspect this figure will rise as privacy issues continue to capture public attention.
  2. The trend of advertisers moving to non-cookie based identifiers (e.g. browser fingerprinting).
  3. To avoid missteps along the same lines of Apple/Safari.
  4. The increased pressure to offer advertisers ‘enhanced’ cross-device tracking capabilities like they already do with google analytics.
  5. The tension (and lack of progress) in the Do-Not-Track negotiations–specifically, the Digital Advertising Alliance’s (DAA) recent abandonment of the process. (Google is a member of the DAA.)

[Read more…]

How Protecting Your Privacy Could Make You the Bad Guy

pandora netherlands

There’s a funny catch-22 when it comes to privacy best practices. The very techniques that experts recommend to protect your privacy from government and commercial tracking could be at odds with the antiquated, vague Computer Fraud and Abuse Act (CFAA).

A number of researchers (including me) recently joined an amicus brief (filed by Stanford’s Center for Internet and Society in the “Weev” case), arguing how security and privacy researchers are put at risk by this law.

However, I’d also like to make the case here that the CFAA is bad privacy policy for consumers, too. [Read more…]

The Big Picture: Comprehensive Online Data Collection

Federal Trade Commission Workshop
Washington, DC | December 6, 2012

I participated in a workshop, organized by the Federal Trade Commission, designed to examine the practices and privacy implications of “comprehensive” data collection about consumers’ online activities.

This discussion highlighted the need for a comprehensive policy governing tracking behavior.

Video from session 2

For Your Eyes Only: Privacy, Empowerment and Technology in the Context of Social Networks

User Empowerment in Social Media Culture Conference
Brussels, Belgium | November 30, 2012

Privacy in social network is typically associated with the difficulty of configuring the settings so that the uploaded information does not become available to unintended audiences. There is however a wide range of security and privacy issues in these systems, as well as a diversity of technologies that have been proposed to improve the protection of their users. This panel tackled the question of what it means to protect security and privacy in social networks. Panelists discussed the different types of threats, assumptions, adversarial models, security and privacy objectives, available technologies to achieve these objectives, as well as the limitations of these technologies.

I was a panelist.

The End of Privacy?

Ford Foundation’s Wired for Change Conference
New York, NY | October 23, 2012

As part of Ford Foundation’s Wired for Change conference, noted consumer privacy experts and technologists Harvey Anderson, Brad Burnham, Kamala D. Harris, Jon Leibowitz and I considered how mining Big Data and safeguarding privacy can reasonably coexist, moderated by John Palfrey.

View complete video archive

Amsterdam Privacy Conference: Behavioural Targeting and Privacy

Amsterdam Privacy Conference
Amsterdam, The Netherlands | October 7-10, 2012

This interdisciplinary panel brought together leading scholars from Europe and the United States to present and discuss recent research on various aspects of behavioural targeting and privacy. Behavioural targeting is the monitoring of people’s online behaviour over time to use the collected information to target people with advertising matching their inferred interests. Using cookies or other tracking technologies, companies compile detailed profiles based on what internet users read, what videos they watch, what they search for etc. Profiles are enriched with up to date location data of users of mobile devices, data that people submit to websites themselves and other data that are gathered on and off line. As the internet plays an ever-larger role in our lives, the profiles will become ever more detailed. The constant stream of articles in the academic literature and popular press on behavioural targeting illustrates the relevance of the subject, which is high on the agenda of regulators in Europe and the United States.

I was a discussant at this event.

OPEN Silicon Valley: Big Data –The Good, The Bad and the Ugly

OPEN Silicon Valley Forum
Mountain View, CA | June 2, 2012

Online privacy concerns have confounded many an entrepreneurs and taken some off-guard. The recent episodes of Path address book uploads, Apple UDID ban, Google privacy policy change, Safari cookie bypass, Facebook timeline launch, and Target predicting teenage girls’ pregnancies before their families do have all put online privacy front and center in the media, with federal regulators and legislators on the Hill taking note of every single move of these companies. While the concerns around social networks and mobile applications eroding our privacy, reputation, and trust are being voiced, it must be balanced with the reality that online information sharing using innovative technologies presents unprecedented opportunities for the community. Both these dimensions are often considered at odds with each other, leading many- especially the entrepreneurs- to question if online privacy issues can put a brake on the innovation engine fueled by big data technologies.

I was a panelist.

Berkeley Law: Conference on Web Privacy Measurement

Berkeley Center for Law and Technology
Berkeley, CA | May 31 – June 1, 2012

As the Web continues to transition from a static collection of documents to an application platform, websites are learning more and more about users. Many forms of Web information sharing pose little privacy risk and provide tremendous benefit to both consumers and businesses. But some Web information practices pose significant privacy problems and have caused concern among consumers, policymakers, advocates, researchers, and others. Data collection is now far more complex than HTTP cookies, and the information available to websites can include a user’s name, contact details, sensitive personal information, and even real-time location. At present there are few restrictions on and scant transparency in Web information practices. There is a growing chasm between what society needs to know about Web tracking and what the privacy measurement community has been able to bring to light.

A number of practitioners, researchers, and advocates have begun to more formally study how websites collect, use, and share information about their users. The goal of the Conference on Web Privacy Measurement (WPM) is to advance the state of the art and foster a community on how to detect, quantify, and analyze Web information vectors across the desktop and mobile landscapes. Such vectors include browser tracking, such as cookies, flash cookies, the geolocation API, microphone API, and camera API; and server-side tracking, such as browser fingerprinting. We are also interested in the deployment of privacy-preserving technologies, such as HTTPS and proper deployment of P3P.

I served on the programming committee for this event, and led a discussion about tools for web privacy measurement.

Facebook and your Privacy: What Every Consumer Should Know in the Digital Age

Consumer Reports Roundtable
New York, NY | May 4, 2012

On May 4, 2012, I participated in a panel discussion about consumer privacy on Facebook, organized by Consumer Reports. The panel was part of a larger examination of the issue, which was featured in the June 2012 issue of their magazine. Included tips about Facebook privacy settings.

View video archive

TechCrunch TV: Ashkan Soltani On Mobile App Security

TechCrunch TV | May 3, 2012

TechCrunch TV had me on to discuss Path, Apple’s collection of location information, and the various other privacy issues with mobile devices.


Ashkan Soltani On Mobile App Security by 5minTech

Why You Should Treat Your iPhone Like a Toddler: The State of Mobile App Security Techcrunch, May 3, 2012

2012 State of the Mobile Net Conference

Advisory Committee to the Congressional Internet Caucus
Washington, DC | May 3, 2012

The 4th Annual State of the Mobile Net Conference featured debates about the most pressing issues facing the exploding mobile net. While App developers frenetically code away, Washington policymakers are looking more and more closely at the mobile net ecosystem. Indeed, Washington policymakers are eager to help the mobile net achieve its potential by freeing up spectrum, implementing consumer protections and considering privacy rules for the burgeoning app market. With the speed at which the mobile net is evolving, how can Washington policymakers provide the appropriate level of assistance?

I took part in a panel called Complex Devices / Complex Privacy Questions: Grappling With Privacy In the Mobile Space

View video archive

App Developer Privacy Summit

Palo Alto, CA | April 25, 2012

Mobile apps and the services they provide have been one of the most exciting areas of innovation in recent years. Many of these new services have been successful because they enable consumers to use data to connect, discover and accomplish in new ways, but the collection and use of consumer data in the complex mobile environment has caused a rise in privacy concerns. To maintain the consumer trust necessary to continue the pace of innovation, the key participants in the app ecosystem need to work together.

To better understand their respective roles in this new ecosystem, platforms, app developers, carriers, consumers and policymakers are gathering to address current and pressing consumer privacy issues. The Application Developers Alliance and the Future of Privacy Forum, along with the Stanford Law School Center for Internet and Society, hosted the App Developer Privacy Summit on April 25, 2012.

I was one of the panelists/presenters.

Go to 2 hours, 32 minutes for details.

MobileScope Takes WSJ Data-Transparency Prize

Wall Street Journal Live/Digits | April 17, 2012

Ashkan Soltani, the programmer who designed the MobileScope app and the technical adviser for WSJ’s What They Know series, discusses his privacy app, which won WSJ’s Transparency Weekend “Ready for Primetime” award.


MobileScope Takes WSJ Data-Transparency Prize by 5minTech

Learn more about Mobilescope.

Future of Privacy Forum Presents – Personal Information: The Benefits and Risks of De-Identification

Future of Privacy Forum
National Press Club, Washington, DC | December 5, 2011

On December 5, 2011, leading academics, advocates, Chief Privacy Officers, legal experts and policymakers gathered to discuss and debate the benefits and risks of de-identification and the definition of personal information. I joined the event to talk about advertising and marketing uses and concerns.

View video archive

Berkeley Law: Online Tracking Protection and Browsers

Berkeley Law
Brussels, Belgium | June 22, 2011

While US regulators and legislators consider a “do not track” mechanism to allow more effective control of online collection of information, European regulators have moved aggressively to give consumers more control over there mere placement of cookies through the E-Privacy directive.  Many questions surround the confluence of US and European developments, including the scope of do not track, the implications of different implementations of do not track, the economic implications of greater consumer control over tracking, and how do not track will be applied in European markets.  BCLT and the University of Amsterdam’s Institute for Information Law hosted a workshop to explore the law and technology of online tracking and mechanisms for consumer control of tracking June 22-23 in Brussels, Belgium.  Participants included FTC Commissioner Julie Brill, Vice-President of the European Commission and Commissioner for the Digital Agenda Neelie Kroes, The Office of Science and Technology Policy CTO Daniel Weitzner, DG Society Director Robert Madelin, and technologist Ashkan Soltani.  

I presented a tutorial on the state of online tracking that covered online tracking technologies and business models, including demand side platforms.

WC3 Workshop on Web Tracking and User Privacy

Center for Information and Technology at Princeton University
Princeton, NJ | April 28-29, 2011

This workshop served to establish a common view on possible Recommendation-track work in the Web privacy and tracking protection space at W3C, and on the coordination needs for such work.

The workshop was expected to attract a broad set of stakeholders, including implementers from the mobile and desktop space, large and small content delivery providers, advertisement networks, search engines, policy and privacy experts, experts in consumer protection, and other parties with an interest in Web tracking technologies, including the developers and operators of Services on the Web that make use of tracking technologies for purposes other than to behavioral advertising.

In the position paper I submitted, I proposed potential alternative approaches to framing tracking that enables companies to engage in measurable online advertisement while providing the most important privacy protections articulated by advocates. This approach focuses primarily on the active removal of persistent identifiers that are used to correlate browsing activity over multiple sessions or multiple websites.

Enabling Online Privacy With Do Not Track: By Congress, Corporations or Code?

Congressional Internet Caucus Advisory Committee
Washington, DC | April 5, 2011

The online privacy Do Not Track proposal (DNT), modeled after the popular “Do Not Call” concept, has captured the imagination of those who wish to protect consumer privacy in Congress, in industry and among privacy advocates and consumers alike. Consumer privacy advocates have proposed it, the Chairman of the Federal Trade Commission has endorsed it, and Members of Congress have drafted legislation to enact it. Yet remarkably, there is no broad consensus on *what* DNT is or even on *who” should be responsible for making it a reality.

I joined other experts for a panel regarding the potential implementation of Do Not Track. Others included representatives from Microsoft, the Digital Advertising Alliance, the Federal Trade Commission, and the Internet Caucus Advisory Committee.

Listen to audio archive

The State of Online Consumer Privacy

Senate Commerce Committee
Washington, DC | March 16, 2011

On March 16, 2011,  I appeared as a witness at the Senate Commerce Committee’s hearing on consumer privacy. Other witnesses included representatives from the Federal Trade Commission, the US Department of Commerce, Microsoft, Intuit, Group M Interaction, and the ACLU.

Read prepared testimony. 

Blog coverage of hearing.

Key quotes from hearing.


CSPAN archives include my delivered testimony, and a question from Senator Kerry regarding first party versus third party data collection. View entire hearing here.

Berkeley Law: Browser Privacy Mechanisms Roundtable

Berkeley Law
Berkeley, CA | February 9, 2011

I gave a tutorial on the state of online tracking. 

Audio archive. Transcript.

The Federal Trade Commission preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change,” called generally for privacy by design, and specifically for a do not track (DNT) system to allow consumers to better control online collection of information.  This is a challenging task, because many web interactions require a transfer of information that could be conceived of as “tracking.”  The major developers of browsers have all announced implementations of do not track systems recently.  The conceptions of DNT have different needs for implementing regulation and have different implications for businesses and consumers.  This roundtable explored the contours of the regulations needed to effectuate do not track, the technical options to implement it, and the political and economic implications of do not track systems.