PEN America Essay: Understanding the Threat

I wrote this essay for a conference hosted by PEN America on the chilling effects of surveillance. I was asked to address what questions researchers should focus on and I discussed the threat posed by stored data and the opportunity for researchers to create new transparency tools. It was originally published here, but you can also read it below!

How do we protect something we can barely see?

As much time as we spend discussing privacy, you would think it’d be easy to define. Yet the more we discuss it, the more it becomes apparent that our definitions of privacy vary widely. For some it means keeping only their deepest secrets safe, while for others any information collected about them without their consent is perceived as a violation. Despite these inconsistencies, most definitions of privacy depend on knowing and controlling what information is collected about us.

Most of the time users don’t realize how much information they are sharing, how it’s stored, or who has access to it. In the analog world, controlling one’s own information was relatively straightforward. Obvious physical and cost barriers limited how quickly and how far information about an individual could be shared. Its reach was our personal circle of friends or maybe a wider community if there were a diligent town gossip. But technology has expanded the reach of information significantly. Now, there are vast quantities of data collected about individual users daily, often stored indefinitely in data centers operated by private companies, and available to anyone who is granted (or can forcefully obtain) access.

PostTV: For NSA, Google cookies allow ‘laser-guided’ targeting


Intelligence agencies use cookies installed by Google, which typically track users for commercial advertising purposes, to follow suspects online and target them with malware. You can read more about this story here.

Questions on the Google AdID

I’ve received a few inquiries about the recent announcement of Google AdID. Because Google hasn’t released many details about the implementation, I am a bit reluctant to speculate too broadly. However, I thought it would be useful to present some thoughts on the potential reasons for this shift and its impact on consumer privacy.

Google’s proposed advertising ID seems to be motivated by the following factors:

  1. The increasing number of consumers blocking 3rd party cookies. Recent studies indicate that consumers are increasingly concerned about their privacy online and as many as 20% have blocked browser cookies. I suspect this figure will rise as privacy issues continue to capture public attention.
  2. The trend of advertisers moving to non-cookie based identifiers (e.g. browser fingerprinting).
  3. To avoid missteps along the same lines as Apple/Safari.
  4. The increased pressure to offer advertisers ‘enhanced’ cross-device tracking capabilities like they already do with Google Analytics.
  5. The tension (and lack of progress) in the Do-Not-Track negotiations, specifically the Digital Advertising Alliance’s (DAA) recent abandonment of the process. (Google is a member of the DAA.)


How Protecting Your Privacy Could Make You the Bad Guy


There’s a funny catch-22 when it comes to privacy best practices. The very techniques that experts recommend to protect your privacy from government and commercial tracking could be at odds with the antiquated, vague Computer Fraud and Abuse Act (CFAA).

A number of researchers (including me) recently joined an amicus brief (filed by Stanford’s Center for Internet and Society in the “Weev” case), arguing how security and privacy researchers are put at risk by this law.

However, I’d also like to make the case here that the CFAA is bad privacy policy for consumers, too.

Congressional Internet Caucus: Enabling Do Not Track Privacy: Is It Dead or Alive?

Washington DC | May 24, 2013

A panel of experts discussed the current state of “Do Not Track” efforts.  I focused on the technical difficulty of blocking tracking and ways to ensure consumers have a choice.  You can read more about my thoughts on DNT here.


I was on a similar panel two years ago where we discussed whether Congressional action was necessary to ensure consumers opt-out of tracking.

Watch the panel here. My remarks start at 14:30.

Why We Still Need DNT


Earlier this month, the World Wide Web Consortium (W3C) met face-to-face in California to discuss Do Not Track standards, and there’s a lot of concern about whether the group will meet their self-imposed July deadline. Do Not Track has been getting attention from the media again after the recent re-introduction of the legislation, mostly focused on the controversy it provokes, whether it’s necessary given the upcoming browser modifications, or how unlikely it is to pass Congress. In fact, I will be participating in a panel hosted by the Congressional Internet Caucus titled “Enabling Do Not Track Privacy: Is It Dead or Alive?”, which will be broadcast on CSPAN today. (Watch it here.)

The conversation about tracking isn’t new. Exactly thirteen years ago the very same set of stakeholders were debating the very same set of issues: privacy, 3rd party cookies, and what tracking defaults should be. In fact, if you didn’t notice the date of the article (07/21/2000), you might confuse it for breaking news. Many of the players cited in that article are the same you’d see quoted today (here’s looking at you Microsoft, Doubleclick, Mozilla (Netscape), National Advertising Initiative, and EPIC), and we seem no closer to developing comprehensive standards for online tracking than we were 13 years ago. It can get discouraging.

W3C Workshop: Do Not Track and Beyond

UC Berkeley | November 26 – 27, 2012

This workshop served as a forum for the W3C membership and the public to discuss the Consortium’s next steps in the area of tracking protection and Web privacy. What have we learned from Do Not Track standardization and real-world implementations? Furthermore, undoubtedly support for privacy on the Web platform cannot end with Do Not Track: what should we look at next and beyond DNT?

I was a participant.

When Zombies Attack – a Tracking Love Story

OWASP AppSec USA 2011 Conference
Minneapolis, MN | September 20 – 23, 2011

In this talk, Gerrit Padgham and I talked about the current state of online tracking and highlighted current practices such as “cookie respawning” and non-cookie based tracking that popular websites and mobile applications engage in. We discussed theories on why the platforms we use do not adequately protect users from these threats and highlighted the proposed solutions, such as additional transparency tools and Do-Not-Track, that are intended to help mitigate these issues. We also demonstrated MobileScope, a technical solution we have been developing to give the end user ultimate visibility into the traffic their device is sending. Finally, we discussed open questions surrounding the ability to adequately assess risk, drawing from behavioral economics and risk management theories for cues as to potential outcomes in this space.

When Zombies Attack: A Tracking Love Story with Ashkan Soltani & Gerrit Padgham from OWASP on Vimeo.

Additional video archives on YouTube.

PDF of slides

Berkeley Law: Online Tracking Protection and Browsers

Berkeley Law
Brussels, Belgium | June 22, 2011

While US regulators and legislators consider a “do not track” mechanism to allow more effective control of online collection of information, European regulators have moved aggressively to give consumers more control over the mere placement of cookies through the E-Privacy directive. Many questions surround the confluence of US and European developments, including the scope of do not track, the implications of different implementations of do not track, the economic implications of greater consumer control over tracking, and how do not track will be applied in European markets. BCLT and the University of Amsterdam’s Institute for Information Law hosted a workshop to explore the law and technology of online tracking and mechanisms for consumer control of tracking June 22-23 in Brussels, Belgium. Participants included FTC Commissioner Julie Brill, Vice-President of the European Commission and Commissioner for the Digital Agenda Neelie Kroes, The Office of Science and Technology Policy CTO Daniel Weitzner, DG Society Director Robert Madelin, and technologist Ashkan Soltani.

I presented a tutorial on the state of online tracking that covered online tracking technologies and business models, including demand side platforms.

W3C Workshop on Web Tracking and User Privacy

Center for Information and Technology at Princeton University
Princeton, NJ | April 28-29, 2011

This workshop served to establish a common view on possible Recommendation-track work in the Web privacy and tracking protection space at W3C, and on the coordination needs for such work.

The workshop was expected to attract a broad set of stakeholders, including implementers from the mobile and desktop space, large and small content delivery providers, advertisement networks, search engines, policy and privacy experts, experts in consumer protection, and other parties with an interest in Web tracking technologies, including the developers and operators of Services on the Web that make use of tracking technologies for purposes other than behavioral advertising.

In the position paper I submitted, I proposed potential alternative approaches to framing tracking that enable companies to engage in measurable online advertisement while providing the most important privacy protections articulated by advocates. This approach focuses primarily on the active removal of persistent identifiers that are used to correlate browsing activity over multiple sessions or multiple websites.

Enabling Online Privacy With Do Not Track: By Congress, Corporations or Code?

Congressional Internet Caucus Advisory Committee
Washington, DC | April 5, 2011

The online privacy Do Not Track proposal (DNT), modeled after the popular “Do Not Call” concept, has captured the imagination of those who wish to protect consumer privacy in Congress, in industry and among privacy advocates and consumers alike. Consumer privacy advocates have proposed it, the Chairman of the Federal Trade Commission has endorsed it, and Members of Congress have drafted legislation to enact it. Yet remarkably, there is no broad consensus on *what* DNT is or even on *who* should be responsible for making it a reality.

I joined other experts for a panel regarding the potential implementation of Do Not Track. Others included representatives from Microsoft, the Digital Advertising Alliance, the Federal Trade Commission, and the Internet Caucus Advisory Committee.

Listen to audio archive

W3C Position Paper for Workshop on Web Tracking

I prepared a short position paper for the first W3C Workshop on Web Tracking and User Privacy on March 24, 2011.

I argue that the current proposals for allowing users to opt out of tracking (which amount to either “do not collect/retain” or “do not use to target ads”) are not workable. I propose a third option focused primarily on the active removal of persistent identifiers that are used to correlate browsing activity over multiple sessions or multiple websites, allowing data to be collected in de-identified form.

Read the paper here.

The State of Online Consumer Privacy

Senate Commerce Committee
Washington, DC | March 16, 2011

On March 16, 2011, I appeared as a witness at the Senate Commerce Committee’s hearing on consumer privacy. Other witnesses included representatives from the Federal Trade Commission, the US Department of Commerce, Microsoft, Intuit, Group M Interaction, and the ACLU.

Read prepared testimony. 

Blog coverage of hearing.

Key quotes from hearing.


CSPAN archives include my delivered testimony, and a question from Senator Kerry regarding first party versus third party data collection. View entire hearing here.

Berkeley Law: Browser Privacy Mechanisms Roundtable

Berkeley Law
Berkeley, CA | February 9, 2011

I gave a tutorial on the state of online tracking. 

Audio archive. Transcript.

The Federal Trade Commission preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change,” called generally for privacy by design, and specifically for a do not track (DNT) system to allow consumers to better control online collection of information.  This is a challenging task, because many web interactions require a transfer of information that could be conceived of as “tracking.”  The major developers of browsers have all announced implementations of do not track systems recently.  The conceptions of DNT have different needs for implementing regulation and have different implications for businesses and consumers.  This roundtable explored the contours of the regulations needed to effectuate do not track, the technical options to implement it, and the political and economic implications of do not track systems.