CIR/NPR Collaboration – Your Data and Who Has Access to It

I collaborated with NPR and the Center for Investigative Reporting to develop this script describing who is tracking you throughout your day.  The video shows how your digital trail can be assembled into a pretty complete picture of who you are.  Some of the script may seem pretty far fetched, but every example was vetted by yours truly and occurs every day (in the US).

You can read the corresponding CIR story here.
NPR’s 4 part series on “All Tech Considered” below called “Your Digital Trail” below:

Part 1: How It Can Be Used Against You
Part 2: Privacy Company Access
Part 3: Does The Fourth Amendment Protect Us?
Part 4: Data Fuels Political And Legal Agendas

Questions on the Google AdID

I’ve received a few inquiries about the recent announcement of Google AdID. Because Google hasn’t released many details about the implementation, I am a bit reluctant to speculate too broadly. However, I thought it would be useful to present some thoughts on the potential reasons for this shift and its impact on consumer privacy.

Google’s proposed advertising ID seems to be motivated by the following factors:

  1. The increasing number of consumers blocking 3rd party cookies. Recent studies indicate that consumers are increasingly concerned about their privacy online and as many as 20% have blocked browser cookies.  I suspect this figure will rise as privacy issues continue to capture public attention.
  2. The trend of advertisers moving to non-cookie based identifiers (e.g. browser fingerprinting).
  3. To avoid missteps along the same lines of Apple/Safari.
  4. The increased pressure to offer advertisers ‘enhanced’ cross-device tracking capabilities like they already do with google analytics.
  5. The tension (and lack of progress) in the Do-Not-Track negotiations–specifically, the Digital Advertising Alliance’s (DAA) recent abandonment of the process. (Google is a member of the DAA.)

[Read more…]

How Protecting Your Privacy Could Make You the Bad Guy

pandora netherlands

There’s a funny catch-22 when it comes to privacy best practices. The very techniques that experts recommend to protect your privacy from government and commercial tracking could be at odds with the antiquated, vague Computer Fraud and Abuse Act (CFAA).

A number of researchers (including me) recently joined an amicus brief (filed by Stanford’s Center for Internet and Society in the “Weev” case), arguing how security and privacy researchers are put at risk by this law.

However, I’d also like to make the case here that the CFAA is bad privacy policy for consumers, too. [Read more…]

Congressional Internet Caucus: Enabling Do Not Track Privacy- Is It Dead or Alive?

Washington DC | May 24, 2013

A panel of experts discussed the current state of “Do Not Track” efforts.  I focused on the technical difficulty of blocking tracking and ways to ensure consumers have a choice.  You can read more about my thoughts on DNT here.


I was on a similar panel two years ago where we discussed whether Congressional action was necessary to ensure consumers opt-out of tracking.

Watch the panel here. My remarks start at 14:30.

Why We Still Need DNT

[hulu thumbnail_frame=15]

Earlier this month, the World Wide Web Consortium (W3C) met face-to-face in California to discuss Do Not Track standards, and there’s a lot of concern about whether the group will to meet their self-imposed July deadline. Do Not Track has been getting attention from the media again after the recent re-introduction of the legislation, mostly focused on the controversy it provokes, whether it’s necessary given the upcoming browser modifications, or how unlikely it is to pass Congress. In fact, I will be participating in a panel hosted by the Congressional Internet Caucus titled “Enabling Do Not Track Privacy: Is It Dead or Alive?“, which will be broadcast on CSPAN today. (Watch it here.)

The conversation about tracking isn’t new. Exactly thirteen years ago the very same set of stakeholders were debating the very same set of issues: privacy, 3rd party cookies, and what tracking defaults should be. In fact, if you didn’t notice the date of the article (07/21/2000), you might confuse it for breaking news. Many of the players cited in that article are the same you’d see quoted today (here’s looking at you Microsoft, Doubleclick, Mozilla (Netscape), National Advertising Initiative, and EPIC), and we seem no closer to developing comprehensive standards for online tracking than we were 13 years ago. It can get discouraging. [Read more…]

Cookies from Nowhere


Google is tracking Safari users across the web even though when they attempt to block 3rd party cookies and have never visited This is a function of the anti phishing and malware lists used by both Safari, Firefox (and, of course, Chrome) that automatically update from Google in the background and places Google cookies.

This is a separate issue than the one uncovered Feb 17, 2012 surrounding Google circumvention of Safari’s default cookie blocking features. Essentially, even though Google has fixed the Doubleclick issue due to ‘social sync’, they are still able to track Safari users everywhere there is a +1 button on the web, even when users have 3rd party cookies blocked.

[Read more…]

Flash Cookies and Privacy II

A detailed technical followup to Flash Cookies and Privacy II, describing the mechanisms behind Hulu/KISSmetrics’ respawning practices

cookiemonsterdeleteI thought I’d take the time to elaborate a bit further regarding the technical mechanisms described in our Flash Cookies and Privacy II paper that generated a bit of buzz recently. For a bit of background, I, along with Chris Hoofnagle and Nathan Good, had the honor of supervising Mika Ayenson and Dietrich J. Wambach in replicating our previous 2009 study which found that websites were circumventing user choice by deliberately restoring previously deleted HTTP cookies using persistent storage outside of the control of the browser (a practice we dubbed ‘respawning’).

In our follow up study, we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the site. Additionally, Hulu, Spotify, and many others were also respawning using code provided by analytics firm KISSmetrics.* Hitten Shah, the founder of KISSmetrics, initially confirmed that the research surrounding respawning was correct in an interview with Ryan Singel although he later criticized the findings after a lawsuit was filed.

(*Hulu and KISSmetrics have both ceased respawning as of July 29th 2011)

[Read more…]

CyberJungle Radio: KISSMetrics WebTracking

The CyberJungle Radio Show | August 5, 2011

In 2011, I was a guest on CyberJungle Radio at SecurityBsides Las Vegas, the shadow conference to BlackHat Las Vegas. The CyberJungle got my take on the KISSMetrics web tracking spat.

Audio archive of interview.

Related Reading

Respawn Redux
Flash Cookies and Privacy II (2011)
Flash Cookies and Privacy (2009)

Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning


In August 2009, the research team published Flash Cookies and Privacy, a paper that demonstrated that popular websites were using Flash cookies to track users.  Some advertisers has adopted this technology because it allowed persistent tracking, even where users had taken steps to avoid web profiling. This allowed sites to reinstantiate HTTP cookies deleted by a user, making tracking more resistant to users’ privacy-setting behaviors.

In this followup study, we reassess the flash cookies landscape and examine a new tracking vector, HTML5 local storage and cache cookies via eTags. [Read more…]

Flash Cookies and Privacy


In August 2009, I and other graduate students at the University of California, Berkeley – School of Law, Berkeley Center for Law & Technology published Flash Cookies and Privacy, a paper that examined of the use of ‘Flash cookies’ by popular websites.

Websites and Cookies

Advertisers are increasingly concerned about unique tracking of users online. Several studies have found that over 30% of users delete first party HTTP cookies once a month, thus leading to overestimation of the number of true unique visitors to websites, and attendant overpayment for advertising impressions.

Mindful of this problem, online advertising companies have attempted to increase the reliability of tracking methods. In 2005, United Virtualities (UV), an online advertising company, exclaimed, “All advertisers, websites and networks use [HTTP] cookies for targeted advertising, but cookies are under attack.” The company announced that it had, “developed a backup ID system for cookies set by web sites, ad networks and advertisers, but increasingly deleted by users. UV’s ‘Persistent Identification Element’ (PIE) is tagged to the user’s browser, providing each with a unique ID just like traditional cookie coding. However, PIEs cannot be deleted by any commercially available antispyware, mal-ware, or adware removal program. They will even function at the default security setting for Internet Explorer.”

United Virtualities’ PIE leveraged a feature in Adobe’s Flash MX: the “local shared object,” also known as the “Flash cookie.” [Read more…]