PEN America Essay: Understanding the Threat

I wrote this essay for a conference hosted by PEN America on the chilling effects of surveillance. I was asked to address what questions researchers should focus on and I discussed the threat posed by stored data and the opportunity for researchers to create new transparency tools. It was originally published here, but you can also read it below!

How do we protect something we can barely see?

As much time as we spend discussing privacy, you would think it’d be easy to define. Yet the more we discuss it, the more it becomes apparent that our definitions of privacy vary widely. For some it means keeping only their deepest secrets safe, while for others any information collected about them without their consent is perceived as a violation. Despite these inconsistencies, most definitions of privacy depend on knowing and controlling what information is collected about us.

Most of the time users don’t realize how much information they are sharing, how it’s stored, or who has access to it. In the analog world, controlling one’s own information was relatively straightforward. Obvious physical and cost barriers limit how quickly and how far information about an individual can be shared. Its reach was our personal circle of friends or maybe a wider community if there were a diligent town gossip. But technology has expanded the reach of information significantly. Now, there are vast quantities of data collected about individual users daily, often stored indefinitely in data centers operated by private companies, and available to anyone that is granted (or can forcefully obtain) access. [Read more…]

The Cost of Surveillance

actual numbers

Graph showing the difference in hourly cost between various location tracking techniques.

The Yale Law Journal Online (YLJO) just published an article that I co-authored with Kevin Bankston (first workshopped at the Privacy Law Scholars Conference last year) entitled “Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones.” In it, we discuss the drastic reduction in the cost of tracking an individual’s location and show how technology has greatly reduced the barriers to performing surveillance. We estimate the hourly cost of location tracking techniques used in landmark Supreme Court cases JonesKaro, and Knotts and use the opinions issued in those cases to propose an objective metric: if the cost of the surveillance using the new technique is an order of magnitude (ten times) less than the cost of the surveillance without using the new technique, then the new technique violates a reasonable expectation of privacy. For example, the graph above shows that tracking a suspect using a GPS device is 28 times cheaper than assigning officers to follow him. [Read more…]

PostTV: Webcams can record secretly


In this video I demonstrate how the built-in MacBook camera may be turned on, even when the light is off, allowing someone to spy on users without being detected.  You can read more about this story here.

PostTV: For NSA, Google cookies allow ‘laser-guided’ targeting

explains NSA cellphone collection

Intelligence agencies follow targets using cookies installed by Google, typically to track users for commercial advertising purposes, to follow suspects online and target them with malware. You can read more about this story here.

PostTV: Reporter explains NSA collection of cellphone data

laser guided targeting

In this video I discuss the NSA’s ability to use massive numbers of cell location records to determine if anyone, including US citizens, are co-traveling with targets of surveillance. You can read more about this story here

The Limits of Harvesting Users Online

The state of New Jersey recently announced a $1 million settlement with E-Sports Entertainment, LLC over allegations that the company installed malware on its customers’ computers. The Attorney General claimed that E-Sports’ software allowed the company to use its customer’s computers to mine for Bitcoins without the user’s knowledge, generating thousands of dollars in Bitcoin value for E-Sports (and no value for the users) after numerous reports of unusually high CPU usage by their customers.  E-Sports released a statement apologizing and clarifying that this was the behavior of a rogue programmer. They also announced that they are donating the value of the bitcoins ($3,713) to the American Cancer Society plus doubling the donation from their own funds.

There were multiple components to the New Jersey case, including a privacy count regarding monitoring of users’ computer even when they were offline. However, the Bitcoin aspect of the complaint is extremely prescient, as there seems to be a burgeoning trend of government regulators looking more seriously at Bitcoin.

[Read more…]

Why Apple’s claim that it can’t intercept iMessages is largely semantics

This op-ed originally appeared in the Washington Post last Saturday in response to Apple’s claims about the security of iMessage.

A lively debate is brewing over the security of Apples iMessages. I was recently quoted on this issue, but Apple has since responded, and it seems important to clarify that the argument now seems to be largely a matter of semantics.
In case you missed it, a group of researchers at Quarklab recently analyzed the iMessage protocol, including the trust model and key exchange, and found some mistakes that leave iMessages open to attacks. I had also previously demonstrated that iCloud backups, including backed-up iMessages, could easily be accessed by Apple. This news is important because previous reports suggested that iMessage encryption was a major impediment to law enforcement, and Apple specifically described iMessage data as “protected by end-to-end encryption so no one but the sender and receiver can see or read them” in response to their reported participation in the NSA’s PRISM program.

Apple stands by its claim that its software can’t be intercepted and that it is not reading iMessages. In that article, Apple spokeswoman Trudy Muller said: “iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”

But Apple’s response that it cannot intercept messages is a bit misleading.

Apple controls the entire stack: the phone operating system (iOS), iMessage application, the SSL certificates, and key exchange. Quarklab’s researchers demonstrated that if they could obtain (or fake) a trusted Apple SSL certificate AND man-in-the-middle the iMessage key exchange, they would be in a position to intercept or tamper with iMessage. Basically, that means iMessage could be vulnerable if an actor is able to convince the application that they are authorized to carry the data and to insert themselves between the users.
[Read more…]

CIR/NPR Collaboration – Your Data and Who Has Access to It

I collaborated with NPR and the Center for Investigative Reporting to develop this script describing who is tracking you throughout your day.  The video shows how your digital trail can be assembled into a pretty complete picture of who you are.  Some of the script may seem pretty far fetched, but every example was vetted by yours truly and occurs every day (in the US).

You can read the corresponding CIR story here.
NPR’s 4 part series on “All Tech Considered” below called “Your Digital Trail” below:

Part 1: How It Can Be Used Against You
Part 2: Privacy Company Access
Part 3: Does The Fourth Amendment Protect Us?
Part 4: Data Fuels Political And Legal Agendas

Bits of Freedom: The Dutch Perspective

The Bits of Freedom Crew

I was recently invited to be a visiting fellow at Bits of Freedom in Amsterdam. This was a great opportunity to gain insight into the European privacy debate, not to mention escape the DC summer and visit an amazing city full of bicycles.

Bits of Freedom is a digital rights organization, not unlike the EFF in the United States. They are a mix of lawyers, activists, and tech folk who work at the intersection of technology and human rights. BoF focuses on issues such as transparency, active hacking, net neutrality, and the Transatlantic Trade and Investment Partnership. The staff employ a variety of tools to meet their goals including FOIA, government transparency reports, advocacy campaigns, and direct lobbying to, “influence legislation and self-regulation” both in the Netherlands and across the EU.

My visit focused on learning from the experts here as well as providing some of my own perspective. [Read more…]

How Protecting Your Privacy Could Make You the Bad Guy

pandora netherlands

There’s a funny catch-22 when it comes to privacy best practices. The very techniques that experts recommend to protect your privacy from government and commercial tracking could be at odds with the antiquated, vague Computer Fraud and Abuse Act (CFAA).

A number of researchers (including me) recently joined an amicus brief (filed by Stanford’s Center for Internet and Society in the “Weev” case), arguing how security and privacy researchers are put at risk by this law.

However, I’d also like to make the case here that the CFAA is bad privacy policy for consumers, too. [Read more…]

Comments for the Privacy and Civil Liberties Oversight Board

I am speaking today at the PCLOB meeting on Sections 215 and 702 of the PATRIOT Act.  My panel begins at 12:30 and you can watch it live here.

I will be commenting on the role of technology in these programs, focused on how the limits of technology suggest that claims that surveillance programs can avoid targeting Americans are probably overstated. [Read more…]

The Stream

I was on Al Jazeera’s “The Stream” today discussing online privacy, the problems with notice, and the type of harms we experience with our data out there. This is probably one of the longer live TV appearances I’ve done but fortunately it turned out OK.

(And yes, the irony of being on a talk show about privacy when the host repeatedly encourages the audience to ‘Like’ her Facebook page is not lost on me 🙂 )

Computers Freedom and Privacy Conference

Washington DC | June 25, 2013

My panel focused on PRISM.  We discussed what the program might look like based on publicly available information as well as whether the intelligence gained through the program is worth the risk to American’s privacy.


You can watch the day’s events here. PRISM Panel begins around 2:10:00.

Privacy Law Scholars Conference

Berkeley, CA | June 6 – 7, 2013

I presented a paper I co-authored with Kevin Bankston on the cost of surveillance. Our research provides data on the decreasing cost to the government of surveilling its citizens as a result of new technology. We looked at the hourly cost of various methods of location surveillance to provide a mathematical foundation for a discussion on fourth amendment rights.

Why We Still Need DNT

[hulu thumbnail_frame=15]

Earlier this month, the World Wide Web Consortium (W3C) met face-to-face in California to discuss Do Not Track standards, and there’s a lot of concern about whether the group will to meet their self-imposed July deadline. Do Not Track has been getting attention from the media again after the recent re-introduction of the legislation, mostly focused on the controversy it provokes, whether it’s necessary given the upcoming browser modifications, or how unlikely it is to pass Congress. In fact, I will be participating in a panel hosted by the Congressional Internet Caucus titled “Enabling Do Not Track Privacy: Is It Dead or Alive?“, which will be broadcast on CSPAN today. (Watch it here.)

The conversation about tracking isn’t new. Exactly thirteen years ago the very same set of stakeholders were debating the very same set of issues: privacy, 3rd party cookies, and what tracking defaults should be. In fact, if you didn’t notice the date of the article (07/21/2000), you might confuse it for breaking news. Many of the players cited in that article are the same you’d see quoted today (here’s looking at you Microsoft, Doubleclick, Mozilla (Netscape), National Advertising Initiative, and EPIC), and we seem no closer to developing comprehensive standards for online tracking than we were 13 years ago. It can get discouraging. [Read more…]

ACM Conference on Security and Privacy in Wireless and Mobile Networks

Budapest, Hungary | April 17-19, 2013

WiSec presents high quality research papers exploring security and privacy aspects of wireless communications, mobile networks, and their applications.

I gave a plenary talk about mobile threats to privacy. My presentation covered common threats to mobile privacy and security, focusing on what information is stored on your smartphone and what information is shared – intentionally and unintentionally – with cloud providers and third parties. I reviewed common security problems and pitfalls, as well as the privacy risks consumers assume by operating smartphones powered by a burgeoning advertising industry.

FinCapDev: Privacy, Security and Mobile App Development

I hosted a webinar with Manas Mohapatra, the Director of Mobile Policy for the Federal Trade Commission’s Mobile Technology Unit, for the FinCapDev Finalists.  We discussed security and privacy issues related to mobile app development.

Webinar is archived here.

KALW’s Your Call: What do data brokers know about you?

KALW Radio | April 8, 2013

I discussed data brokering with host Rose Aguilar on “Your Call,” a public radio program from KALW San Francisco.  The program was part of Your Call’s “Agenda for a New Economy” series and focused on  companies that gather and sell  personal information to marketing firms. We discussed some of the surprising ways data has been used  and methods you can use to control what is shared about you.  

Listen to show

The Technology of Privacy Conference

Silicon Flatirons, Center for Law, Technology, and Entrepreneurship
at the University of Colorado
Boulder, CO | January 11, 2013

I joined a discussion about the Threats and Benefits of New Technologies at the Fifth Annual Silicon Flatirons conference on privacy. Academics, policymakers, privacy advocates, and practitioners came together to discuss the changes in the state of the art of privacy and technology, and focus on what it means for policymaking and legal practice in particular. My presentation discussed the need for both technical and policy solutions to privacy problems.  (Our panel starts at 57:00)

View video archives here.

The Big Picture: Comprehensive Online Data Collection

Federal Trade Commission Workshop
Washington, DC | December 6, 2012

I participated in a workshop, organized by the Federal Trade Commission, designed to examine the practices and privacy implications of “comprehensive” data collection about consumers’ online activities.

This discussion highlighted the need for a comprehensive policy governing tracking behavior.

Video from session 2

For Your Eyes Only: Privacy, Empowerment and Technology in the Context of Social Networks

User Empowerment in Social Media Culture Conference
Brussels, Belgium | November 30, 2012

Privacy in social network is typically associated with the difficulty of configuring the settings so that the uploaded information does not become available to unintended audiences. There is however a wide range of security and privacy issues in these systems, as well as a diversity of technologies that have been proposed to improve the protection of their users. This panel tackled the question of what it means to protect security and privacy in social networks. Panelists discussed the different types of threats, assumptions, adversarial models, security and privacy objectives, available technologies to achieve these objectives, as well as the limitations of these technologies.

I was a panelist.

Security in Social Networks

For Your Eyes Only International Conference
Brussels, Belgium | November 30, 2012

The panelists presented and discussed proposals for mitigating select privacy problems in OSNs through technology itself. They looked at ways of concealing data from service providers, as well as third party trackers, and discussed mechanisms to improve the tedious task of managing disclosures through privacy settings. The panelists proposed ways in which they assess the limitations of these technologies and discuss ways in which technical measures need to be complemented with legal and organizational measures.

I was one of the presenters.

For Your Eyes Only – Security in Social Networks (Day2, Panel 4) from spion on Vimeo.

The End of Privacy?

Ford Foundation’s Wired for Change Conference
New York, NY | October 23, 2012

As part of Ford Foundation’s Wired for Change conference, noted consumer privacy experts and technologists Harvey Anderson, Brad Burnham, Kamala D. Harris, Jon Leibowitz and I considered how mining Big Data and safeguarding privacy can reasonably coexist, moderated by John Palfrey.

View complete video archive

Hidden in Plain Sight

How online privacy tools are changing Internet security and driving the (probably quixotic) quest for anonymity in the digital age. By Chris Clayton Delta Sky Magazine | October 22, 2012

[…] Most people have a difficult time with far-off risk,” says Ashkan Soltani, a former technologist with the Federal Trade Commission’s privacy division who’s currently a privacy/security researcher and consultant. “That’s why we passed seat belt laws. The likelihood of you getting in a car accident is low, but the harm that you might experience in that accident is potentially high. It’s the same online. We’re bad at figuring out how our data could be used against us in the future, so we don’t care.” […]

Soltani is more optimistic. He sees a future where governments pass stronger digital privacy laws and geeks build easier-to-use privacy controls that work seamlessly with the slobbering puppy version of the Internet we all love. In the meantime, he’s doing his best to educate as many people as possible on the virtues of proper digital hygiene, whether that means using anonymity tools or simply being more aware of the fact that you leave a data trail wherever you go these days.[…]

PDF of article

Amsterdam Privacy Conference: Behavioural Targeting and Privacy

Amsterdam Privacy Conference
Amsterdam, The Netherlands | October 7-10, 2012

This interdisciplinary panel brought together leading scholars from Europe and the United States to present and discuss recent research on various aspects of behavioural targeting and privacy. Behavioural targeting is the monitoring of people’s online behaviour over time to use the collected information to target people with advertising matching their inferred interests. Using cookies or other tracking technologies, companies compile detailed profiles based on what internet users read, what videos they watch, what they search for etc. Profiles are enriched with up to date location data of users of mobile devices, data that people submit to websites themselves and other data that are gathered on and off line. As the internet plays an ever-larger role in our lives, the profiles will become ever more detailed. The constant stream of articles in the academic literature and popular press on behavioural targeting illustrates the relevance of the subject, which is high on the agenda of regulators in Europe and the United States.

I was a discussant at this event.

Data Days: Data Conference and Pioneers

Berlin, Germany | October 1 and 2, 2012

I was a keynote speaker and panelist at an advertising technology conference in Berlin speaking generally about the problems and opportunities in “big data”.

User data is essentially the raw resource in this industry.  Yet this information doesn’t simply magically appear but is typically collected from users.  These raw materials can essentially be broken up into: 

  1. Information knowingly shared publicly with a site or service.
  2. Information shared via a site/service but intended for another recipient (i.e webmail).
  3. Information collected without the user even being aware.

I highlight how this third category seems to be where most of the privacy tensions stem from, how this data is actually not that useful, and how there’s a huge opportunity in trying to engage the user into providing higher quality ‘consensual’ data (which I dubbed ‘fair trade data’).  Thoughts?


The Kojo Nnamdi Show: Using Facial Recognition Software

The Kojo Nnamdi Show at WAMU
Washington, DC | August 22, 2012

I discussed facial recognition software with Laura Donohue, a law professor at Georgetown University, on The Kojo Nnamdi Show.  We discussed how the technology works and the implications of its increasing quality and availability.  


There’s been a lot of attention around the Israeli facial recognition startup  They, amongst other things, make a mobile app called “KLIK” which lets users tag their friend’s faces in real-time, as they walk down the street. Just today, they announced that they’re being acquired by Facebook for $100M.

A few weeks ago, I noticed a different kind of excitement surrounding the startup. I found an extremely basic vulnerability in the which the app allows access to other user’s KLIK information, including private ‘authentication tokens’ (i.e keys) for user’s Facebook & Twitter accounts (KLIK relies on Facebook to use the app). essentially allowed anyone to hijack a KLIK user’s Facebook and Twitter accounts to get access to photos and social graph (which enables ‘face prints’), even if that information isn’t public.

[Read more…]

OPEN Silicon Valley: Big Data –The Good, The Bad and the Ugly

OPEN Silicon Valley Forum
Mountain View, CA | June 2, 2012

Online privacy concerns have confounded many an entrepreneurs and taken some off-guard. The recent episodes of Path address book uploads, Apple UDID ban, Google privacy policy change, Safari cookie bypass, Facebook timeline launch, and Target predicting teenage girls’ pregnancies before their families do have all put online privacy front and center in the media, with federal regulators and legislators on the Hill taking note of every single move of these companies. While the concerns around social networks and mobile applications eroding our privacy, reputation, and trust are being voiced, it must be balanced with the reality that online information sharing using innovative technologies presents unprecedented opportunities for the community. Both these dimensions are often considered at odds with each other, leading many- especially the entrepreneurs- to question if online privacy issues can put a brake on the innovation engine fueled by big data technologies.

I was a panelist.

Berkeley Law: Conference on Web Privacy Measurement

Berkeley Center for Law and Technology
Berkeley, CA | May 31 – June 1, 2012

As the Web continues to transition from a static collection of documents to an application platform, websites are learning more and more about users. Many forms of Web information sharing pose little privacy risk and provide tremendous benefit to both consumers and businesses. But some Web information practices pose significant privacy problems and have caused concern among consumers, policymakers, advocates, researchers, and others. Data collection is now far more complex than HTTP cookies, and the information available to websites can include a user’s name, contact details, sensitive personal information, and even real-time location. At present there are few restrictions on and scant transparency in Web information practices. There is a growing chasm between what society needs to know about Web tracking and what the privacy measurement community has been able to bring to light.

A number of practitioners, researchers, and advocates have begun to more formally study how websites collect, use, and share information about their users. The goal of the Conference on Web Privacy Measurement (WPM) is to advance the state of the art and foster a community on how to detect, quantify, and analyze Web information vectors across the desktop and mobile landscapes. Such vectors include browser tracking, such as cookies, flash cookies, the geolocation API, microphone API, and camera API; and server-side tracking, such as browser fingerprinting. We are also interested in the deployment of privacy-preserving technologies, such as HTTPS and proper deployment of P3P.

I served on the programming committee for this event, and led a discussion about tools for web privacy measurement.

Freedom and Connectivity from Alexandria, Egypt to Zuccotti Park

Freedom to Connect F2C Conference
Washington, DC | May 21-22, 2012

I joined others for a discussion about the delicate balance between technology, free speech, privacy and human rights.

View video archive

Facebook and your Privacy: What Every Consumer Should Know in the Digital Age

Consumer Reports Roundtable
New York, NY | May 4, 2012

On May 4, 2012, I participated in a panel discussion about consumer privacy on Facebook, organized by Consumer Reports. The panel was part of a larger examination of the issue, which was featured in the June 2012 issue of their magazine. Included tips about Facebook privacy settings.

View video archive

TechCrunch TV: Ashkan Soltani On Mobile App Security

TechCrunch TV | May 3, 2012

TechCrunch TV had me on to discuss Path, Apple’s collection of location information, and the various other privacy issues with mobile devices.


Ashkan Soltani On Mobile App Security by 5minTech

Why You Should Treat Your iPhone Like a Toddler: The State of Mobile App Security Techcrunch, May 3, 2012

2012 State of the Mobile Net Conference

Advisory Committee to the Congressional Internet Caucus
Washington, DC | May 3, 2012

The 4th Annual State of the Mobile Net Conference featured debates about the most pressing issues facing the exploding mobile net. While App developers frenetically code away, Washington policymakers are looking more and more closely at the mobile net ecosystem. Indeed, Washington policymakers are eager to help the mobile net achieve its potential by freeing up spectrum, implementing consumer protections and considering privacy rules for the burgeoning app market. With the speed at which the mobile net is evolving, how can Washington policymakers provide the appropriate level of assistance?

I took part in a panel called Complex Devices / Complex Privacy Questions: Grappling With Privacy In the Mobile Space

View video archive

App Developer Privacy Summit

Palo Alto, CA | April 25, 2012

Mobile apps and the services they provide have been one of the most exciting areas of innovation in recent years. Many of these new services have been successful because they enable consumers to use data to connect, discover and accomplish in new ways, but the collection and use of consumer data in the complex mobile environment has caused a rise in privacy concerns. To maintain the consumer trust necessary to continue the pace of innovation, the key participants in the app ecosystem need to work together.

To better understand their respective roles in this new ecosystem, platforms, app developers, carriers, consumers and policymakers are gathering to address current and pressing consumer privacy issues. The Application Developers Alliance and the Future of Privacy Forum, along with the Stanford Law School Center for Internet and Society, hosted the App Developer Privacy Summit on April 25, 2012.

I was one of the panelists/presenters.

Go to 2 hours, 32 minutes for details.

MobileScope Takes WSJ Data-Transparency Prize

Wall Street Journal Live/Digits | April 17, 2012

Ashkan Soltani, the programmer who designed the MobileScope app and the technical adviser for WSJ’s What They Know series, discusses his privacy app, which won WSJ’s Transparency Weekend “Ready for Primetime” award.


MobileScope Takes WSJ Data-Transparency Prize by 5minTech

Learn more about Mobilescope.

NYU/Princeton Conference on Mobile and Location Privacy: A Technology and Policy Dialog

NYU Law School, New York, NY | April 13, 2013

People routinely carry smartphones and other devices capable of recording and transmitting immense quantities of personal information and tracking their every move. Privacy has suffered in this new environment, with new reports every week of vulnerabilities and unintended disclosures of private information. New York University’s Information Law Institute and Princeton’s Center for Information Technology Policy hosted a technology and policy dialogue about the new world of mobile and location privacy.  They brought together the policy and technology communities to discuss the substantial privacy issues arising from the growth of mobile and location technologies.

I gave a technical demonstration.

NYU/Princeton Conference on Mobile and Location Privacy — Technology Demonstration: Askhan Soltani from NYU Information Law Institute on Vimeo.

NYU/Princeton Conference on Mobile and Location Privacy: A Technology and Policy Dialog

New York University School of Law
New York, NY | April 13, 2012

The age of ubiquitous computing is here. People routinely carry smartphones and other devices capable of recording and transmitting immense quantities of personal information and tracking their every move. Privacy has suffered in this new environment, with new reports every week of vulnerabilities and unintended disclosures of private information. On Friday, April 13, 2012, New York University’s Information Law Institute and Princeton’s Center for Information Technology Policy will hosted a technology and policy dialogue about the new world of mobile and location privacy. The gathering aimed to bring together the policy and technology communities to discuss the substantial privacy issues arising from the growth of mobile and location technologies.

I did a technology demonstration.

NYU/Princeton Conference on Mobile and Location Privacy — Technology Demonstration: Askhan Soltani from NYU Information Law Institute on Vimeo.

Cookies from Nowhere


Google is tracking Safari users across the web even though when they attempt to block 3rd party cookies and have never visited This is a function of the anti phishing and malware lists used by both Safari, Firefox (and, of course, Chrome) that automatically update from Google in the background and places Google cookies.

This is a separate issue than the one uncovered Feb 17, 2012 surrounding Google circumvention of Safari’s default cookie blocking features. Essentially, even though Google has fixed the Doubleclick issue due to ‘social sync’, they are still able to track Safari users everywhere there is a +1 button on the web, even when users have 3rd party cookies blocked.

[Read more…]

Future of Privacy Forum Presents – Personal Information: The Benefits and Risks of De-Identification

Future of Privacy Forum
National Press Club, Washington, DC | December 5, 2011

On December 5, 2011, leading academics, advocates, Chief Privacy Officers, legal experts and policymakers gathered to discuss and debate the benefits and risks of de-identification and the definition of personal information. I joined the event to talk about advertising and marketing uses and concerns.

View video archive

Mobile, Telcos and the Future of Freedom of Speech

Silicon Valley Human Rights Conference
San Francisco, CA | October 25-26, 2011

I was a panelist at the first annual Human Rights Conference – or RightsCon.

Panelists on Mobile, Telcos and the Future of Freedom of Speech talked about the nascent connection between commerce, politics, human rights and information, especially with burgeoning uprisings in the Middle East and beyond.  With the reality of competitive pressures within the industry and the network monopoly of many governments, we looked at some of the industry practices and approaches that are needed to ensure telecoms are not hijacked for repression and abuse. The panelists discussed the realities of operating with infrastructure in country, the business models available to ensure control of the network; and the privacy and mobile security needs of human rights advocates.

The event was livestreamed but there is no video archive.

Flash Cookies and Privacy II

A detailed technical followup to Flash Cookies and Privacy II, describing the mechanisms behind Hulu/KISSmetrics’ respawning practices

cookiemonsterdeleteI thought I’d take the time to elaborate a bit further regarding the technical mechanisms described in our Flash Cookies and Privacy II paper that generated a bit of buzz recently. For a bit of background, I, along with Chris Hoofnagle and Nathan Good, had the honor of supervising Mika Ayenson and Dietrich J. Wambach in replicating our previous 2009 study which found that websites were circumventing user choice by deliberately restoring previously deleted HTTP cookies using persistent storage outside of the control of the browser (a practice we dubbed ‘respawning’).

In our follow up study, we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the site. Additionally, Hulu, Spotify, and many others were also respawning using code provided by analytics firm KISSmetrics.* Hitten Shah, the founder of KISSmetrics, initially confirmed that the research surrounding respawning was correct in an interview with Ryan Singel although he later criticized the findings after a lawsuit was filed.

(*Hulu and KISSmetrics have both ceased respawning as of July 29th 2011)

[Read more…]

CyberJungle Radio: KISSMetrics WebTracking

The CyberJungle Radio Show | August 5, 2011

In 2011, I was a guest on CyberJungle Radio at SecurityBsides Las Vegas, the shadow conference to BlackHat Las Vegas. The CyberJungle got my take on the KISSMetrics web tracking spat.

Audio archive of interview.

Related Reading

Respawn Redux
Flash Cookies and Privacy II (2011)
Flash Cookies and Privacy (2009)

Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning


In August 2009, the research team published Flash Cookies and Privacy, a paper that demonstrated that popular websites were using Flash cookies to track users.  Some advertisers has adopted this technology because it allowed persistent tracking, even where users had taken steps to avoid web profiling. This allowed sites to reinstantiate HTTP cookies deleted by a user, making tracking more resistant to users’ privacy-setting behaviors.

In this followup study, we reassess the flash cookies landscape and examine a new tracking vector, HTML5 local storage and cache cookies via eTags. [Read more…]

Berkeley Law: Online Tracking Protection and Browsers

Berkeley Law
Brussels, Belgium | June 22, 2011

While US regulators and legislators consider a “do not track” mechanism to allow more effective control of online collection of information, European regulators have moved aggressively to give consumers more control over there mere placement of cookies through the E-Privacy directive.  Many questions surround the confluence of US and European developments, including the scope of do not track, the implications of different implementations of do not track, the economic implications of greater consumer control over tracking, and how do not track will be applied in European markets.  BCLT and the University of Amsterdam’s Institute for Information Law hosted a workshop to explore the law and technology of online tracking and mechanisms for consumer control of tracking June 22-23 in Brussels, Belgium.  Participants included FTC Commissioner Julie Brill, Vice-President of the European Commission and Commissioner for the Digital Agenda Neelie Kroes, The Office of Science and Technology Policy CTO Daniel Weitzner, DG Society Director Robert Madelin, and technologist Ashkan Soltani.  

I presented a tutorial on the state of online tracking that covered online tracking technologies and business models, including demand side platforms.

Pii2011: Privacy Identity Information Conference

Santa Clara, CA | May 19-20, 2011

Privacy Identity Innovation is the only tech conference focused on exploring how to protect sensitive information while enabling new technologies and business models. Over 250 attendees from around the world participated in the second Privacy Identity Innovation conference, which took place May 19-20, 2011 at the Santa Clara Marriott hotel in Silicon Valley.

On May 19, I participated in a roundtable discussion called Pii and Location: Can You Find Me Now?

pii2011: pii and Location: Can You Find Me Now? from Marc Licciardi on Vimeo.

Listen to audio archive

On May 20, I was part of a panel discussion on Simplifying Privacy Notice.

pii2011: Simplifying Privacy Notice from Marc Licciardi on Vimeo.

Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy

Senate Committee on the Judiciary, Subcommittee on Privacy, Technology and the Law
Washington, DC | May 10, 2011

On May 10, 2011, I testified in front of the Senate Judiciary Committee on Privacy Technology and the Law regarding mobile privacy. The other witnesses included representatives from Apple, Google, Center for Democracy and Technology, and the Association for Competitive Technology.

Read prepared testimony.

USA Today live blogged the hearing.

senate testimony
Video archives on CSPAN include my delivered testimony, answers to questions about what “location” means, and a question from Senator Franken about the most serious threat regarding mobile devices and privacy. View CSPAN footage of entire hearing

[Read more…]

WC3 Workshop on Web Tracking and User Privacy

Center for Information and Technology at Princeton University
Princeton, NJ | April 28-29, 2011

This workshop served to establish a common view on possible Recommendation-track work in the Web privacy and tracking protection space at W3C, and on the coordination needs for such work.

The workshop was expected to attract a broad set of stakeholders, including implementers from the mobile and desktop space, large and small content delivery providers, advertisement networks, search engines, policy and privacy experts, experts in consumer protection, and other parties with an interest in Web tracking technologies, including the developers and operators of Services on the Web that make use of tracking technologies for purposes other than to behavioral advertising.

In the position paper I submitted, I proposed potential alternative approaches to framing tracking that enables companies to engage in measurable online advertisement while providing the most important privacy protections articulated by advocates. This approach focuses primarily on the active removal of persistent identifiers that are used to correlate browsing activity over multiple sessions or multiple websites.

Enabling Online Privacy With Do Not Track: By Congress, Corporations or Code?

Congressional Internet Caucus Advisory Committee
Washington, DC | April 5, 2011

The online privacy Do Not Track proposal (DNT), modeled after the popular “Do Not Call” concept, has captured the imagination of those who wish to protect consumer privacy in Congress, in industry and among privacy advocates and consumers alike. Consumer privacy advocates have proposed it, the Chairman of the Federal Trade Commission has endorsed it, and Members of Congress have drafted legislation to enact it. Yet remarkably, there is no broad consensus on *what* DNT is or even on *who” should be responsible for making it a reality.

I joined other experts for a panel regarding the potential implementation of Do Not Track. Others included representatives from Microsoft, the Digital Advertising Alliance, the Federal Trade Commission, and the Internet Caucus Advisory Committee.

Listen to audio archive

The State of Online Consumer Privacy

Senate Commerce Committee
Washington, DC | March 16, 2011

On March 16, 2011,  I appeared as a witness at the Senate Commerce Committee’s hearing on consumer privacy. Other witnesses included representatives from the Federal Trade Commission, the US Department of Commerce, Microsoft, Intuit, Group M Interaction, and the ACLU.

Read prepared testimony. 

Blog coverage of hearing.

Key quotes from hearing.


CSPAN archives include my delivered testimony, and a question from Senator Kerry regarding first party versus third party data collection. View entire hearing here.