PEN America Essay: Understanding the Threat

I wrote this essay for a conference hosted by PEN America on the chilling effects of surveillance. I was asked to address what questions researchers should focus on and I discussed the threat posed by stored data and the opportunity for researchers to create new transparency tools. It was originally published here, but you can also read it below!

How do we protect something we can barely see?

As much time as we spend discussing privacy, you would think it’d be easy to define. Yet the more we discuss it, the more it becomes apparent that our definitions of privacy vary widely. For some it means keeping only their deepest secrets safe, while for others any information collected about them without their consent is perceived as a violation. Despite these inconsistencies, most definitions of privacy depend on knowing and controlling what information is collected about us.

Most of the time users don’t realize how much information they are sharing, how it’s stored, or who has access to it. In the analog world, controlling one’s own information was relatively straightforward. Obvious physical and cost barriers limit how quickly and how far information about an individual can be shared. Its reach was our personal circle of friends or maybe a wider community if there were a diligent town gossip. But technology has expanded the reach of information significantly. Now, there are vast quantities of data collected about individual users daily, often stored indefinitely in data centers operated by private companies, and available to anyone that is granted (or can forcefully obtain) access. [Read more…]

PostTV: For NSA, Google cookies allow ‘laser-guided’ targeting

explains NSA cellphone collection

Intelligence agencies follow targets using cookies installed by Google, typically to track users for commercial advertising purposes, to follow suspects online and target them with malware. You can read more about this story here.

CIR/NPR Collaboration – Your Data and Who Has Access to It

I collaborated with NPR and the Center for Investigative Reporting to develop this script describing who is tracking you throughout your day.  The video shows how your digital trail can be assembled into a pretty complete picture of who you are.  Some of the script may seem pretty far fetched, but every example was vetted by yours truly and occurs every day (in the US).

You can read the corresponding CIR story here.
NPR’s 4 part series on “All Tech Considered” below called “Your Digital Trail” below:

Part 1: How It Can Be Used Against You
Part 2: Privacy Company Access
Part 3: Does The Fourth Amendment Protect Us?
Part 4: Data Fuels Political And Legal Agendas

Questions on the Google AdID

I’ve received a few inquiries about the recent announcement of Google AdID. Because Google hasn’t released many details about the implementation, I am a bit reluctant to speculate too broadly. However, I thought it would be useful to present some thoughts on the potential reasons for this shift and its impact on consumer privacy.

Google’s proposed advertising ID seems to be motivated by the following factors:

  1. The increasing number of consumers blocking 3rd party cookies. Recent studies indicate that consumers are increasingly concerned about their privacy online and as many as 20% have blocked browser cookies.  I suspect this figure will rise as privacy issues continue to capture public attention.
  2. The trend of advertisers moving to non-cookie based identifiers (e.g. browser fingerprinting).
  3. To avoid missteps along the same lines of Apple/Safari.
  4. The increased pressure to offer advertisers ‘enhanced’ cross-device tracking capabilities like they already do with google analytics.
  5. The tension (and lack of progress) in the Do-Not-Track negotiations–specifically, the Digital Advertising Alliance’s (DAA) recent abandonment of the process. (Google is a member of the DAA.)

[Read more…]

Bits of Freedom: The Dutch Perspective

The Bits of Freedom Crew

I was recently invited to be a visiting fellow at Bits of Freedom in Amsterdam. This was a great opportunity to gain insight into the European privacy debate, not to mention escape the DC summer and visit an amazing city full of bicycles.

Bits of Freedom is a digital rights organization, not unlike the EFF in the United States. They are a mix of lawyers, activists, and tech folk who work at the intersection of technology and human rights. BoF focuses on issues such as transparency, active hacking, net neutrality, and the Transatlantic Trade and Investment Partnership. The staff employ a variety of tools to meet their goals including FOIA, government transparency reports, advocacy campaigns, and direct lobbying to, “influence legislation and self-regulation” both in the Netherlands and across the EU.

My visit focused on learning from the experts here as well as providing some of my own perspective. [Read more…]

How Protecting Your Privacy Could Make You the Bad Guy

pandora netherlands

There’s a funny catch-22 when it comes to privacy best practices. The very techniques that experts recommend to protect your privacy from government and commercial tracking could be at odds with the antiquated, vague Computer Fraud and Abuse Act (CFAA).

A number of researchers (including me) recently joined an amicus brief (filed by Stanford’s Center for Internet and Society in the “Weev” case), arguing how security and privacy researchers are put at risk by this law.

However, I’d also like to make the case here that the CFAA is bad privacy policy for consumers, too. [Read more…]

The Stream

I was on Al Jazeera’s “The Stream” today discussing online privacy, the problems with notice, and the type of harms we experience with our data out there. This is probably one of the longer live TV appearances I’ve done but fortunately it turned out OK.

(And yes, the irony of being on a talk show about privacy when the host repeatedly encourages the audience to ‘Like’ her Facebook page is not lost on me 🙂 )

PRISM: Solving for X


Figure 1: PRISM

I thought it would be a fun exercise to describe PRISM  based on information publicly available through the press, private companies, and the DNI. Specifically, how would this system look if we took all the statements made at face value?  This might be a stretch, but it seems like a worthwhile exercise  — not unlike a multivariate equation when one or more of the variables are unknown.

While PRISM is potentially the least troubling with respect to its legality and the type/volume of information of the 4 programs we’ve learned about, it is also the most technically puzzling. There have been many theories on the architecture of PRISM and I’ve been inundated with requests to help press/advocates understand it — so here goes. [Read more…]

Congressional Internet Caucus: Enabling Do Not Track Privacy- Is It Dead or Alive?

Washington DC | May 24, 2013

A panel of experts discussed the current state of “Do Not Track” efforts.  I focused on the technical difficulty of blocking tracking and ways to ensure consumers have a choice.  You can read more about my thoughts on DNT here.


I was on a similar panel two years ago where we discussed whether Congressional action was necessary to ensure consumers opt-out of tracking.

Watch the panel here. My remarks start at 14:30.

KALW’s Your Call: What do data brokers know about you?

KALW Radio | April 8, 2013

I discussed data brokering with host Rose Aguilar on “Your Call,” a public radio program from KALW San Francisco.  The program was part of Your Call’s “Agenda for a New Economy” series and focused on  companies that gather and sell  personal information to marketing firms. We discussed some of the surprising ways data has been used  and methods you can use to control what is shared about you.  

Listen to show

Security in Social Networks

For Your Eyes Only International Conference
Brussels, Belgium | November 30, 2012

The panelists presented and discussed proposals for mitigating select privacy problems in OSNs through technology itself. They looked at ways of concealing data from service providers, as well as third party trackers, and discussed mechanisms to improve the tedious task of managing disclosures through privacy settings. The panelists proposed ways in which they assess the limitations of these technologies and discuss ways in which technical measures need to be complemented with legal and organizational measures.

I was one of the presenters.

For Your Eyes Only – Security in Social Networks (Day2, Panel 4) from spion on Vimeo.

The End of Privacy?

Ford Foundation’s Wired for Change Conference
New York, NY | October 23, 2012

As part of Ford Foundation’s Wired for Change conference, noted consumer privacy experts and technologists Harvey Anderson, Brad Burnham, Kamala D. Harris, Jon Leibowitz and I considered how mining Big Data and safeguarding privacy can reasonably coexist, moderated by John Palfrey.

View complete video archive

Defcon: Can You Track Me Now? Government and Corporate Surveillance of Mobile Geo-Location Data

Defcon 20 Hacking Conference
Las Vegas, NV | July 26 – 29, 2012

In July 2012, I took part in a panel at the 20th annual Defcon Conference. I joined tech experts Christopher Soghoian from the Open Society Institute and Catherine Crump, staff attorney with the ACLU’s Project on Speech, Privacy, and Technology, for a briefing on the current technological and legal landscape of location data tracking. The panelists explored how consumer location tracking efforts weave a story about the systemic privacy vulnerabilities of smart phones and the legal ways in which law enforcement has been able to hitch a ride. The panel was moderated by the Director of the ACLU’s Project on Speech, Privacy, and Technology, Ben Wizner.

View video archive

Berkeley Law: Conference on Web Privacy Measurement

Berkeley Center for Law and Technology
Berkeley, CA | May 31 – June 1, 2012

As the Web continues to transition from a static collection of documents to an application platform, websites are learning more and more about users. Many forms of Web information sharing pose little privacy risk and provide tremendous benefit to both consumers and businesses. But some Web information practices pose significant privacy problems and have caused concern among consumers, policymakers, advocates, researchers, and others. Data collection is now far more complex than HTTP cookies, and the information available to websites can include a user’s name, contact details, sensitive personal information, and even real-time location. At present there are few restrictions on and scant transparency in Web information practices. There is a growing chasm between what society needs to know about Web tracking and what the privacy measurement community has been able to bring to light.

A number of practitioners, researchers, and advocates have begun to more formally study how websites collect, use, and share information about their users. The goal of the Conference on Web Privacy Measurement (WPM) is to advance the state of the art and foster a community on how to detect, quantify, and analyze Web information vectors across the desktop and mobile landscapes. Such vectors include browser tracking, such as cookies, flash cookies, the geolocation API, microphone API, and camera API; and server-side tracking, such as browser fingerprinting. We are also interested in the deployment of privacy-preserving technologies, such as HTTPS and proper deployment of P3P.

I served on the programming committee for this event, and led a discussion about tools for web privacy measurement.

MobileScope Takes WSJ Data-Transparency Prize

Wall Street Journal Live/Digits | April 17, 2012

Ashkan Soltani, the programmer who designed the MobileScope app and the technical adviser for WSJ’s What They Know series, discusses his privacy app, which won WSJ’s Transparency Weekend “Ready for Primetime” award.


MobileScope Takes WSJ Data-Transparency Prize by 5minTech

Learn more about Mobilescope.

NYU/Princeton Conference on Mobile and Location Privacy: A Technology and Policy Dialog

New York University School of Law
New York, NY | April 13, 2012

The age of ubiquitous computing is here. People routinely carry smartphones and other devices capable of recording and transmitting immense quantities of personal information and tracking their every move. Privacy has suffered in this new environment, with new reports every week of vulnerabilities and unintended disclosures of private information. On Friday, April 13, 2012, New York University’s Information Law Institute and Princeton’s Center for Information Technology Policy will hosted a technology and policy dialogue about the new world of mobile and location privacy. The gathering aimed to bring together the policy and technology communities to discuss the substantial privacy issues arising from the growth of mobile and location technologies.

I did a technology demonstration.

NYU/Princeton Conference on Mobile and Location Privacy — Technology Demonstration: Askhan Soltani from NYU Information Law Institute on Vimeo.

Cookies from Nowhere


Google is tracking Safari users across the web even though when they attempt to block 3rd party cookies and have never visited This is a function of the anti phishing and malware lists used by both Safari, Firefox (and, of course, Chrome) that automatically update from Google in the background and places Google cookies.

This is a separate issue than the one uncovered Feb 17, 2012 surrounding Google circumvention of Safari’s default cookie blocking features. Essentially, even though Google has fixed the Doubleclick issue due to ‘social sync’, they are still able to track Safari users everywhere there is a +1 button on the web, even when users have 3rd party cookies blocked.

[Read more…]

The Global Internet and the Free Flow of Information

Media Access Project Forum
Washington, DC | February 7, 2012

On February 7, 2012, I joined other experts for a discussion about freedom of expression issues, cyber security issues and surveillance tech issues in the context of how they affect online users’ free speech rights.

View video archive

Analysis of Carrier IQ Software

Log Pile by Lars Hammer on Flickr

Log Pile by Lars Hammer on Flickr

There has been some confusion and multiple conflicting statements about the Carrier IQ issues that were highlighted in Trevor Ekharts’s initial video some weeks ago.  I will attempt to hopefully clarify some of that confusion and show that, despite statements to the contrary, there is capture and transmission of sensitive information to 3rd parties resulting from misconfigured Carrier IQ software. [Read more…]

Future of Privacy Forum Presents – Personal Information: The Benefits and Risks of De-Identification

Future of Privacy Forum
National Press Club, Washington, DC | December 5, 2011

On December 5, 2011, leading academics, advocates, Chief Privacy Officers, legal experts and policymakers gathered to discuss and debate the benefits and risks of de-identification and the definition of personal information. I joined the event to talk about advertising and marketing uses and concerns.

View video archive

When Zombies Attack – a Tracking Love Story

OWASP AppSec USA 2011 Conference
Minneapolis, MN | September 20 – 23, 2011

In this talk,  Gerrit Padgham and I talked about the current state of online tracking and highlight current practices such as “cookie respawning” and non-cookie based tracking that popular websites and mobile applications engage in. We discussed theories on why the platforms we use do not adequately protect users from these threats and highlight the proposed solutions, such as additional transparency tools and Do-Not-Track that are intended to help mitigate these issues. We also demonstrated MobileScope, a technical solution we have been developing to give the end user ultimate visibility into the traffic their device is sending. Finally, we discussed open questions surrounding the ability to adequately assess risk drawing from behavioral economics and risk management theories for cues as to potential outcomes in this space.

When Zombies Attack: A Tracking Love Story with Ashkan Soltani & Gerrit Padgham from OWASP on Vimeo.

Additional video archives on YouTube.

PDF of slides

CyberJungle Radio: KISSMetrics WebTracking

The CyberJungle Radio Show | August 5, 2011

In 2011, I was a guest on CyberJungle Radio at SecurityBsides Las Vegas, the shadow conference to BlackHat Las Vegas. The CyberJungle got my take on the KISSMetrics web tracking spat.

Audio archive of interview.

Related Reading

Respawn Redux
Flash Cookies and Privacy II (2011)
Flash Cookies and Privacy (2009)

Berkeley Law: Online Tracking Protection and Browsers

Berkeley Law
Brussels, Belgium | June 22, 2011

While US regulators and legislators consider a “do not track” mechanism to allow more effective control of online collection of information, European regulators have moved aggressively to give consumers more control over there mere placement of cookies through the E-Privacy directive.  Many questions surround the confluence of US and European developments, including the scope of do not track, the implications of different implementations of do not track, the economic implications of greater consumer control over tracking, and how do not track will be applied in European markets.  BCLT and the University of Amsterdam’s Institute for Information Law hosted a workshop to explore the law and technology of online tracking and mechanisms for consumer control of tracking June 22-23 in Brussels, Belgium.  Participants included FTC Commissioner Julie Brill, Vice-President of the European Commission and Commissioner for the Digital Agenda Neelie Kroes, The Office of Science and Technology Policy CTO Daniel Weitzner, DG Society Director Robert Madelin, and technologist Ashkan Soltani.  

I presented a tutorial on the state of online tracking that covered online tracking technologies and business models, including demand side platforms.

Pii2011: Privacy Identity Information Conference

Santa Clara, CA | May 19-20, 2011

Privacy Identity Innovation is the only tech conference focused on exploring how to protect sensitive information while enabling new technologies and business models. Over 250 attendees from around the world participated in the second Privacy Identity Innovation conference, which took place May 19-20, 2011 at the Santa Clara Marriott hotel in Silicon Valley.

On May 19, I participated in a roundtable discussion called Pii and Location: Can You Find Me Now?

pii2011: pii and Location: Can You Find Me Now? from Marc Licciardi on Vimeo.

Listen to audio archive

On May 20, I was part of a panel discussion on Simplifying Privacy Notice.

pii2011: Simplifying Privacy Notice from Marc Licciardi on Vimeo.

Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy

Senate Committee on the Judiciary, Subcommittee on Privacy, Technology and the Law
Washington, DC | May 10, 2011

On May 10, 2011, I testified in front of the Senate Judiciary Committee on Privacy Technology and the Law regarding mobile privacy. The other witnesses included representatives from Apple, Google, Center for Democracy and Technology, and the Association for Competitive Technology.

Read prepared testimony.

USA Today live blogged the hearing.

senate testimony
Video archives on CSPAN include my delivered testimony, answers to questions about what “location” means, and a question from Senator Franken about the most serious threat regarding mobile devices and privacy. View CSPAN footage of entire hearing

[Read more…]

WC3 Workshop on Web Tracking and User Privacy

Center for Information and Technology at Princeton University
Princeton, NJ | April 28-29, 2011

This workshop served to establish a common view on possible Recommendation-track work in the Web privacy and tracking protection space at W3C, and on the coordination needs for such work.

The workshop was expected to attract a broad set of stakeholders, including implementers from the mobile and desktop space, large and small content delivery providers, advertisement networks, search engines, policy and privacy experts, experts in consumer protection, and other parties with an interest in Web tracking technologies, including the developers and operators of Services on the Web that make use of tracking technologies for purposes other than to behavioral advertising.

In the position paper I submitted, I proposed potential alternative approaches to framing tracking that enables companies to engage in measurable online advertisement while providing the most important privacy protections articulated by advocates. This approach focuses primarily on the active removal of persistent identifiers that are used to correlate browsing activity over multiple sessions or multiple websites.

The State of Online Consumer Privacy

Senate Commerce Committee
Washington, DC | March 16, 2011

On March 16, 2011,  I appeared as a witness at the Senate Commerce Committee’s hearing on consumer privacy. Other witnesses included representatives from the Federal Trade Commission, the US Department of Commerce, Microsoft, Intuit, Group M Interaction, and the ACLU.

Read prepared testimony. 

Blog coverage of hearing.

Key quotes from hearing.


CSPAN archives include my delivered testimony, and a question from Senator Kerry regarding first party versus third party data collection. View entire hearing here.

Berkeley Law: Browser Privacy Mechanisms Roundtable

Berkeley Law
Berkeley, CA | February 9, 2011

I gave a tutorial on the state of online tracking. 

Audio archive. Transcript.

The Federal Trade Commission preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change,” called generally for privacy by design, and specifically for a do not track (DNT) system to allow consumers to better control online collection of information.  This is a challenging task, because many web interactions require a transfer of information that could be conceived of as “tracking.”  The major developers of browsers have all announced implementations of do not track systems recently.  The conceptions of DNT have different needs for implementing regulation and have different implications for businesses and consumers.  This roundtable explored the contours of the regulations needed to effectuate do not track, the technical options to implement it, and the political and economic implications of do not track systems.


Flash Cookies and Privacy


In August 2009, I and other graduate students at the University of California, Berkeley – School of Law, Berkeley Center for Law & Technology published Flash Cookies and Privacy, a paper that examined of the use of ‘Flash cookies’ by popular websites.

Websites and Cookies

Advertisers are increasingly concerned about unique tracking of users online. Several studies have found that over 30% of users delete first party HTTP cookies once a month, thus leading to overestimation of the number of true unique visitors to websites, and attendant overpayment for advertising impressions.

Mindful of this problem, online advertising companies have attempted to increase the reliability of tracking methods. In 2005, United Virtualities (UV), an online advertising company, exclaimed, “All advertisers, websites and networks use [HTTP] cookies for targeted advertising, but cookies are under attack.” The company announced that it had, “developed a backup ID system for cookies set by web sites, ad networks and advertisers, but increasingly deleted by users. UV’s ‘Persistent Identification Element’ (PIE) is tagged to the user’s browser, providing each with a unique ID just like traditional cookie coding. However, PIEs cannot be deleted by any commercially available antispyware, mal-ware, or adware removal program. They will even function at the default security setting for Internet Explorer.”

United Virtualities’ PIE leveraged a feature in Adobe’s Flash MX: the “local shared object,” also known as the “Flash cookie.” [Read more…]