/
ThirdParty Web Tracking Policy and Technology Jonathan R ThirdParty Web Tracking Policy and Technology Jonathan R

ThirdParty Web Tracking Policy and Technology Jonathan R - PDF document

sherrill-nordquist
sherrill-nordquist . @sherrill-nordquist
Follow
1055 views
Uploaded On 2014-10-09

ThirdParty Web Tracking Policy and Technology Jonathan R - PPT Presentation

Mayer and John C Mitchell Stanford University Stanford CA jmayermitchell csstanfordedu Abstract In the early days of the web content was designed and hosted by a single person group or organization No longer Webpages are increasingly composed of ID: 4033

Mayer and John

Share:

Link:

Embed:

Download Presentation from below link

Download Pdf The PPT/PDF document "ThirdParty Web Tracking Policy and Techn..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.


Presentation Transcript

Figure1.Third-partyadvertising,social,andvideocontentontheNewYorkTimeswebsite.Analyticscontentisnotvisible. Webmeasurementprovidesobjective,reliableevidencethatbothfurtherspublicunderstandingandestablishesasoundbasisforpolicymaking.Second,webmeasurementisfast.Manyclaimsaboutspecictrackingpracticescanbesupportedorrebuttedwithmerehoursofwebmeasurementwork.4Webmeasurementfacilitateslongitudinalstudy.Oftentheverysamehardwareandsoftwarecanbereusedtocollectandanalyzedataevenyearsapart.Last,webmeasurementcanoftenbeautomated.Onceagenericmeasurementtoolhasbeenbuilt,itcanbetriviallyappliedtomillionsofwebsites.B.DesignPrinciplesPriorworkonthird-partywebtrackinghaslargelytakenoneofthreeapproachestomeasurement:monitornetworktrafc(e.g.[10],[11],[12],[13]),manuallyinspectbrowserstate(e.g.[8],[14]),ordevelopacustomtoolforaspecicmeasurementtask(e.g.[15],[16],[17]).WedevelopedFourthPartyaroundthreedesignprinciplesthatimproveontheseapproaches.4Forexample,whenanadvertisingnetworkcontestedourdiscoverythatitwas“historysnifng”[7],wewereabletosecureindependentconrmationfromtwootherresearchgroupsthesameday.WhenAyensonetal.[8],[9]contactedusonaweekdayafternoonaboutawebanalyticscompanyusingmultiple“supercookie”technologies(seeSectionVII-A),wewereabletoverifytheirndingsbyevening.1)General-purposeinstrumentation:Byimplementingcomprehensiveinstrumentationandloggingonlyonce,FourthPartyavoidstheneedformanypurpose-builttools,decreasesduplicationofeffort,andtrimsdevelopmenttime.2)Productionwebbrowser:Buildingonaproductionbrowserallowsreuseofexistingadd-ons,includingforautomation,andcloselyemulatesreal-worldbrowsing.3)Standardizedlogformat:Astandardized,easy-to-manipulatelogformatfacilitatesdatasharingandcutsbackonredundantdatagathering.C.ImplementationWeimplementedFourthPartyasanextensiontoMozillaFirefox.ItcurrentlyinstrumentsthebrowserAPIsforHTTPtrafc,DOMwindows,cookies,andresourceloads.Fourth-PartyalsoinstrumentsJavaScriptAPIcallsonthewindow,navigator,andscreenobjectsusinggetters,setters,andECMAScriptproxies[18].AlleventsareloggedtoaSQLitedatabase.OnmanypagesFourthPartydoesnotperceivablyslowdownFirefox;onhighlydynamicpages,itcanincreasepageloadtimebyroughly2-3x.Weplantomakesubstantialperformanceimprovementsinanupcomingrevision.D.AnalysiswithFourthPartyAnalyzingFourthPartydataisfast.AlloftheFourthPartyresultspresentedinthispaperweregeneratedwithPython TableITHIRDPARTIESRECEIVINGUSERNAMEANDIDON185POPULARSITES.Third-PartyPS+1WebsitesLeakingUsernameorID scorecardresearch.com81(44%)google-analytics.com78(42%)quantserve.com63(34%)doubleclick.net62(34%)facebook.com45(24%)TableIIPOPULARWEBSITESLEAKINGUSERNAMEANDID.First-PartyPS+1Third-PartyPS+1sReceivingUsernameorID rottentomatoes.com83cafemom.com59lyricsmode.com54ivillage.com53livejournal.com53wouldbetouseasingleURLforallusersviewingtheirownprole,e.g.http://example.com/self/,andtoneverincludetheusernameoruserIDinthepagetitle.Severalofthesiteswecontactedwerewillingtoimplementthesexes,butmanymorepreferredthefunctionality,con-venience,andaestheticofausernameoruserIDinURLs.Itseemsquitelikelythepracticewillpersistindenitelyamongeventhemostpopularsites.Wealsoobservedotherformsofidentifyinginformationleak.Forexample:ViewingalocaladontheHomeDepotwebsitesenttheuser'srstnameandemailaddressto13companies.EnteringthewrongpasswordontheWallStreetJournalwebsitesenttheuser'semailaddressto7companies.Changingusersettingsonthevideo-sharingsiteMeta-cafesentrstname,lastname,birthday,emailaddress,physicaladdress,andphonenumbersto2companies.Inallofthesecasestheidentifyinginformationwasincludedasaparameterinarst-partyURL.ThebetterpracticeistosendidentifyinginformationaspartofaPOSTrequestbodysoitwillnotinadvertentlyleaktothirdparties.4)Thethirdpartyusesasecurityexploit:Athirdpartymayexploitacross-sitesecurityvulnerabilityonarst-partywebsitetolearntheuser'sidentity.Narayananhasshownhowinadequateframebustingcanfacilitateidentifyingauser[27].HuangandJacksonmorerecentlydemonstratedpracticaluseridenticationthroughFacebookandTwittersharingwidgetclickjacking[28].5)Re-identication:Thethirdpartycouldmatchpseudonymousbrowsinghistoriesagainstidentieddatasetstore-identifythem,muchlikeNarayananandShmatikovdidwiththeNetixPrizedataset[29]andtheFlickrandTwittersocialgraphs[30],andAcquistietal.didmorerecentlywithpersonalphotosonadatingsite[31].Athirdpartymight,forexample,comparebrowsingactivitytothetimesandlocationsoflinkspubliclysharedbyTwitterusers.C.PossibleHarmsTheriskofharmtoconsumersfromwebtrackingarisesfrommyriadpotentialscenarios.Eachparticularscenariomayhavealowprobabilityofoccurring.Butthechanceofsomescenariosoccurringissubstantial,especiallywhenconsideredovertimeandacrossmanycompanies.Whenconsideringharmfulwebtrackingscenarios,wendithelpfultofocusonfourvariables.First,anactorthatcausesharmtoaconsumer.Theactormight,forexample,beanauthorizedemployee,maliciousemployee,competitor,acquirer,hacker,orgovernmentagency.Second,ameansofaccessthatenablestheactortousetrackingdata.Thedatamightbevoluntarilytransferred,sold,stolen,misplaced,oraccidentallydistributed.Third,anactionthatharmstheconsumer.Theactioncouldbe,forexample,publication,alessfavorableoffer,denialofabenet,orterminationofemployment.Last,aparticularharmthatisinicted.Theharmmightbephysical,psychological,oreconomic.Thecountlesscombinationsofthesevariablesresultincountlesspossiblebadoutcomesforconsumers.Toex-emplifyourthinking,hereisonecommonlyconsideredscenario:Ahacker(actor)breaksintoatrackingcompany(meansofaccess)andpublishesitstrackinginformation(action),causingsomeembarrassingfactabouttheconsumertobecomeknownandinictingemotionaldistress(harm).9Risksassociatedwiththird-partytrackingareheightenedbythelackofmarketpressuretoexercisegoodsecurityandprivacypractices.Ifarst-partywebsiteisuntrustworthy,usersmaydeclinetovisitit.But,sinceusersareunawareoftheveryexistenceofmanythird-partywebsites,theycannotrewardresponsiblesitesandpenalizeirresponsiblesites.10D.UserPreferencesUsersurveyshaveconsistentlyshownoppositiontothirdpartiescollectingandusingbrowsingactivity.A2009rep-resentativeU.S.phonesurveybyTurowetal.[33]foundthat87%ofrespondentswouldnotwantadvertisingbasedontracking.Inanunrepresentative2010surveyofAmazonMechanicalTurkusersbyMcDonaldandCranor[34],only45%ofrespondentswantedtobeshownanyadsthathadbeentailoredtotheirinterests.ADecember2010USAToday/Galluppoll[35]reported67%ofrespondentsthoughtbehavioraltargetingshouldbeoutrightillegal.Inamid-2011representativeU.S.onlinesurveybyTRUSTeandHarrisInteractive[36],85%ofrespondentssaidtheywouldnotconsenttotrackingforadtargeting,and78%saidtheywouldnotconsenttotrackingforwebsiteanalytics.9Therehasnotyetbeenareporteddatabreachthatinvolvedreleaseofthird-partywebtrackingdata.(Currentdatabreachnoticationlawsmaynotextendtothird-partywebtrackinginformation.)Hackershavebeguntotargetmarketingcompanies;oneofthelargestdatabreachesof2011wasatEpsilon,anemailmarketingcompany[32].10Publisherscouldsomewhatstandinforusersbydemandinggoodcorporatepractices,buttheyhaveinlargemeasuredeclinedtodoso. Inearly2012theWhiteHousereleasedalong-awaitedonlineprivacyreportfromapolicycollaborationwiththeDepartmentofCommerce[50].ThereportcallsforbaselineprivacylegislationandCommerce-mediatedmulti-stakeholdercodesofconductthatareratiedandenforcedbytheFTC.TheWhiteHouseandCommerceDepartmenthavenotindicatedtheirproposalswouldaltertheFTC'spresentleadershiponwebtrackingissues,andtheChairmanoftheFTChassuggestedhesharesthatview[51].B.EuropeanUnionThe2002ePrivacyDirective,2002/58/EC,mandatedthatwebsitesenableuserstooptoutofhavinginformationstoredintheirbrowser,exceptas“strictlynecessary”toprovideservice“explicitlyrequested”bytheuser.Inpracticethedirectivehashadlittleeffect;memberstateshavenottakenanymeasurestoenforcecompliance,andinmanycasestheyhavetreatedbrowsercookiesettingsasadequateimplementation(see[52]).A2009amendmenttotheePrivacyDirective,2009/136/EC,replacedtheopt-outrulewithanopt-inconsentrule(see[53],[54],[55]).Memberstateimplementationsinitiallysplit.Somestatessuggestedexistingbrowsercookiesettingswouldremainadequate,onthelegaltheorythattheyconvey“implicitconsent.”Themajorityview,andthedevelopingconsensus,isthatthedirectiverequiresexplicit,afrmativeconsentforeachthirdparty,andthatDoNotTrack(seeSectionIX-C)couldsatisfytheconsentrequirementofthedirective.ThisviewhasbeenendorsedbyleadersinboththeEuropeanCommission[56],[57],[58],theEU'sexecutivebranch,andtheArticle29WorkingParty[53],[52],[38],adataprotectionadvisorybody.EUandstateauthoritieshaveyettoenforcecompliancewiththeamendedePrivacyDirective.InFebruary2012theEuropeanCommissionproposedanewsetofrevisionstoEUdataprotectionlaw[59].Recommendedprovisionswouldclarifythatconsentmustbeexplicit,unambiguouslyextendthereachofregulationstonon-EUcompaniesthattrackEUresidents,andimposeastringentpenaltystructurereachingupto2%ofrevenue.C.OnlineAdvertisingSelf-RegulationTheonlineadvertisingindustryhaslargelyharmonizedself-regulatoryeffortsintheU.S.(theNetworkAdvertisingInitiative,NAI[60]andtheDigitalAdvertisingAlliance,DAA[61])andtheEU(theInteractiveAdvertisingBureauEurope,IABEurope[62]).Allthreeprogramsimposethesameconsumerchoicerequirement:participatingcompaniesmustallowuserstooptoutofbehavioraladvertising,thatis,adtargetingbasedontracking.Notethatthisisachoiceaboutoneparticularuseofdata;collectionandotherusesofthird-partytrackingdataareunaffected.14Participationinself-regulationhasuctuatedwithwaxingandwaninggovernmentscrutiny[65].Atpresentmostofthelargestonlineadvertisingandanalyticscompaniesparticipate,andmostofthesmalleronesdonot.Socialnetworksandcontentprovidersarealmostentirelyabsent.TheDAAannouncedinlate2011[63]thatitwouldattempttoexpanditsprogramtonon-advertisingbusinessesandthatitwouldbroadenitsconsumerchoicerequirementtonearlyallusesofthird-partydataforper-device15person-alization.MostofthelargestsocialnetworksandcontentproviderswerenotstakeholdersintheDAA'sprogramexpansionandhavenotsignaledacceptance.Therehasbeenscantindustryenforcementagainstbusi-nessesthatviolateself-regulatoryprinciples.Inlate2011theBetterBusinessBureauannounceditsrst“decisions”againstcompaniesthathaddefectiveopt-outcookiemecha-nisms(seeSectionIX-A);thecompaniesxedtheiropt-outcookies,butwerenototherwisepenalized[66].TheNAIhasreleasedanannual“ComplianceReport”since2009[67],[68],[69].Onlyonecompanyhasbeenpenalizedfornon-compliance;itisrequiredtoundergoanannualindependentprivacyauditforthreeyears.V.BUSINESSMODELSANDTRENDSThereare,broadly,sixcommonbusinessmodelsforthird-partywebsites:advertisingcompanies,analyticsservices,socialnetworks,contentproviders,frontendservices,andhostingplatforms.Thistaxonomyisintendedtoassistre-searchersinmodelingthird-partybusinesses;inpractice,manyservicescutacrossbusinessmodels,andnewbusinessmodelsarefrequentlyattempted.A.AdvertisingCompaniesWhilepricingmodelsinonlineadvertisingconvergedbytheearly2000sonasmallsetofauctionalgorithms(see[70],[71]),marketplacestructuresvary.Therearethreemainmodels:directbuy,adnetworks,andadexchanges.1)DirectBuy:Intheoldestmodelofonlineadvertising,advertisers(andagencies)cutdealsdirectlywithrst-partywebsites(“publishers”).Thisapproachfellintodisfavorformostwebsitesinthelate1990sthrough2000s,butremainsthedominantmodelforsearchengineandsocialnetworkadvertising.Directbuyhas,oflate,experiencedarenais-sanceamongcontentpublishersowingtothedevelopmentof“privateadvertisingexchanges,”real-timeadvertisingauc-tionsrunbypublishers.Manyimplementationsofdirectbuy14Theprogramsimposesimilarbaselinerequirements.Allthreemandateamodestdegreeofnoticeandtransparencyaboutbehavioraladvertising,reasonablesecurityprecautionsforbehavioraladvertisingdata,anduserconsentforbehavioraladvertisinguseofnarrowclassesofsensitiveinformation.Allthreealsoprohibitbehavioraltargetingspecicallydirectedtowardschildren.ArecentrevisionoftheDAAprinciples[63],[64]prohibitscertainparticularlysensitiveusesofinformation.15TheDAAhasleftthedooropentoper-usercontenttailoring,suchaspersonalizedsocialnetworkingwidgets[64]. VI.ECONOMICSOFTHIRD-PARTYWEBTRACKINGProponentsofwebtrackingoftenmaketheeconomicclaimthatitisneededtosubsidizewebservicesthroughadvertising(e.g.[75],[76],[77],[78]).Webelievetheclaimissubjecttodebate[79],andcentralquestionsremainopen:Whichsegmentsoftheonlineadvertisingmarketde-pendonthird-partytracking,andhowisitused?Itappearsthatonlyasmallshareofonlineadvertisingisbehaviorallytargeted[79].Theextenttowhichadvertisingreliesonotherusesoftrackingisunclear.Whatmarginaltradeoffsdoadvertisersfaceforeachuseoftrackinginformation?Iftracking-basedadver-tisingbecomeslessfeasibleormorecostly,advertiserswillreallocatetheirexpenditures.17Howtheychoosetoreallocatewilldependontheeffectivenessandcostofthenext-bestalternativestotracking-basedadvertis-ing.Notethateffectivenessandcostpointinoppositedirections—anadvertisermay,forexample,investmoreinanadvertisingapproachthatisper-adslightlylesseffectivebutalsoper-adsignicantlylessexpensive.18Towhatextentcanprivacy-preservingtechnologiesreplacecurrentusesoftracking?Anumberofdesignshavebeenadvancedthat,whilenotperfectsubstitutes,wouldenablemuchoftheadvertisingfunctionalitythattrackingsupports(seeSectionVIII-A).Limitationsontrackingcouldincentivizeadvertisingcompaniestode-velopandimplementprivacy-preservingtechnologies.Whatproportionofuserswouldconsenttotrackingorpayifrequiredtoaccessaservice?Ifdiminishedtracking-basedadvertisingdoesimpactpublishers,theycouldrequirevisitorstoeitherpayorconsenttotrack-ing.Someproportionofuserswouldchooseeitheroptionratherthanforgotheservice.Giventhepublicattentiontothird-partywebtracking,thereissurprisinglyscantresearchonthesecentralissues.A2009industry-sponsoredpaperbyBeales[80]hasbeenwidelycited(e.g.[50])forthepropositionthatbehavioraltargetingbringsinsubstantiallymorevaluethanotherformsofadtargeting.Beales'sstudyfoundthatbehaviorallytar-getedadvertisingwasroughlytwiceasexpensiveandtwiceaseffectiveasuntargeted(“runofnetwork”)advertising.Thereareatleastthreeproblemswiththemethodologyusedinthestudy.First,thepaperreliesondatafromasmall,unrepresentativesampleofadvertisingnetworks.Somestatisticsrelyondatafromfewerthanvecompanies.Theparticipatingcompaniesself-selectedandwereawareofthepurposeofthestudy.Second,thepapercomparesbehavioraladvertisingtountargetedadvertising.Asnotedearlier,therelevantcomparisonistothenext-bestalternative17Ineconomicterms:therearecross-demandelasticitiesbetweentrackingandnon-trackingformsofadvertising.18Advertisingauctionmechanismsfurthercomplicatetheinquiry,sincetheylimitthesurplusthatadvertiserscancapturefrombetteradtargeting.(e.g.contextualtargeting).Third,thestudyconcludesthatbehavioraladvertisingbringsvaluetopublishersthroughincreasedeffectivenessandprice.But,asnotedearlier,increasedpricedecreasesthemarginalvalueofbehavioraladvertisingtoadvertisers.Proponentsofthird-partywebtrackinghavealsofre-quentlyciteda2011paperbyGoldfarbandTucker[81],[82]reportinga65%decreaseinEUadvertisingeffectivenessafterthe2002ePrivacyDirectivewastransposedbymemberstates.WendfourawsintheGoldfarbandTuckerstudy.First,theanalysisreliesexclusivelyonself-reporteddatafromonecompany'ssurveysofwebusers.Thepaperdoesnotexplainhowthedatawascollected,letalonedemonstratehowitisvalidandreliable.Infact,thesurveydataappearstohaveanumberofoddities.Itsuggests,forexample,thataftertheEUePrivacyDirectivenon-EUadvertisingwastwiceaseffectiveonEUviewersasonnon-EUviewers.Second,theGoldfarbandTuckerdataisnotcontrolledfortypesofadtargeting.Behavioraladvertisingmayonlyaccountforaslightshareoftheadvertisinginthestudy.Third,theGoldfarbandTuckerstudyappearstoincor-rectlyassumethatthe2002EUePrivacyDirectivesigni-cantlyalteredonlineadvertisingbehaviorinEurope.Infact,advertisingpracticesintheEUwerelargelyunaffectedbytheePrivacyDirective(seeSectionIV-C).Fourth,thestudyseemstooverlookchangesintheonlineadvertisingmarket.Behavioraladvertisingwasscarcein2001andaverysmallshareofonlineadvertisingin2008[79].Thesametimeperiodyieldedsignicantadvancesincontextualanddemographicadtargeting.IftheEUlawnegativelyaffectedbehavioraladvertising,weshouldexpectanacross-the-boardperformanceliftforEUandnon-EUads,withaslightlygreaterriseinnon-EUperformance.Instead,theauthorspredictanddemonstrateasignicantdecreaseinEUperformanceandnear-constantnon-EUperformance.Analstudy,byYanetal.[83],hasbeenwidelymiscitedbysupportersofthird-partytracking.Inthatpaper,theauthorspersuasivelydemonstratethatidealbehavioraltargetingcouldsubstantiallyimprovetheeffectivenessofrst-partyadvertisingontheBingsearchengine.Thepaperdoesnotexaminebehavioraladvertisinginpracticeorthird-partybehavioraladvertising.THIRD-PARTYWEBTRACKINGTECHNOLOGYVII.TRACKINGTECHNOLOGIESWhilethedebatessurroundingwebtrackingtendtofocusonHTTPcookies,therearemyriadstateful(“supercookie”)andstateless(“ngerprinting”)technologiesthatcanbeusedtopseudonymouslycorrelatewebactivities.1919Anoteonjargon:whenanon-cookietrackingtechnologyisusedtorecreateadeletedtrackingcookie,itisdubbeda“zombiecookie.” LikePrivad,Adnostic[100]usesclient-basedfunction-alitytoperformadselection,butiteliminatesanonymizingproxiesatthecostoflesspreciseadtargeting.Adnosticalsosimpliescost-per-clickbillingbyallowingtheadvertisingnetworktolearnofauser'sadclicks.Cost-per-impressionbillingwouldstillrequirealow-performancetrustedinter-mediarysoastonotrevealtheuser'sadimpressions.Asimplemented,Adnosticrequiresabrowserextension,whichisapracticalbarriertomorewidespreadadoption.RePriv[101],byFredriksonandLivshits,isaveriablepolicyarchitecturethatenablesuserstoselectivelygrantpermissionforgeneratingandsharingclient-sidedatastoresthatenablewebsitepersonalization.TheRePrivmodelholdspromiseasageneral-purposeplatformforbuildingprivacy-preservingadvertisinglikePrivadandAdnostic.But,likeAdnostic,RePrivwouldhavetobetranslatedfromitscurrentimplementationasasingle-platformbrowserextensionintoexistingwebtechnologiesfornear-termdeployment.BilenkoandRichardson[102]proposeanapproachforkeyword-basedsearchadvertisingthatprovidesprivacyagainstaweakerthreatmodel.Thesearchadvertisingcom-panyistrustedtotemporarilycomputeonuserproledata,butthenstorethedatainthebrowseranddeleteitscopy.Theauthorsrantheiralgorithmagainst60daysofBingsearchadvertisinglogsandachievedalmostallthebenetofcur-rentserver-sidebehavioraltargeting.Specically,theyreportcapturingover95%oftheincreaseinclick-throughrates,generatingapproximately4%greaterrevenuethansearchadvertisingwithoutbehavioraltargeting.Weareskepticalthatthetemporarydata-usemodelislikelytobeadopted;webservicesingeneral,andonlineadvertisingcompaniesinparticular,havehistoricallybeenloathtovoluntarilydiscardlogs.Themodelalsointroducestheriskofinadvertentorsurreptitiouscollectionofthird-partytrackingdata.B.AnalyticsSomeanalyticsserviceshavetakentechnicalandlegalprecautionstosilotrackingdataforeachrst-partywebsite.Severalfreeandpaidservices,includingGoogleAnalyt-icsandAdobeSiteCatalyst(formerlyOmniture),usethesame-originpolicytorestrictthescopeofpseudonymousidentierstoarst-partywebsite.Googleusesarst-partycookietoachievethis;Adobeoffersthechoiceofacookiescopedtoarst-partysubdomainCNAMEdtoAdobe(e.g.metrics.apple.com)oracookiescopedtoauniqueAdobesubdomain(e.g.paypal.112.2o7.net).GoogleAnalyticsoffersanopt-infeaturetowebsitesthatpreventsloggingthelastoctetofauser'sIPaddress(anonymizeIp).20ThisprivacyoptiondoesnotseemtoreducethebenetoftheservicesinceGoogleAnalyticsdoesnotreportIPaddresses,andgeolocation(theonlyreportedmeasurementthatreliesonIPaddresses)isunlikelytovary20Itisunclearhowmuchprivacyisaffordedbythismeasure[97].muchbythelastoctet.Wenonethelessfoundbarelyanyuseoftheoption:inanAugust2011crawloftheAlexatop10,000globalwebsites,anonymizeIpwassetononly63of4861(1.3%)reportstoGoogleAnalytics.Paidanalyticsservicesusuallypromisebycontracttomakenouseofthedatatheycollectexceptasdirectedbytheirclients,andtheyimposeinternalbusinesscontrolstoensureeachclient'sdataremainssegregated.Adobe,forexample,makestheseguarantees[103]:“AlthoughthedatageneratedbyAdobe'sproductsresidesonAdobe'sservers,eachcustomerownsthedatageneratedbytheuseofitssite.Bycontract,Adobehasnorighttoaccessorusethisdata.Inaddition,Adobedoesnotallowuseofthedataforanypurposeotherthanthoseoftheowner(webpublisher);thatis,Adobesiloseachcustomer'sdataforusebythatcustomer.”IX.USERCHOICEMECHANISMSThreetechnicalsolutionshavebeenadvancedforgivinguserscontroloverthird-partywebtracking:opt-outcookies,blocking,andDoNotTrack.A.Opt-OutCookiesandtheAdChoicesIconUserchoiceincurrentonlineadvertisingself-regulationisimplementedwithopt-outcookies.Thereareseveralprob-lemswiththisapproach.First,itrequiresmanualupdating.Tooptoutofnewthirdparties,auserhastoinstallnewcookies.Second,cookiesexpire,soauserhastoperiodicallyrenewopt-outcookies.Third,usersmaycleartheircookies,inadvertentlyremovingtheiropt-outpreferences.Fourth,opt-outcookiesarefragile;itiseasyforathirdpartytoimproperlysetordeleteanopt-outcookie.Fifth,opt-outcookiesscalepoorly;eachthird-partyPS+1requiresanetworkroundtrip,resultinginasluggishuserexperiencewhenchangingmanypreferences.Browserextensionsforpersistingopt-outcookies,suchasTACOorGoogleKeepMyOptOuts,largelymitigatetheseissuesatthecostofusability.Manyonlineadvertisingcompanieshavebeguntoinsertan“AdChoices”icon(13x13px)andtext(10pt)intodisplayads(Figure2(b))toincreaseuserawarenessofbehavioraltargetingandexistingself-regulatorychoicemechanisms.Clickingtheiconprovidesadditionalinformationabouthowtheadwastargetedand,inmanycases,alinktolandingpagewheretheusercansetopt-outcookies.Severalstudieshavecalledintoquestiontheusabilityoftheself-regulatoryopt-outmodel.BeforethedeploymentoftheAdChoicesiconanindustry-fundedpolicygroupconductedalarge-audienceusabilitysurvey[106].Itfoundthata31x31pxiconwith18ptfont(Figure3(a))wasnotveryeffectiveatconveyinginformationaboutbehavioraltargetingpractices(“substantialrepetitionandconsumereducationmaybeneededtoimprove[the [5]W.Enck,P.Gilbert,B.Chun,L.P.Cox,J.Jung,P.Mc-Daniel,andA.N.Sheth,“TaintDroid:Aninformation-owtrackingsystemforrealtimeprivacymonitoringonsmartphones,”inProceedingsofthe9thUSENIXSymposiumonOperatingSystemsDesignandImplementation,October2010.[6]S.ThurmandY.I.Kane,“Yourappsarewatchingyou,”TheWallStreetJournal,December2010.[7]J.Mayer.(2011,July)Trackingthetrackers:Tocatchahistorythief.[Online].Available:http://cyberlaw.stanford.edu/node/6695[8]M.Ayenson,D.J.Wambach,A.Soltani,N.Good,andC.J.Hoofnagle,“FlashcookiesandprivacyII:NowwithHTML5andETagrespawning,”July2011.[9]A.Soltani.(2011,August)Respawnredux.[Online].Available:http://ashkansoltani.org/docs/respawn redux.html[10]B.KrishnamurthyandC.Wills,“Privacyleakagevs.pro-tectionmeasures:thegrowingdisconnect,”inProceedingsoftheWeb2.0SecurityandPrivacyWorkshop,May2011.[11]——,“Ontheleakageofpersonallyidentiableinformationviaonlinesocialnetworks,”inProceedingsoftheACMWorkshoponOnlineSocialNetworks,August2009.[12]B.KrishnamurthyandC.E.Wills,“Privacydiffusionontheweb:Alongitudinalperspective,”inProceedingsofthe18thConferenceontheWorldWideWeb,April2009.[13]——,“GeneratingaprivacyfootprintontheInternet,”inProceedingsofthe6thACMConferenceonInternetMeasurement,October2006.[14]A.Soltani,S.Canty,Q.Mayo,L.Thoma,andC.J.Hoof-nagle,“Flashcookiesandprivacy,”August2009.[15]F.Roesner,T.Kohno,andD.Wetherall,“Detectinganddefendingagainstthird-partytrackingontheweb,”inPro-ceedingsofthe9thUSENIXSymposiumonNetworkedSystemsDesignandImplementation,April2012.[16]P.G.Leon,L.F.Cranor,A.M.McDonald,andR.McGuire,“Tokenattempt:ThemisrepresentationofwebsiteprivacypoliciesthroughthemisuseofP3Pcompactpolicytokens,”inProceedingsofthe2010WorkshoponPrivacyintheElectronicSociety,October2010.[17]D.Jang,R.Jhala,S.Lerner,andH.Shacham,“Anempiricalstudyofprivacy-violatinginformationowsinJavaScriptwebapplications,”inProceedingsofthe2006ACMConfer-enceonComputerandCommunicationsSecurity,October2010.[18]ECMA.Harmonyproxies.[Online].Available:http://wiki.ecmascript.org/doku.php?id=harmony:proxies[19]J.Mayer.(2011,October)Trackingthetrackers:Whereeverybodyknowsyourusername.[Online].Available:http://cyberlaw.stanford.edu/node/6740[20]A.Narayanan.(2011,July)Thereisnosuchthingasanonymousonlinetracking.[Online].Available:http://cyberlaw.stanford.edu/node/6701[21]Datalogix.Datalogixprivacypolicy.[Online].Available:http://datalogix.com/privacy/[22]D.Perito,C.Castelluccia,M.A.Kaafar,andP.Manilsr,“Howuniqueandtraceableareusernames?”inProceedingsofthe2011PrivacyEnhancingTechnologiesSymposium,2011.[23]D.Irani,S.Webb,C.Pu,andK.Li,“Personal-informationleakagefrommultipleonlinesocialnetworks,”IEEEInter-netComputing,May2011.[24]D.Irani,S.Webb,K.Li,andC.Pu,“Largeonlinesocialfootprints-anemergingthreat,”inProceedingsofthe2009InternationalConferenceonComputationalScienceandEngineering,August2009.[25]A.Narayanan.(2008,November)Lendingclub.com:Ade-anonymizationwalkthrough.[Online].Available:http://33bits.org/2008/11/12/57/[26]MozillaFoundation.Publicsufxlist.[Online].Available:http://publicsufx.org/[27]A.Narayanan.(2010)HowGoogleDocsleaksyouridentity.[Online].Available:http://33bits.org/2010/02/22/google-docs-leaks-identity/[28]L.-S.HuangandC.Jackson,“Clickjackingattacksunre-solved,”July2011.[29]A.NarayananandV.Shmatikov,“Robustde-anonymizationoflargedatasets,”inProceedingsofthe2008IEEESympo-siumonSecurityandPrivacy,May2008.[30]——,“De-anonymizingsocialnetworks,”inProceedingsofthe2009IEEESymposiumonSecurityandPrivacy,May2009.[31]A.Acquisti,R.Gross,andF.Stutzman,“FacesofFace-book,”inBlackHat2011,August2011.[32]Epsilon.(2011,April)Epsilonnotiesclientsofunauthorizedentryintoemailsystem.[Online].Avail-able:http://epsilon.com/news-events/press-releases/2011/epsilon-noties-clients-unauthorized-entry-email-system[33]J.Turow,J.King,C.J.Hoofnagle,A.Bleakley,andM.Hennessy,“Americansrejecttailoredadvertisingandthreeactivitiesthatenableit,”September2009.[34]A.M.McDonaldandL.F.Cranor,“Beliefsandbehaviors:Internetusers'understandingofbehavioraladvertising,”inProceedingsofthe2010ResearchConferenceonCommu-nication,InformationandInternetPolicy,October2010.[35]Gallup.(2010,December)USAToday/Galluppoll.[Online].Available:http://gallup.com/poll/File/145334/Internet Ads Dec 21 2010.pdf[36]TRUSTeandHarrisInteractive.(2011,July)Privacyandonlinebehavioraladvertising.[Online].Available:http://truste.com/ad-privacy/TRUSTe-2011-Consumer-Behavioral-Advertising-Survey-Results.pdf[37]PewResearchCenter.(2012,March)Searchengineuse2012.[Online].Available:http://pewinternet.org/Reports/2012/Search-Engine-Use-2012.aspx[38]Article29DataProtectionWorkingParty.(2012,March)Lettertotheonlineadvertisingindustry.[Online].Available:http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/les/2012/20120301 reply to iab easa en.pdf[39]DigitalAdvertisingAlliance.(2012,February)DAApositiononbrowserbasedchoicemechanism.[Online].Available:http://aboutads.info/resource/download/DAA Committment.pdf[40]S.Stamm.(2011,November)Whywewon'tenableDNTbydefault.[Online].Available:http://blog.mozilla.com/privacy/2011/11/09/dnt-cannot-be-default/[41]T.Lowenthal.(2011,November)Deeperdiscus- Internetasweknowit,”U.S.News,January2011,opinion.[77]B.Kunz,“The$8billionDoNotTrackprize,”BloombergBusinessweek,December2010,opinion.[78]H.David,“DoNotTrack:Revenueimpactononlineadver-tising,”BloombergGovernment,March2011.[79]J.Mayer.(2011,January)DoNotTrackisnothreattoad-supportedbusinesses.[Online].Available:http://cyberlaw.stanford.edu/node/6592[80]H.Beales,“Thevalueofbehavioraltargeting,”March2010.[Online].Available:http://networkadvertising.org/pdfs/Beales NAI Study.pdf[81]A.GoldfarbandC.E.Tucker,“Privacyregulationandonlineadvertising,”ManagementScience,January2011.[82]——,“Onlineadvertising,behavioraltargeting,andpri-vacy,”CommunicationsoftheACM,May2011.[83]J.Yan,N.Liu,G.Wang,W.Zhang,Y.Jiang,andZ.Chen,“Howmuchcanbehavioraltargetinghelponlineadvertis-ing?”inProceedingsofthe18thConferenceontheWorldWideWeb,April2009.[84]J.Franks,P.Hallam-Baker,J.Hostetler,S.Lawrence,P.Leach,A.Luotonen,andL.Stewart,“HTTPauthenti-cation:Basicanddigestaccessauthentication,”RFC2617,June1999.[85]R.Fielding,J.Gettys,J.Mogul,H.Frystyk,L.Masinter,P.Leach,andT.Berners-Lee,“Hyptertexttransferprotocol–HTTP/1.1,”RFC2616,June1999.[86]N.Cubrilovic.(2011,August)PersistentandunblockablecookiesusingHTTPheaders.[Online].Available:http://nikcub.appspot.com/posts/persistant-and-unblockable-cookies-using-http-headers[87]E.Bursztein.(2011,July)TrackingusersthatblockcookieswithaHTTPredi-rect.[Online].Available:http://elie.im/blog/security/tracking-users-that-block-cookies-with-a-http-redirect/[88]M.Zalewski.(2011,December)Rapidhistoryextractionthroughnon-destructivecachetiming.[Online].Available:http://lcamtuf.coredump.cx/cachetime/[89]T.DierksandE.Rescorla,“Thetransportlayersecurity(TLS)protocolversion1.2,”RFC5246,August2008.[90]J.Hodges,C.Jackson,andA.Barth,“HTTPstricttransportsecurity(HSTS),”draft-ietf-websec-strict-transport-sec-06,March2012.[91]Z.Weinberg,E.Chen,P.R.Jayaraman,andC.Jackson,“Istillknowwhatyouvisitedlastsummer:Leakingbrowsinghistoryviauserinteractionandsidechannelattacks,”inProceedingsofthe2011IEEESymposiumonSecurityandPrivacy,May2011.[92]S.Kamkar.(2010,September)evercookie.[Online].Available:http://samy.pl/evercookie/[93]A.M.McDonaldandL.F.Cranor,“AsurveyoftheuseofAdobeFlashlocalsharedobjectstorespawnHTTPcookies,”CarnegieMellonCyLab,Tech.Rep.11-001,January2011.[94]J.Mayer.(2011,August)Trackingthetrackers:Microsoftadvertising.[Online].Available:http://cyberlaw.stanford.edu/node/6715[95]——,“`Anyperson...apamphleteer':Internetanonymityintheageofweb2.0,”Undergraduatethesis,PrincetonUniversity,Princeton,NJ,May2009.[96]P.Eckersley,“Howuniqueisyourwebbrowser?”inPro-ceedingsofthe2010PrivacyEnhancingTechnologiesSym-posium,July2010.[97]T.-F.Yen,Y.Xie,F.Yu,R.P.Yu,andM.Abadi,“Hostngerprintingandtrackingontheweb:Privacyandsecurityimplications,”inProceedingsofthe19thAnnualNetworkandDistributedSystemSecuritySymposium,February2012.[98]S.Guha,B.Cheng,andP.Francis,“Privad:Practicalprivacyinonlineadvertising,”inProceedingsofthe2011USENIXSymposiumonNetworkedSystemsDesignandImplementa-tion,April2011.[99]A.Reznichenko,S.Guha,andP.Francis,“AuctionsinDo-Not-TrackcompliantInternetadvertising,”inProceedingsofthe2011ACMConferenceonComputerandCommunica-tionsSecurity,October2011.[100]V.Toubiana,A.Narayanan,D.Boneh,H.Nissenbaum,andS.Barocas,“Adnostic:Privacypreservingtargetedadvertis-ing,”inProceedingsofthe2010NetworkandDistributedSystemSecuritySymposium,March2010.[101]M.FredriksonandB.Livshits,“Repriv:Re-envisioningin-browserprivacy,”inProceedingsofthe2011IEEESympo-siumonSecurityandPrivacy,May2011.[102]M.BilenkoandM.Richardson,“Predictiveclient-sidepro-lesforpersonalizedadvertisingg,”inProceedingsofthe2011ACMConferenceonKnowledgeDiscoveryandDataMining,August2011.[103]M.J.Rasmussen,“Adobepositionpaperonprivacyandtracking,”inW3CWorkshoponWebTrackingandUserPrivacy,April2011.[104]S.Clifford,“Alittle`i'toteachaboutonlineprivacy,”TheNewYorkTimes,January2010.[105]J.Hernandez,A.Jagadeesh,andJ.Mayer.(2011,August)Trackingthetrackers:TheAdChoicesicon.[Online].Available:http://cyberlaw.stanford.edu/node/6714[106]M.HastakandM.J.Culnan,“Onlinebehavioraladvertisingiconstudy,”January2010.[Online].Available:http://futureofprivacy.org/nal report.pdf[107]P.G.Leon,B.Ur,R.Balebako,L.F.Cranor,R.Shay,andY.Wang,“WhyJohnnycan'toptout:Ausabilityevaluationoftoolstolimitonlinebehavioraladvertising,”CarnegieMellonCyLab,Tech.Rep.11-017,October2011.[108]WorldWideWebConsortium.(2011,April)Webtrackinganduserprivacyworkshop.[Online].Available:http://w3.org/2011/04/29-w3cdnt-minutes.html[109]G.Aggrawal,E.Bursztein,C.Jackson,andD.Boneh,“Ananalysisofprivatebrowsingmodesinmodernbrowsers,”inProceedingsofthe19thUSENIXSecuritySymposium,2010.[110]J.Mayer.(2011,September)Trackingthetrackers:Self-helptools.[Online].Available:http://cyberlaw.stanford.edu/node/6730[111]A.Fowler.(2011,November)DoNotTrackAdoptioninFirefoxMobileis3xhigherthandesktop.[Online].Available:http://blog.mozilla.com/privacy/2011/11/02/do-not-track-adoption-in-refox-mobile-is-3x-higher-than-desktop/[112]S.Guha,B.Cheng,andP.Francis,“Challengesinmeasuringonlineadvertisingsystems,”inProceedingsofthe10thACMConferenceonInternetMeasurement,November2010.[113]J.Mayer.(2011,July)Trackingthetrackers:Earlyresults.[Online].Available:http://cyberlaw.stanford.edu/node/6694