Over the past decade, the World-Wide Web has developed a unique ecosystem of third-party services, including advertisements, active content for web analytics, and tightly integrated application programming interfaces. These third-party tools collect large amounts of information, the scale and implications of which are largely unknown to the public and difficult to gauge even for even experts. The implication of users' web-surfing on their privacy has not previously been studied from the most natural perspective, namely that of the users themselves. This research aims to close this gap by focusing on users' actual web behavior, any existing countermeasures they employ to safeguard their privacy, the amount of information leaked, and the implications this has for the profiling capabilities of third-party services.
To measure information leakage, real-world web-surfing traffic will be examined through an anonymized picture of each discernible user, including browser details, any countermeasures taken to safeguard his or her privacy, and the cookies, referrals, and web visits as observed by the third parties involved. Next, profiling strategies will be examined that reflect different vantage points and intent, mirroring the capabilities of third parties with access to information about the users' web surfing. Finally, a browser extension will be developed that not only informs users about the parties their current web-surfing is providing information to, but also actively minimizes privacy leaks via fine grained policy enforcement that allows third-party services to function correctly.
The social elements on many web sites, such as the Facebook "Like" button, Google's "+1", Twitter's "tweet this", don't just act as convenient tools, but actively share information with the social networks, revealing what pages a person reads, whether or not they actually click on the button. This tracking can be doubly problematic, as simply blocking these trackers can significantly disrupt site tools such as embedded maps, feedback widgets, and other social elements. We developed two separate approaches to mitigate these trackers, which we made available as free extensions to the Firefox Web Browser. The first, priv3, available at https://addons.mozilla.org/en-US/firefox/addon/priv3/ , utilized a blacklist of social trackers. For these trackers, they were first loaded without cookies. Only if a user interacted with the tracker would the tracker be first reloaded with cookies. Thus, for example, a Facebook powered feedback element would be readable without indicating to Facebook the current visitor. Only when the user takes an implicit action, such as a mouseclick or keystroke, does Facebook learn the identity. The second, priv3+, available at https://addons.mozilla.org/en-US/firefox/addon/priv3plus/ , extended the priv3 model in a generic fashion. Rather than having a blacklist of all trackers, priv3+ implements tracking-blocking on all third party data. For images like advertisements, with their nested structure, a user keypress or mouseclick is simply forwarded without reloading, while single-frame social elements are reloaded. Both extentions clearly demonstrated that the web doesn't have to be about tracking, but that tracking can be mitigated without substantially impacting user experience. This is in sharp contrast to either allowing tracking or blocking the widgets completely. Thus this represents a significantly new way of thinking about cookies and tracking. They also demonstrate that one can reasonably infer "user intent" to determine when to enable cookies. This work also has a built in broader impact: rather than just theorizing and laboratory-evaluating the effectiveness of this technique, the two extensions were made available to the public, allowing the public to directly benefit from this research.
