How OpenWPM and the Transparency Census will bring ...
The Web Privacy Problem is a Transparency Problem
How OpenWPM and the Transparency Census will bring transparency to the web.
webtap.princeton.edu
Steven Englehardt, @s_englehardt
Source: Mayer & Mitchell; Third-Party Web Tracking: Policy and Technology
Web tracking lacks transparency
...but we are changing that (and I’ll show you how we already have)
Transparency encourages best practices
● May 2012: Canvas Fingerprinting Introduced
● May 2014: Canvas Fingerprinting Measured
● July 21st 2014: News Coverage
● July 23rd 2014: Largest Fingerprinters Stopped
Canvas Fingerprinting was a known technique for 2 years.
In just 2 months following our measurement work the largest users of
canvas fingerprinting stopped.
Why?
Our measurement work removed information asymmetry between trackers and the rest of the web.
Information asymmetry not just between trackers and users.
“YouPorn contacted us to say… ‘[the website was] completely unaware that AddThis contained a tracking software…’”
Transparency is effective at returning control to users and publishers
Automated, large-scale measurements can provide this transparency
We’re doing three things to help:
1. Developing OpenWPM
2. Running monthly, 1 million site measurements
3. Building an analysis layer on top of the data
OpenWPM
[Diagram; labels: Web, Browser Instance]
OpenWPM supports browsing with persistent state
● Browser can keep profile through crashes and freezes
  ○ Cookie setting over a session
  ○ Cookie synchronization (id sharing)
  ○ Zombie Cookies
OpenWPM uses a real browser
● Extensions
  ○ AdBlock Plus, Ghostery, ...
● Privacy Features
  ○ Block third-party cookies, FF tracking protection, ...
● Support for new web technologies
  ○ WebRTC, Audio, Video, WebGL
OpenWPM is already used by at least 7 research groups
● At Princeton
  ○ 4 published studies and several ongoing
● Ongoing Research
  ○ Columbia University
● In published studies:
  ○ The Web Privacy Census (UC Berkeley / Berkeley Law)
  ○ Variations in Tracking in Relation to Geographic Location (CMU / RAND)
  ○ Forthcoming WWW’16 study by Nick Nikiforakis (Stony Brook)
● By journalists
● By regulators
The Web Transparency Census
Monthly 1 Million Site Crawl
Collecting:
● JavaScript Calls
● All JavaScript files
● HTTP Requests and Responses
● Storage (cookies, Flash, etc.)
Supporting a variety of measurements
1. Effectiveness of Privacy Tools
● Ghostery
● AdBlock Plus
● HTTPS Everywhere
2. Effectiveness of Browser Protections
● DNT
● Third-party cookie Blocking
● Firefox Tracking Protection
3. Use of JavaScript for tracking
● Canvas Fingerprinting
● Property Enumeration
● WebRTC Local IP Sniffing
4. Tracking Practices
● Cookie Syncing
● Cookie Respawning
● Setting ID cookies
Case Study 1: Canvas Fingerprinting
Case Study 2: WebRTC Local IP Sniffing
Source: Mowery and Shacham; Pixel Perfect: Fingerprinting Canvas in HTML5
2012: Canvas Fingerprinting Introduced
2014: Canvas Fingerprinting Measured
COSIC
Source: Acar, Eubank, Englehardt, Juarez, Narayanan, Diaz; The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
1. Write a Firefox patch
2. Write automation with Selenium
3. Write analysis code
Case Study 2: WebRTC Local IP Sniffing
1. I saw a tweet that nytimes.com is IP sniffing
2. I added code to JS Instrumentation for next crawl

    // Access to webRTC
    instrumentObject(window.mozRTCPeerConnection.prototype,
                     "mozRTCPeerConnection", /* prototype = */ true);

3. I wrote some analysis code
● Grab all URLs that execute
  ○ mozRTCPeerConnection.onicecandidate
  ○ mozRTCPeerConnection.createDataChannel
  ○ mozRTCPeerConnection.createOffer
● Check JS Files to confirm
4. I found several third-parties sniffing local IP
● 121 first-party sites (October 2015)
  ○ 29 in the top 10k
● 24 unique scripts
● Only 1 of which is blocked by EasyList/EasyPrivacy
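
An added example (not from the talk or from OpenWPM's code base) of the analysis in step 3, run over constructed call records: it flags third-party scripts that access all three listed symbols during the same site visit. The `js_calls` table, the sample URLs, the "all three" rule and the two-label domain comparison are assumptions made for the example.

```python
import sqlite3
from urllib.parse import urlparse

# Symbols listed on the slide; assumption: a script must touch all three
# during the same site visit to count as a local-IP sniffing candidate.
REQUIRED = {
    "mozRTCPeerConnection.onicecandidate",
    "mozRTCPeerConnection.createDataChannel",
    "mozRTCPeerConnection.createOffer",
}

# Constructed sample data: (site visited, script URL, symbol accessed).
T, V, F = ("https://cdn.tracker.example/t.js", "https://chat.example/video.js",
           "https://static.shop.example/app.js")
SAMPLE_CALLS = (
    [("news.example", T, s) for s in REQUIRED]
    + [("blog.example", T, s) for s in REQUIRED]
    # Partial use only: never creates a data channel, so not flagged.
    + [("chat.example", V, "mozRTCPeerConnection.createOffer"),
       ("chat.example", V, "mozRTCPeerConnection.onicecandidate")]
    # All three symbols, but served from the visited site's own domain.
    + [("shop.example", F, s) for s in REQUIRED]
    # Noise: an unrelated instrumented symbol.
    + [("news.example", "https://ads.example/a.js", "window.navigator.userAgent")]
)

def base_domain(host):
    # Simplification: last two labels. Real analysis needs the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def load(calls):
    conn = sqlite3.connect(":memory:")
    # Hypothetical table layout for this example, not OpenWPM's schema.
    conn.execute("CREATE TABLE js_calls (site TEXT, script_url TEXT, symbol TEXT)")
    conn.executemany("INSERT INTO js_calls VALUES (?, ?, ?)", calls)
    return conn

def find_ip_sniffers(conn):
    """Map each third-party script URL to the sites where it used all REQUIRED symbols."""
    marks = ",".join("?" * len(REQUIRED))
    rows = conn.execute(
        f"SELECT site, script_url FROM js_calls WHERE symbol IN ({marks}) "
        "GROUP BY site, script_url HAVING COUNT(DISTINCT symbol) = ?",
        (*sorted(REQUIRED), len(REQUIRED)),
    ).fetchall()
    hits = {}
    for site, script in rows:
        if base_domain(urlparse(script).hostname) != base_domain(site):
            hits.setdefault(script, set()).add(site)
    return {script: sorted(sites) for script, sites in hits.items()}

if __name__ == "__main__":
    for script, sites in find_ip_sniffers(load(SAMPLE_CALLS)).items():
        print(f"{script}: {len(sites)} first-party site(s): {', '.join(sites)}")
```

Flagged scripts are candidates only; the "Check JS Files to confirm" step still requires reading the collected script source.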
Measurement with OpenWPM is much easier
Canvas Fingerprinting
1. Write a Firefox patch
2. Write automation with Selenium
3. Write analysis code
WebRTC Local IP Sniffing
1. Write 1 line of JavaScript
2. Use OpenWPM
3. Write analysis code
Where to go from here:
1. Inform the public
2. Provide data for privacy tools
3. Make data more accessible to less technical investigators
We’d like to collaborate with you
1. Submit pull requests for OpenWPM
2. Use OpenWPM to run measurements and release the data
3. Download our data and build analysis on top of it
   a. (Coming soon!)
Help us make the web more transparent!
● Contribute:
  ○ github.com/citp/OpenWPM
● Collaborate:
  ○ webtap.princeton.edu
Image Assets from the Noun Project: Database by Creative Stall; programmer by Hadi Davodpour
Email: [email protected]; Twitter: @s_englehardt