Tracking Ecologies

What is tracking?

Gathering data tobuild user profiles

Trackers build profiles about you

—

Decisions big and smallWhich ad to showWhich rate to offerWho doesn't get the job...Who goes to prison

donttrack.us

Google Ads Preferences Managerwww.google.com/settings/ads/onweb/

What kind of data?Online

Page visitsSearchesSocial profilesLikes/retweets/reblogsMail...

OfflineCredit/gift card purchasesFinancial (credit/mortgage/bank)Geographic...

PORN

Who are you to a tracker?It depends

Facebook/Gmail/TwitterGoogle AdsFoursquare

/...Euclid Analytics Nomi

So, like, how much tracking is there?

13%

21%

69%

Websites in GhostRank for June 2013

integrate with Twitter

integrate with Facebook

have Google Analytics

Huh

How do I track thee? (on the Web)Client­side

Standard HTTP CookiesLocal Shared Objects (Flash Cookies)Silverlight Isolated StorageStoring cookies in RGB values of auto­generated, force­cached PNGs using HTML5Canvas tag to read pixels (cookies) back outStoring cookies in Web HistoryStoring cookies in HTTP ETagsStoring cookies in Web cachewindow.name cachingInternet Explorer userData storageHTML5 Session StorageHTML5 Local StorageHTML5 Global StorageHTML5 Database Storage via SQLite

— evercookie

Samy "I'm Popular" Kamkar

How do I track thee, pt. 2Server­side: Device/browser fingerprinting

Server creates fingerprint based on browser request signalsUser AgentScreen SizeFontsBrowser pluginsIP address...

Undetectable on the client sideCan effectively persist across browsers/devicesAlready an industry: BlueCava, ThreatMetrix, ReputationManager, ...

What are trackers?Webpage elements

scriptsimagesiframesembedded objects (Flash)...

Terminology minute!

First­party vs. third­party vs. fourth­party

So how does trackingwork?

Request URL: http://www.newyorker.com/strongbox/

Request Method: GET

Status Code: 200 OK

Request headersAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept­Encoding:

gzip,deflate,sdch

Accept­Language:

en­US,en;q=0.8

Cache­Control:

no­cache

Connection: keep­alive

Cookie: mobify=0; mbox=check#true#1372203648|session#1372203589523­979009#1372205448

DNT: 1

Host: www.newyorker.com

Pragma: no­cache

User­Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36(KHTML, like Gecko) Chrome/29.0.1541.0 Safari/537.36

Response headersAccept­Ranges: bytes

Access­Control­Allow­Origin:

*

Cache­Control: max­age=358

Connection: keep­alive

Content­Encoding: gzip

Content­Length: 30018

Content­Type: text/html; charset=ISO­8859­1

Date: Tue, 25 Jun 2013 23:39:59 GMT

ETag: "a647b0­d556­4dcc54324dd00"

Expires: Tue, 25 Jun 2013 23:45:57 GMT

Last­Modified: Wed, 15 May 2013 17:41:40 GMT

Server: Apache/2.2.15 (Red Hat) mod_ssl/2.2.15 OpenSSL/1.0.0­fips

Vary: Accept­Encoding

DetectionIntercept requestsCompare request URLs to known tracker patternsCancel requests matching blocked trackersNo request, no tracking

Tracking the trackersFinding trackers

User reportsTracker crawlerCompanies ask us to be included

Defining Ghostery tracker patternsNarrow enough to avoid false positivesWide enough to catch all trackers resources

Separating tracking from contentYou can't, sometimes

DisqusBrightcovesocial buttons...

Related projects

Netograph / netograph.com

Collusion / http://www.mozilla.org/en­US/collusion/

FourthParty / fourthparty.info

Panopticlick / panopticlick.eff.org

+ Cookieless Monster: Exploring the Ecosystem of Web­based Device Fingerprinting/ securitee.org/files/cookieless_sp2013.pdf

DuckDuckGo / donttrack.us