
1

Online Privacy

May 19, 2014

Janine L. Spears, Ph.D.
DePaul University
CNS 477

2
1. Announcements
2. The concept of PII
3. Online behavioral tracking


Agenda
3
Reading assignment for next week
Case: Online Advertising, Behavioral Targeting, and Privacy,
CACM, 2011
The Nothing to Hide case and the case assigned for next week
will both be part of a role-playing exercise next week


Announcements
4
The meaning of privacy is perceived as:
a) The right to be left alone
b) The right to be free from unreasonable personal intrusion
c) The right to determine what personal information can be
communicated and to whom
Privacy
5

Amazing mind reader reveals his secret:
http://9gag.com/gag/5450071




An Introduction to Consumer Privacy
6
Consumer Information Privacy
Source: Protecting Consumer Privacy in an Era of Rapid Change, U.S. Federal Trade Commission (FTC) Report, 2012, p. B-2
7
In the context of privacy in a digital world, much is made
about personally identifiable information (PII): those
data attributes that identify a specific individual
PII (within the US) has been limited to a short list of data
attributes
When PII has been shared with unauthorized parties,
it is considered to be a data breach
Otherwise, there is no data breach, and therefore, no legal
protection


PII as the trigger for what is a data breach
8
Depending on the regulation and/or perspective, PII (in
the US) may include name + any one of the following:
Address
E-mail address
Driver's license number
Financial account numbers
Phone number
Social security number
Personally Identifiable Information (PII)
9
Two categories of personal information the FTC has
defined in its complaints against companies:

account-level information (e.g., financial account #)
identity-level information (e.g., SSN)

Breaches of identity-level personal information carry a
higher penalty than account-level breaches. Why?
Personally Identifiable Information (PII)
Hanson, J of LTC, Washington Univ, 2008
10
At the core of privacy laws is the concept of PII

The basic assumption of privacy laws is that in absence
of PII, no harm is done

Privacy regulation focuses on the collection, use, and
disclosure of PII and leaves non-PII largely unregulated

The Current State of U.S. Privacy Laws and PII
Schwartz & Solove, NY University Law Review 2011
11
1. US privacy laws lack a uniform definition of PII:

Three approaches to defining PII:
a. Tautological: any info that identifies a person
b. Non-public: any info not in public domain
c. Specific types of information: list of data types
No need to memorize these 3 approaches; the key point
is that there is no uniform definition of PII

Issues with PII (1 of 2)
Schwartz & Solove, NY University Law Review 2011
12
2. Non-PII can be transformed into PII.
Consequently, privacy laws do not cover:
a) Data mining
b) Online behavioral advertising (online tracking)
c) Data aggregation and re-identification
Whether information is identifiable to a person
depends upon context and cannot be pre-
determined a priori.

Issues with PII (2 of 2)
Schwartz & Solove, NY University Law Review 2011
13

What companies know about Joel Stein @ Time mag: (2:33)
http://www.time.com/time/video/player/0,32068,821500876001_2058396,00.html



Introduction to Online Behavioral Tracking
14
Online behavioral advertising refers to the tracking of a
consumer's activities online, including the searches the
consumer has conducted, the web pages visited, and the
content viewed, in order to deliver advertising targeted
to the individual consumer's interests.

Online Behavioral Advertising defined
http://www.ftc.gov/os/2007/12/P859900stmt.pdf
15
Upon visiting a web site, at least the following info may
be sent to the web server:
Your IP address
The referring page (i.e., page last visited)
Your web browser type and configuration
Operating system type/version
The time of visit



Type of Information that is Collected & Shared/Sold
16

How Advertisers Use Internet Cookies to Track
You, WSJ video (7:14):
http://live.wsj.com/video/how-advertisers-use-internet-cookies-to-track-you/92E525EB-9E4A-4399-817D-8C4E6EF68F93.html#!92E525EB-9E4A-4399-817D-8C4E6EF68F93



Introduction to Cookies and Online Behavioral Tracking
17
Advances in cookie technologies
1st party vs. 3rd party cookies
Cookie size larger, detection harder
HTTP (4kb), Flash (100kb), HTML5 (5MB)
Cookie respawning
Original study: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862
Technology explained: http://ashkansoltani.org/docs/respawn_redux.html




Methods of Online Behavioral Tracking
18
Browser fingerprinting
A researcher developed Panopticlick as a tool to test your
browser to see how unique it is based on the information it will
share with sites it visits.
http://panopticlick.eff.org/ (see uniqueness of your browser)
A fingerprint that carries no more than 15-20 bits of identifying
information will in almost all cases be sufficient to uniquely
identify a particular browser
Consequently, a browser (i.e., user) can be tracked without the
use of cookies
Non-Cookie Methods of Online Behavioral Tracking
Source: Peter Eckersley 2010
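
Added example (not part of the original slides): how identifying bits accumulate as a site combines the attributes a browser reports, which is the measurement Panopticlick makes. The eight visitors and their attribute values are constructed sample data, and the function names are illustrative.

```python
import math

ATTRS = ("user_agent", "timezone", "screen", "fonts")

# Constructed sample: attribute values reported by 8 visiting browsers.
VISITORS = [
    ("Firefox", "UTC-6", "1920x1080", "fontset-A"),
    ("Firefox", "UTC-6", "1920x1080", "fontset-B"),
    ("Firefox", "UTC-5", "1366x768", "fontset-A"),
    ("Firefox", "UTC-5", "1366x768", "fontset-B"),
    ("Chrome", "UTC-6", "1920x1080", "fontset-A"),
    ("Chrome", "UTC-5", "1366x768", "fontset-B"),
    ("Chrome", "UTC-5", "1920x1080", "fontset-B"),
    ("Chrome", "UTC-6", "1366x768", "fontset-B"),
]


def anonymity_set(visitors, target, n_attrs):
    """Number of visitors sharing the target's first n_attrs attribute values."""
    return sum(v[:n_attrs] == target[:n_attrs] for v in visitors)


def surprisal_bits(visitors, target, n_attrs):
    """Identifying information, in bits, carried by those n_attrs values."""
    return math.log2(len(visitors) / anonymity_set(visitors, target, n_attrs))


def cumulative_profile(visitors, target):
    """(attribute added, total bits, anonymity-set size) as attributes combine."""
    return [
        (ATTRS[i], surprisal_bits(visitors, target, i + 1),
         anonymity_set(visitors, target, i + 1))
        for i in range(len(ATTRS))
    ]


def browsers_distinguishable(bits):
    """A fingerprint carrying `bits` bits can tell apart at most 2**bits browsers."""
    return 2 ** bits


if __name__ == "__main__":
    for attr, bits, size in cumulative_profile(VISITORS, VISITORS[0]):
        print(f"+ {attr:<10} {bits:.1f} bits, shared by {size} browser(s)")
    print(browsers_distinguishable(15), browsers_distinguishable(20))
```

Each attribute alone leaves the browser in a crowd; combined, the anonymity set shrinks to one without any cookie being set.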

19
Web beacons (aka web bugs)
Are typically a 1x1 image that is invisible to the user and is
embedded in the HTML code on a web page or in an email for
the purpose of tracking a user's site and page visits.
A web bug viewed by a user may transmit to a server (e.g., of
an advertising entity) the user's IP address, web page visited,
time, and value of previously set cookies
One study found that all 50 of the top sites contained at least 1
web bug


Non-Cookie Methods of Online Behavioral Tracking
Source: Gomez et al., KnowPrivacy.org 2009
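
Added example (not part of the original slides): a page audit that flags web bugs the way the slide defines them, i.e. images of at most 1x1 pixel loaded from a host other than the page's own, and lists what each request URL would disclose. The page URL, hosts and HTML are constructed sample input; comparing exact hostnames is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page: logo, first-party spacer, normal ad, and one web bug.
PAGE_URL = "http://news.example/article/42"
SAMPLE_HTML = """
<img src="/img/logo.png" width="200" height="60">
<img src="http://news.example/spacer.gif" width="1" height="1">
<img src="http://ads.example/banner.jpg" width="468" height="60">
<img src="http://tracker.example/p.gif?page=/article/42&amp;uid=abc123"
     width="1" height="1">
"""


class BeaconFinder(HTMLParser):
    """Collects <img> tags that are at most 1x1 and served by another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = urlparse(a.get("src") or "")
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        # Relative URLs have no hostname and are first-party by definition.
        third_party = src.hostname is not None and src.hostname != self.page_host
        if tiny and third_party:
            # Query parameters show what the page hands to the beacon's server.
            self.findings.append(
                {"host": src.hostname, "params": parse_qs(src.query)}
            )


def find_beacons(page_url, html):
    """Return one finding per suspected web bug in the given HTML."""
    finder = BeaconFinder(page_url)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for finding in find_beacons(PAGE_URL, SAMPLE_HTML):
        print(finding["host"], finding["params"])
```

The first-party spacer and the full-size third-party banner are not flagged; only the tiny third-party image is, along with the page path and user ID carried in its URL.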
20

Mobile device apps

Video: (4:17)
http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html#articleTabs%3Dvideo

Article:
http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html#articleTabs%3Darticle






Online behavioral tracking not limited to desktop PCs
21
Online Tracking Ecosystem
Source: Wall Street Journal, http://graphicsweb.wsj.com/documents/divSlider/ecosystems100730.html
22
The WSJ conducted a major study and published a series
of articles in 2010 on online tracking. Findings included:
the nation's 50 top websites on average installed 64 pieces of
tracking technology onto the computers of visitors, usually
with no warning.
the Journal identified more than 100 middlemen: tracking
companies, data brokers and advertising networks
the top 50 sites placed 3,180 tracking files in total on the
Journal's test computer.
Nearly a third of these were innocuous
Over two-thirds (2,224) were installed by 131 companies, many of
which are in the business of tracking Web users to create rich
databases of consumer profiles that can be sold
How Pervasive is Online Tracking?
Source: http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html#articleTabs%3Darticle

23
1. Joel Stein, Time's columnist:
http://www.time.com/time/printout/0,8816,2058205,00.html
What were the economics?
What are the threats?
2. One example of massive consumer profiles assembled
per individual:

What do the trackers know about you?
24

Online Anonymity? Don't Bet On It: (6:44)
http://online.wsj.com/article/SB10001424127887324784404578143144132736214.html
Note comments on: (a) online forms, (b) "Like" and similar
buttons for major social networking sites


But PII is not collected during normal web surfing ...
25
Massive consumer profiles assembled per individual
Name not included in profile
Profiles sold for 1/10 to 2/3 of a cent
Targeted ads and pricing, based on income-level & interests
E.g., shopping bots
One example of behavioral target advertising:

Some Effects of Online Tracking... Innocuous or Not?
26
Another example of online behavioral advertising:

Is anything off limits? Who decides?
27
A Big Interview with Sir Martin Sorrell, CEO of WPP
Group, Wall Street Journal's "What They Know" Series:
Video: (23:50)
http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html#articleTabs%3Dvideo
This video gives an advertising executive's perspective of
online behavioral advertising
The WPP Group is the world's largest advertising company,
according to Wikipedia.



An interview from an advertising exec... this one is for at home
28
The perspective of online behavioral advertising exec:

Are direct-marketing campaigns by postal mail comparable to online behavioral adverts?
29
It matters little if your name is John Smith, Yesh Mispar,
or 3211466. The persistence of information about you will
lead firms to act based on what they know *+. (bold added, p. 7)


from Joseph Turow's book, The Daily You: How the New Advertising Industry is
Defining Your Identity and Your Worth (2011)
(Turow is a Chaired Communications Professor at Univ of Penn with extensive
knowledge of the media industry.)



What if a person's name is not collected?
30
Customize browser settings
Do Not Track (voluntary compliance)
InPrivate browsing (MS Internet Explorer)
Cookie deletion
Flash cookies require use of another tool to delete them
Clear browser history and cache:
http://www.piriform.com/ccleaner
Opt out:
http://www.networkadvertising.org/choices/
http://www.lotame.com/privacy/



Examples of Safeguards to Reduce Online Tracking
31
Browse anonymously
VPN, Tor browsers, use of proxies not providing your IP address
Browser add-ons:
NoScript
Prohibits JavaScript execution unless user permission given
Ghostery
Alerts users about the web bugs, ad networks and widgets on
visited web pages
BetterPrivacy
Alerts users of hidden, never expiring Local Shared Objects (Flash
cookies) and provides a means to view and manage them since
browsers are unable to do that for you.



Examples of Safeguards to Reduce Online Tracking
32
Lightbeam for Mozilla Firefox
An add-on that allows you to see the trackers that are tracking
you as you move from site to site.
Formerly called Collusion
Video: http://www.youtube.com/watch?v=PvqGy9wz_wA
About: http://www.mozilla.org/en-US/lightbeam/about/
Download: http://www.mozilla.org/en-US/lightbeam/


Examples of Safeguards to Reduce Online Tracking
33
The problem with the nothing to hide view is that it
myopically views privacy as a form of secrecy, not
taking into account other threats beyond the potential
disclosure of bad things. (Daniel Solove 2011)
What are some other threats that Solove describes?
A key point Solove makes is that we (e.g., public policy
debaters, and I would add, researchers) need to move
beyond discussions on data collection and explore
further information processing and use



Case: Nothing to Hide
