Preserving Privacy in an Economy that Needs Your Information

Monday, July 7, 2014

In late May, web analytics company comScore agreed to pay $14 million to settle what is described as the largest Internet privacy lawsuit ever granted class-action certification. Mike Harris and Jeff Dunstan, the two plaintiffs, said that comScore’s analytics software was covertly bundled with other installations such as free screen savers, and that comScore tracked everything they did online, storing information such as web searches, credit card numbers, and even the contents of PDFs, and selling it to the company’s clients.

This is an extreme example of a problem at the heart of the Internet economy: companies rely both on their customers’ trust and on the collection and analysis of information their customers may not necessarily want them to have – including the kind of information that Harris and Dunstan sued over.

Istemi Ekin Akkus, a fourth-year PhD student at the Max Planck Institute for Software Systems in Kaiserslautern, Germany, and a visitor to the Networking and Security Group since March, is interested in how to solve this problem.

Ekin received master’s degrees from Koç University in Istanbul, Turkey, and from the University of Toronto, Canada. His general area of research is designing and building distributed systems, specifically those that preserve user privacy. He studies the tracking of users for analytics purposes: how users browse the web and use mobile apps provides companies with important customer data and enables ads targeted at customer interests.

Ekin points out that the Internet economy is sustained by this kind of tracking: targeted ads are much more effective than traditional advertising, and their high revenue allows web sites that display them to provide content for free. The advertising industry has been wary about attempts to preserve privacy, including Do Not Track, a proposal that would allow Internet users to control what information about them is stored and by whom. One industry executive told Entrepreneur magazine that Do Not Track might “kill the Internet as we know it,” affecting 80 percent of online advertising and forcing web sites that are now free to charge for subscriptions. That number is disputed, but there is no doubt that such technology threatens the Internet’s current model. Ekin is interested in developing technologies that both prevent the tracking of users and sustain the online economy.

At ICSI, Ekin has been working on the Priv3 Firefox extension, which was initially released in 2011 (with news coverage on Lifehacker.com and Geek.com). Priv3 stops certain social media sites from knowing when you've visited a page.

You’ve probably noticed, while browsing the web, the social widgets that let you post an article to Facebook or Twitter – and perhaps failed to notice, since it’s done invisibly, that those sites are tracking your activity if you’re logged in. This is done through cookies, small text files that sites store on your web browser. Say you log into Twitter and then go to a news site that allows you to tweet the article directly from the page. Your browser downloads the social widget from Twitter’s web site. While doing so, it also sends the cookie Twitter has stored on your computer when you logged in to Twitter. Upon receiving this cookie, Twitter knows you’ve visited the page even if you choose not to tweet the article. Priv3 stops Twitter, along with Facebook, LinkedIn, and Google+, from receiving such cookies right away: it waits until you interact with the widget (by liking the article on Facebook, for example, or sharing it on your LinkedIn profile). This process happens transparently to the user: the user still gets to enjoy the benefits of social widgets as well as protection from third parties tracking her browsing activities without her knowing.

While useful, Priv3 depends on a blacklist of specific social media sites, which must be maintained as new social media sites gain popularity. Additionally, the use of cookies is not restricted to social media sites. In October 2012, the Berkeley Center for Law and Technology found that all of the 100 most popular web sites used cookies, more than two-thirds of which came from third parties. These cookies follow users from site to site, allowing companies to keep track of their interests (at least, as inferred from their web browsing history) and place ads that are most relevant to potential customers. This may end up revealing more than users want to share. Ekin, with other members of the group, is working to extend Priv3 to all third-party tracking without the need for a blacklist. With this generalization, tracking by these third parties using cookies will be mostly ineffective: although they will be able to set new cookie values, they will not be able to receive them unless the user wants them to.
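The cookie flow described above can be modeled in a few lines. The following is an added illustration, not code from Priv3 or its authors: a toy browser that lets any third party set cookies but sends them back on embedded requests only after the user has interacted with that party's widget on the page. The class and function names, the hostnames, the cookie value, and the choice to scope the permission per page site are all assumptions of the example.

```javascript
// Added illustration, not Priv3 source code. All hostnames and the cookie
// value are constructed.

// Naive "site" of a URL: last two hostname labels. Real browsers use the
// Public Suffix List; this shortcut is an assumption of the example.
function site(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

class Browser {
  constructor() {
    this.jar = new Map();     // site -> cookie string
    this.allowed = new Set(); // "pageSite|widgetSite" pairs the user clicked
  }

  // Third parties may still set cookies; only sending them back is gated.
  setCookie(url, cookie) { this.jar.set(site(url), cookie); }

  // The user interacted with a widget from widgetUrl embedded in pageUrl.
  interact(pageUrl, widgetUrl) {
    this.allowed.add(`${site(pageUrl)}|${site(widgetUrl)}`);
  }

  // The request the browser would issue for a resource embedded in pageUrl.
  request(pageUrl, resourceUrl) {
    const page = site(pageUrl), target = site(resourceUrl);
    const firstParty = page === target;
    const send = firstParty || this.allowed.has(`${page}|${target}`);
    const cookie = send ? (this.jar.get(target) ?? null) : null;
    return { thirdParty: !firstParty, cookie };
  }
}

function demo() {
  const b = new Browser();
  b.setCookie('https://social.example/login', 'session=constructed123');
  const news = 'https://news.example/article';
  const widget = 'https://widgets.social.example/share.js';
  const before = b.request(news, widget);   // page load: cookie withheld
  b.interact(news, widget);                 // user clicks the share button
  const after = b.request(news, widget);    // cookie now released
  const elsewhere = b.request('https://shop.example/item', widget);
  const direct = b.request('https://social.example/home', 'https://social.example/api');
  return { before, after, elsewhere, direct };
}

console.log(demo());
```

Because the gate keys on whether a request is third-party rather than on a list of known hostnames, the same model covers the blacklist-free generalization: the social site sees the login cookie on its own pages and after a click, but not on the mere page load of the news article or on any other site.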

Web analytics, or the analysis of what people do online, and the ever-growing area of app analytics are closely tied to behavioral advertising. Ekin is interested in how the two can be decoupled. Other researchers at MPI for Software Systems have focused on providing behavioral advertising in a privacy-preserving fashion by keeping behavior profiles (your browsing history, for example, plus personal information and everything that can be inferred from that) on users’ local machines. Ekin focuses on developing privacy-preserving protocols to obtain aggregate statistics from these distributed sources and providing useful information for advertisers, publishers, and aggregators to sustain the online economy, while keeping your personal identity and individual data hidden.