1 of 24

SRCCON

Restoring our

Readers' Privacy

In a Time of None

Matt Dennewitz

Michael Donohoe

2 of 24

SRCCON

AI Blockchain for

Machine Learning

Matt Dennewitz

Michael Donohoe

3 of 24

HELLO

  • Michael
  • Matt

4 of 24

QUIZ TIME

Question: What information is your browser broadcasting about you?

Answer:

  • IP address, Referrer
  • Language, device, operating system, timezone
  • Country, State, City, Neighborhood, ZIP/Postal Code, Airport
  • Connection type (3G, Wifi, Cable), Mobile carrier
  • Browser plugins
  • Device and app installs

5 of 24

QUIZ TIME

Question: What are some of the ways in which all your browsing history is recorded?

Answer:

  • Social Buttons
  • Embedded content (videos, tweets, Instagram pics, …)
  • Commenting and embedded services
  • Intentionally added tracking scripts (ads, pixels)
  • Commonly used libraries on CDNs

6 of 24

CRACKS IN THE DAM

  • 1 Journalist
    • Creates and writes...
  • 1 article
    • Tagged: health, prozac, children, ADHD
  • 1 Embed
    • Which in turn loads 3 different trackers
  • 10,000 Unique PVs

= 30K leaks of Reader Information

  • 1 Developer
    • Writes code for...
  • 1 Template
    • Used globally, which includes...
  • 1 Embed
    • Which in turn loads 3 different trackers
  • 1,000,000 Unique PVs

= 30M leaks of Reader Information

7 of 24

AUDIT TIME

Well known and commonly used embeds:

  • Facebook
    • Link
  • NPR
    • Link
  • Tableau
    • Link

8 of 24

AUDIT TIME

Let's take some live examples...

What should we test?

What do we expect to find?

9 of 24

AUDIT TIME / DIY

Google Chrome

  1. Menu: View > Developer... > Developer Tools
  2. Choose tab: Network
  3. Open web page...
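
To go beyond eyeballing the Network tab, the loaded requests can be exported as a HAR file and summarised per third-party host. The script below is an added example, not part of the original slides; it assumes the standard HAR layout (log.entries[].request), and SAMPLE_HAR is constructed with placeholder hosts in place of a real export.

```javascript
// Added example. SAMPLE_HAR is constructed; every host in it is a placeholder.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://news.example/article/adhd-study", headers: [] } },
  { request: { url: "https://static.news.example/site.css", headers: [
    { name: "Referer", value: "https://news.example/article/adhd-study" }] } },
  { request: { url: "https://embed.video.example/player.js", headers: [
    { name: "Referer", value: "https://news.example/article/adhd-study" },
    { name: "Cookie", value: "uid=constructed" }] } },
  { request: { url: "https://pixel.tracker.example/p.gif?u=1", headers: [
    { name: "referer", value: "https://news.example/" }] } },
  { request: { url: "https://pixel.tracker.example/sync", headers: [] } },
  { request: { url: "data:text/plain,constructed", headers: [] } },
] } };

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

// First-party means the site host itself or one of its subdomains.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// Returns one row per third-party host, busiest first.
function auditHar(har, siteHost) {
  const rows = new Map();
  for (const { request } of har.log.entries) {
    const url = parseUrl(request.url);
    // Skip malformed URLs, host-less URLs such as data:, and first-party requests.
    if (!url || !url.hostname || isFirstParty(url.hostname, siteHost)) continue;
    const row = rows.get(url.hostname) ||
      { host: url.hostname, requests: 0, articleInReferer: 0, cookiesSent: 0 };
    row.requests += 1;
    for (const { name, value } of request.headers || []) {
      const header = name.toLowerCase();
      const referer = header === "referer" ? parseUrl(value) : null;
      // A Referer with a path tells the third party which article was read.
      if (referer && referer.pathname !== "/") row.articleInReferer += 1;
      if (header === "cookie") row.cookiesSent += 1;
    }
    rows.set(url.hostname, row);
  }
  return [...rows.values()].sort((a, b) => b.requests - a.requests);
}

console.table(auditHar(SAMPLE_HAR, "news.example"));
```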

10 of 24

AUDIT TIME / DIY

We surveyed some sites

It’s not great

Results: https://trackertracker.surge.sh

11 of 24

Pushing Back / Referrer Policy

HTTP Referrer Policy lets you control referrer-sending for links and subresources (images, scripts, stylesheets, etc.). Supported on all modern browsers except Opera Mini:

<meta name="referrer" content="no-referrer">

You can apply it to audio, img, link, script, and video tags referencing resources which require CORS so only the absolute minimum (the Origin header) will be shared:

<script src="https://example.com/hi.js" crossorigin="anonymous"></script>

(You can't get rid of the Origin header while using CORS, as the remote site needs to know what domain is making the request in order to allow or deny it.)

12 of 24

PUSHING BACK / YouTube

YouTube has a privacy-enhanced mode. Instead of this:

<iframe width="560" height="315" src="https://www.youtube.com/embed/79DijItQXMM" frameborder="0" allow="autoplay; encrypted-media"></iframe>

Do this:

<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/79DijItQXMM" frameborder="0" allow="autoplay; encrypted-media"></iframe>

YouTube won't store information about visitors on your website unless they play the video. (Source)

13 of 24

Pushing Back / Twitter

Twitter still honors DNT for personalization on suggestions and ads.

Easily applied on a site template level for global effect

<meta name="twitter:dnt" content="on">

Source

14 of 24

Pushing Back / Twitter

Twitter still honors DNT on an embedded tweet level:

<blockquote class="twitter-tweet" data-dnt="true">
  <p lang="und" dir="ltr">🎩💕🎩💕🎩💕</p>
  &mdash; BrooklynJS (@brooklyn_js)
  <a href="https://twitter.com/brooklyn_js/status/723318379805827072">April 22, 2016</a>
</blockquote>

<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
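
The YouTube and Twitter changes from the last three slides, applied to a whole template in one pass. This is an added example, not code from the original slides; hardenEmbeds and TEMPLATE are hypothetical names, and the template is constructed from the embeds shown above.

```javascript
// Added example. TEMPLATE is constructed from the embeds shown in the slides.
const TEMPLATE = `<html><head><title>Story</title></head><body>
<iframe width="560" height="315" src="https://www.youtube.com/embed/79DijItQXMM" frameborder="0"></iframe>
<blockquote class="twitter-tweet"><a href="https://twitter.com/brooklyn_js/status/723318379805827072">April 22, 2016</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</body></html>`;

// Regex rewriting keeps the demo short; a production build step should use an HTML parser.
function hardenEmbeds(html) {
  const changes = [];
  // 1. YouTube iframes: switch to the privacy-enhanced host.
  let out = html.replace(
    /(<iframe\b[^>]*\bsrc=["']https:\/\/)(?:www\.)?youtube\.com(\/embed\/)/gi,
    (match, prefix, path) => {
      changes.push("youtube-nocookie");
      return prefix + "www.youtube-nocookie.com" + path;
    });
  // 2. Embedded tweets: add data-dnt="true" unless it is already set.
  out = out.replace(/<blockquote\b[^>]*\bclass=["'][^"']*\btwitter-tweet\b[^>]*>/gi, (tag) => {
    if (/\bdata-dnt=/i.test(tag)) return tag;
    changes.push("tweet-dnt");
    return tag.slice(0, -1) + ' data-dnt="true">';
  });
  // 3. Site-wide: add the twitter:dnt meta tag to <head> once.
  if (!/<meta\b[^>]*name=["']twitter:dnt["']/i.test(out)) {
    const withMeta = out.replace(/<head\b[^>]*>/i,
      (head) => head + '\n<meta name="twitter:dnt" content="on">');
    if (withMeta !== out) changes.push("twitter-dnt-meta");
    out = withMeta;
  }
  return { html: out, changes };
}

const hardened = hardenEmbeds(TEMPLATE);
// Running the function again on its own output reports no further changes.
console.log(hardened.changes, hardenEmbeds(hardened.html).changes);
```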

15 of 24

Pushing Back / Facebook

Facebook calls out "Mixed Audience without Age Gate"

"Your site, app or service is directed to children but its primary target audience is people who are at least 13 years old. Your site, app or service does not include an age gate."

16 of 24

Pushing Back / Facebook

Using the kid_directed_site parameter to restrict what gets collected.

This applies to:

  • Plugins
  • JavaScript SDK
    • FB.init({ appId: '<APP_ID>', status: true, xfbml: true, kidDirectedSite: true });

Source: https://developers.facebook.com/docs/plugins/restrictions#kdsparam1

17 of 24

Adding Trackers

Questions you can ask...

  1. I'd love to, but we have a lot already, what should I swap it with?
  2. Awesome! Can you tell me about everything it will inject into the page?
  3. Can do ol’ pal, ol’ buddy, but when does the contract/relationship expire?
  4. Totally! Can you tell me what it collects and who it shares the data with so we can update the privacy policy and run it by legal?
  5. It’s already there :D

18 of 24

Pushing Back / Lockdown

Content Security Policies

You could also expressly forbid your site to load things you...

You can't do this if your site has advertising

CSPs are a powerful way to lock down your site for EU visitors

Think of it as your own Ad Blocker within your site

Two forms:

  1. Headers
  2. META tags

You're going to have issues with IE and Opera Mini though

But do you really care?

19 of 24

Pushing Back / Lockdown

Ex: allow images from any origin, but restrict audio or video media to trusted providers, and all scripts to a specific server that hosts trusted code.

Header

Content-Security-Policy: default-src 'self'; img-src *; media-src m1.com m2.com; script-src blah.example.com

META Tag

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src *; media-src m1.com m2.com; script-src blah.example.com" />
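
An added example (not from the original slides) that checks which resources the header policy above would let through, using a simplified matcher. The page URL and the tracker host are constructed; parsePolicy, sourceMatches and isAllowed are hypothetical helper names.

```javascript
// Added example: simplified CSP matching ('self', '*', plain hosts, *.host only;
// ports, paths, nonces and hashes are ignored). PAGE and tracker host are constructed.
const POLICY = "default-src 'self'; img-src *; media-src m1.com m2.com; script-src blah.example.com";
const PAGE = "https://news.example/story";

function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources; // first occurrence wins
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (!/^https?:$/.test(url.protocol)) return false; // '*' and hosts do not cover data:, blob:
  if (source === "*") return true;
  const host = source.replace(/^https?:\/\//, "").toLowerCase();
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// kind is the fetch directive for the resource, e.g. "script-src" or "img-src".
function isAllowed(directives, kind, resourceUrl, pageUrl) {
  const sources = directives[kind] || directives["default-src"];
  if (sources === undefined) return true; // no applicable directive: unrestricted
  const url = new URL(resourceUrl, pageUrl);
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((source) => sourceMatches(source, url, pageOrigin));
}

const CHECKS = [
  ["script-src", "https://blah.example.com/app.js"],
  ["script-src", "/js/site.js"], // the site's own script
  ["script-src", "https://platform.twitter.com/widgets.js"],
  ["img-src", "https://pixel.tracker.example/p.gif"],
  ["frame-src", "https://www.youtube-nocookie.com/embed/79DijItQXMM"],
];
function report() {
  const directives = parsePolicy(POLICY);
  return CHECKS.map(([kind, url]) => [kind, url, isAllowed(directives, kind, url, PAGE)]);
}
console.table(report());
```

Two rows are worth a second look: once script-src is present it replaces default-src for scripts, so the site's own /js/site.js is blocked unless 'self' is added to script-src, and img-src * still admits third-party tracking pixels.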

20 of 24

REMEMBER

Our readers cannot modify articles or templates (hopefully anyway)

We can - or we know those who can.

We need to understand our responsibility to protect our readers’ privacy

What’s stopping us from doing this right now?

21 of 24

QUESTIONS FOR YOU

What are you doing at your organization?

How can developers take measures now?

How can site directors and editorial team members lobby for user protection?

22 of 24

BONUS ROUND - GDPR

These are the world's strongest data protection rules, but what do they mean?

  1. Consent: must be explicit for data collected and the purposes data is used for.
  2. Pseudonymisation: the process that transforms personal data; an example of this is encryption.
  3. Right of Access: the right to access personal data, and about how this data is processed.
  4. Right to Erasure: the data subject can request erasure of personal data related to them on any number of grounds.
  5. Portability: a person can transfer their personal data from one electronic processing system to another, without being prevented from doing so.
  6. By Design and by Default: data protection must be designed into the development of business processes for products and services, and privacy settings must be set at a high level by default.

23 of 24

BONUS ROUND - CALIFORNIA PRIVACY LAW

New legislation, which goes into effect in January 2020:

  • Grants consumers the right to know
    • What information companies are collecting about them
    • Why they are collecting that data
    • With whom they are sharing it
  • Grants consumers the right to tell companies to
    • Delete their information
    • Not sell or share their data
  • Businesses must still give consumers who opt out the same quality of service
  • Makes it more difficult to share or sell data on children younger than 16.
  • Worth noting:
    • Google, Facebook, Verizon, Amazon, Comcast and AT&T opposed proposed ballot measure

24 of 24

BONUS ROUND - DELETE FACEBOOK

All together now

  • Turn to your neighbor and delete their Facebook profile*

* They will still track you