Tracking the trackers: Investigators reveal pervasive profiling of Web users
Revealing and measuring the many commercial tools that invisibly track Web users is a key step toward improving transparency and privacy on the Internet, according to a set of privacy and technology experts who convened at Princeton University on Oct. 24.
"What's unfortunate is the huge gap of information — understanding what's happening on the Web and what users know about tracking," said conference organizer and Assistant Professor of Computer Science Arvind Narayanan. "We're interested in building tools by the public and for the public. We want to make transparency mutually beneficial between businesses and Web users."
The day-long conference, titled "Web Privacy and Transparency," featured academics and other experts who gave a tutorial on Web privacy, described new methods for measuring data use and discussed potential public policy responses. The University's Center for Information Technology Policy (CITP) organized the conference.
Julia Angwin, an investigative journalist and author of "Dragnet Nation," delivered the event's keynote talk describing a three-year privacy investigation she began at The Wall Street Journal in 2010. The project, published as a series of articles called "What They Know," led her to question the impact of having someone else in control of her data.
When online activities could reveal personal information or government surveillance could capture private moments without its citizens realizing, there's a "human toll," she said.
As part of the investigation, Angwin went to great lengths to shield her identity from data collection. She detailed her experience changing Internet search engines, switching email systems and using software to block advertisements.
After spending $2,500 for various security measures, Angwin said she was only 50 percent successful in protecting her privacy.
"I have no assurances my efforts worked and I can't convince my friends to do the same," she said.
There are some less effective but simpler ways Web users can protect themselves, she said, such as having strong passwords and avoiding popular search engines.
Narayanan described one of the newest and more persistent online tracking techniques, called "canvas fingerprinting," which he and colleagues first identified being used in May. It works by instructing the user's Web browser to load an image that is hidden from the user.
Because of differences between individual computers, the way that the browser renders the image creates a "fingerprint" that can be unique and individually identifiable. Narayanan noted that the invisibility and accuracy of the technique can be "creepy."
"Consumers might see this and think things might not be as bad and still feel comfortable with Web browsing," said Narayanan. "But essentially third-party online tracking [is] compiling a profile of you, and this happens almost every time you visit a site."
The profiles will eventually shape which advertisements, news stories or other types of content are displayed, he said.
"What are these companies using these data for? They're learning what you're interested in and feeding you more information that you're interested in," said Narayanan. "The consequence is you're looking at the same things and will become increasingly isolated in a 'filter bubble'."
As the lead researcher of Princeton's Web Transparency and Accountability Project, or WebTAP, Narayanan and his team found more than 5,500 of the top 100,000 websites include canvas fingerprinting scripts. A majority of the scripts belonged to a single provider, AddThis, but the researchers discovered a total of 20 providers using canvas fingerprinting.
Nick Nikiforakis, a conference panelist and assistant professor of computer science at Stony Brook University, added that it is important to understand that canvas fingerprinting is only one of countless tools to track user activities without using cookies, the more commonly known technique that stores a snippet of information on a Web user's computer.
Unlike cookies, fingerprinting and these other tools do not require a website to place anything on the user's computer, yet still can recognize the user again and again. "There's nothing to find, nothing to delete to give you a clean slate as you go on to new websites," Nikiforakis said.
The panel on measuring online tracking and data collection also included Jonathan Mayer, a computer scientist and lawyer at Stanford University, and Peter Eckersley, technology projects director for the Electronic Frontier Foundation, who believes the solution is to make privacy less burdensome for users.
"The strategy here is to build privacy and measurement tools people can use 24/7 on their browsers," Eckersley said, "reintroduce the concept of consent-to-track, encourage industry best practices, and create incentives for technological innovation that allows advertisers to show high quality and relevant ads to people without being invasive."
As people become more aware of tracking, it will become a priority in policymaking, though limited government resources mean that it will take time for new policies to gain significant ground, said Ed Felten, the Robert E. Kahn Professor of Computer Science and Public Affairs and director of CITP.
"There are very few people who understand enough about the technology and policies to do the work in this area," said Felten. "We're trying to increase that population through education."