Jonathan Mayer is an Assistant Professor of Computer Science and Public Affairs at Princeton University. Before joining the Princeton faculty, Jonathan served as the technology law and policy advisor to United States Senator Kamala Harris and as the Chief Technologist of the Federal Communications Commission Enforcement Bureau. Jonathan's research centers on the intersection of technology and law, with emphasis on national security, criminal procedure, consumer privacy, network management, and online speech. Jonathan is both a computer scientist and a lawyer, and he holds a Ph.D. in computer science from Stanford University and a J.D. from Stanford Law School.
Tracking the Trackers: Where Everybody Knows Your Username
By Jonathan Mayer on October 11, 2011 at 8:06 am
Click the local Home Depot ad and your email address gets handed to a dozen companies monitoring you. Your web browsing, past, present, and future, is now associated with your identity. Swap photos with friends on Photobucket and clue a couple dozen more into your username. Keep tabs on your favorite teams with Bleacher Report and you pass your full name to a dozen again. This isn't a 1984-esque scaremongering hypothetical. This is what's happening today.
[Update 10/11: Since several readers have asked – this study was funded exclusively by Stanford University and research grants to the Stanford Security Lab. It was not supported by any advocacy organization.] Read more about Tracking the Trackers: Where Everybody Knows Your Username
Tracking the Trackers: Self-Help Tools
By Jonathan Mayer on September 13, 2011 at 4:35 am
A number of technologies have been touted to offer consumers control over third-party web tracking. This post reviews the tools that are available and presents empirical evidence on their effectiveness. Here are the key takeaways:
- Most desktop browsers currently do not support effective self-help tools. Mobile users are almost completely out of luck.
- Self-help tools vary substantially in performance.
- The most effective self-help tools block third-party advertising.
Following the usage model in the FTC staff's 2010 preliminary online privacy report, this post is oriented towards the user who wants a simple, persistent, comprehensive solution such that with high confidence no third party collects her browsing history. We assume that some third-party trackers will use non-cookie tracking methods including supercookies and fingerprinting (e.g. Microsoft, KISSmetrics, Epic Marketplace, BlueCava, Interclick, Quantcast).
Thanks to Jovanni Hernandez and Akshay Jagadeesh for assisting with data collection, and to Arvind Narayanan and Peter Eckersley for input on drafts.
{C} Read more about Tracking the Trackers: Self-Help Tools
Tracking the Trackers: Microsoft Advertising
By Jonathan Mayer on August 18, 2011 at 3:56 am
Despite all the attention they've received in the debates around online privacy, cookies are far from the only way to track a user. Broadly speaking, a website can either stash a unique identifier anyplace in the browser ("tagging")1 or explore features of the browser until it becomes unique ("fingerprinting").2 Tracking technologies that do not rely on cookies are often referred to as "supercookies," and they are widely viewed as unsavory in the computer security community because they continue tracking even when a user clears her cookies to preserve privacy. Sometimes a site will use a supercookie to "respawn" its original identifier cookie, creating a "zombie cookie" — the basis of several lawsuits.
In one of our recent FourthParty web measurement crawls we included a cookie clearing step to emulate a user's privacy choice. We observed that after clearing the browser's cookies an identifier cookie (named "MUID" for "machine unique identifier") respawned on live.com, a Microsoft domain. We dug into Microsoft's cross-domain cookie syncing code and discovered two independent supercookie mechanisms, one of which was respawning cookies. We contacted Microsoft with our observations, and we have collaborated to assist in rectifying the issues we uncovered. Here is what we know.
Thanks, once again, to Jovanni Hernandez and Akshay Jagadeesh for their indispensable research assistance. Read more about Tracking the Trackers: Microsoft Advertising
Tracking the Trackers: The AdChoices Icon
By Jonathan Mayer on August 18, 2011 at 12:57 am
(Jovanni Hernandez and Akshay Jagadeesh are the first authors of this study.) Read more about Tracking the Trackers: The AdChoices Icon
FourthParty: A New Approach to Web Measurement
By Jonathan Mayer on August 9, 2011 at 12:21 am
Last week marked the twentieth anniversary of the public World Wide Web, and there is much to celebrate. The early web consisted of a few text pages linked together; the modern web supports audio, video, interactivity, complex storage, and even native applications. Both Microsoft and Google are now developing entire operating systems around web technologies.
Tools for measuring the web have not kept pace. Many studies still rely on HTTP header logging and static analysis of HTML, CSS, and JavaScript. Researchers who want to go beyond these simple tools are often forced to develop purpose-built software from scratch.
Today we're releasing FourthParty, an open-source platform for web measurement. FourthParty is built on Mozilla Firefox and the Add-on SDK, making it fast, modular, easy to use, multi-platform, and up-to-date with the latest web technologies. And FourthParty is already generating research results: it's the tool we've been using in our Tracking the Trackers studies (1, 2). To learn more and get started, visit fourthparty.info. Read more about FourthParty: A New Approach to Web Measurement