Jonathan Mayer is a Ph.D. student in computer science at Stanford University, where he received his J.D. in 2013. Jonathan is a Cybersecurity Fellow at the Center for International Security and Cooperation, a Junior Affiliate Scholar at the Center for Internet and Society, and a Stanford Interdisciplinary Graduate Fellow. He earned his A.B. at Princeton University in 2009, concentrating in the Woodrow Wilson School of Public and International Affairs. Jonathan has consulted for both federal and state law enforcement agencies, and his research on consumer privacy has contributed to multiple regulatory interventions. A proud Chicago native, Jonathan is undaunted by freezing weather and enjoys celery salt on a hot dog.
We're pleased to announce we're beginning work on an IETF Internet-Draft for the Do Not Track header. We look forward to incorporating broad feedback.
In anticipation of the first version of the Internet-Draft, we're making a few minor updates to the header. The reference implementations at DoNotTrack.Us will be revised shortly. Read more » about Minor Updates to the Do Not Track Header
"If you remove tracking, you remove advertisers." "Stop [data] sharing and you put a stop to the Internet as we know it." "Thousands of small websites may disappear." "Would you like to pay $20 a month for Facebook?" A spate of such recent commentaries have speculated that Do Not Track could hobble advertising-supported businesses. Here's why it won't. Read more » about Do Not Track Is No Threat to Ad-Supported Businesses
Since our introduction of DoNotTrack.Us last week we've received a deluge of questions. This post answers some of the most common inquiries. If we haven't covered an issue you'd like a response on, shoot us an email and stay tuned - more Q & A posts are in the pipeline.
Q: Do Not Track does not block third-party tracking. Wouldn't that be a better solution?
Some privacy-conscious users block third-party tracking, most commonly through browser add-ons. This type of self-help is completely compatible with and complementary to Do Not Track; many Do Not Track users may elect to use blocking software. But blocking alone is not a complete solution to web tracking. Here are our chief concerns:
- Universal blocking is infeasible. Web security research (1, 2, 3) has uncovered dozens of means of tracking users; technical barriers to all these approaches are not practical. And a recent informal study of popular Firefox blocking add-ons suggests that blocking is, in practice, far from a universal opt out. Users should not be left guessing as to whether they've actually opted out of tracking.
- Blocking software requires perpetual development and user vigilance. There is frequent turnover of tracking services and tracking technologies. If a developer takes a break, its blocking tool will diminish in effectiveness. Users must, consequently, periodically ensure their blocking software is still maintained and up-to-date.
- Blocking inhibits third-party tools. A number of popular website tools and plug-ins are hosted by a third party that also tracks users. Blocking would disable these tools, while Do Not Track accommodates them.
The web privacy debate is stuck. Privacy proponents decry the diffusion of behavioral advertising and tracking services (1, 2, 3); industry coalitions respond by expounding the merits of personalized content and advertising revenue (1, 2). But for the average user, the arguments are academic: there is no viable technology for opting out of web tracking. A registry of tracking services, like privacy advocates proposed years ago, is cumbersome and unmanageable. Fiddling with cookies, as many advertising networks and anti-regulation advocates recommend, is an incomplete and temporary fix; both Google and NAI (an advertising industry association) have already moved away from opt-out cookies.
Do Not Track ends this standoff. It provides a web tracking opt-out that is user-friendly, effective, and completely interoperable with the existing web. The technology is simple: whenever your web browser makes a request, it includes an opt-out preference. It's then up to advertisers and tracking services to honor that preference – voluntarily, by industry self-regulation, or by law.
Arvind Narayanan and I have been researching Do Not Track for several months, and are pleased to now introduce DoNotTrack.Us, a compilation of what we've learned. The resource explains Do Not Track, provides prototype implementations, and answers some common questions. We'll be updating it in the coming months with new findings and responses to feedback.
Excited as we are about the Do Not Track technology, it is but a first step. Important substantive policy questions remain open: What tracking should be impermissible? When a user visits a site, what constitutes a third party? We look forward to collaborating with advertising networks, NGO's, regulators, lawmakers, and other stakeholders in answering these crucial questions. Read more » about Ending the Web Privacy Stalemate - DoNotTrack.Us
Late last year the Obama administration reopened talks with Russia over the militarization of cyberspace and assented to cybersecurity discussion in the United Nations First Committee (Disarmament and National Security). My intention in this three-part series is to probe Russian and American foreign policy on cyberwarfare and advance the thesis that the Russians are negotiating for specific strategic or diplomatic gains, while the Americans are primarily procedurally invested owing to the “reset” in Russian relations and changing perceptions of cyberwarfare.
By Edward Felten and Jonathan Mayer
Snooping on the Internet is tricky. The network is diffuse, global, and packed with potential targets. There’s no central system for identifying or locating individuals, so it’s hard to keep track of who is online and what they’re up to. What’s a spy agency to do? Read more » about How the NSA Piggy-Backs on Third-Party Trackers
John Mitchell and I have written a new paper that synthesizes research on policy and technology issues surrounding third-party web tracking. It will appear at the IEEE Symposium on Security and Privacy in May. Read more » about Third-Party Web Tracking: Policy and Technology
"From serving as a consultant to law enforcement to collaborating with Firefox on a cookie-blocking feature, Jonathan Mayer J.D. ’12 Ph.D. ’16 has made a name for himself in recent years with regards to technology policy and online privacy issues." Read more » about Graduate student soars to tech policy stardom
""We are no longer seen as a safe business climate," said Aleecia M. McDonald, director of privacy at Stanford's Center for Internet and Society."
"Jonathan Mayer, a doctoral student in computer science and Cybersecurity Fellow at the Center for International Security and Cooperation, said that the law is still evolving in our highly digital world – and right now, it does not go far enough in safeguarding privacy." Read more » about Surveillance threatens U.S. business climate, democracy, say Stanford researchers
"Rejecting Google’s reasoning, Koh effectively reinterpreted old U.S. privacy laws for the Internet age, said Jonathan Mayer, a Stanford University doctoral student with a law degree who tracks online privacy issues.
“Federal privacy law mostly makes sense for phone calls and messages, but it’s deeply ambiguous on newer technology,” said Mayer, whose February 2012 blog post drew early attention to Google’s attempt to bypass privacy settings on Apple browsers, which ended with the search giant’s $17 million payment to 37 states in November." Read more » about Clickable Consent at Risk in Internet Privacy Lawsuits
"The National Security Agency likes to claim that intelligence officers are only collecting the phone records of millions of Americans, safely omitting their actual names from analysis. But a Stanford researcher, Jonathan Mayer, found that he and his co-author could easily match so-called “meta-data” to individual names with little more than a Google search." Read more » about Stanford Researcher Proves NSA Can Probably Identify Individuals From Phone Records
"“If the NSA were to mistakenly classify domestic servers as outside the United States, even at low rates, it would acquire a substantial amount of purely domestic internet traffic,” wrote Jonathan Mayer of Stanford University’s department of computer science. " Read more » about NSA review to leave spying programs largely unchanged, reports say
This talk presents an empirical assessment of the NSA’s legal restrictions, including research cited by President Obama’s intelligence review group. We find that present limits on bulk surveillance programs come up far short; authorities to intercept international Internet traffic and domestic telephone metadata place ordinary Americans at risk. Read more » about The Science of Surveillance
Solutions to many pressing economic and societal challenges lie in better understanding data. New tools for analyzing disparate information sets, called Big Data, have revolutionized our ability to find signals amongst the noise. Big Data techniques hold promise for breakthroughs ranging from better health care, a cleaner environment, safer cities, and more effective marketing. Yet, privacy advocates are concerned that the same advances will upend the power relationships between government, business and individuals, and lead to prosecutorial abuse, racial or other profiling, discrimination, redlining, overcriminalization, and other restricted freedoms. Read more » about Big Data and Privacy: Making Ends Meet
Have you ever borrowed a smartphone without asking? Modified a URL? Scraped a website? Called an undocumented API? Congratulations: you might have violated federal law! A 1986 statute, the Computer Fraud and Abuse Act (CFAA), provides both civil and criminal remedies for mere "unauthorized" access to a computer. Read more » about Innovation or Exploitation?
Hosted by the Stanford Center for E-Commerce.
5:30 pm - 6:30 pm: Registration/Reception (Manning Faculty Lounge, second floor breezeway fo Stanford Law School) Read more » about Behavioral Advertising and Privacy Law Reboot - US and International Legal Trends and Best Practices for Internet, Cloud and E-Commerce Companies
The third edition of the Privacy Identity Innovation conference will be held in downtown Seattle this Spring. Taking place May 15-16 at the Bell Harbor International Conference Center, pii2012 Seattle will explore how to protect sensitive information while enabling new technologies and business models. Read more » about Privacy Identity Innovation - pii2012
Have you ever borrowed a smartphone without asking? Modified a URL? Scraped a website? Called an undocumented API? Congratulations: you might have violated federal law! A 1986 statute, the Computer Fraud and Abuse Act (CFAA), provides both civil and criminal remedies for mere "unauthorized" access to a computer. Read more » about Innovation or Exploitation (Video)
Have you ever borrowed a smartphone without asking? Modified a URL? Scraped a website? Called an undocumented API? Congratulations: you might have violated federal law! A 1986 statute, the Computer Fraud and Abuse Act (CFAA), provides both civil and criminal remedies for mere "unauthorized" access to a computer. Read more » about Innovation or Exploitation? (Audio)