Jonathan Mayer's blog

Spy on Your Metadata

Co-authored with Patrick Mutchler. This is a project of the Stanford Security Lab.

Just over a month ago we launched MetaPhone, an Android app for crowdsourcing phone metadata. Our results have already confirmed that phone activity easily reveals private relationships, is deeply interconnected, and can trivially be identified.

We’ve received lots of great feedback on the study from researchers and participants. One request has been especially consistent: show me my metadata!

Starting today, the MetaPhone app will provide personalized results about your phone metadata privacy. Read more about Spy on Your Metadata

Setting the Record Straight on Google’s Safari Tracking

Our recent research on Google’s circumvention of the Safari cookie blocking feature has led to some confusion, in part owing to the company’s statement in response (reproduced in its entiretybelow). This post is an attempt to elucidate the central issues. As with the original writeup, I aim for a neutral viewpoint in the interest of establishing a common factual understanding. Read more about Setting the Record Straight on Google’s Safari Tracking

Safari Trackers

Apple’s Safari web browser is configured to block third-party cookies by default. We identified four advertising companies that unexpectedly place trackable cookies in Safari. Google and Vibrant Media intentionally circumvent Safari’s privacy feature. Media Innovation Group and PointRoll serve scripts that appear to be derived from circumvention example code. Read more about Safari Trackers

Tracking the Trackers: Where Everybody Knows Your Username

Click the local Home Depot ad and your email address gets handed to a dozen companies monitoring you. Your web browsing, past, present, and future, is now associated with your identity. Swap photos with friends on Photobucket and clue a couple dozen more into your username. Keep tabs on your favorite teams with Bleacher Report and you pass your full name to a dozen again. This isn't a 1984-esque scaremongering hypothetical. This is what's happening today.

[Update 10/11: Since several readers have asked – this study was funded exclusively by Stanford University and research grants to the Stanford Security Lab. It was not supported by any advocacy organization.] Read more about Tracking the Trackers: Where Everybody Knows Your Username

Tracking the Trackers: Self-Help Tools

A number of technologies have been touted to offer consumers control over third-party web tracking. This post reviews the tools that are available and presents empirical evidence on their effectiveness. Here are the key takeaways:

  1. Most desktop browsers currently do not support effective self-help tools. Mobile users are almost completely out of luck.
  2. Self-help tools vary substantially in performance.
  3. The most effective self-help tools block third-party advertising.

Following the usage model in the FTC staff's 2010 preliminary online privacy report, this post is oriented towards the user who wants a simple, persistent, comprehensive solution such that with high confidence no third party collects her browsing history. We assume that some third-party trackers will use non-cookie tracking methods including supercookies and fingerprinting (e.g. Microsoft, KISSmetrics, Epic Marketplace, BlueCava, Interclick, Quantcast).

Thanks to Jovanni Hernandez and Akshay Jagadeesh for assisting with data collection, and to Arvind Narayanan and Peter Eckersley for input on drafts.
{C} Read more about Tracking the Trackers: Self-Help Tools

Tracking the Trackers: Microsoft Advertising

Despite all the attention they've received in the debates around online privacy, cookies are far from the only way to track a user. Broadly speaking, a website can either stash a unique identifier anyplace in the browser ("tagging")1 or explore features of the browser until it becomes unique ("fingerprinting").2 Tracking technologies that do not rely on cookies are often referred to as "supercookies," and they are widely viewed as unsavory in the computer security community because they continue tracking even when a user clears her cookies to preserve privacy. Sometimes a site will use a supercookie to "respawn" its original identifier cookie, creating a "zombie cookie" — the basis of several lawsuits.

In one of our recent FourthParty web measurement crawls we included a cookie clearing step to emulate a user's privacy choice. We observed that after clearing the browser's cookies an identifier cookie (named "MUID" for "machine unique identifier") respawned on, a Microsoft domain. We dug into Microsoft's cross-domain cookie syncing code and discovered two independent supercookie mechanisms, one of which was respawning cookies. We contacted Microsoft with our observations, and we have collaborated to assist in rectifying the issues we uncovered. Here is what we know.

Thanks, once again, to Jovanni Hernandez and Akshay Jagadeesh for their indispensable research assistance. Read more about Tracking the Trackers: Microsoft Advertising

FourthParty: A New Approach to Web Measurement

Last week marked the twentieth anniversary of the public World Wide Web, and there is much to celebrate. The early web consisted of a few text pages linked together; the modern web supports audio, video, interactivity, complex storage, and even native applications. Both Microsoft and Google are now developing entire operating systems around web technologies.

Tools for measuring the web have not kept pace. Many studies still rely on HTTP header logging and static analysis of HTML, CSS, and JavaScript. Researchers who want to go beyond these simple tools are often forced to develop purpose-built software from scratch.

Today we're releasing FourthParty, an open-source platform for web measurement. FourthParty is built on Mozilla Firefox and the Add-on SDK, making it fast, modular, easy to use, multi-platform, and up-to-date with the latest web technologies. And FourthParty is already generating research results: it's the tool we've been using in our Tracking the Trackers studies (1, 2). To learn more and get started, visit Read more about FourthParty: A New Approach to Web Measurement

Tracking the Trackers: To Catch a History Thief

Last week we reported some early results from the Stanford Security Lab's new web measurement platform on how advertising networks respond to opt outs and Do Not Track. This week we're back with a new discovery in the online advertising ecosystem: Epic Marketplace,1 a member of the self-regulatory Network Advertising Initiative (NAI), is history stealing.

Many thanks once again to research assistants Akshay Jagadeesh and Jovanni Hernandez. Read more about Tracking the Trackers: To Catch a History Thief

Tracking the Trackers: Early Results

Over the past several months researchers at the Stanford Security Lab have been developing a platform for measuring dynamic web content. One of our chief applications is a system for automated enforcement of Do Not Track by detecting the myriad forms of third-party tracking, including cookies, HTML5 storage, fingerprinting, and much more. While the software isn't quite polished enough for public release, we're eager to share some unexpected early results on the advertising ecosystem. Please bear in mind that these are preliminary findings from experimental software; our primary aims at this stage are developing the platform and validating the approach to third-party tracking detection. Many thanks to Jovanni Hernandez and Akshay Jagadeesh for their invaluable research assistance. Read more about Tracking the Trackers: Early Results

Do Not Track, Meet IETF

Do Not Track is on its way to becoming an Internet standard. In collaboration with Sid Stamm at Mozilla we've submitted an Internet-Draft to the IETF, specifying both the HTTP header syntax and the requirements for compliance.

This is just the beginning of the IETF's process and the evolution of the draft. But it's a transformative moment for web privacy: Do Not Track is now a formal standards proposal. Every browser, advertising network, analytics service, and social plug-in provider has a clear instruction manual on how to implement Do Not Track.

We owe a tremendous debt of gratitude to the colleagues and friends whose efforts have made Do Not Track a reality: Alissa Cooper, Peter Eckersley, Alex Fowler, John Mitchell, Ashkan Soltani, Lee Tien, and Harlan Yu. And we particularly thank Chris Soghoian, Do Not Track's unflagging champion for nearly two years. Read more about Do Not Track, Meet IETF

Do Not Track FTC Comment: What It Means, How to Enforce It, and More

Last Friday we submitted a comment to the FTC articulating our vision for Do Not Track. We expanded on a number of views already expressed on this blog: Do Not Track is about much more than behavioral advertising, an HTTP header is the right implementation, and Do Not Track is no threat to ad-supported businesses. Here are the new highlights. (For a fuller exposition of each, please see our comment.) Read more about Do Not Track FTC Comment: What It Means, How to Enforce It, and More


Subscribe to RSS - Jonathan Mayer's blog