web privacy topics
Web Privacy Topics
Andy Zeigler
Senior Program Manager, Internet Explorer
Microsoft

Overview
• Web Standards and Privacy
  – CSS 2.1
  – Geolocation
• User Tracking
  – Previous Approaches
    • P3P
  – Tracking Protection, “Do Not Track”

WEB STANDARDS AND PRIVACY

CSS
• CSS (Cascading Style Sheets)
  – Core Web technology used for visually styling HTML markup
  – Developers use CSS to select HTML elements and apply a variety of styles (fonts, colors, sizes, etc.)
  – 1998: CSS 2.0 (W3C Recommendation)
    • Defines :visited selector

:visited
• Selects links in a page that the user has previously visited:
  – :visited { color: red }
    • Changes all visited links to red
  – :visited { font-size: 200% }
    • Changes the font size of visited links to be 200% of what they normally would be
    • Causes changes in layout of the page
  – getComputedStyle()
    • Returns the actual style of any element in a page

:visited -- Attack
1) Create a bunch of links in a page (like 10000)
2) Style them with :visited
3) Detect that they have been visited either by detecting changes in layout, or by calling getComputedStyle()
4) Combine with XHR to send back to server

CSS 2.0
If the following link:
<A class="external" href="http://out.side/">external link</A>
has been visited, this rule:
A.external:visited { color: blue }
will cause it to be blue.

CSS 2.1
If the following link:
<A class="external" href="http://out.side/">external link</A>
has been visited, this rule:
A.external:visited { color: blue }
will cause it to be blue.
• Note. It is possible for style sheet authors to abuse the :link and :visited pseudo-classes to determine which sites a user has visited without the user's consent.
• UAs may therefore treat all links as unvisited links, or implement other measures to preserve the user's privacy while rendering visited and unvisited links differently. See [P3P] for more information about handling privacy.
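Added example (not from the original slides): a sketch of one of the "other measures" the CSS 2.1 note allows, modelled on the restriction browsers later adopted, in which :visited rules may change only colour properties and every layout-affecting declaration is dropped. The small rule parser, the function names and the sample stylesheet are assumptions made for illustration.

```javascript
// Added example, not from the slides. Models a user-agent-side filter that
// keeps only colour declarations in :visited rules, so a visited link can
// never differ in layout from an unvisited one.
const VISITED_SAFE = new Set([
  'color', 'background-color', 'border-top-color', 'border-right-color',
  'border-bottom-color', 'border-left-color', 'outline-color',
  'column-rule-color', 'fill', 'stroke',
]);

// Minimal parser for flat "selector { prop: value; ... }" rules
// (assumption: no at-rules, comments or nested blocks).
function parseRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^}]*)\}/g;
  let m;
  while ((m = re.exec(css)) !== null) {
    const declarations = m[2].split(';')
      .map((d) => d.trim())
      .filter((d) => d.includes(':'))
      .map((d) => {
        const i = d.indexOf(':');
        return { prop: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
      });
    rules.push({ selector: m[1].trim(), declarations });
  }
  return rules;
}

// Returns the rules the UA would apply, plus the declarations it dropped.
function filterVisited(css) {
  const dropped = [];
  const applied = parseRules(css).map((rule) => {
    if (!/:visited\b/i.test(rule.selector)) return rule;
    const kept = rule.declarations.filter((d) => {
      const ok = VISITED_SAFE.has(d.prop);
      if (!ok) dropped.push(`${rule.selector} { ${d.prop}: ${d.value} }`);
      return ok;
    });
    return { selector: rule.selector, declarations: kept };
  });
  return { applied, dropped };
}

// Constructed sample built from the rules shown on the slides.
const SAMPLE = `
A.external:visited { color: blue }
:visited { font-size: 200% }
A:link { font-size: 120% }
`;
```

Browsers that adopted this restriction also make getComputedStyle() report the unvisited style for links, which closes the second detection channel named on the attack slide.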

Geolocation
• Allows a website to obtain the physical location of the user
• JavaScript API, supports
  – Latitude
  – Longitude
  – Accuracy
  – Elevation
  – …

Geolocation Privacy Considerations
• Considerations for browser vendors
  – “User agents must not send location information to Web sites without the express permission of the user. User agents must acquire permission through a user interface, unless they have prearranged trust relationships with users…”
• Considerations for Websites
  – “Recipients must only request location information when necessary. Recipients must only use the location information for the task for which it was provided to them. Recipients must dispose of location information once that task is completed…”
• Many other great examples in the spec

Takeaways
• Take privacy into consideration when authoring specifications
• Privacy risks exist in most technologies – even ones that might appear to have little risk
• Privacy issues can be very difficult to fix after a spec is implemented – privacy risk, compatibility, interoperability, etc. all must be balanced

USER TRACKING

User Tracking
• Today, users are surreptitiously tracked as they browse the web for a variety of purposes:
  – Behavioral Profiling
  – Conversion Tracking
  – Site metrics
  – …

Further Reading
• http://www.wsj.com/wtk

Previous Approaches
• P3P – “Platform for Privacy Preferences”
  – Websites express their privacy policies in a computer-readable format (XML)
  – Web Browsers download these preferences and compare them with the user’s preferences
  – Action is taken if the preferences are not compatible (cookies can be blocked, etc.)

P3P Challenges
• Too complex for users
• Too simple for nuanced business relationships
• Not a lot of incentive for websites to implement

Tracking Protection
• Tracking Protection Lists (TPLs) block tracking content
• Users can add TPLs to protect their privacy
• As the user browses the web, TPLs filter out tracking content
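Added example (not from the original slides or from Internet Explorer's code): a simplified model of how a Tracking Protection List filters requests as the user browses. It assumes the rule syntax of the W3C Member Submission listed in the appendix (`msFilterList` header, `-d`/`+d` domain rules, `-`/`+` substring rules), that allow rules override block rules, and that only third-party requests are filtered; the list contents, domains and function names are constructed.

```javascript
// Added example, not from the slides. Simplified model of TPL filtering.
// Constructed sample list; the domains are placeholders.
const SAMPLE_TPL = `msFilterList
# constructed sample, not a real list
: Expires=3
-d tracker.example
- /pixel.gif
+d cdn.tracker.example
`;

function parseTpl(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  if (lines[0] !== 'msFilterList') throw new Error('missing msFilterList header');
  const list = { expiresDays: null, rules: [] };
  for (const line of lines.slice(1)) {
    if (!line || line.startsWith('#')) continue; // blank line or comment
    const exp = /^:\s*Expires\s*=\s*(\d+)$/i.exec(line);
    if (exp) { list.expiresDays = Number(exp[1]); continue; }
    const m = /^([+-])(d?)\s+(\S+)(?:\s+(\S+))?$/.exec(line);
    if (!m) continue; // unrecognised line: ignored in this sketch
    list.rules.push({
      allow: m[1] === '+',
      domain: m[2] ? m[3].toLowerCase() : null,
      substring: m[2] ? (m[4] || '') : m[3],
    });
  }
  return list;
}

// Assumption: "same site" is approximated by host equality or subdomain.
const sameOrSub = (host, domain) => host === domain || host.endsWith('.' + domain);

function ruleMatches(rule, url) {
  if (rule.domain && !sameOrSub(url.hostname, rule.domain)) return false;
  return url.href.includes(rule.substring);
}

// Decide whether a sub-resource request made by a page should be blocked.
function shouldBlock(list, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  if (sameOrSub(req.hostname, page.hostname)) return false; // first-party: not filtered
  const hits = list.rules.filter((r) => ruleMatches(r, req));
  if (hits.some((r) => r.allow)) return false; // allow rules win over block rules
  return hits.some((r) => !r.allow);
}
```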

“Do Not Track” Header
• HTTP header (“DNT: 1”)
  – Signals to Websites that the user prefers not to be tracked (exact definition TBD)
• Requires that Websites “respect” the header by modifying their tracking behavior

Takeaways
• Lots of activity in W3C and IETF in Web Privacy
• New W3C Working Group being formed
• IE9 supports Tracking Protection and Do Not Track

Thank you!
Appendix: Tracking Protection Resources
– Get a Tracking Protection List: http://www.iegallery.com/us/trackingprotectionlists/default.aspx
– Documentation: http://msdn.microsoft.com/en-us/library/hh273399(v=VS.85).aspx
– W3C Member Submission: http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/
Example List