

Re: [projectvrm] [Privacy-list] Tracking the Trackers - Talks@TechSci 11/18 11AM - 12PM


  • From: Peter Cranstone < >
  • To:
  • Cc: Doc Searls < >, Adrian Gropper < >, ProjectVRM list < >
  • Subject: Re: [projectvrm] [Privacy-list] Tracking the Trackers - Talks@TechSci 11/18 11AM - 12PM
  • Date: Sat, 12 Nov 2016 20:28:51 -0500

Some comments. Just my opinion.

TLS 1.2 is for security of your data in transit - not the privacy of how your data is used when it arrives at the other end. That is governed by policies such as the TCS and/or GDPR.

I take my hat off to the folks who thought up HTTP2... Bravo - track using the protocol - very clever. It will be known as the HyperText Tracking Protocol before long. Again see my comment above - it's the policy that counts and the TCS is a moral obligation and NOT a legal requirement.

DNT will work just fine. But again HTTP2 is NOT designed for that. It's designed to re-use connections for different origins which allows tracking across those origins. Go look at Google's Mobile stats - they have to have a way to track you from the desktop to mobile or lose revenue.

>> Moreover, the DNT _javascript_ API would also work in HTTP/2.

Agreed. Too bad it's not fully implemented – https://www.w3.org/wiki/Privacy/TPWG/TPE_Implementation_Report just like DNT is missing from Google Chrome on mobile and still there's no support for setting DNT=0.


Peter Cranstone
Sent with ProtonMail Secure Email.

-------- Original Message --------
Subject: Re: [projectvrm] [Privacy-list] Tracking the Trackers - Talks@TechSci 11/18 11AM - 12PM
Local Time: November 12, 2016 3:16 PM
UTC Time: November 12, 2016 10:16 PM
From:
To: Doc Searls < >
Peter Cranstone < >, Adrian Gropper < >, ProjectVRM list < >


>> Why are those concerns not surfaced in the Wikipedia article, or
>> elsewhere? (That I can find, anyway?) I have no idea. But I would like
>> to have one, or a few.

Three thoughts I would like to add to the discussion:

HTTP/2 (SPDY4) is not enabled by default in browsers (yet). E.g., in
firefox, the settings are configurable in
network.http.spdy.enabled.http2draft and security.ssl.enable_alpn.

Major browsers, e.g., Firefox and Chrome, will (most likely) implement
HTTP/2 support for TLS connections only, which in fact would enhance the
privacy of the communication with a server.

Communications secrecy is a different risk compared to web tracking. But
HTTP/2 is "intended to be as compatible as possible with current uses of
HTTP" (see, e.g., https://http2.github.io/http2-spec/#HEADERS).
Therefore, I think that there is no reason to assume that existing
standardization in the HTTP header like Do Not Track wouldn't work. This
means that, from the application perspective, the features of the HTTP
protocol are largely unchanged. Moreover, the DNT _javascript_ API would
also work in HTTP/2.

Rob

Doc Searls schreef op 2016-11-12 20:39:
> Thanks for bringing this up.
>
> Here is the link to the Wikipedia article on HTTP/2:
> <https://en.wikipedia.org/wiki/HTTP/2>
>
> And here is the #Criticisms section of the article:
> <https://en.wikipedia.org/wiki/HTTP/2#Criticisms>
>
> And here is a link to a document with the text cited below (a passage
> from its "10.8 Privacy Considerations" section):
> <https://tools.ietf.org/html/draft-ietf-httpbis-http2-17#section-10.2>
> (Feb 2015)
>
> Here are two more links to later versions of the same:
> <http://www.tech-invite.com/y75/tinv-ietf-rfc-7540.html> (May 2015)
> <https://github.com/Jxck/http2/blob/master/main/rfc7540.txt> (May
> 2015)
>
> Why are those concerns not surfaced in the Wikipedia article, or
> elsewhere? (That I can find, anyway?) I have no idea. But I would like
> to have one, or a few.
>
> Anybody know the authors? Here they are:
>
> M. Belshe, BitGo
> R. Peon, Google, Inc
> M. Thomson, Mozilla
>
> Doc
>
>> On Nov 12, 2016, at 10:08 AM, Peter Cranstone
>> < > wrote:
>>
>> For all you privacy advocates you need to read section 10.8 of the
>> HTTP 2.0 spec. Or as it should be known - Tracking 2.0
>>
>> So what's the Holy Grail of advertising - to track you across
>> MULTIPLE ORIGINS. What does this mean? Multiple devices. You're on
>> your desktop and then you switch to mobile.
>>
>> Ok.. so with that in mind read the following section:
>>
>> 10.8 Privacy Considerations
>>
>> * Several characteristics of HTTP/2 PROVIDE AN OBSERVER AN
>> OPPORTUNITY TO CORRELATE ACTIONS OF A SINGLE CLIENT OR SERVER OVER
>> TIME. These include the value of settings, the manner in which
>> flow-control windows are managed, the way priorities are allocated
>> to streams, the timing of reactions to stimulus, and the handling of
>> any features that are controlled by settings.
>>
>> * AS FAR AS THESE CREATE OBSERVABLE DIFFERENCES IN BEHAVIOR, THEY
>> COULD BE USED AS A BASIS FOR FINGERPRINTING A SPECIFIC CLIENT, as
>> defined in Section 1.8 of [HTML5].
>>
>> * HTTP/2's preference for using a single TCP connection allows
>> correlation of a user's activity on a site. Reusing connections for
>> different origins allows tracking across those origins.
>>
>> * Because the PING and SETTINGS frames solicit immediate responses,
>> they can be used by an endpoint to measure latency to their peer.
>> THIS MIGHT HAVE PRIVACY IMPLICATIONS IN CERTAIN SCENARIOS.
>>
>> All you have to do is 'Follow the Money'. HTTP needs to evolve for
>> mobile advertising. And that means I need to track you across
>> different origins.
>>
>> HTTP2 is a protocol that is supported by a web server and browser.
>> Look to see who controls BOTH endpoints. I wonder whose browser and
>> server will support 2.0 first.
>>
>> DNT is now no longer required because the PROTOCOL is tracking you,
>> NOT the headers or the Identifiers or the Attributes.
>>
>> It's good to own a browser.
>>
>> Peter Cranstone
>>
>> Sent with ProtonMail [5] Secure Email.
>>
>>> -------- Original Message --------
>>>
>>> Subject: [projectvrm] Fwd: [Privacy-list] Tracking the Trackers -
>>> Talks@TechSci 11/18 11AM - 12PM
>>>
>>> Local Time: November 11, 2016 3:35 PM
>>>
>>> UTC Time: November 11, 2016 10:35 PM
>>>
>>> From:
>>>
>>> To: ProjectVRM list < >
>>>
>>> TALKS@TECHSCI IN THE TOTS AND TIP SERIES [1]
>>>
>>> Friday 11/18 11AM - 12PM in CGIS Knafel K262 (1737 Cambridge St).
>>> Conference call 724-707-3623 [2] PIN: 53553
>>>
>>> Tracking the Trackers
>>>
>>> Online tracking poses a serious privacy challenge that has drawn
>>> significant attention in both academia and industry.
>>>
>>> In this talk, I discuss my company's recent work in detecting
>>> tracking and exposing both the extent of tracking and the (mostly
>>> unseen) profiles generated by the tracking for the trackers. I
>>> will also reflect on whether the benefits of "Big Data" actually
>>> require a massive privacy breach on a global scale or whether
>>> this is just a convenience for the companies involved to have all
>>> the data at hand. The interesting case of the browser (a major
>>> component/accomplice in tracking) as a precursor of things to come
>>> when everything becomes a computer (IoT etc...) will be discussed.
>>>
>>> SPEAKER: Jean-Paul Schmetz is the Chief Scientist of Burda GmbH (a
>>> major German Media Company) and the founder/CEO of Cliqz GmbH (a
>>> browser/search engine company owned by Burda and Mozilla). He
>>> received his MS in Computer Science from Stanford University and
>>> his MA in Philosophy from the University of Louvain.
>>>
>>> _______________________________________________
>>>
>>> Privacy-list mailing list
>>>
>>>
>>>
>>> To unsubscribe from this list or get other information:
>>>
>>> https://lists.fas.harvard.edu/mailman/listinfo/privacy-list [3]
>>>
>>> --
>>>
>>> Adrian Gropper MD
>>>
>>> PROTECT YOUR FUTURE - RESTORE Health Privacy!
>>> HELP us fight for the right to control personal health data.
>>> DONATE: http://patientprivacyrights.org/donate-2/ [4]
>
>
>
> Links:
> ------
> [1] http://dataprivacylab.org/TIP/
> [2] tel:724-707-3623
> [3] https://lists.fas.harvard.edu/mailman/listinfo/privacy-list
> [4] http://patientprivacyrights.org/donate-2/
> [5] https://protonmail.com/
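The connection-reuse point discussed in this thread (RFC 7540 section 9.1.1 lets a client reuse one TLS connection for a different origin when that host resolves to the same IP address and the presented certificate is valid for it), as an added example that is not from any of the posters: a small Python model of that coalescing rule, using constructed hostnames, addresses and certificate SANs, that shows which origins would end up observable together on a single connection.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample data: hostnames, the IP each resolves to, and the
# certificate SANs a hypothetical server presents at each IP.
ORIGINS = [
    ("news.example.com", "203.0.113.10"),
    ("ads.example.com", "203.0.113.10"),
    ("cdn.example.net", "203.0.113.10"),
    ("shop.example.org", "198.51.100.7"),
]
CERTS: Dict[str, Set[str]] = {
    "203.0.113.10": {"*.example.com", "cdn.example.net"},
    "198.51.100.7": {"shop.example.org"},
}


@dataclass
class Connection:
    ip: str
    sans: Set[str]
    hosts: List[str] = field(default_factory=list)


def san_matches(san: str, host: str) -> bool:
    """Does a certificate SAN cover host? A leading '*.' matches exactly one label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host


def coalesce(origins, certs):
    """Group origins onto the HTTP/2 connections a client may reuse (RFC 7540
    section 9.1.1): same IP address and a certificate valid for the host."""
    connections: List[Connection] = []
    for host, ip in origins:
        for conn in connections:
            if conn.ip == ip and any(san_matches(s, host) for s in conn.sans):
                conn.hosts.append(host)  # reused: activity on both hosts now shares one TCP connection
                break
        else:
            connections.append(Connection(ip, certs[ip], [host]))
    return connections


def linkable_groups(origins, certs):
    """Origins that land on one connection, and so are correlatable by the server."""
    return [c.hosts for c in coalesce(origins, certs) if len(c.hosts) > 1]
```

Running `linkable_groups(ORIGINS, CERTS)` on the sample data groups the two example.com hosts with cdn.example.net, while shop.example.org stays on its own connection.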
