

Re: [projectvrm] [Privacy-list] Tracking the Trackers - Talks@TechSci 11/18 11AM - 12PM


  • From: Peter Cranstone < >
  • To: Don Marti < >
  • Cc: Doc Searls < >, Adrian Gropper < >, ProjectVRM list < >
  • Subject: Re: [projectvrm] [Privacy-list] Tracking the Trackers - Talks@TechSci 11/18 11AM - 12PM
  • Date: Sat, 12 Nov 2016 21:14:54 -0500

Hi Don,

Couple of thoughts. 

Firefox and DNT - still doesn't implement the proposed standard correctly. No ability to store consent and no ability to transmit DNT=0.

RE: Test pilot... good idea BUT what we need to see is the DATA - show us exactly what you are sending to:
  • Yahoo in the USA,
  • Yandex in Russia,
  • Baidu in China,
  • Google 'elsewhere' (need to understand that more clearly). 
Nobody pays anyone $300 million a year for no reason. $300 million equates to value - the value of the data that the search engines are receiving.

As Reagan said - Trust but verify - Think of DNT as a 'Trust' Signal - what's missing is the Verify document - TCS and the upcoming GDPR.


Peter Cranstone
Sent with ProtonMail Secure Email.

-------- Original Message --------
Subject: Re: [projectvrm] [Privacy-list] Tracking the Trackers - Talks@TechSci 11/18 11AM - 12PM
Local Time: November 12, 2016 6:51 PM
UTC Time: November 13, 2016 1:51 AM
From:
To: Doc Searls < >
Peter Cranstone < >, Adrian Gropper < >, ProjectVRM list < >

begin Doc Searls quotation of Sat, Nov 12, 2016 at 02:44:55PM -0800:
> > On Nov 12, 2016, at 1:44 PM, Peter Cranstone < > wrote:
> >
> > Interesting. Nobody is talking about this part:
> > HTTP/2's preference for using a single TCP connection allows correlation of a user's activity on a site. If connections are reused for different origins, this allows tracking across those origins.
> > Nobody needs to look for a DNT header now. They'll just use the protocol itself to correlate your activity across a site to track and serve ads to you. The get out of jail card is 'if' the connections are reused.
>
> Good point. Looking for comments from others here as well. Weigh in, please.
>
> > Let's see if the authors have any financial motivation to reuse them?
> >
> > >> M. Belshe, BitGo
> > >> R. Peon, Google, Inc
> > >> M. Thomson, Mozilla
> >
> > Former Google engineer.
> > Current Google engineer.
> > Probably an engineer at Mozilla
> >
> > Mozilla gets $300m a year for their Google search bar.
>
> I believe the current deal is with Yahoo, fwiw.

(I work for Mozilla. Not speaking for Mozilla here.
Opinions and errors mine.)

Martin Thomson at Mozilla works on HTTP/2, WebRTC, and
other areas.
https://blog.mozilla.org/blog/2016/02/08/martin-thomson-appointed-to-the-internet-architecture-board/

Mozilla's search deals are by country, with Yahoo in
the USA, Yandex in Russia, Baidu in China, and Google
elsewhere.
https://blog.mozilla.org/blog/2014/11/19/promoting-choice-and-innovation-on-the-web/

> > The contract has another 3 years to run. Google and Mozilla both have their own browsers which will support HTTP2
> >
> > Hmmm. And the beat goes on.
>
> That’s an ad hominem argument, and I don’t think it washes, except in the most indirect and general ways. And maybe not even then. Financial interest might be a factor. But I have to say that I’ve worked for Mozilla, and I know a lot of people with Mozilla, Google, Facebook, and even in the advertising and adtech industries (and there is a distinction); and I have found no mapping of money to what engineers do, or wish to do. More the other way around. Hell, several of us here got washed out of Mozilla when it closed what it called the advertising group, even though its only completed work was proving there was an ethical non-tracking based way of doing advertising. Frankly, most of the people I know in those companies often fight those companies and their financial benefactors from the inside.
>
> > If you really want to control your identifiers then you're going to need your own browser.
>
> Well, this is what I hoped Mozilla would be. If somebody from Mozilla is listening, it would be good to have them weigh in here.
>
> Personally, I believe a browser should be one’s own, just like a house or a car, a purse or a pair of pants should be one’s own, and that the castle doctrine should apply to it: <http://j.mp/cstledoc>.

Search advertising competes with other forms of
advertising for the same marketing budgets. IMHO it
is clearly in Mozilla's interest to block the creepy
stuff, such as retargeting, that Mozilla doesn't get
a piece of the action from (and that doesn't match up
with Mozilla's principles on giving users control of
their web experience, but as long as we're following
the money here, might as well follow it right.)

Unfortunately, it's hard to block all the creepy
stuff without breaking some site's shopping cart
or fonts or comments or some other random feature.
So Tracking Protection in Firefox is, right now, a
"Test Pilot" feature, not the default.

https://testpilot.firefox.com/experiments/tracking-protection

Tracking Protection is already a cleaner, more
hassle-free experience than most of the privacy stuff
you can run in a browser, and I would recommend it to
non-web-developer users. But Mozilla has to collect
more data from the Test Pilot experiment to know more
about which users to turn it on for and when.

As far as HTTP/2 goes, just establishing a fresh
connection for each first-party site is nowhere near
enough. You still need to be able to do all 4 layers
of protection.

http://blog.aloodo.org/posts/protection-layers/

(fingerprinting protection is another story, but that's
in progress too.)

Don

> Doc
>
>
> >
> >
> > Peter Cranstone
> > Sent with ProtonMail <https://protonmail.com/> Secure Email.
> >
> >> -------- Original Message --------
> >> Subject: Re: [projectvrm] [Privacy-list] Tracking the Trackers - Talks@TechSci 11/18 11AM - 12PM
> >> Local Time: November 12, 2016 12:39 PM
> >> UTC Time: November 12, 2016 7:39 PM
> >> From:
> >> To: Peter Cranstone < >
> >> Adrian Gropper < >, ProjectVRM list < >
> >>
> >> Thanks for bringing this up.
> >>
> >> Here is the link to the Wikipedia article on HTTP/2: <https://en.wikipedia.org/wiki/HTTP/2>
> >>
> >> And here is the #Criticisms section of the article:
> >> <https://en.wikipedia.org/wiki/HTTP/2#Criticisms>
> >>
> >> And here is a link to a document with the text cited below (a passage from its "10.8 Privacy Considerations" section):
> >> <https://tools.ietf.org/html/draft-ietf-httpbis-http2-17#section-10.2> (Feb 2015)
> >>
> >> Here are two more links to later versions of the same:
> >> <http://www.tech-invite.com/y75/tinv-ietf-rfc-7540.html> (May 2015)
> >> <https://github.com/Jxck/http2/blob/master/main/rfc7540.txt> (May 2015)
> >>
> >> Why are those concerns not surfaced in the Wikipedia article, or elsewhere? (That I can find, anyway?) I have no idea. But I would like to have one, or a few.
> >>
> >> Anybody know the authors? Here they are:
> >>
> >> M. Belshe, BitGo
> >> R. Peon, Google, Inc
> >> M. Thomson, Mozilla
> >>
> >> Doc
> >>
> >>> On Nov 12, 2016, at 10:08 AM, Peter Cranstone < <mailto: >> wrote:
> >>>
> >>> For all you privacy advocates you need to read section 10.8 of the HTTP 2.0 spec. Or as it should be known - Tracking 2.0
> >>>
> >>> So what's the Holy Grail of advertising - to track you across MULTIPLE ORIGINS. What does this mean? Multiple devices. You're on your desktop and then you switch to mobile.
> >>>
> >>> Ok.. so with that in mind read the following section:
> >>>
> >>> 10.8 Privacy Considerations
> >>> Several characteristics of HTTP/2 provide an observer an opportunity to correlate actions of a single client or server over time. These include the value of settings, the manner in which flow-control windows are managed, the way priorities are allocated to streams, the timing of reactions to stimulus, and the handling of any features that are controlled by settings.
> >>> As far as these create observable differences in behavior, they could be used as a basis for fingerprinting a specific client, as defined in Section 1.8 of [HTML5].
> >>> HTTP/2's preference for using a single TCP connection allows correlation of a user's activity on a site. Reusing connections for different origins allows tracking across those origins.
> >>> Because the PING and SETTINGS frames solicit immediate responses, they can be used by an endpoint to measure latency to their peer. This might have privacy implications in certain scenarios.
> >>> All you have to do is 'Follow the Money'. HTTP needs to evolve for mobile advertising. And that means I need to track you across different origins.
> >>>
> >>> HTTP2 is a protocol that is supported by a web server and browser. Look to see who controls BOTH endpoints. I wonder whose browser and server will support 2.0 first.
> >>>
> >>> DNT is now no longer required because the PROTOCOL is tracking you, NOT the headers or the Identifiers or the Attributes.
> >>>
> >>> It's good to own a browser.
> >>>
> >>>
> >>> Peter Cranstone
> >>> Sent with ProtonMail <https://protonmail.com/> Secure Email.
> >>>
> >>>> -------- Original Message --------
> >>>> Subject: [projectvrm] Fwd: [Privacy-list] Tracking the Trackers - Talks@TechSci 11/18 11AM - 12PM
> >>>> Local Time: November 11, 2016 3:35 PM
> >>>> UTC Time: November 11, 2016 10:35 PM
> >>>> From: <mailto: >
> >>>> To: ProjectVRM list < <mailto: >>
> >>>>
> >>>> Talks@TechSci in the ToTS and TIP Series <http://dataprivacylab.org/TIP/>
> >>>>
> >>>>
> >>>> Friday 11/18 11AM - 12PM in CGIS Knafel K262 (1737 Cambridge St). Conference call 724-707-3623 <tel:724-707-3623> PIN: 53553
> >>>>
> >>>> Tracking the Trackers
> >>>>
> >>>> Online tracking poses a serious privacy challenge that has drawn significant attention in both academia and industry.
> >>>> In this talk, I discuss my company's recent work in detecting tracking and exposing both the extent of tracker and the (mostly unseen) profiles generated by the tracking for the trackers. I will also reflect on whether the benefits of "Big Data" actually requires a massive privacy breach on a global scale or whether this is just a convenience for the companies involved to have all the data at hand. The interesting case of the browser (a major component/accomplice in tracking) as a precursor of things to come when everything becomes a computer (IoT etc...) will be discussed.
> >>>> Speaker: Jean-Paul Schmetz is the Chief Scientist of Burda GmbH (a major German Media Company) and the founder/CEO of Cliqz GmbH (a browser/search engine company owned by Burda and Mozilla). He received his MS in Computer Science from Stanford University and his MA in Philosophy from the University of Louvain.
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Privacy-list mailing list
> >>>> <mailto: >
> >>>>
> >>>> To unsubscribe from this list or get other information:
> >>>>
> >>>> https://lists.fas.harvard.edu/mailman/listinfo/privacy-list
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>>
> >>>> Adrian Gropper MD
> >>>>
> >>>> PROTECT YOUR FUTURE - RESTORE Health Privacy!
> >>>> HELP us fight for the right to control personal health data.
> >>>> DONATE: http://patientprivacyrights.org/donate-2/
> >
>

--
Don Marti < >
http://zgp.org/~dmarti/
Are you safe from 3rd-party web tracking? http://www.aloodo.org/test/
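
Added example (not part of the original messages, and not code from any participant or browser discussed in the thread): the RFC 7540 section 9.1.1 conditions under which a client may reuse one HTTP/2 connection for a different origin, which bounds the cross-origin linkage that the quoted section 10.8 text describes. The connection record, hostnames, addresses and SAN lists are constructed sample data; real clients may apply stricter checks than the two modelled here.

```python
# Added example: when may an HTTP/2 client reuse one connection for two origins?
# Rule modelled: RFC 7540 section 9.1.1 (same resolved IP + certificate valid for the host).
# All hostnames, addresses and SAN lists below are constructed sample data.
from urllib.parse import urlsplit

def san_matches(pattern: str, host: str) -> bool:
    """Match a certificate dNSName against a host; '*' covers one left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def can_coalesce(conn: dict, url: str, resolved_ips: set) -> bool:
    """conn: {'scheme', 'port', 'ip', 'sans'} describing an open HTTP/2 connection."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    if u.scheme != conn["scheme"] or port != conn["port"]:
        return False
    if conn["ip"] not in resolved_ips:       # new host must resolve to the connected IP
        return False
    if u.scheme == "https":                  # and the presented certificate must cover it
        return any(san_matches(s, u.hostname) for s in conn["sans"])
    return True

def linkable_origins(conn: dict, candidates: dict) -> list:
    """Origins whose requests a client could send on this one connection."""
    return sorted(url for url, ips in candidates.items() if can_coalesce(conn, url, ips))

CONN = {"scheme": "https", "port": 443, "ip": "192.0.2.10",
        "sans": ["shop.example", "*.cdn.example"]}
CANDIDATES = {
    "https://img.cdn.example/": {"192.0.2.10", "192.0.2.11"},  # same IP, SAN covers it
    "https://a.b.cdn.example/": {"192.0.2.10"},       # wildcard spans one label only
    "https://tracker.example/": {"192.0.2.10"},       # same IP, not in the certificate
    "https://static.cdn.example/": {"198.51.100.7"},  # covered, but different IP
    "http://img.cdn.example/": {"192.0.2.10"},        # scheme and port differ
}

if __name__ == "__main__":
    print(linkable_origins(CONN, CANDIDATES))
```

Under these two checks only origins served from the same address under the same certificate can share the connection, so the party able to correlate them is the one already operating both.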



