Nicholas Weaver

Jaeyoung Choi, Istemi Ekin Akkus, Serge Egelman et al.

Under U.S. law, marketing databases exist under almost no legal restrictions concerning accuracy, access, or confidentiality. We explore the possible (mis)use of these databases in a criminal context by conducting two experiments. First, we show how this data can be used for "cybercasing" by using this data to resolve the physical addresses of individuals who are likely to be on vacation. Second, we evaluate the utility of a "bride to be" mailing list augmented with data obtained by searching both Facebook and a bridal registry aggregator. We conclude that marketing data is not necessarily harmless and can represent a fruitful target for criminal misuse.

Michael Carl Tschantz, Serge Egelman, Jaeyoung Choi et al.

Google's Ad Settings shows the gender and age that Google has inferred about a web user. We compare the inferred values to the self-reported values of 501 survey participants. We find that Google often does not show an inference, but when it does, it is typically correct. We explore which usage characteristics, such as using privacy enhancing technologies, are associated with Google's accuracy, but found no significant results.

Istemi Ekin Akkus, Nicholas Weaver

The privacy implications of third-party tracking is a well-studied problem. Recent research has shown that besides data aggregators and behavioral advertisers, online social networks also act as trackers via social widgets. Existing cookie policies are not enough to solve these problems, pushing users to employ blacklist-based browser extensions to prevent such tracking. Unfortunately, such approaches require maintaining and distributing blacklists, which are often too general and adversely affect non-tracking services for advertisements and analytics. In this paper, we propose and advocate for a general third-party cookie policy that prevents third-party tracking with cookies and preserves the functionality of social widgets without requiring a blacklist and adversely affecting non-tracking services. We implemented a proof-of-concept of our policy as browser extensions for Mozilla Firefox and Google Chrome. To date, our extensions have been downloaded about 11.8K times and have over 2.8K daily users combined.