Adnostic: Privacy Preserving Targeted Advertising

Post on 10-Feb-2016


Rachel Stonehirsch and Nan Wu

Online Behavioral Advertising

• Track users across web sites to infer user interests and preferences

• Better ad placement

• Not a new practice

o 1990s: DoubleClick used 3rd party cookies to track users

Parties

• Advertiser

o Has an online ad to embed in web pages

• Publisher

o Owns web pages and is willing to place ads from others

• Ad-network

o Collects ads/payment from advertisers

o Places ads on publisher pages

Parties

• Content Distribution Network (CDN)

- "Collude" with ad network

• Trusted third party

- Cryptographic service provider

- Does not "collude" with any other parties

Tracking

• Associate an identifier with a user

• Cookies, IP address and User-Agent strings

Privacy

• Privacy and consumer advocacy groups concerned about how OBA affects privacy

• Argument:

o Behavioral targeting is inherently in conflict with privacy

• Our work shows that it is possible to have effective targeted advertising and still preserve privacy

Privacy Threats

• Clickstream

• Behavioral profile

• Ad impression history

• Ad click history

Adnostic

• A Firefox extension

• Uses browsing history database

• Runs behavioral targeting algorithm in browser

o User information not leaked outside the browser

Motivation: A complement, not a replacement

Adnostic

• Cryptographic techniques for accurate billing

• Only click history is provided to ad network

o Against click fraud scams

o Available from advertisers

Why adnostic?

1. Please privacy-conscious publishers

2. More visibility

3. Maybe better than user tracking

4. Private browsing mode

5. User control

6. Standardized segmentation

Adnostic Architecture: Targeting with Privacy

1. Behavior profiling

2. Ad insertion

3. Accounting

Behavioral Profiling

• Continually updates interest categorizations

• More than interest: intent and influence

• User sessions: keystroke dynamics or last few pages viewed

Ad Insertion

• Ad-network detects Adnostic

• A list of n ads is sent back, each with a classification

• One of n ads is chosen to display

Billing: Charge per Click Model

• Users click on an ad and are redirected to the advertiser's site

• Billing takes place directly at the site

Billing: Charge per Impression Model

• N ads are pushed to the browser

• One ad is displayed to user

• One advertiser is charged

o How can the ad-network charge the correct advertiser without knowing which ad was displayed?

• Solution:

o Additively homomorphic encryption

o Zero knowledge proofs

Homomorphic Encryption

• Given public key pk

• Given ciphertexts E(pk, x1) and E(pk, x2)

o Can create ciphertext E(pk, x1 + x2)

o Can create ciphertext E(pk, c*x) for any scalar c

Billing: Initialization

• Ad-network identifies ad by an ID

• Ad-network stores each ad and encrypted counter, CID

• When ad is first uploaded

o CID ← E(pk, 0)

Billing: Ad Insertion

• Ad-network sends pk and n ads to browser

o (pk, ad1, ad2, ..., adn)

• Browser chooses ad to display to user

o Creates binary vector v with n components

o Encrypts each element of v using pk and sends to ad-network with zero-knowledge proofs (E(pk, v1), ..., E(pk, vn))

Billing: Ad Insertion

• Ad-network multiplies vector by c

o (E(pk, c*v1), ..., E(pk, c*vn))

• Ad-network adds encrypted vector values to each ad's encrypted counter

o Result: Quantity c is added to counter of ad displayed

Billing: Settlement

• Ad-network sends encrypted counters to a trusted third party (TTP)

• TTP decrypts counters and sends response to ad network
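
The billing slides (initialization, ad insertion, settlement) traced end to end, as an added example that is not code from the presentation or from Adnostic. It assumes Paillier as the additively homomorphic scheme with fixed demo-sized primes, omits the zero-knowledge proofs, and uses hypothetical function names and constructed ad IDs and costs.

```python
import math
import secrets

# Toy Paillier (additively homomorphic). Fixed demo primes: NOT secure.
P, Q = 2**31 - 1, 2**61 - 1              # two known Mersenne primes

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow(lam, -1, n)                 # valid because generator g = n + 1
    return n, (lam, mu)                  # pk = n; sk is held only by the TTP

def encrypt(pk, m):
    n2, r = pk * pk, 0
    while math.gcd(r, pk) != 1:          # fresh randomness for every ciphertext
        r = secrets.randbelow(pk - 1) + 1
    return pow(pk + 1, m, n2) * pow(r, pk, n2) % n2

def add(pk, c1, c2):                     # E(x1), E(x2) -> E(x1 + x2)
    return c1 * c2 % (pk * pk)

def scale(pk, c, k):                     # E(x) -> E(k * x)
    return pow(c, k, pk * pk)

def decrypt(pk, sk, c):
    lam, mu = sk
    return (pow(c, lam, pk * pk) - 1) // pk * mu % pk

def browser_choice(pk, n_ads, shown):
    """Browser: encrypted binary vector v, 1 only at the displayed ad."""
    return [encrypt(pk, 1 if i == shown else 0) for i in range(n_ads)]

def network_update(pk, counters, ad_ids, enc_v, cost):
    """Ad-network: add cost * v_i to each ad's encrypted counter."""
    for ad_id, ev in zip(ad_ids, enc_v):
        counters[ad_id] = add(pk, counters[ad_id], scale(pk, ev, cost))

def run_demo():
    pk, sk = keygen()
    ad_ids = ["ad1", "ad2", "ad3"]                   # constructed sample IDs
    counters = {a: encrypt(pk, 0) for a in ad_ids}   # initialization: E(pk, 0)
    # Constructed impressions as (index of ad shown, cost c charged).
    for shown, cost in ((1, 5), (2, 5), (1, 7)):
        enc_v = browser_choice(pk, len(ad_ids), shown)
        network_update(pk, counters, ad_ids, enc_v, cost)
    # Settlement: only the TTP, holding sk, decrypts the counters.
    return {a: decrypt(pk, sk, c) for a, c in counters.items()}

if __name__ == "__main__":
    print(run_demo())
```

The ad-network only ever handles ciphertexts, so it cannot tell which counter grew. Without the zero-knowledge proofs nothing stops a browser from submitting a vector that is not a valid 0/1 selection, which is why the slides pair the two techniques.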

Implementation

• User Profiling Module

o Monitors browsing activity to build a list of user interests

• Ad Rendering Module

o Selects ads based on user profile

o Inserts ads into the web pages

Implementation: User Profiling

• Adnostic extracts keywords from the page meta-data and the URL

• List of keywords used to retrieve categories related to page content

• Categories derived from all pages visited used to make up profile

Implementation: In-Browser Categorization

• Adnostic comes with:

o List of categories

o Cosine-similarity matrix

Used to compute categories for a list of keywords obtained from a web page

Implementation: Ad Rendering

• Ad-network sends to the browser:

o List of behavioral categories

o A score representing relevancy of the ad

o For each extension any numerical parameters that the extension accepts

• Browser creates combined score for each ad

o Uses score sent by ad-network

o Uses how well list of categories match the user's profile

Implementation: Ad Rendering

• adnostic.render()

o Attributes are an id, url, and targeting inputs described earlier, height and width parameters, and cryptographic key

• Browser creates n DOM elements

• All ads are downloaded

o Only one is displayed to the user

Evaluation

• Based on advertisement rendering delay

• Observe impact on page loading time

• Websites can

o Publish many ads

o Intensively use scripts

o Include external elements that take time to load

• Adnostic increases loading delay

o Might be negligible on heavy websites

o Might affect lightweight websites

Evaluation

1. SlashDot

• Lightweight website (3 banner ads)

2. ReadWriteWeb

• Heavy website (13 banner ads and content from external websites)

3. WeSecretSoftwareClub

• Lightweight website (3 text ads)

4. TheRegister

• Publishes text ads and banners.

Evaluation: Ad Rendering Time

• Website 3 achieves fastest rendering time

o Publishes only text ads

• Faster when 10 text ads are downloaded

• Time increases when banner ads are displayed

• Time to download 10 banners is similar to time to download 20 text ads

Evaluation: Page Loading Time

• In general, impact on loading time was low

• Website 2

o Includes external content and publishes many ads

o To load page, browser opens many connections

o Firefox limits number of simultaneous connections

• Solution:

o Increase number of simultaneous connections

o Degrade browsing experience

• Alternative: Fetch n ads via a single HTTP request

Conclusion

• Addresses the tension between behavioral targeting and user privacy

• Primary goal: Create a system that would preserve user privacy and still serve ads effectively

• Complement existing ad infrastructure, not replace it