WHO IS TRACKING US ONLINE AND SHOULD THEY STOP Kirsten Martin, Ph.D. George Washington University
University of Buffalo October 1, 2014
Online with New York Times Audience Science ChartBeat DoubleClick Dynamic Yield Google Adsense Insight Express Krux Digital Moat New Relic New York Times ScoreCard Research Beacon Sizmek WebTrends
Online with Wired – Treat Level Adobe Test & Target Brightcove ChartBeat Disqus DoubleClock DoubleVerify GoogleAdsense Google Analytics Integral Ad Science Media Optimizer (Adobe) Mobify New Relic Omniture (Adobe) Polar Mobile ScoreCard Research Beacon
Online with ESPN Adobe Test & Target ChartBeat DoubleClick DoubleVerify Dynamic Logic Google Adsense Gravity Insights Omniture (Adobe) PointRoll ScoreCard Research Beacon Visual Revenue VoiceFive
Individuals as entering online space
Device
Browser
Web Page
Other Websites
Data Aggregators
Ad Networks
1. Did you read the notice?
2. Did you consent? 3. Did you hand
over personal information?
61% of websites surveyed passed
identifying information to at least one other
actor and 45% passed to 4+ other actors
Estimated that 244 hrs/year spent on reading (154 hrs/yr skimming)
notices…or $781B annually US
(Cranor; Krishnamurthy, Willis, and Naryshkin, 2011; Mayer, 2011)
Actors as watching our interactions
Device
Browser
Web Page
Other Websites
Data Aggregators
Ad Networks
Agenda The goal of this presentation is to…(a) reframe how we think about the many actors online and (b) identify the roles and responsibilities of those tracking us online.
1. Who is online?
2. What do they do?
3. Should they stop? • What are the actors’ responsibilities?
WHO IS ONLINE
A lot of people….
LoC 20 TB
LoC 20 TB
LoC 20 TB
LoC 20 TB
LoC 20 TB
1997, Lib of Congress housed 20TB
2013, NSA processed 4 LoC every minute…
Gelman, 2013, Wash Post
In 2013, data brokers collected • 1.4B consumer transactions and • 700B aggregated data elements
FTC data broker report, 2014.
62
43
0 10 20 30 40 50 60 70
Online Mktg Online Adv
2013 ($B)
Concerns: Tracking Online
Device Browser
Web Page
Data Aggregators e.g., RapLeaf
Ad Networks e.g., Google
AdSense
Tracking Companies
e.g., BlueKai, Lotame,
Other Websites
Device Fingerprinting e.g., BlueCava,
Marketo
Customer Facing
Backend Processing
Google RapLeaf
ESPN Datium
Type of Relationship
Bro
ad
Info
rmat
ion
Nar
row
In
form
atio
n Bre
adth
of I
nfor
mat
ion
Firefox Mac OS
Amazon
Making Sense of Actors Online….
OK Cupid
WHAT DO THEY DO?
What do they do?
1. As a member of a supply chain
2. Within a system of surveillance
3. As an arm of law enforcement
1. As a Member of a Supply Chain
Device Browser
Web Page
Data Aggregators
Ad Networks
Tracking Companies
Other Websites
Retargeting
Selective Search
Differential Pricing – e.g., WSJ and CNET
Obligations within Supply Chain
1. Potential harm from secondary use
2. Possible breaching of privacy expectations and confidentiality
• Voluntary Receipt of Benefits: Primary website benefits from harm caused to individuals within the info supply chain.
• Position/Relationship: Without primary website, individual would not disclose information
• Knowledge: Primary website has unique knowledge about what information is tracked by whom.
Threats to Privacy Obligations of Key Actors
2. Within a System of Surveillance…
Device Browser
Web Page
Other Websites
Data Aggregators
Ad Networks Dynamic Logic
ChartBeat
Omniture
ForeSee
DoubleClick
Twofold Disability (Cohen, 2008) 1. Unable to be seen
• Flash and ‘super’ cookies
2. Unable to escape • Of top 100 sites, all had
cookies • 85% with 3rd party cookies. • 74% with Google presence.
Good and Hoofnagle (2012)
Obligations within system of surveillance
1. Inability to identify the watcher
2. Inability to avoid the watcher
• Voluntary Benefit: In aggregating data, tracking actors benefit from the personality and identify of others which directly contributes to the harm of surveillance. Run the risk of treating users as a mere means.
• Contracting Minimums: Take away ability ability of users to identify contractors (trackers) and have a voice.
Threats to Privacy Obligations of Key Actors
3. As an arm of law enforcement
Tracking Companies
Website
DoJ FBI DHS Police
Data Aggregators
Device Browser
Web Page
Clickstream
Search History
Ad Impressions
Behavioral Profile
Think about this in two ways… (a) as changing the structure and (b) as extending the time between
disclosure and observation
In 1-2Q 2014, Twitter received 2,058 rqsts.
60% from U.S. (1,257). complied 72%
Google received 12,539
(84% compliance).
3-4Q 2013, Facebook received 12,598 requests (81% compliance) from
U.S. government.
Etzioni (2012) “Privacy Merchants”
As an arm of law enforcement….
Technological Social Legal
Police
Physical
Police
Entering House (4th Amendment)
Police
Thermal Imaging Cameras
As an arm of law enforcement….
Physical Technological Social Legal
Police
Police
Tracking Behaviors
Police
Tracking Behaviors Online
E.g., Of U.S. requests, 75% subpoenas with no
judge approval necessary
(r.t. search warrants).
As an arm of law enforcement…. Police
Tracking Behaviors
Police
Tracking Behaviors Online
time
Jan ‘13 Oct ‘14
Obligations as arm of law enforcement
1. Lowering hurdles for law enforcement to access data
2. Storing data and leaving individual vulnerable to changes in laws/norms
• Benefit: Actors who benefit from facets of data (individualized and aggregated) that make it attractive to law enforcement.
• By Breaking Existing Structures:The actors voluntarily take on the responsibility to reconstitute the social and technological structures relied upon to uphold privacy interests.
• Because Rendering Others Vulnerable: retaining data makes others vulnerable to unforeseen searches without corresponding benefit to the users.
Threats to Privacy Obligations of Key Actors
SHOULD THEY STOP?
What do they do? Problem
1. As a supply chain • Possible harmful secondary use • Possible breaching of privacy
expectations (rules).
2. As surveillance • Duality as both unknown and
inescapable
3. As an arm of law enforcement • Change in the structure protecting
information
Important Actors
• Primary website as gatekeeper
• (Hidden) backend processing • Aggregated data across contexts
• Maintaining attractive datasets over time
Customer Facing
Backend Processing
Google RapLeaf
ESPN Datium
Type of Relationship
Bro
ad
Info
rmat
ion
Nar
row
In
form
atio
n Bre
adth
of I
nfor
mat
ion
Firefox Mac OS
Amazon
Customer Facing
Backend Processing
Bro
ad
Info
rmat
ion
Nar
row
In
form
atio
n
Type of Relationship
Bre
adth
of I
nfor
mat
ion
Key Actors in Law Enforcement by
(a) having data attractive to law enforcement or
(((b) gathering any data and diminishing hurdles to law enforcement
Key Actors in Surveillance by
(a) creating a mosaic of individuals’ movements with
broad data gathering or
(b) being hidden from user.
Key
Act
ors
in S
uppl
y C
hain
ESPN
Amazon
What should they do?
1. As a supply chain • As a gate keeper: control who has access to information
• Based on unique relationship, knowledge, and position.
2. As surveillance • Rather than hidden Make presence known. • Rather than broad Work within specified contexts
3. As an arm of law enforcement • Recreate ‘structure’ through firm policies and user obscurity • Make data less attractive: aggregate less, de-identify
• Don’t retain data: delete data
Recap
The goal of this presentation was to (1) reframe how you you think about the many actors online and (2) shift the focus onto the roles and responsibilities of those tracking us online.
1. Who is online?
2. What do they do?
3. Should they stop? • What are the actors’ responsibilities?
Good Sources
• Scholars: • Chris Jy Hoofnagle & Nathan Good, The Web Privacy Census ,
October 2012, available at http://law.berkeley.edu/privacycensus.htm • Jonathan Mayer (Stanford); • Helen Nissenbaum (NYU) • Lorri Faith Cranor (CMU) • Law: Paul Ohm (Colorado); Dan Solove (GWU); Woodie Hartzog;
Ryan Calo.
• Blogs: • Wired – Threat Level • WSJ DIGITS • Kashmir Hill - Forbes
• Technology: Ghostery (purple box…)
QUESTIONS
Sources of Data/Concepts
• Twofold Disability: Cohen, Julie E. “Privacy, Visibility, Transparency, and Exposure.” University of Chicago Law
Review 75, no. 1 (2008).
APPENDIX