Brussels / 2 & 3 February 2019


Watching Them Watching Us

WebExtensions Exposing Privacy Leaks


PLEASE EDIT TO REFLECT MERGER:

ORIGINAL TRACKULA ABSTRACT: Trackula on the Web is a community effort that began as an idea to raise awareness among average users about the current state of privacy in the digital realm. A WebExtension add-on locally saves the user's own history and interactions with third parties in order to educate them about the state of surveillance on the web, and about third parties that are so systematically embedded in websites that they have as accurate a view of your history as your own browser does. We are currently looking for community feedback on continuing the project, and we will also present an audit of GDPR compliance using the plugin's data. No personal data will be collected for this presentation.

ORIGINAL LOCAL SHERIFF ABSTRACT: Think of Local Sheriff as a reconnaissance tool in your browser for gathering information about what companies know about you. While you browse the internet as you normally would, it works in the background and helps you identify what sensitive information (PII: name, date of birth, email, passwords, passport number, auth tokens) is being shared or leaked to which third parties, and by which websites.

The issues that Local Sheriff helps identify:

-  What sensitive information is being shared, and with which parties?
-  What companies are behind these third parties?
-  What can they do with this information? E.g. de-anonymize users on the internet, create shadow profiles.

Local Sheriff can also be used by organizations to audit:

-   Which third parties are being used on their websites.
-   Whether the third parties on their websites are implemented in a way that respects users' privacy, so that sensitive data is not leaked to them.

Local Sheriff is a web extension that can be used with Chrome, Opera and Firefox.

Details: https://github.com/cliqz-oss/local-sheriff

PLEASE EDIT TO REFLECT MERGER:

ORIGINAL TRACKULA DESCRIPTION: Trackula began as a collaborative effort in a hackerspace in Madrid, and it has now grown into a group of related activities. Trackula on the Web is a narrative experience for the average user that warns them about the current state of digital surveillance on the web. The Trackula add-on makes no effort to disrupt communications; it exists only to record the interactions as they happen, in order to report to the user how much data they are, consciously or not, giving away on the Internet. It is then the user's choice to apply their own countermeasures, and the effect of those will then be visible to the user in their report. We used the plugin in an effort to assess the impact of the GDPR on certain websites, and in this presentation we will show how we measured the interactions with websites and the conclusions of our report.

We will talk about the following:

-  The beginning
-  How the narrative idea of the web add-on came into existence
-  Our analysis of the GDPR on the web and Trackula's role; a report handed to the Spanish Data Protection Agency that won us second prize in their national Research Prize for 2017
-  Ideas on how other communities could use this data
-  How we improved the interaction recording in order to analyze GDPR compliance at larger scale (*)
-  Conclusions, future work, questions and feedback

(*) This is, at the time of submission, a work in progress. We are currently analyzing consent-related privacy invasions on websites and expect to have an analysis ready later in December.

ORIGINAL LOCAL SHERIFF DESCRIPTION: It has become the norm for websites to load enormous amounts of third-party resources on their webpages. Websites do have genuine use cases for these, such as analytics, measuring app performance, audience measurement, goal conversions, content recommendation, social sharing and CDNs.

Third parties, however, have been known to use techniques like cookies and canvas fingerprinting to generate identifiers and track users across the web. Because of the way these third parties collect data and the way websites embed them, it is very easy for them not just to learn a user's web browsing history but also to DE-ANONYMIZE the user, to the extent of knowing their name, address, nationality, etc.

Using Local Sheriff, users and researchers can not only find out how they are being tracked across the web and by whom, but also hold companies accountable for how the websites they use:

-  leak PII to these third parties;
-  share information entered in forms with third parties;
-  send usernames and passwords to third parties.

Not only this, Local Sheriff can also be used by organizations as a measure:

-  to ensure the third parties they are using are not using shady techniques to track users;
-  to ensure they themselves have implemented the third parties respecting users' privacy.

In order to achieve the above-mentioned goals, Local Sheriff works as a web extension in the user's browser and observes network traffic for:

-  webpages loading third parties;
-  URLs being leaked to these third parties via HTTP headers and query parameters;
-  whether these URLs are behind a login or not, and what data is present on them;
-  whether values entered on webpages, such as email ID, username or password, are being transmitted to these third parties.

In the control panel of Local Sheriff, users can:

-  search for any value that they think is private to them and should not have been shared, or at least not without their consent;
-  search for a specific cookie to see if it is being shared with other domains that are not the owners of that cookie (cookie syncing);
-  detect if some third party is creating shadow profiles, for example what Facebook knows about a user who has never visited Facebook.com.

Demo video of how information entered in forms is leaked and Local Sheriff highlights it: https://streamable.com/yl3qq

Local Sheriff cuts down all the clutter of using network inspection tools and provides a search interface that shows users the ugly world of data collection and third parties, and how their PII is being shared with companies they have not even visited, used or heard of.

Everything is done locally, and no data is sent out to Local Sheriff servers (they don't even exist). It is not bound to WebExtensions; it can be developed further and used with network inspection tools too.

More details and demos can be found in the readme section of the repo: https://github.com/cliqz-oss/local-sheriff/blob/master/README.md

You can also install it from the Chrome store: https://chrome.google.com/webstore/detail/local-sheriff/ckmkiloofgfalfdhcfdllaaacpjjejeg/ All the code for this project is open-sourced under the GPL v3.0 license and can be found at: https://github.com/cliqz-oss/local-sheriff

Please feel free to contact me for any more details. Any feedback is greatly appreciated. Local Sheriff was also recently showcased at DEF CON 26 Demo Labs.

Press coverage: https://github.com/cliqz-oss/local-sheriff#coverage

Speakers

Santiago Saavedra
Konark Modi
