Profile picture
Arvind Narayanan @random_walker
, 6 tweets, 3 min read Read on Twitter
The fallout from our research continues: we reveal how website operators are in the dark about privacy violations by third-party scripts on their own sites. Includes HIPAA-protected and FERPA-protected data. Thousands of websites are affected.
freedom-to-tinker.com/2018/01/12/web…
Ironically, Princeton's own Information Security course was also affected by the student data exfiltration. We badly need more systematic ways of figuring out what other sensitive data is going where it shouldn't go.
This one was an absolute doozy. Ad tracking is so wantonly complex that website owners can't figure out what's going on even after we tell them that data is being exfiltrated from their site. Here's the thread where the hapless developer reached out: freedom-to-tinker.com/2017/12/27/no-…
Here's the worst part. Because of the way real-time ad auctions work, the set of third parties present on a page can differ each time it is loaded. So no matter how thoroughly they test their sites, website operators can never be sure that users' privacy isn't being violated.
Most of the ad tech / analytics industry is premised on keeping not just users but also website operators in the dark about privacy violations. The effort required by website operators to fully audit third parties would negate much of the benefit of offloading tasks to them.
It comes full circle — someone pointed out the trackers on Freedom to Tinker. Embarrassingly enough, I never thought to check this.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Arvind Narayanan
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @random_walker see all

Profile picture
In 2018 the blockchain/decentralization story fell apart. For example, a study of 43 use cases found a 0% success rate. theregister.co.uk/2018/11/30/blo…
Let's talk about some mistaken assumptions about decentralization that led to the blockchain hype, and what we can learn from them.
(For context, I think the technology is sound, interesting and important from a CS perspective. That’s why I’ve been researching and teaching it since 2013. bitcoinbook.cs.princeton.edu But I’ve also been speaking/writing about the pitfalls of decentralization for ~10 years.)
Blockchain proponents have a vision of _society_ in which centralized entities are weakened/eliminated. But blockchain tech is a way to build _software_ without centralized servers. Why would the latter enable the former? It’s a leap of logic that’s left unexplained.
Read 14 tweets
Profile picture
Less than 5% of cryptographers work on creating/breaking encryption algorithms. Encryption isn't the most important or most fundamental cryptographic construction. It's also mostly a solved problem. Attackers rarely even try to break encryption; they just exploit software bugs.
Here are a few of the cool things that modern cryptographers work on.
1. Secure Multiparty Computation: a powerful & broad set of techniques that enables (e.g.) 2 hospitals to do a genetic study on their combined patient records—without either sending its records to the other.
2. Theory of cryptography: how do questions about computational complexity (such as P vs NP) relate to which cryptographic algorithms are or aren’t secure? This is best understood as a quest to reveal the computational laws of nature and isn't directly motivated by applications.
Read 6 tweets
Profile picture
The online ad tech industry has created an extraordinarily invasive surveillance infrastructure that threatens our democracy. But the most tragic thing is how little has been gained—how poorly ad tech works despite all the data.
Even if rampant ad fraud is curbed, there's a deeper reason why ad tech doesn't work: measuring the returns to advertising is a statistical problem that's near impossible even with perfect tracking. This neat paper shows why and deserves to be better known justinmrao.com/lewis_rao_near…
One reason why print/TV ads work—by conspicuously spending money, the firm signals to consumers that it is big & will stick around, is invested in its reputation, and has products worth advertising. Online ads don't achieve this. The more targeted the ad, the *weaker* the signal.
Read 3 tweets

Related threads

Profile picture
With the MeitY looking to overhaul the existing Intermediary Liability regime, let's look at what an intermediary is, where it comes from, and how content regulation will impact #FoS & #privacy.

Thread by @arpithadesai who volunteers at IFF to #ELI5 this complex issue! 1/11
@arpithadesai Who is an intermediary?

An intermediary is anyone who receives, stores or transmits an electronic record on behalf of someone. Includes your telecom provider, social media websites, e-commerce sites & search engines. Big, small and tiny.

[Nope, not the colony gossiper] 2/11
@arpithadesai Under the IT Act, 2000, intermediaries enjoy what is called 'safe harbour' protection where the intermediary acts a facilitator and does not play any part in creation/modification of the information.

But, why? Because they facilitate free speech of end users. 3/11
Read 12 tweets
Profile picture
Morning campers! I’ll be live-tweeting from the European Court of Justice today about @Google’s “Right to be Forgotten” hearing.

What’s the main point? Should Europe (or France’s #privacy regulator) be able to apply its rules over the internet worldwide.

A recap:
La Vanguardia, a Spanish newspaper, published records in the late 1990s detailing the debt delinquencies of Mario Costeja.

About a decade later, Costeja sued, saying that the publication breached his right to privacy.
After a lengthy legal dispute, the case was referred to the ECJ which, in 2014, ruled that individuals had the right to ask that search engines like @Google remove links (but not the underlying webpages) from search results
Read 60 tweets
Profile picture
Friction is the enemy of #compliance. Before you conduct security awareness training for topics like third-party security, make sure you understand and FEEL the friction in the end-to-end experience for employees who have to follow those processes and policies. #UX matters. 1/
Sit with your sales team to understand the #UX of getting an NDA in place with a prospective customer or partner. Try to understand the pain and confusion when it comes to delays, manual steps, confusion, approval workflows, or lack of integration with things like #CRM. 2/
Ask yourself: do the right people have access to the #ContractManagement or e-signature systems, or do they need to REQUEST access and wait for approval? Do the systems support #SSO? Do people have to manually print and scan docs (in 2018!), and if so - do they know how? 3/
Read 8 tweets
Profile picture
Ad-tech intermediary lobbyists use Google and FB to massively overstate benefits of tracking, news at 11. Publishers waking up to this after years of being on the losing end of the Lumascape.

This chart gets "old news" reaction from smarties, or a "how can this go on" reaction from others.

But there's another angle: @acfou estimates fraud at 20%, It could be 40%. Google takes 60% of ad spend, $80B in USA last year. 0.2 x 0.6 x $80B = $9.6B; 0.4 x 0.6 x $80B = $19.2B.
The @guardian bought out its own inventory the other year and got paid 30 pence on the pound. They just did a similar test and found 72% ad fraud (domain spoofers) for video ads: mediapost.com/publications/a…. Ad fraud is huge and all exchanges (Google runs the biggest) profit from it.
Read 13 tweets
Profile picture
Here's someone who's highly engaged in politics, news and society but didn't know about #MyHROptOut until this morning.

If you're in media and wondering if this needs more coverage, here's your answer. #MyHealthRecord #Privacy
Opting out doesn't appear to be going well for people so far. I've seen multiple reports of long wait times on the phone and web server crashes.

I've you're planning to opt out, I'd suggest maybe not doing it today, but definitely not waiting too long.

#MyHealthRecord #Privacy
For the record, I've gone back and forward on opting out myself.

As a journalist with strong interests in tech and privacy, I really want to see the system for myself. Kick its tyres and experience its flaws and limitations personally. But ...

#MyHealthRecord #Privacy
Read 142 tweets
Profile picture
A brief thread on the Facebook ad and page problem (h/t to @TheLiberal_x and @TransparentRef) 1/ The day before Facebook introduced the new view ads feature in Ireland, this domain was registered:
who is behind undecided8 ? Whois is private. Hosted on DigitalOcean in New Jersey. Don't know who registered it.
Website SSL cert registered the same day. Website has no details about who is behind the website, no about section, no transparency.
Read 66 tweets

Trending hashtags

#ELI5 #Ramadan #Skripal #walkaway #10YearsOfLostInTheMovies #Benghazi #ContractManagement #MyHealhRecord #EndTrafficking #Jerusalem #JohnBrennan #ETH #idontknowher #privacy #ChildSexualAbuse #CrookedHillary #TIL #RESEARCH #LT #GDPR #Rafale4NatSecurity #SaturdayMotivation #ITRules #Wikileaks #Privacy

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!