Greetings from Portsmouth, NH!
I had the opportunity to travel down to the nation's capital this week to attend a couple of thought-provoking events on privacy. For me, there was a theme to both: How privacy research and scholarship can and should affect technology and policy. The main event was the Federal Trade Commission's PrivacyCon event at the Constitution Center near the National Mall. The day featured a bevy of talented researchers, academics, industry representatives, and other stakeholders to better explore the privacy implications of emerging technology.
Looking back, I took away the most from session one, which focused on the collection, exfiltration and leakage of private information. There is a lot to unpack here, and I'll plan on doing so in future Privacy Tech blog posts, but several topics grabbed my attention, including how invasive email tracking can be, the amount of data leaked by browser extensions, and the potential exfiltration of personal information from "session-replay scripts."
Princeton University's Steven Englehardt noted that it's possible for marketers to correlate email tracking with web tracking. This can reveal a lot of information about a user, far beyond what an average user realizes. His team's research points out: "Email-address-based tracking identifiers are persistent, cross-device, and unique. Users will very rarely change their email address, and will share it with companies when they sign up for online accounts or make in-person purchases at a store." This can then be used to segment user activities across devices, they point out, even after a user has "taken steps to clear their on-device identifiers, and to 'onboard' data from offline sources."
Michael Weissbacher, of Northeastern University, presented on data leaks from browser extensions. "Browser extensions, while a useful mechanism for allowing third-party extensions to core browser functionality, post a security risk in this regard since they have access to privileged browser APIs," the research states. "Because of this, they have become a major vector for introducing malicious code into the browser."
Gunes Acar, also of Princeton, discussed some of his research, also in conjunction with Englehardt, on the privacy implications of so-called "session-replay scripts." Though third-party analytics scripts are common, more sites are beginning to employ this technology. These newer scripts can log user keystrokes, mouse movement, page scrolling and other user interactions with the page. Of course, these can be beneficial tools for companies, but, as Acar and his co-researchers point out, this kind of tracking likely exceeds user expectations. Additionally, since these scripts collect more data than traditional trackers, leaks of sensitive information often take place, including, according to Acar, credit card details and other sensitive data.
These are just three examples of more than a dozen research papers presented at PrivacyCon, but they really demonstrated how little notice and user control exists during many basic online activities.
Relatedly, Tuesday night I attended the Future of Privacy Forum's always enjoyable Privacy Papers for Policy Makers event. It led with current FTC Commissioner Terrell McSweeny, who said she'd like to see consumer rights better mapped to the digital world. She also advocated for more work around what she called "governance by design" and for more European-style digital rights concepts, such as data portability. It's difficult to imagine a GDPR-style regime here in the U.S., but since so many companies are gearing up for it in their global operations, perhaps many organizations will operationalize some of their GDPR-related tools and systems for U.S. users.
As I said above, there is still much to unpack from these two events, but nevertheless, it's great to see government and business pay attention to the privacy and security research currently under way. There's clearly lots of value that companies and government can derive from this kind of work.
Finally, I just want include a note about our new Privacy Tech Vendor Report. I recently interviewed a dozen privacy practitioners and consultants to get their insights into purchasing and operationalizing third-party privacy tech solutions. If you're considering the purchase of new privacy tech to help your day-to-day operations, please do check out our report. There are many tips in there to consider during your purchasing and implementation processes. And, of course, don't hesitate to send me an email if you have any questions about the report.
Until next week, be well!
If you want to comment on this post, you need to login.