brave privacy and standards
play

Brave, Privacy, and Standards Peter Snyder, Privacy Researcher, - PowerPoint PPT Presentation

Jul 07, 2023 •462 likes •1.01k views

Brave, Privacy, and Standards Peter Snyder, Privacy Researcher, pes@brave.com Pranjal Jumde, Security Engineer, pranjal@brave.com Overview Brave's goals on the Web How Brave protects privacy today How the standards process

  1. Brave, Privacy, and Standards Peter Snyder, Privacy Researcher, pes@brave.com 
 Pranjal Jumde, Security Engineer, pranjal@brave.com

  2. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 2

  3. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 3

  4. Brave Is 100% In on Web Openness • Anyone can join / code / view-source • No choke-point 
 Compatibility • Easy to share content • Best cross-device story 
 But things have gone off the rails… � 4

  5. Creators: Users: The Ecosystem Small & declining revenue Slow, abusive, creepy ads and is Broken: Commodification tracking 
 Advertisers: Fraud: 2017 - $16B in US 
 est. $50B by 2025 Data source: Business Insider, Atlantic, Fortune, PageFair � 5

  6. USERS: Already Paying a High Price Slow Invasive Expensive Insecure 5 124 $ 23 3x seconds per 
 trackers 
 monthly average 
 malware and 
 mobile page load 
 on media users pay to 
 ransomware 
 wasted by Adtech sites like TMZ download ads 
 growth in 2017 and trackers � 6 Data source: Bullet 1, New York Times and Medium ; Bullet 2: TMZ: Ghostery ; Bullet 3: New York Times ; Bullet 4: Forbes: Cylance .

  7. PUBLISHERS: Ad-tech Lumascape: High Cost, Low Quality � 7 Data source: www.lumapartners.com for graphic and World Federation of Advertisers for fraud.

  8. ADVERTISERS: 
 Users Respond with Ad-blocking Mobile 380M browsers 600M+ 
 275M devices 181M Desktop 236M browsers 119M 216M 54M 145M 2013 2014 2015 2016 2017 8 � Data source: Pagefair

  9. Our Vision Brave + BAT For a Better Web Reformed digital Private-by-default Reward users to advertising browsing browse/autopay � 9

  10. 
 
 
 Lack Of Browser Privacy is at the Center Draws advertisers away from high quality content 
 Incentivizes performance heck, multi-Mb websites 
 Insulting and abusive to users 
 Pushes users off Web, to closed platforms � 10

  11. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards processes makes privacy difficult 
 (and how it can be fixed) � 11

  12. 
 
 Overview Brave's goals on the web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 12

  13. 
 
 
 Privacy in Brave Tighter Default Storage Controls 
 Tor Integration 
 Resource Blocking 
 Web API / DOM Modifications � 13

  14. 
 
 
 Privacy in Brave Tighter Default Storage Controls 
 Tor Integration 
 Web Standards / W3C Resource Blocking 
 Web API / DOM Modifications � 14

  18. Web API Modifications

  19. Web API Modifications

  20. 
 Web Audio Fingerprinting Standard says websites can query hardware 
 Hardware is pseudo-identifying 
 Enough pseudo-identifiers yield a real identifier 
 So Brave breaks the standard… � 20

  21. 
 Breaking Standards for Privacy Hardware Detection: Font Enumeration: • Web Audio • Canvas • WebGL • SVG 
 • WebUSB Display Information: • Battery API 
 • Client Hints Network Information • WebRTC 
 Browsing History: • Referrer Policy 21 �

  22. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 22

  23. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 23

  24. Privacy vs Compatibility

  25. Three Standards 
 Privacy Anti-Patterns

  26. Three Standards 
 Privacy Anti-Patterns

  27. 1. Defined Functionality, 
 Non-Normative Mitigations 


  28. 
 
 
 Privacy Risk w/ Non-Normative Mitigations Privacy-harming / risky functionality 
 “Privacy considerations" section, but non-standardized mitigation 
 The Web assumes the dominant implementation, instead of the standard 
 Result: Harm is “locked in” / out of control of the standards process � 28

  32. 
 
 
 Result Well described functionality 
 Vaguely / undefined / unclear mitigations 
 Web assumes the defined functionality, privacy-harm gets locked in 
 Solution: Make mitigations normative and standardized! � 32

  33. 1. Defined Functionality, 
 Non-Normative Mitigations 
 2. Uncommon Use Case, 
 Common Availability 


  34. 
 
 
 Uncommon Use Case, Common Availability Genuinely useful functionality, for niche scenarios 
 Functionality is made widely available (first-party, third-party, frames, etc.) 
 Co-opted by tracking, code-paths assume availability 
 Result: can't be removed, even from irrelevant sites � 34

  39. 
 
 Widely Available 
 Sites / benign code expects 
 Removing / blocking breaks benign sites

  40. Lots of rare-use-case functionality Brightness sensors WebVR Machine Learning APIs High Resolution Timers Vibration WebGL operations Tracing APIs Many many many more… � 40

  41. 
 
 Lesson Learned Assume people will find bad uses for your functionality 
 General access -> difficult to remove / modify 
 Solution: Restrict access to the use cases you care about • User gestures • Permission prompts • Not-in-frames � 41

  42. 1. Defined Functionality, 
 Non-Normative Mitigations 
 2. Uncommon Use Case, 
 Common Availability 
 3. “No worse than the 
 status quo”

  43. 
 
 “No worse than the status quo” Privacy-harming / risky functionality 
 “Information is available elsewhere, so no additional harm” 
 Result: Web compat difficulty expands… � 43

  45. Client Server

  46. Client Server GET /index.html

  47. Client Server GET /index.html Accept-CH: DPR 
 Accept-CH: Viewport-Width

  48. Client Server GET /index.html Accept-CH: DPR 
 Accept-CH: Viewport-Width DPR: 2 
 Viewport-Width: 1434

  49. Values in Client Hints are Identifying Eckersley, Peter. "How unique is your web browser?." PETS 2010 
 Viewport height and width Laperdrix et al. ”Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints." S&P 2016. 
 Device color depth 
 Englehardt et al. "Online Tracking: A 1-million-site Measurement and Analysis.” CCS 2016 
 The above are being used often! � 49

  50. 
 
 Client Hints Authors’ Current Position This information is already available No further exposure / no marginal harm 
 Brave’s Concerns with the Client-Hints Proposal 
 https://brave.com/brave-and-client-hints/ � 50

  52. 
 
 Lesson Learned “Horizontal” privacy risk is technological debt 
 Same data in more places entrenches the risk 
 Solution: Treat all additional privacy risk as equally problematic � 52

  53. 
 
 Overview Brave's goals on the Web 
 How Brave protects privacy today 
 How the standards process makes privacy difficult 
 (and how it can be fixed) � 53

  54. 
 Conclusion Brave is working to improve the 
 Web for users, content creators and advertisers. 
 Privacy preserving standards are Pete Snyder 
 important to improving the Web. 
 Privacy Researcher 
 pes@brave.com 
 The standards process can be Pranjal Jumde 
 improved to help privacy. Security Engineer 
 pranjal@brave.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Privacy, Standards and Anti-Patterns Peter Snyder, Privacy Researcher, pes@brave.com

Privacy, Standards and Anti-Patterns Peter Snyder, Privacy Researcher, pes@brave.com

Privacy, Standards and Anti-Patterns Peter Snyder, Privacy Researcher, pes@brave.com Overview Standards as a privacy focused implementor How the standards process makes privacy difficult (and how it can be fixed)

467 views • 46 slides
Privacy Preserving Bandits Joint work with: Mohammad Malekzadeh (QMUL/Brave) Hamed

Privacy Preserving Bandits Joint work with: Mohammad Malekzadeh (QMUL/Brave) Hamed

Privacy Preserving Bandits Joint work with: Mohammad Malekzadeh (QMUL/Brave) Hamed Haddadi(ICL/Brave) Ben Livshits (ICL/Brave) Dimitrios Athanasakis (Brave) 02.03.2020 @dimmu Why this is an important topic Personalization

906 views • 23 slides
IoT's Brave New World: What it Means to Privacy Pros Today and Tomorrow IAPP KnowledgeNet

IoT's Brave New World: What it Means to Privacy Pros Today and Tomorrow IAPP KnowledgeNet

IoT's Brave New World: What it Means to Privacy Pros Today and Tomorrow IAPP KnowledgeNet Detroit July 29, 2015 Agenda Intros, announcements and administration Discuss privacy aspects of IoT 2 Intro Matters Future Meeting Dates

418 views • 11 slides
Brave, Fingerprinting and Privacy on the Web Me (the early years) Grew up in Chicago

Brave, Fingerprinting and Privacy on the Web Me (the early years) Grew up in Chicago

Brave, Fingerprinting and Privacy on the Web Me (the early years) Grew up in Chicago actual Chicago Law school, then freelance web design Started: Anchorage, AK Ended: Judge Judy Show invitation PhD in Computer Science

1.09k views • 105 slides
The Odyssey: challenges to model privacy threats in a brave new world Rafa Glvez and Seda

The Odyssey: challenges to model privacy threats in a brave new world Rafa Glvez and Seda

The Odyssey: challenges to model privacy threats in a brave new world Rafa Glvez and Seda Grses Motivation imec - ESAT/COSIC, KU Leuven Threat Modeling 1. Characterize the system 2. Identify the threats 3. Threat and Risk analysis

147 views • 12 slides
Towards Privacy Standards Based on Empirical Data Serge Egelman Erika McCallister 2 Previous

Towards Privacy Standards Based on Empirical Data Serge Egelman Erika McCallister 2 Previous

Towards Privacy Standards Based on Empirical Data Serge Egelman Erika McCallister 2 Previous Privacy Standards P3P had highly granular privacy options Major web browsers supported it >25% of the most popular websites supported

446 views • 8 slides
BUTTON PROJECT OVERVIEW PRESENTATION OVERVIEW Brave Technology Coop Brave Button Overview

BUTTON PROJECT OVERVIEW PRESENTATION OVERVIEW Brave Technology Coop Brave Button Overview

4/5/19 Brave Technology Cooperative BUTTON PROJECT OVERVIEW PRESENTATION OVERVIEW Brave Technology Coop Brave Button Overview Ongoing Project Highlights System Features Implementation Co-Design and Onboarding Testing and Installation

315 views • 5 slides
Designing Privacy into Systems (and what is the role of organizations developing standards)

Designing Privacy into Systems (and what is the role of organizations developing standards)

Designing Privacy into Systems (and what is the role of organizations developing standards) Hannes Tschofenig (IAB) Jon Peterson (IAB) Bernard Aboba (IAB) Karen Solins (MIT CFP PrivSec) Privacy In the context of this presentation the

674 views • 8 slides
Privacy Resilience and Techno-Policy Standards (?) The case of the W3C Julien Rossi

Privacy Resilience and Techno-Policy Standards (?) The case of the W3C Julien Rossi

Privacy Resilience and Techno-Policy Standards (?) The case of the W3C Julien Rossi julien.rossi@utc.fr @julienrossi Can privacy resilience be a property of the information and communication systems we use? And if so, then how? Standards

232 views • 21 slides
BEING BRAVE & THE SHIFT TO MEANING A Presentation to the PANA 29 August 20 19 Philip

BEING BRAVE & THE SHIFT TO MEANING A Presentation to the PANA 29 August 20 19 Philip

BEING BRAVE & THE SHIFT TO MEANING A Presentation to the PANA 29 August 20 19 Philip Tiongson T: @Ptiongson || @HavasOrtega www.havasortega.com For internal sharing only. Not for public distribution BRAVE UNIQUE NOVEL DIFFERENT

1.13k views • 92 slides
Surviving Th e Mam m y Com p le x: Be in g Th e On ly In A Brave Ne w W orld

Surviving Th e Mam m y Com p le x: Be in g Th e On ly In A Brave Ne w W orld

Surviving Th e Mam m y Com p le x: Be in g Th e On ly In A Brave Ne w W orld Deena A. Sellers Faculty, Modern and Classical Languages and English Departments Diversity Coordinator Xavier High School, New York, NY But

395 views • 16 slides
Faculty Professional Development as Shared Brave Space 4CSD Conference Breakout Session #2

Faculty Professional Development as Shared Brave Space 4CSD Conference Breakout Session #2

Faculty Professional Development as Shared Brave Space 4CSD Conference Breakout Session #2 16 March 2017 Kristine Oliveira and Michelle Hernandez Antelope Valley College How can academic professionals engage in Brave Spaces in our own

468 views • 19 slides
Brave Browser & Basic Attention Token Blockchain and new revenue models NOVEMBER 27, 2018

Brave Browser & Basic Attention Token Blockchain and new revenue models NOVEMBER 27, 2018

Brave Browser & Basic Attention Token Blockchain and new revenue models NOVEMBER 27, 2018 Twitter: @brave Early days of the web This simple ad spawned a huge industry Data source: www.lumapartners.com for graphic and World Federation

603 views • 39 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
CHALLENGE HANDLING MASSIVE STREAMING DATA COLIN MACNAUGTHON NEEVE RESEACH WHO IS NEEVE

CHALLENGE HANDLING MASSIVE STREAMING DATA COLIN MACNAUGTHON NEEVE RESEACH WHO IS NEEVE

THE IOT APPLICATION CHALLENGE HANDLING MASSIVE STREAMING DATA COLIN MACNAUGTHON NEEVE RESEACH WHO IS NEEVE RESEARCH? Headquartered in Silicon Valley Creators of the X Platform - Memory Oriented Application Platform. Passionate

607 views • 26 slides
TheCOMOProject PereBarletRos,UPCBarcelona

TheCOMOProject PereBarletRos,UPCBarcelona

TheCOMOProject PereBarletRos,UPCBarcelona GianlucaIannaccone,IntelResearchBerkeley Disclaimer Thispresenta@onfocusesonCOMOv2.0thatis

482 views • 19 slides
Achieving Secure Continuous Delivery (cont..) --lightning talk-- Nikos / Jesus / Lucian

Achieving Secure Continuous Delivery (cont..) --lightning talk-- Nikos / Jesus / Lucian

Achieving Secure Continuous Delivery (cont..) --lightning talk-- Nikos / Jesus / Lucian April 2018 Typical discussions X Pain points Same problem in 2018! Security requirements appear (dark magic!) when project is almost finished

320 views • 13 slides
VIRTUAL LEGAL ROUNDTABLE 2019 EFS MASTER CLINICAL TRIAL AGREEMENT Liliana Rincon-Gonzalez,

VIRTUAL LEGAL ROUNDTABLE 2019 EFS MASTER CLINICAL TRIAL AGREEMENT Liliana Rincon-Gonzalez,

VIRTUAL LEGAL ROUNDTABLE 2019 EFS MASTER CLINICAL TRIAL AGREEMENT Liliana Rincon-Gonzalez, PhD Program Director, Clinical Science Medical Device Innovation Consortium Jaime Walkowiak, JD Chief Operating Officer, Baylor Scott & White

413 views • 19 slides
Unde nderstandi nding ng the he Evolvi ving ng Interne rnet Ram Durairajan Assistant

Unde nderstandi nding ng the he Evolvi ving ng Interne rnet Ram Durairajan Assistant

Unde nderstandi nding ng the he Evolvi ving ng Interne rnet Ram Durairajan Assistant Professor, Computer and Information Science Co-director, Oregon Networking Research Group University of Oregon 0 In Inter erne net t is is a a co

742 views • 26 slides
Do You Know What Your I/O Is Doing? (and how to fix it?) William Gropp

Do You Know What Your I/O Is Doing? (and how to fix it?) William Gropp

Do You Know What Your I/O Is Doing? (and how to fix it?) William Gropp www.cs.illinois.edu/~wgropp Messages Current I/O performance is often appallingly poor Even relative to what current systems can achieve Part of the problem is

350 views • 24 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak12/ Fall 2012

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak12/ Fall 2012

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak12/ Fall 2012 Sonja Buchegger buc@kth.se Lecture 9 Firewalls (maybe start on Multilevel Security) DD2395 Sonja Buchegger 1 Catch-up Labs l Labbvecka in June

540 views • 35 slides
Artificial Intelligence Games need opponents that are challenging, or allies that are helpful

Artificial Intelligence Games need opponents that are challenging, or allies that are helpful

10/4/2012 Introduction to Artificial Intelligence (AI) Many applications for AI Computer vision, natural language processing, speech recognition, search But games are some of the more interesting apps Artificial Intelligence

519 views • 8 slides

More recommend