

  1. PrivacyMail: Towards Transparency in Email Tracking
     Max Maass, Stephan Schwär, Matthias Hollick
     Secure Mobile Networking Lab, TU Darmstadt
     31.05.2019 | Technische Universität Darmstadt

  2. Oh no, another online tracking talk?!
     Slides & Paper: https://maass.xyz/talk/gpn2019/

  3. Three reasons to keep listening

  4. Wait, Email tracking?

  5. Wait, Email tracking?
     Tracking views
     • Remote images
     • Remote style sheets
     Tracking interactions
     • Personalized links
     Linking identities
     • Email is used on multiple devices
     • Allows linking the advertising profiles

  6. What's the big deal?
     Tracking is highly prevalent: between 24% [3] and 85% [1] of Emails contain tracking.
     The website knows [2]:
     • If you opened the Email
     • When you opened the Email
     • Which device you used
     • Potentially linking it to other profiles online
     • Which software you used
     • Where you were (IP-based geolocation)
     This data can also be shared with others using HTTP redirects for cookie syncing [1].

  7. How can we detect it?
     Static Analysis: used in [2, 3]
     Dynamic Analysis: used in [1]
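     As an added illustration of the static-analysis approach from slide 7 (this is example code written for this transcript, not PrivacyMail's own code), the following script parses a constructed HTML newsletter, separates what the mail client fetches on view (remote images, style sheets; slide 5) from what it fetches on click (links), reports which registrable domains are third parties relative to the sender, and flags 0/1-pixel remote images with a query string as tracking-pixel candidates. The HTML and the domains example.org and tracker.example are placeholders constructed for the example.

```python
"""Static analysis of an HTML newsletter: which remote resources are fetched
on view (images, style sheets) and on click (links), which of their domains
are third parties relative to the sender, and which images look like
tracking pixels.  Added example, not PrivacyMail's code; the HTML and the
domains example.org / tracker.example are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample newsletter: sender-hosted logo and style sheet, a 1x1
# third-party image with a per-recipient query string, a personalised
# redirect link through the same third party, and a first-party link.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.org/news.css">
</head><body>
<img src="https://images.example.org/logo.png" width="200" height="50">
<img src="https://track.tracker.example/open?u=123&amp;c=456" width="1" height="1">
<a href="https://click.tracker.example/r?u=123&amp;url=https%3A%2F%2Fexample.org%2Fsale">Sale</a>
<a href="https://example.org/unsubscribe">Unsubscribe</a>
</body></html>
"""

REMOTE = ("http://", "https://")


class EmbedExtractor(HTMLParser):
    """Collects the remote resources an HTML mail loads on view and on click."""

    def __init__(self):
        super().__init__()
        self.on_view = []    # (url, looks_like_pixel)
        self.on_click = []   # link targets

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src", "").startswith(REMOTE):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.on_view.append((a["src"], tiny))
        elif tag == "link" and a.get("rel", "").lower() == "stylesheet" \
                and a.get("href", "").startswith(REMOTE):
            self.on_view.append((a["href"], False))
        elif tag == "a" and a.get("href", "").startswith(REMOTE):
            self.on_click.append(a["href"])


def registrable_domain(host):
    """Last two labels of the host.  Simplification (assumption): a real tool
    would consult the Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(html, sender_domain):
    """Third-party domains contacted on view and on click, plus pixel candidates:
    remote images of width or height 0/1 that carry a query string."""
    parser = EmbedExtractor()
    parser.feed(html)
    sender = registrable_domain(sender_domain)

    def third_parties(urls):
        return sorted({registrable_domain(urlsplit(u).hostname) for u in urls} - {sender})

    return {
        "view_third_parties": third_parties([u for u, _ in parser.on_view]),
        "click_third_parties": third_parties(parser.on_click),
        "pixel_candidates": [u for u, tiny in parser.on_view
                             if tiny and urlsplit(u).query],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HTML, "news.example.org").items():
        print(key, value)
```

     Run on the sample, the view and click sets each contain the one third party tracker.example, and the 1x1 image is the only pixel candidate. Static analysis of this kind never follows the links, so it cannot see the redirect chains that dynamic analysis (slide 7, used in [1]) records.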

  8. Prior Work
     Three studies on Email privacy:
     • Englehardt et al. [1]: Dynamic analysis of newsletters of popular websites. Find widespread tracking and information leakage. Also evaluate defensive measures.
     • Xu et al. [2]: Static analysis of their own Email accounts and newsletters from top websites. Evaluated privacy risks. Also performed a study about user acceptance of tracking.
     • Hu et al. [3]: Static analysis of a large corpus collected from disposable Email services. Also studies risks of using disposable Email systems.
     Similar systems for web privacy:
     • PrivacyScore.org [4, 5]
     • Webbkoll.dataskydd.net [6]

  9. Registering a Service
     "I want to sign up example.com"
     "Please use john.doe@domain.com"
     "Hi, I am john.doe@domain.com"
     "Please confirm your registration"
     "Registration confirmed" (after manual inspection)
     "Here's your Newsletter"

  10. Dynamic Analysis
     Pipeline components: Mail server, Crawler, OpenWPM, Analyzer, DB

  11. Live Demo

  12. Results – Third Party Prevalence
                        # of services   Percentage of total
     Embeds on view     112             82 %
     Embeds on click    104             76 %
     Embeds either      116             85 %
     Results from 136 newsletters, 10 208 Emails analyzed

  13. Results – Third Party Prevalence
     Third Party        Embed Count   Type
     mailchimp.com      16            Tracker
     googleapis.com     12            CDN
     gstatic.com        12            CDN
     list-manage.com    11            Tracker
     srv2.de            10            Tracker
     ioam.de            8             Tracker
     cloudfront.net     6             CDN
     amazonaws.com      6             CDN
     exactag.com        4             Tracker
     mojn.com           4             Tracker
     Results from 136 newsletters, 10 208 Emails analyzed

  14. Results – Cookie Syncing
     1. http://li.fastcompany.com/imp?[...]&e=<plaintext email address>&p=20182
     2. http://p.liadm.com/imp?[...]m=<MD5 1>&sh=<SHA1>&sh2=<SHA256>[...]&dom=<plaintext email domain>
     3. http://i.liadm.com/s/h/33013?m=<MD5 1>&sh1=<SHA1>&sh2=<SHA256>[...]
     4. http://i.liadm.com/s/h/33013?sh2=<SHA256>&[...]&m=<MD5 1>&[...]&sh1=<SHA1>&previous_uuid=<UUID 1>
     5. http://sync.mathtag.com/sync/img?mt_exid=36&redir=http%3A%2F%2Fi.liadm.com%2Fs%2Fe%2F33013%2F0%2F<MD5 3>%3Fmpid%3D7156%26muid%3D%5BMM_UUID%5D&licd=27296&previous_uuid=<MD5 3>
     6. http://sync.mathtag.com/sync/img?mt_exid=36&redir=http%3A%2F%2Fi.liadm.com%2Fs%2Fe%2F33013%2F0%2F<MD5 3>%3Fmpid%3D7156%26muid%3D%5BMM_UUID%5D&licd=27296&previous_uuid=<MD5 3>&mm_bnc&mm_bct
     7. http://i.liadm.com/s/e/33013/0/<MD5 3>?mpid=7156&muid=<UUID 2>

  15. Results – Email Address Disclosure
     Leak Algorithm   # Services   Examples
     MD5              9            Expedia.de, asgoodasnew.com
     URLencode        7            spd.de, humblebundle.com
     SHA-256          6            Ticketmaster.de, lidl.de
     Plaintext        5            spd.de, suedkurier.de
     Base64           3            Expedia.de, booking.com
     SHA-1            2            Fastcompany.com

     Leak Algorithm   # 3Ps
     MD5              15
     URLencode        12
     SHA-256          10
     Plaintext        8
     Base64           3
     SHA-1            2
     Results from 136 newsletters, 10 208 Emails analyzed
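     The following script is an added example for slides 14 and 15 (written for this transcript; it is not PrivacyMail's code): given the recipient address, it checks every URL a mail causes the client to request for the six encodings from the slide 15 table (plaintext, URL-encoded, Base64, MD5, SHA-1, SHA-256), percent-decoding repeatedly so that an identifier inside an encoded redirect parameter is still found, and it records which registrable domains received each form, counting the host named in a redirect target as a recipient, which is what makes the cookie-syncing chain on slide 14 visible. The address john.doe@domain.com is the placeholder from slide 9; the request chain and the domains newsletter.example, partner-a.example and partner-b.example are constructed after the pattern of slide 14, not real observations.

```python
"""Checks the URLs an email makes the client request for the recipient's
address in each encoding listed on slide 15, and records which domains
received which form, including hosts named in percent-encoded redirect
targets as in the cookie-syncing chain on slide 14.  Added example, not
PrivacyMail's code; the address and the chain below are constructed and the
domains are placeholders."""
import base64
import hashlib
from urllib.parse import parse_qsl, quote, unquote, urlsplit

HASHES = ("md5", "sha1", "sha256")
RECIPIENT = "john.doe@domain.com"   # placeholder address, as on slide 9


def address_encodings(email):
    """Every form of the address the study found in URLs.  The address is
    hashed as given; a fuller tool would also try normalised variants."""
    raw = email.encode()
    return {
        "plaintext": email,
        "urlencode": quote(email, safe=""),
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def decoded_forms(text, depth=3):
    """The text plus successive percent-decodings, so an identifier inside
    an encoded redirect parameter is still visible."""
    forms, cur = [text], text
    for _ in range(depth):
        nxt = unquote(cur)
        if nxt == cur:
            break
        forms.append(nxt)
        cur = nxt
    return forms


def find_leaks(url, email):
    """Names of the encodings of `email` present in `url`.  Hashes match
    case-insensitively; 'plaintext' must appear before any decoding, so a
    percent-encoded address is reported as 'urlencode' only."""
    found = set()
    forms = decoded_forms(url)
    for name, needle in address_encodings(email).items():
        candidates = forms[:1] if name == "plaintext" else forms
        for form in candidates:
            if name in HASHES:
                hit = needle.lower() in form.lower()
            else:
                hit = needle in form
            if hit:
                found.add(name)
                break
    return found


def registrable_domain(host):
    """Last two labels (assumption: no multi-label public suffixes here)."""
    return ".".join(host.lower().split(".")[-2:])


def recipients_per_encoding(urls, email):
    """Maps each leaked encoding to the sorted domains that received it.  The
    host of a URL carried in a query parameter counts as a recipient too,
    since a redirect hands the identifier on to that host."""
    out = {}
    for url in urls:
        parts = urlsplit(url)
        hosts = {parts.hostname}
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            for form in decoded_forms(value):
                if form.startswith(("http://", "https://")):
                    hosts.add(urlsplit(form).hostname)
                    break
        for name in find_leaks(url, email):
            out.setdefault(name, set()).update(registrable_domain(h) for h in hosts)
    return {name: sorted(domains) for name, domains in out.items()}


ENC = address_encodings(RECIPIENT)
# Constructed chain after the pattern of slide 14: plaintext address at the
# sender's click tracker, three hashes passed to partner A, then partner B
# receives the MD5 and, inside a percent-encoded redirect back to partner A,
# the Base64 form; finally a URL-encoded address in a first-party link.
SAMPLE_CHAIN = [
    f"http://li.newsletter.example/imp?e={RECIPIENT}&p=20182",
    f"http://p.partner-a.example/imp?m={ENC['md5']}&sh={ENC['sha1']}"
    f"&sh2={ENC['sha256']}&dom=domain.com",
    "http://sync.partner-b.example/sync/img?mt_exid=36&redir="
    + quote(f"http://i.partner-a.example/s/e/33013/0/{ENC['base64']}?mpid=7156", safe="")
    + f"&previous_uuid={ENC['md5'].upper()}",
    f"http://newsletter.example/unsub?e={quote(RECIPIENT, safe='')}",
]

if __name__ == "__main__":
    for url in SAMPLE_CHAIN:
        print(sorted(find_leaks(url, RECIPIENT)), url)
    print(recipients_per_encoding(SAMPLE_CHAIN, RECIPIENT))
```

     On the constructed chain the MD5 and Base64 forms end up at both partners while the SHA-1 and SHA-256 forms stay with partner A, which is the per-third-party view the second table on slide 15 gives. The Base64 form is only found after decoding the redirect parameter, because its "=" padding is percent-encoded in the raw URL; this is why a detector has to decode repeatedly rather than match the raw request line.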

  16. Decoding hashed Emails is hard, right?
     datafinder.com/products/email-recovery
     developer.myacxiom.com/code/api/endpoints/hashed-entity

  17. Results – A/B Testing
     A/B testing detected by comparing related Emails (time, title, …)
     3 sites use A/B testing, all of them online shops

  18. Lessons Learned from Prior Email Privacy Research
     • Lack of awareness in the general population [2]
     • Useful defense mechanisms are missing
     • "Asking nicely" probably won't work
     • Ad-blocking lists have bad coverage for Email tracking [1]
     • "Just use plaintext mail only" works for experts, but does not work for entire populations
     • "Don't load remote content" defends against view-tracking, but not click-tracking
     • We attempt transparency for online tracking [4], but had mixed success in the past [5]

  19. Conclusion
     • Web tracking is only part of the online privacy picture
     • Email tracking should be considered a threat
     • We provide a transparency system
     • Feel free to use it: https://PrivacyMail.info/
     • Problems? Ideas? Pull Requests? https://github.com/PrivacyMail/PrivacyMail
     • Want access to the data? Contact me! mmaass [at] seemoo.tu-darmstadt.de

  20. Literature and Acknowledgements
     [1] Englehardt, S., Han, J., Narayanan, A.: I never signed up for this! Privacy implications of email tracking. Proc. Priv. Enhancing Technol. (2018).
     [2] Xu, H., Hao, S., Sari, A., Wang, H.: Privacy Risk Assessment on Email Tracking. In: IEEE INFOCOM (2018).
     [3] Hu, H., Peng, P., Wang, G.: Characterizing Pixel Tracking through the Lens of Disposable Email Services. In: IEEE Security & Privacy (2019).
     [4] Maass, M., Wichmann, P., Pridöhl, H., Herrmann, D.: PrivacyScore: Improving Privacy and Security via Crowdsourced Benchmarks of Websites. Lect. Notes Comput. Sci. 10518 LNCS (2017).
     [5] Maass, M., Walter, N., Herrmann, D., Hollick, M.: On the Difficulties of Incentivizing Online Privacy through Transparency: A Qualitative Survey of the German Health Insurance Market. In: 14. Internationale Tagung Wirtschaftsinformatik (2019).
     [6] Andersdotter, A., Jensen-Urstad, A.: Evaluating Websites and Their Adherence to Data Protection Principles: Tools and Experiences. In: IFIP Advances in Information and Communication Technology (2016).
     Part of this research was funded by the DFG as part of subproject C.1 within the RTG 2050 "Privacy and Trust for Mobile Users".
     Image source: pixabay.com (public domain images)
