 I am going to be speaking about an elephant in the room of a topic, privacy. My name is Himanshu and I am a front-end engineer at GitLab. So the battle between browsers and trackers is not something new. As a web developer, I am all for privacy of users, the prospect of consent and protecting the data of users and not sharing it with unauthorized third parties. But I also have the experience of working for the other side. As a JavaScript developer who has worked on circumventing browser release, the anti-tracking fixes that browsers have released, I have worked on circumventing those. And as someone who has done that, I cannot help but feel like a spy in this big battle of privacy. It's a cat-in-the-mouse game where browser vendors and trackers keep upping their game in each iteration. So first, let us start with the basic question, why should I care about my privacy? You might say that I don't really care about my privacy, I have nothing to hide. Or sometimes you might even say that privacy is a myth, but let me ask you this. Do you lock your home when you leave or do you draw the curtains when it gets dark? If your answer is yes to any of these questions, why should your privacy on the internet be any different? Why do we all have passwords on our email IDs and Facebook accounts if privacy doesn't matter anyway? We should probably be sharing our passwords with everyone. Maybe it would be easier if I answered this question instead. Why is being tracked bad for us? And to answer that question, we need to answer another question first. What are trackers really capable of doing? So the trackers, they can track visitors and conversions. What that means is they can track you across websites, you visit, and they can track your conversions. The conversions could be anything from a page visit to sign up or a purchase or a checkout. They can do AB testing, which means they can show different variations of different pages to different people. They can do interest-based segmentation and based on what your interests are, they can bucket you into different groups. And once you're bucketed into different groups, they can target you with various advertisements. They can track where you click on a particular website, and they can generate a heat map of things, heat map of which are the strongest portions of a website. And finally, they can take all of this information together and identify patterns using machine learning and build a data profile out of you. Some of the trackers can go as far as recording an entire video of your session and sending it to a third party. But honestly speaking, most of the advertisers and trackers just want to make money out of you. They do that in the pretext of giving you better ads, but are they really better? Let's find out. Let's look at how advertising works. Let's say a user wants to visit a particular website, and that website has an advertisement. That advertisement goes to an ad provider, and that ad provider identifies what segment the user is from, and let's say the advertiser uses some ethical segments which are non-personal. This could be location, IP address, browser, operating system, or referrer. And based on these ethical segments, the ad provider determines that there are three advertisers that are bidding on that slot for advertisement, and whoever bids the highest gets the slot. This is an idle world scenario where none of your personal information is being used to display the advertisement, so this is an ethical advertisement. But let's look at another example where there is an unethical advertising. Let's say there is an example of a 26-year-old male who spends a lot of money on Clash Royale. Now that person visits the website, and he sees the advertisement, and the ad provider goes through the segment, but in this case, some unethical segments are used. They could be age, gender, race, religion, or spending habits. And based on these segments, I see that there are some advertisers, and one of the advertisers has bid a high bid of $50. The pretext of this is that this person is spending a lot of money on Clash Royale, so if I bid really high, it is very likely that this person is going to spend a lot of money on this particular game as well. So that unethical advertiser is using your personal data to put a higher price on you so that they can get more money out of you. But you might say, that's not really so bad, right? That's probably okay, but let me tell you a better story. This is a story about Cambridge Analytica. At the University of Cambridge Psychometric Center, Michael Kazinsky created the My Personality Facebook app. So this app is basically a set of questionnaires that you send to people, and this is purely a research project for academic reasons. And they used Ocean Psychological Model to identify details about the user who is doing the questionnaire. So based on psychometrics and Facebook data, they combined the results of the questionnaire and built the largest dataset ever. This dataset could predict a person's details like skin color, sexual orientation, drug use, cigarette alcohol use, their political affiliation, and their religious interests. And they could do this better than anyone who personally knows that person could do. Cambridge Analytica asked Michael for access to this data. Michael said no when he realized that Cambridge Analytica is actually a subsidiary of Strategic Communication Laboratories, which is a massive data company that is involved in influencing elections. So Strategic Communication Laboratories has been involved in helping the Nepalese monarch against rebels. They have been involved in influencing elections from Nigeria to Ukraine. However, they found someone else at Cambridge Psychometric Center to create a similar app. And they combined Ocean Psychological Models with electoral roles. And they analyzed using that data, they analyzed the needs and fears of Americans. They combined that data with addresses of people. They combined that with voting habits. And they created such a last dataset. And SCL has worked, Cambridge Analytica and SCL have worked for both exit and Trump campaigns. And while we are not really sure of to what extent psychometrics were used in manipulating people like this, but we do know that it was that this information was used to target a certain group of people on Facebook timeline. And you can actually go to this URL and find out more about this huge data scandal that happened about two years ago. In fact, some of the African American people claim that they saw ads about Hillary Clinton calling African American people super predators. Although this video is very old from 96, it was used to target target black community against Hillary Clinton. So is this manipulation, is this marketing or is this manipulation? So yeah, let's take a deep breath here and let's go a little deeper into how the trackers actually use all of this information. How do they get this information from you? It's pretty simple. Actually, they use a concept that we are all aware of cookies. Yes, cookies, not these cookies, but browser cookies. Let's dive into a little bit of history about cookies. They were created in 1994 by Netscape. The primary reason cookies were created was that the person who created cookies was creating a shopping cart, actually, and he did not want to store the contents of shopping cart on the server. He wanted to store the contents on the client side so that server can save a lot of cost because it was quite expensive back then. And while it was created for this innocent use case, just two years later, privacy concerns regarding cookies were raised and New York Times went as far as calling cookies surveillance files. It was quite far ahead back in those days, but it's quite a reality today. You can read more about the concerns and the articles in the below links. But when cookies were designed, one of the major restrictions that were placed on cookies was that a cookie on a domain cannot be accessed by a website on different domain. So if you visit facebook.com and it stores a cookie to identify who you are, and let's say then you go on to visit some personal blog and that personal blog also has a cookie to identify who you are. In this particular case, Facebook cannot read the cookie on the blog and the blog cannot read the Facebook cookie either. That is how it should be. But how does Facebook actually track you across the internet? Let's say that person who runs this blog actually places a like button on this website. When that like button code is run, it sends a request to facebook.com and a particular URL and as it sends a request to that particular URL, it also sends the cookies that would created earlier on Facebook. So now Facebook knows that you have visited this blog and Facebook can potentially also access the client side cookies and information on that particular blog. I'm just using Facebook as an example here, but the trick is really simple. You just have to convince people to put your code on as many sites as possible. Facebook has it easy because everyone wants a like or a share button on their website. Google also has it easy because everyone wants their ads or Google analytics on their website. You might have seen privacy policies like these all across the internet. How many of you have actually read through any of the privacy policies? I don't think anyone actually reads through them, but just a couple of months ago I had to write my own privacy policy because I was I was developing an app for Apple App Store and Google Play and that required me submitting a privacy policy, so I had to list down what all information I am sharing and with whom I am sharing it with. So if I have to based on the privacy policy, if I have to look at what where the data is going based on the privacy policy, it is going to these particular services and these third party services could potentially sharing that data I shared with them with n number of services and before you know it, this is what your graph looks like. Your data is being shared everywhere and what eventually happens is one at one endpoint. Your data goes into some warehousing or analytics agency and that data is mined and sold to some company. I actually read through some privacy policies of various websites and if you go through the details of them, you will see that there are lots of third party cookies that websites are using. If you look at CNET, they can actually use up to 100 third party cookies. If you are listening to music on last.fm, you could be using 82 third party cookies. If you are reading news on New York Times, it could be using 57 third party cookies. If you are connecting with your social professional network on LinkedIn, you could be using 28 third party cookies and some sites take it to the extreme. The parent company of Yahoo, Verizon states that some of its web pages could be using up to 455 third party cookies, granted not all at the same time, but that's the extent of where your data is actually going. Not all of those cookies are going to track you and some of those are actually necessary for to maintain login information and all those things, but most of those cookies, like maybe 90% of those cookies, don't serve the user. They are there to serve ads and make money out of you and cookies are everywhere. If you go to top 100 websites and click any two links, you will get 12,000 cookies. You can delete cookies, but persistent trackers will respond them. Cookies share, sometimes cookies share IDs. So even if you delete one cookie and even if one cookie is respond, that means all of the partners of that agency can be able to respond the entire network of cookies. Coming to the next part of my talk, this little game of chess between browser vendors and trackers. So browser vendors have been doing lots of efforts to curb this menace of tracking. And with each iteration, the trackers also have been upping their game as well. Let's look at some of the anti-tracking measures that have been taken by browser. The biggest one is private browsing or incognito mode, which allows you to browse the internet without any cookies, at least for that session, without any cookies, history or cache. And then Safari introduced intelligent tracking prevention, which basically uses a machine learning classifier to classify certain websites as tracking websites and restricts certain features for them. And some browsers like Firefox recently has been doing the disabled third-party tracking. And Firefox has been also been maintaining using this open source list of trackers on disconnect.me, which is basically a list of trackers categorized by severity. So let's talk a little bit about private browsing. As I said, it can be used to browse the web anonymously without any cookies, browsing history or cache. But trackers have been finding loopholes to set up paywalls. Let's say if you visit some website in incognito mode, they know that they cannot track you, so they will ask you to pay money. So they can use certain APIs that are not available in incognito mode. In Chrome, file system API is not available, which was passed in Chrome 74. And in Firefox, index DB is not available in incognito mode. And in Safari, local storage is not available in incognito mode. So if you just check for these features, you can for sure say that the person is using incognito mode. And this is actually a very late check that happens very later on because the first check is obviously the cookie. So this is what the code looked like if you were to detect incognito mode in Chrome before Chrome 74. You just use the file system. If the file system request for temporary file system, temporary storage is granted. That means you are not in incognito, otherwise you are in incognito. It's pretty simple, but they fixed it in Chrome 74. But just two days after the fix was released publicly in Chrome 76, it was in beta and Chrome 74 under the feature flag. There was a new leak that happened and using storage again using temporary storage quotas if the available temporary storage quota is less than 120 MB, that means the person is in incognito mode. There was some research on how this number came to be and you can look at the research on this article. This was done by Vikas Mishra. So because of his research, now we have this back again. So if you look at New York Times in incognito mode, it will ask you to log in or subscribe. Fari has been doing similar work to prevent tracking in ITP. So let's talk about ITP 1 and 2. So when ITP 1, they introduced a machine learning classifier which uses an internal proprietary algorithm by Apple to classify certain sites as tracking websites. So if the classifier determines that a particular website is a tracker, then their cookies will be partitioned after 24 hours, which means that their first party cookies, suppose Facebook, I'm visiting facebook.com, that is my first party cookie. And if I'm using a like button on some other website, that's the third party cookie. So it partitions the first party and third party cookies and third party cookies cannot be used on to do things like a like or a share button after 24 hours. ITP 1.1 added storage access API just in case someone is OK with sharing their data, you will get a pop like this in Safari. Hey, do you want to allow Facebook.com to use cookies and websites while browsing Buzzfeed? So usually actually explicitly have to allow them to share the data with Facebook. So if you do that, then the partitioning is you can you can the cookies can be used in third party context in ITP 2.0, they disabled one, the 24 hour access altogether and you have to use the storage access API all the time. If you want to access cookies in third party context. But instead of following the rules, crackers went a step ahead and ignored the rules and they bypassed them. They moved the cookies to first party context. So instead of storing data in third party context on Facebook.com, let's say on on some tracking websites domain, they stored it on the client's domain and they just share tracking IDs like I talked about the tracking IDs that were shared earlier. Just based on that tracking IDs, they just identify who the person is and then sync the data using other methods like course and Apple realized that Apple realized that people are moving from third party context to first party context and they blocked first party context also a little bit. So they blocked they added a restriction to make sure make client side cookies expire after seven days. So client side cookies are any cookies that are not STTP only and are created using document.cooking. And for ITP 2.2, which was released just like two weeks after ITP 2.1 in around April this year, they restricted social traffic coming from social networks to just one day. If basically if any URL has if the URL that the person is visiting has any query parameters like FB ID or something, then the cookies on the client side will expire in just 24 hours, no matter what you said the expiry to. And again, I have personally worked on something to bypass this. So practice started maintaining redundancy. We can't use cookies. Okay. So let's store it instead and they blocked client side cookies. So let's store the cookies on server instead, although it requires a little bit effort on on the target website. But yeah, that's doable because there's no restriction on the server side cookies. Yeah. And browsers started using a disconnect.me list. Like if you are listed on that disconnect.me list, it's kind of like a death note. You are identified as a tracker and one day you will be blocked permanently. So and some of the sites based on based on the severity are blocked completely. Trackers came up with a new solution. They just see name it. Let's say if Google Analytics is blocked. I just have to add a sub domain and see name it to Google Analytics and load the script from there instead of the actual URL. So even though Google Analytics might be blocked, I can still use g.mywebsite.com and that is not in the disconnect.me list. So I bypassed it. But yeah, after all the stock of cookies and incognito mode and all that, the browsers, the trackers, they have the ultimate weapon, fingerprinting. Fingerprinting means getting bits and pieces of information about you, about where you come from and about your browser, about your operating system, about what plugins you have installed, about what system fonts you have installed, and what your canvas fingerprint is. And I can take all of these little fingerprints and put and give a sign and ID to you. And based on that, I can identify who you are no matter what, no matter if you use incognito mode or if you use, if you keep on deleting your cookies or whatever. If you would like to look at what your fingerprint looks like and how unique it is, you can just visit this URL. If you want to look at what your canvas fingerprint is, you can visit this URL browserleaks.com slash canvas. A canvas fingerprint is basically a piece of text on a canvas, two pieces of text overlaying each other on a canvas. Because all CPUs and GPUs are a little different, the rendering output or the PNG output of canvas will be a little different from machine to machine. And using that, I can actually identify you uniquely. Folks is doing a lot of effort to prevent fingerprint tracking, fingerprint scanning like this. But it needs to be in strict mode for that. So yeah, let's take a deep breath here again and think about what all we can do. Edwards Snowden surprisingly revealed that, unsurprisingly revealed that NSA is not made of magic. It still uses cookies to track you. And with little steps you can take to protect yourself from tracking. You can protect yourself from even the most sophisticated trackers. First of all, you should start using private browsing board. That will allow you to, if certain websites are blocked in private browsing, you can just fire up a new instance of Chrome. There are some commands in command line you can use to do that. And don't share your details when you don't have to. Like for instance, when you have to sign up for a service but you don't really care about the service, you can do it using this little website called 10minutemailemail.com. Just visit this website. You will get an email ID for 10 minutes. And just don't share your personal details like email address, phone number, and address if you don't have to. And you should use privacy friendly browsers like Firefox, Safari, or Brave. And for what it's worth, you should maybe turn on strict board even though it might break a few websites for it for you. But it's probably worth it for the gain that you are protected from crypto miners, fingerprinters, and third party tracking cookies. You can also use some browser plugins like Privacy Badger or Ghostry. You can use some privacy friendly search engines like DuckDuckGo. If you would like to know more about privacy friendly search engines, you can just visit this URL. Later on, the slides are shared in the proposal link. And finally, when you're actually accepting the terms of cookies and accepting the privacy terms, just don't click that I'm okay with that button and see if you can actually manage your settings. This Guardian website has my options setting, and it gives you two options here. It lets you set your personalized preferences. I could either say that I'm okay with personalized ads or I'm not okay with personalized ads. So the example I gave you about non-personalized ads, it will not use any of your personal information to target you with advertising. So you could just opt for this option wherever it is available. Or maybe if you don't want to hide your behavior, you can fake your online behavior. This particular tool, TrackMeNot, can be used to send fake search engine queries to tracking search engines. So when you see ads of things, the advertising provider does not really know what you actually searched about. Whether you searched about security or you searched about My Little Pony. Similarly, this tool ad nauseam will actually hide the ads, but it will also click all the ads underneath it. So if you use this plugin, the ad vendors might think that you are into everything from clothes to shopping to movies to guns to My Little Pony. You could also manually block known trackers using an ETC host entry. You could set up a custom DNS server where you can block certain trackers. You can use the disconnect.me list again. This is for people who don't want to use Firefox for that. You can use Pyhool to set up a DNS server and then you can block certain websites from there. And as I said before, you can opt out of tracking when possible. So yeah, to conclude with Little Steps, we take, we can actually prevent this mess from blowing out of proportion. Thank you. If you have any questions, please ask. Otherwise, you can reach out to me on Twitter or outside for a conversation. Hi. That was a really good talk. You mentioned tracking primarily from an advertiser's perspective. Yeah. There are scenarios where tracking is done for other cases as well, apart from advertiser. You mentioned about Cambridge Analytica and so on as well, but can you just list out other cases that you have seen where people are tracking? Yes, I mentioned actually earlier what trackers are capable of doing. So in that part, I mentioned that they are capable of doing A V test. They can do, they can record a video for your entire session. They can do analysis of conversions, how you are performing. They can do A V test and all sorts of things as well. So in the security field, we currently speak about something called APT, Advanced Persistent Threat, which is, you know, you're not targeting a group of people, but you pick a specific person, an individual, you know, and you do, you do a specialized attack for them. So from a tracking perspective, is it possible to like pinpoint one individual and then track their behavior across different things? Yes, definitely it's possible. Because you have all the information about users, you have created, it is possible to create personas around them and you can target a particular person as well. But most of the trackers, they are trying to make money out of you. They don't really want to hack your information. So it is unlikely that tracking services will actually try to hack you, but some hacker might use the data that is purchased from, that went to some data analytics company and then it was purchased and then it was created like I talked about the Cambridge Analytica example that some specific groups were targeted to pivot them against the election campaign. So yes, definitely they can use it to target specific groups and they can use to target specific people as well. Any other questions? Okay. I myself have a question here. I never thought that reading just a news on a website would track me in 100 ways. Thanks for that insight. So however, now most of us probably would be using the ad blockers or the privacy blockers and all these plugins and they themselves probably can track us, somewhere I read about that. Do you have any insights about that and how do we trust these plugins? Yeah, you have to actually trust someone at least. If you are using the ad blocker, it's unlikely but it's probable that your data is going to that agency or company or whatever. But if you can, you have to put your trust in somebody at least. These Firefox is doing a lot of, Mozilla is doing a lot of good work in this region, this area. They're actually also releasing a FPN, Firefox private network where you can browse the internet privately. It's like a VPN but it's built into Firefox. So you can use things like that and you can put your trust into at least some companies or some people so that at least your data is not going everywhere. Thank you. Hi. Here, here. Hi. Actually, I do have two questions. You mentioned here, deck-deck go for the search engine and we know Google is taking search results for these suggestions and everything. But why this search engine is more into the security aspects? Sorry. This deck-deck go. You mentioned a search engine here. So. Yeah, can you take that slide, please? I can spell it clearly. So yeah, I actually had this slide. Yeah. Yeah. So this is an ad of Google on Washington Post. They put a three-page ad on the fact that you can control your privacy settings. You can turn off your privacy settings. If you want to, you have to do it just one by one in every app that Google provides. Except deck-deck go and other folks, they are privacy first, which means that even if they are showing ads, they are not using your personal information to show those ads. They're using the ethical segments that are described before and they're not using your personal information like your age, your interest or anything to provide you with ads. It may mean that their ads are less relevant to you, but they are protecting your privacy. I'm wondering that there is no Chrome in that list, the secure browsing. Sorry? The secure browsing, there's no name of Chrome. Is there a specific reason for that? In Chrome? Yeah, Google Chrome. In the other slide, you mentioned Firefox, Safari. Yes, because Google Chrome uses the browser itself to track you around everywhere. Granted, you can turn those settings off if you want to, but it does track you. They are actually doing a lot of debate around this topic recently that they are actually against all of this. They are in favor of providing you with better ad experience because that's where most of their money comes from. Thank you.