Hello everyone. As you just heard, this is Privacy Badger and Panopticlick versus the trackers, round one. As a quick introduction... as soon as we figure out how slideshows work, we'll give our talk. I use different slideshow software than Cooper does. Okay, cool. As an introduction to me: my name is Bill Budington. I work at the EFF on various projects, one of which is HTTPS Everywhere, which you might know, and another of which is Panopticlick, which we'll talk about in a minute.

I'm Cooper Quintin. I'm also a technologist at EFF. I work on Privacy Badger. I'm running a CTF for EFF here at HOPE, which you should check out if you haven't, and I do security research as well.

So wait, oh, that's me. So what is EFF? How many people here have not heard of EFF? All right, somebody has not heard of EFF. Awesome, and that's good, because the next part of this talk won't work otherwise, if everybody has heard of EFF.

Earlier this year my colleague Jeremy Gillula did some tests which proved that T-Mobile was throttling traffic for all video streams if the customer had the Binge On service enabled. We published a blog post, and then we got on Twitter to ask the T-Mobile CEO John Legere about this, and he had this lovely response for us. I think that these questions are actually important, so I want to take a minute to respond to him.

So: who the fuck is EFF anyway? Well, he could have looked at our Twitter profile. He could have googled it. He could have asked a hacker. But that's okay, I can explain it to him. We're a nonprofit which has been around for 25 years. Our mission is to make sure that when you get online, your rights come with you, and we do this in a few different ways. We have an amazing legal team which has been involved in many legal cases against the National Security Agency for their unconstitutional spying on Americans and civilians all over the world. The legal team... yeah, round of applause for them.

They're amazing. The legal team is involved in dozens of cases each year, which range from filing amicus briefs to testifying in front of the Supreme Court. Also, members of the legal team run our Coders' Rights Project, which focuses on keeping security researchers and hackers from getting into trouble due to their research, and defending them when they do. I should take a note here to also mention that we are not lawyers, and none of this constitutes legal advice. If you need legal advice, go find one of our lawyers.

So why are we stirring up so much trouble? Well, one, because it's our job; it's what our members expect us to do. And secondly, because there's a lot of broken legislation and a lot of bad tracking technology out there, and if we didn't do this we would be remiss. Our members really count on us to help keep the internet safe and secure.

So we do things with the activism team at EFF like fly blimps over the NSA pointing downwards, saying "Illegal spying happening here." That was great. Parker was on that blimp; you can talk to him at the EFF booth. The blimp was loaned to us by Greenpeace, so we've got to give them credit too, for sure. And we have campaigns against things like the Computer Fraud and Abuse Act, which you might know of, which basically categorizes all sorts of activity as criminal hacking and makes it very easy to prosecute hackers, making hackers very vulnerable on any number of counts. This was enacted, to note, in 1986, after a Hollywood craze around the war movie WarGames, so this kind of shows you how Hollywood and Congress line up when they're prosecuting vulnerable populations. We also have an international team which works on things like the Wassenaar Arrangement, which is an international multilateral treaty which makes possession of hacking tools illegal. So there's a lot of great international work that we do as well.

So, John's final question: who pays us? It's a good question, and it turns out that the bulk of our budget comes from our over 25,000 amazing members, some of whom have been with us for over 25 years. Our members took to Twitter to inform John Legere of this fact and let him know that if they had to choose between T-Mobile and EFF, they would happily choose EFF. After all this, John Legere quickly backpedaled. Apparently he does know who EFF is after all, so hey, that's great.

We also have a technology projects team, which both Cooper and I are a part of, which makes the internet more secure.
We do this in two ways: we do it from the client side and from the server side. For the clients, we get end users to install things like HTTPS Everywhere, which, as I said, I work on. It's an add-on available for Chrome and Firefox which makes sure that if there is a secure endpoint on the web for a website that you're going to, you're actually accessing that secure endpoint. And on the server side we work on things like Certbot, which was formerly called Let's Encrypt, and this makes it really easy, free, fast and automated to get certificates that are recognized by browsers on a site that you may run.

So enough with the intro to the EFF; let's talk about surveillance. Before you, you see the schematic for the Panopticon, which is where Panopticlick derives its name. This was first conceptualized by Jeremy Bentham in 1787, and it's a way to keep tabs on all prisoners and watch their every movement from this central node here in the middle. We thought of this as a great analogy for how online trackers try to really view your every movement as you're traveling and browsing through the web.

So the story of how online trackers started begins in the '90s and really hits the spotlight by 1999. This New York Times article written by Glenn Fleishman that year laments the fact that browser cookies can be used as a way to track users as they browse the web through page views. So the old model of the web as a simple lookup table from URLs to their contents was becoming a thing of the past, where instead of this unidirectional server-to-client model, a lot more information about clients was being sucked up by the servers as well. Of course, IP addresses were already sucked up, but a lot of different information about browsers and browsing habits was starting to take hold here. So cookies let us have what's called third-party tracking, and there's a graph above here.

The way third-party tracking works is that when you visit a site, say for example the New York Times, you're not only visiting the New York Times. Many other domains also get loaded along with the content from NYT. So for example, you have advertising, you have analytics, you have things whose sole purpose is just to track you. And all of these get loaded on the New York Times. They all get to set a cookie in your browser, and they all get to see that you're visiting the New York Times. Then when you visit another site like CNN, a bunch more third parties load, and they all get to set cookies and they all get to see that you're on CNN. Some of these third parties, represented by triangles here, are loaded on the New York Times, CNN and every other site you visit. These third parties get to put together a picture of all of the sites that you've been to, because they keep getting to read your cookie and they keep getting to see what site you're getting that cookie on. So this lets people track you around the web and breaks this sort of first-party origin of the web, where you think that you're having this one-to-one conversation, but you're actually having a one-to-one conversation with many people listening in.

So why are we focused on third-party trackers in this talk?
Well, there are a few things. One is that they're non-consensual. Like I said, when you go to the New York Times you're not expecting to talk to DoubleClick, ScorecardResearch and a bunch of other people; you're expecting to talk to the New York Times. Also, they're ubiquitous. Almost every website has third-party trackers, and there was a study that showed that almost 90% of news websites had third-party trackers. They're hard to avoid. Most people don't even know that this exists, or if you do notice it, it's because you shopped for something on Amazon and then ads for that thing followed you around for the next month. They're hard to avoid; it's not always intuitive how these things work, and installing things like ad blockers doesn't always do the trick. And there's a strong financial incentive. Third-party tracking is big business. It's a multi-billion dollar industry, it's been around for a few years, and it's only growing.

So who do we see doing this third-party tracking? There are some key players, some you've heard of, like Facebook and Google DoubleClick. You've probably heard of AddThis, right? Google and DoubleClick, they're doing it for ads. Facebook is doing it for ads and who knows what else. AddThis is doing it for money. And there are invisible ones like ScorecardResearch. ScorecardResearch is on a bunch of websites, and I still can't figure out what service they provide. Acxiom isn't on websites, but they're a data broker. They buy data from all these guys about your browsing habits, what you're buying, etc., and then sell it back to other people.

Third-party tracking is also useful for spies. From the Snowden documents, we've seen that the NSA really likes piggybacking off of Google and Yahoo tracking cookies to help them track people around the web. So it's a pretty big problem.

So you could see that previously we had this model of certain sites having cookies on you, just tracking them, and that's great. Maybe you can actually just clear your browser. Maybe that's sufficient. So the model before was: all the cookies, all the time, just gather them all, just like Cookie Monster, right? But in 2009, ten years after the original article I showed, the situation had gotten so bad and the methods so advanced that this article by Ed Felten on Freedom to Tinker nostalgically reminisces about the good old days when trackers would just use cookies to track you, instead of all the other things that they're doing now. The sentiment is that if you're going to track users, at least be transparent about it. The view of cookies as this transparent way to track users shows how bad things had gotten by this point.

So what happened? How did things get this bad over the span of a single decade? Well, new techniques were being developed that utilized the pervasive inclusion of browser plugins such as Flash, Java and Silverlight as persistent stores of data, and they do this in a very underhanded and covert manner. In addition to being new stores of persistent data, which are called supercookies by the way, they're also very difficult to purge, because they circumvent the normal mechanism built into the browser for purging your cookies. So you have to, for instance, in Flash, go to the Flash settings, internal to Flash, and delete them that way.

And so there are all these different plugins that have much finer access and much more privilege in the browser than the browser would ordinarily give to add-ons, say, which is the distinction between add-on and plugin. What's worse, these plugins can collude with one another in respawning cookies if they're not deleted simultaneously on every single one of them. In 2010, security researcher Samy Kamkar came up with this idea of the Evercookie. What the Evercookie is: say you delete cookies in Flash and Silverlight but not in Java. Then there's this Java code that immediately re-propagates the cookies to the other two platforms, and maybe even your browser cookies in your browser itself. In this way these supercookies turn into very persistent evercookies, and they achieve a level of persistence that's very, very difficult to break.

In addition to actual data stores, trackers started to rely on these little bits of information left by your browser every time you access a site, such as fonts, and also the headers that you send upon every web request. They're able to combine these bits of information into a cohesive whole, or this unique fingerprint of your browser. So basically if you use both cookies and fingerprinting, then trackers can really have this pervasive view of your actual presence on the web.
They can actually follow you in a very fine-grained way. So we were confident at EFF that browser fingerprinting was possible, and as data-driven technologists we wanted to gather more concrete statistics and learn more about the information left by users' browsers. So in January 2010 we asked volunteers to participate in this experiment that we branded Panopticlick. The site, when you visited it, did these fingerprinting techniques in an opt-in way, and users were able to determine what exactly their fingerprint looked like. It also allowed us to gather statistics about web trends in general and how fingerprintable users' browsers are.

So, a quick math detour here. I might lose you, but I'll bring it back. When we talk about uniqueness, that's measured in the form of entropy. Entropy is a quantity measured in bits, so it's log base 2. In order to know how many bits you need to uniquely identify someone, you take the log base 2 of the population that you're measuring from. So for instance, to determine how many bits of entropy you need to find out the identity of someone on Earth, you need 32.7 bits of entropy, because 2 to the 32.7 is 7.1 billion, or about how many people there actually are on Earth. So the change in entropy is this quantity, or this term, that's called surprisal, because it's basically measuring how surprising a new bit of information is when you learn something new about someone: how much does that level of entropy change when you learn something new about someone? So that's called surprisal, and it's determined from this equation here. Now this is best illustrated by example. The surprisal, or the amount that the entropy changes if you learn that someone is a Capricorn, is log base 2 of the proportion of the population (that's the Pr in parentheses) that actually is a Capricorn, or about log base 2 of 1/12, or about 3.58 bits. The change in entropy when you learn someone is born on January 2nd is log base 2 of 1 out of 365, or about 8.51 bits. So you can chain together independent facts about someone to add up these bits of entropy and get a good idea of what the exact identity is. These need to be independent facts about someone. In this case these are not independent facts: if you know someone's born on January 2nd, you already know that they're a Capricorn, so it's not adding anything new to your knowledge about that person.

So with Panopticlick, the independent facts that we measured were a combination of headers and JavaScript-detected properties, and the population size being measured was everyone that ever took the test, the pool of all volunteers basically. Users that had JavaScript turned off were obviously better protected in this study; in that case we only had to rely on the header information that was being delivered upon the web request.

In May 2010 we published our findings in this paper by our chief technologist Peter Eckersley, and we described how the overwhelming majority of users' browsers had this uniquely identifiable fingerprint. In fact, 84% of people's browsers had uniquely identifiable fingerprints, and if you had Flash installed on your browser, this number actually jumps to 94%. So this was a good way to drive home the point that users really needed to take concrete steps in order to protect their browsers and their ability to feel safe against trackers in their browsing.

If this wasn't bad enough, in the intervening years since we originally published the Panopticlick findings, we've seen more and more advanced forms of tracking appear. Show of hands: how many people know what this illustration means?
So this is something called canvas fingerprinting, and it basically renders text onto an HTML5 canvas element. Even little changes in your fonts or your operating system configuration, things like anti-aliasing or kerning or whatever, result in different images being rendered here. If you take that image, serialize it and run a hashing function over it, that's a pretty good metric of how unique your browser is. Using a study with Mechanical Turk, they were able to determine that 5.7 bits of entropy are determined by this alone. This first premiered, I think, in a paper called Pixel Perfect in 2012, and since then, even by 2014, it was widely implemented by trackers.

You can see here an example of canvas fingerprinting by an open-source library called fingerprintjs2. In order to maximize the chances of the generated image being unique, you can see this complex overlay of different shapes, colors, fonts and UTF characters, and this increases the chances of you having a unique canvas fingerprint based on this image. Over time canvas fingerprinting has only gotten smarter and smarter, and it became a big problem when trackers AddThis and Ligatus implemented it in 2014. As much as 5% of the Alexa top 100,000 sites were found to be tracking users in this manner. A white paper released in July 2014 titled "The Web Never Forgets" really shone a spotlight on these kinds of tracking techniques, and after a flurry of media attention, the top canvas fingerprinters actually stopped this shady practice. And a quick shout-out: one of the authors of that paper, Gunes Acar, actually came and worked on Privacy Badger and contributed a patch to detect canvas fingerprinting.

So this is web audio fingerprinting, and it's pretty similar to canvas fingerprinting in that it uses the HTML5 Web Audio API to create a sound wave and then read that back and serialize it. Due to differences in your hardware, differences in your sound card, etc., it will get a pretty unique fingerprint.

And then there's online-to-offline tracking, and this is sort of the latest direction, the newest trend for the ad tech industry: the demand to link devices to specific real-world identities and link online and offline shopping and viewing habits. So this company called SilverPush took a crack at this. They took a frequency which was inaudible to human ears and encoded it in television commercials. The frequency, even though it was inaudible to you, was not inaudible to your phone, or probably your dog. So they included a library in mobile applications which would detect these signals coming from your TV (I know this sounds like I should put on a tinfoil hat) and call back to the SilverPush servers, letting them know that the application had heard this signal, so therefore you are watching this commercial, and here's all this other data from your phone about who you are. Apparently this was a track too far, and the FTC investigated them and got them to stop using this technology, but they might not be the only ones using this technology or similar technologies.

Facebook also dabbled in this, because it turns out Facebook knows a lot about who you are. So they developed this program called Atlas, which would let them link the ads that you had seen online to purchases that you had made offline, when you use things like loyalty cards or store accounts associated with your phone number, or when you use your credit card if that's linked to Facebook. They would take that data and link it to the ads you had seen on Facebook, letting them know if an ad had caused you to go buy something offline. This, as far as I know, is still active, although I think I've heard it hasn't been very successful for them as a program. But maybe they're just planning to iterate on it.
We're not really sure. So having heard about all the ways that your browsing habits and devices can be tracked might leave you with a serious case of privacy nihilism. You might be feeling right now that privacy is hopeless, and why should you even bother? And I think it's important, I think we need to take a minute here to address some of the common forms of privacy nihilism.

So one thing I often hear is, "But I like targeted ads. They're great. They help me find things I want." Really? They don't help me like that, but okay. The problem is you have no control over how your information is stored or used. These third parties have no obligation to delete the data that they collect. They have no obligation to store the data they collect only temporarily, and they certainly don't have any obligation to make sure that the data is correct. The data can also be stolen. It can be sold. Even if you think you trust the company, you might not trust the company in the future. And it can be misused. A couple of months ago a woman named Sharona Coutts wrote a story for Rewire about this guy who was selling the ability to geotarget advertisements to women at abortion centers, trying to convince them not to get abortions. This is hugely invasive, and he was able to do this through the standard geotargeting abilities of Facebook and other ad service providers, right, using mobile location and then serving ads as you're browsing Facebook or Tumblr or whatever at the Planned Parenthood. I mean, this is so problematic in so many ways, and we're just seeing the tip of the iceberg of this sort of thing. I think that there are a lot more terrible things that could be done with this. So I don't like targeted ads.

So some people like to talk about how privacy is dead, which is really interesting, because when you look at who's saying it, it turns out to be this guy. You might know him: Mark Zuckerberg, CEO of Facebook. Like, sir declared privacy is dead, and yet he turns around and buys 30 million dollars' worth of four houses that surround his house in order to have just the privacy that he says everyone else shouldn't have. So when he talks about privacy being dead, what he really means is that privacy is dead for normal people, but not for the ultra-rich tech elite.

So why should you actually care about privacy? Well, there are a lot of reasons. Maybe you want to read articles or download books which are controversial in nature, or maybe just embarrassing. Maybe they have to do with a medical condition. Maybe you want to protect yourself against little bits of data that, when put together, could be more embarrassing or lead to a more cohesive picture of who you are and what your life is. Maybe you want to avoid geotargeting of ads, for instance what Cooper just mentioned, the visiting of an abortion clinic. Or maybe you just want to avoid the chilling effects on speech entailed when you know that someone is always looking over your shoulder and gathering data about you. Privacy lets us make mistakes. It lets us play with ideas. It lets us grow as individuals. Who here has ever had a thought that they don't want shared with the world? Yeah, everyone is really thinking of their thought now and ashamed. Privacy gives us the space to grow and define who we are, and it's hugely important to a free society. So don't give up hope. Yeah, hope, get it?
That's the conference, right? Um. So we can actually categorize the privacy-protective efforts into three distinct categories: the good, the bad and the ugly.

So for the good: Flash is dying, and it's dying really quickly. Yeah, and good riddance. In the last five years the appearance of Flash has gone from just below 50% to just above 20%, and it's likely this trend will continue. And it's not just Flash. Across the board, the old plugins that had that system-level access that browsers didn't want to give are going the way of the dinosaurs. So that means, at least theoretically, the browser APIs can be utilized to rein in some of the worst abuses of the past. Other good efforts to stop tracking include the Tor Browser, which makes your browser look like every other instance of the Tor Browser that's currently being used. This basically makes trackers' data collection completely ineffectual. Caveats are that it's not the most intuitive thing to use; also, it might be slow for some people, we've heard that. On the upside, a lot of the privacy-protective measures that have been included in the Tor Browser are making their way upstream to Firefox. There's an active effort to bring those patches back to Firefox. So there's good news on the horizon.

Also, Firefox tracking protection is a great way. This is on by default within private browsing mode, and it uses Disconnect's ad and tracker blocking mechanisms in order to protect you when you're using private browsing mode. Also, research projects like OpenWPM are great. OpenWPM basically tracks first parties and their inclusion of third-party trackers across time and gathers that data; basically, it scrapes the Alexa top X number of sites every month to figure that out and get those web trends. So more research in this area is really needed, and the more data we have about trackers, the more effectively we can combat them.

Then we have efforts that are bad at stopping trackers, like Incognito mode in Chrome. To be fair, Incognito mode is not really intended to be used against trackers. It's intended to prevent local data about your browsing from being stored on your own computer. And it doesn't really prevent those pesky fingerprinting techniques that we saw earlier. Ad blockers are also a pretty bad method generally at preventing trackers, although there are some exceptions, since most of them don't even block trackers directly, and sometimes they don't block them at all, especially the invisible ones. Sometimes ad blockers don't even block ads from being loaded on the page; they simply stop them from being displayed on the page that you're viewing. So in that case the ads are still able to track you just as well as they were before. And often they have questionable business models, such as some that will remain unnamed. And also the W3C's Do Not Track policy gives users a way to flag that they do not wish to be tracked by trackers, but there's no enforcement mechanism whatsoever with this policy. So there's no way for trackers... I mean, they could honor it, but there's no incentive for them to do so.

So then we have the ugly, and these are initiatives by the ad industry. And yeah, totally feel free to boo these guys. So there's the AdChoices program by the Digital Advertising Alliance, and what this does is basically advertisers have proposed to self-regulate. The Digital Advertising Alliance offers members an opt-out, but the opt-out isn't actually an opt-out from tracking; it's only an opt-out from seeing targeted advertisements. So you still get tracked, you just don't see the results of it. There are still no requirements on what data they can or cannot collect and store. It's not legally binding. It doesn't address any of the security concerns like malvertising, and it still only has limited adoption.

The other... oh, too far. The other advertising initiative is from the Interactive Advertising Bureau, and they have two initiatives. One is called DEAL, and this is sort of the ad blocker blocker. You might have gone to Wired or Forbes and seen this pop-up that says, "Hey, you're using an ad blocker, so you can't read our site. Turn off your ad blocker and then you can come read our site." Again, this doesn't address tracking. It doesn't address people's privacy concerns, and it still doesn't address people's security concerns over things like malvertising. It's annoying for users and it's patronizing, right? "Hey, you're using an ad blocker. You didn't know that that hurts us." Yeah, it did, but your ads suck. It's annoying for users, and maybe it's more like "deal with it."

LEAN is the program for less obnoxious ads. The idea behind LEAN is the ad industry's attempt where they think, "Okay, your problem with ads is that they're obnoxious. They're full video. They play in the center of the page." Yeah, sure, that's kind of a problem. But LEAN still doesn't address privacy concerns. It only minimally addresses security concerns by requiring that ads be served over HTTPS. So, great.
We want to encrypt everything, but that's not really the heart of the concern with ads Oh too far too far back So none of these really addressed the concerns that we had at EFF so we did what we always do we combined technology law and activism and We came up with privacy badger pen-opticlick and do not track This is privacy badger. It's a natural habitat Yeah So privacy badger is a browser extension. It's free and open-source software It focuses on completely blocking trackers from even connecting to your browser it unlike most Tracker blocking and ad blocking technology which uses a blacklist privacy badger uses a heuristic to just try to figure out dynamically what's tracking you in particular and It lets honest actors people that aren't actually trying to track you away out Right, we see badger tell sites you do not wish to be tracked by sending the W3C dnt equals one header It then looks for third parties that get loaded as you browse the web If a third party is seen on several different domains and It appears to be tracking you say by setting high entropy cookies Fingerprinting you setting high entropy super cookies then it gets blocked So this is privacy badger running on gocker.com and You can see that it's so all the domains that are in red are being blocked That's the domains to where the sliders to the left if you're red green colorblind and The domains that are green are not being blocked yet because privacy badger hasn't seen them tracking across multiple sites um Yeah, for some sites we for some third parties. We don't want to block them entirely Things like the creative commons image server things like Google Maps things like YouTube embeds People want these as a part of their web browsing experience, but they're still able to potentially track you So for these things we have what we call the cookie block list Where we allow them to load, but we try to prevent as many vectors of tracking as possible So we block them from setting and reading cookies. 
We block them from certain types of super cookies I mean as many as we can and we block them from as many types of fingerprinting as we can This works pretty well to let people have the web. They want well still not being tracked as much as possible Another of the core tenants of privacy badger is user choice if you don't like the decisions that privacy badger has made We want you to be able to override those so you can enable or disable privacy badger on a given site if it's not working And you can choose to block cookie block or allow any given domain If you disagree with privacy badger's decision Privacy badger also replaces certain social widgets like Facebook button like buttons tweet buttons Soundcloud widgets with a click-to-play button so that the Facebook and Twitter widgets Aren't tracking you around the web, but you still get the usefulness of being able to like things and tweet about them And this work was done by Franzi Rosner So what about third-party sites that legitimately don't wish to track users? But still need to set a cookie for their technology to work or do some other thing for their technology to work So for those we have our policy side, which is our do not track policy. This is different from the W3C's do not track policy so We've written a document which states that users Sending the DNT header won't be tracked and I'll explain what that means in a second It's posted people anybody can post it at a specific location on their website and We think that because you're posting this document on your website if you violate the terms the FTC Can take action against somebody who does this The other side of it. 
So what it does is it says user identifiers will be discarded; logs will not be kept longer than necessary, a specific determined amount of days, I think it's like seven or nine in the document; data can be kept for debugging or security until it's no longer necessary, then it must be destroyed; and data can be anonymized or aggregated for analytics into sufficiently large buckets of people.

So the other side of this is that sites that adopt the DNT policy are automatically whitelisted by Privacy Badger and other participating tracking protection software. What we think our strategy here is, is that blocking sites that don't respect people's privacy, blocking sites that don't respect DNT, creates an incentive for sites to respect DNT, because they want to be able to show their ads. Or, you know, hopefully not ads, but... So right now we have a policy up here, and it's been adopted by DuckDuckGo, Adzerk, Mixpanel, Medium, Disconnect and a bunch of other people.

Late last year, in December, we launched Panopticlick 2.0. With this second iteration of Panopticlick we focused on bringing a new suite of tests to show how well your ad and tracker blocking and protection software is actually working. In order to get accurate results, we've set up a number of domains that kind of look like trackers but are actually just us, and see how well your protection software sizes up against them. The resources and domains that are included in this way are included in a way that tries to trigger three different types of blockers: those that use domain blacklisting,
so, you know, just full domains that are blocked; those that use URL fragments, such as ad_url= and the URL; and also heuristic blockers like Privacy Badger. If your protection software is triggered and actually blocks the mock trackers that we've set up, then we can know that your tracker-blocking and ad-blocking software is actually working properly. If your protection software is misconfigured, then we know that you need better protection, and we kind of gently nudge you to either install Privacy Badger or something else that's appropriate for your platform.

We've indicated also in these test results, and the third one is kind of fuzzy, I know, but that says: does your browser accept the Do Not Track policy? So does it unblock sites and domains that have posted the Do Not Track policy on their site? And finally, we've radically simplified the fingerprinting results from Panopticlick 1.0 to make sure that non-technical users can get a good at-a-glance look and see how unique their browser is. But don't worry.
We have the full fingerprinting results behind a single click, and if you want to be really diligent about it, then you can easily do so.

In addition to the tracker and ad blocking tests, we've rewritten the back end completely in Python Flask, so you can actually see what it's doing and how it's working. All of our projects at EFF are on GitHub, and you can easily clone them. You can really easily set up a Panopticlick instance yourself, because we've made it Dockerized, and you can run it yourself.

We've also added six new fingerprinting metrics on our own Panopticlick: canvas fingerprinting; OpenGL fingerprinting, which is kind of similar to canvas fingerprinting; also header-based metrics like DNT header, language, platform; and browser touch support, which is a JavaScript property. These kind of give you a more accurate idea of your browser's uniqueness. We've also made these fingerprinting results epoched, so we're basically measuring your browser up against browsers that we've seen recently, instead of the browsers that we measured, you know, six years ago when we first started Panopticlick. That's to get a better idea of how unique your browser is right now rather than against everything that we've ever seen.

So since launch we've seen the tracker test run over 800,000 times, which is a great, great success for us. We've seen ad and tracker protection improve on 15,500 unique IPv4 addresses, which is awesome. If this count on the bottom looks small compared to the top, consider that if you change IP addresses between installing protection software and testing again, or if you're using a VPN, it's only counted once, or if you're using Tor it's only counted once. So there's a lot of things that we can't measure like that. So we've seen a lot of success with this tool. Yay ponies!

But we're not done yet. We have some plans for the
future in store. First of all, we're planning to open up the anonymized data as best we can, because obviously this is dealing with people's private data too, so we want to be very careful about that. So we can take advantage of all the data that we've collected over the years. In addition, we've started using it as a testing framework for Privacy Badger, to make sure that when Privacy Badger blocks domains it's actually acting properly and doing it in the right way, and in the future we hope other browsers will adopt Panopticlick for their testing.

So in Privacy Badger and Do Not Track land, what we would like to do in the future is improve the heuristic, reduce false positives, detect and block more types of super cookies and fingerprinting, and get wider DNT adoption.

So what do we do from here? Oh, sorry, I stole your slide, Bill. So first of all, you can help us by actually using Privacy Badger, using Panopticlick, and if you have friends or family that you want to be protected, encourage them to use it as well. It's better to get everyone you know using these tools, right? Because the better protection they have, the safer and more private a web we have together. Also, if you adopt the DNT policy on your own sites: the more the DNT policy is adopted, the more teeth it has, really. Help us out with code. Donate to EFF. These are important projects which we would love to continue, and only with your member dollars can we actually do it.

So we need better tools in the browser still. We can't do everything in extension land. We need better built-in tracking protection. Firefox and Opera have it; that's great. We need double-keyed cookies and super cookies.
This is a cookie which is keyed to the third party and also to the first party that it was seen on, so the cookie would be keyed to DoubleClick on New York Times. We need browsers which are hardened against fingerprinting. Some of this work is being done in Firefox, a lot of it has been done in the Tor Browser, but it needs to be happening in Chrome, it needs to be happening in Safari, and it needs to be happening in Opera. We also need better controls for blocking and clearing super cookies. How many of you know how to clear Flash super cookies? I can't see hands, but yeah, like one or two people probably, right? I don't actually know how to do it. I think you have to install Flash to clear them; you have to go to a Flash applet on macromedia.com. It's a nightmare.

We also need new business models for the web. The web until now has been based on tracking ads, but it doesn't have to be. We could try out memberships, donations, crowdfunding: if a potato salad can get crowdfunded for hundreds of thousands of dollars, I think your website can do just fine. Micropayments: there's a lot of really cool work going on there that I would like to see take off. Or, at the very least, non-intrusive advertising: have display advertising, have ads that don't track people.

So we don't want to leave you with a feeling of despair as you leave this room. That's not our goal. We want to really tackle a hard problem, but like this quote says, the situation isn't hopeless, far from it, and we're working on tools to make it much better. So don't be a privacy nihilist, be a privacy vegan. We need people out there to be adamant about, you know, protecting yourself on the web and helping us do it.

So is advertising the best way to fund the web? It's hard to say. It's certainly here right now.
Maybe we can change that, maybe we can't. But if advertising is the best way to fund the web, and if it's what we're gonna live with, it must stop violating users' privacy. Thank you.

So I think we have no time for questions. Is there somewhere we could post up to answer questions if people have them? Okay, so if you have questions for us, come out to the lobby. We'll be out there. Thank you very much.
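The double-keyed cookies on the speakers' wish list are easiest to understand next to the traditional single-keyed kind, so here is an added example in JavaScript. It is not any browser's real cookie implementation and not code from the talk: the two jar classes, the `canLinkVisits` simulation and the `.example` domain names are constructed assumptions. The classic jar looks cookies up by cookie domain alone, so an embedded ad domain reads back the same identifier on every site that embeds it; the double-keyed jar looks them up by (top-level site, cookie domain), so the same ad domain sees a fresh identifier on each site and cannot link the visits, while state within one site keeps working.

```javascript
// Added example, not a browser's real cookie implementation: a toy cookie
// store keyed only by cookie domain (the traditional behaviour) beside one
// double-keyed by (top-level site, cookie domain). Domain names are
// constructed placeholders.

class SingleKeyedJar {
  constructor() { this.store = new Map(); }
  set(topLevelSite, cookieDomain, name, value) {
    this.store.set(`${cookieDomain}|${name}`, value);    // top-level site is ignored
  }
  get(topLevelSite, cookieDomain, name) {
    return this.store.get(`${cookieDomain}|${name}`);
  }
}

class DoubleKeyedJar {
  constructor() { this.store = new Map(); }
  set(topLevelSite, cookieDomain, name, value) {
    this.store.set(`${topLevelSite}|${cookieDomain}|${name}`, value);
  }
  get(topLevelSite, cookieDomain, name) {
    return this.store.get(`${topLevelSite}|${cookieDomain}|${name}`);
  }
}

// Simulate an embedded ad domain that assigns an identifier the first time it
// sees a visitor and reads it back on later requests. Returns true if the
// identifier observed on the second site equals the one from the first site,
// i.e. the two visits could be linked to one person.
function canLinkVisits(jar) {
  const adDomain = 'ads.example';
  let nextId = 1;
  const ids = [];
  for (const site of ['news.example', 'shop.example']) {
    let id = jar.get(site, adDomain, 'uid');
    if (id === undefined) {
      id = `id-${nextId++}`;                // first contact on this site: mint an identifier
      jar.set(site, adDomain, 'uid', id);
    }
    ids.push(id);
  }
  return ids[0] === ids[1];
}

// Within a single top-level site, both jars still return what was set, so an
// embed that legitimately needs a cookie on that site keeps working.
function keepsStateWithinSite(jar) {
  jar.set('news.example', 'ads.example', 'session', 'abc');
  return jar.get('news.example', 'ads.example', 'session') === 'abc';
}

console.log('single-keyed links visits:', canLinkVisits(new SingleKeyedJar()));   // true
console.log('double-keyed links visits:', canLinkVisits(new DoubleKeyedJar()));   // false
```

The same partitioning idea applies to other storage a third party can write (localStorage, cache entries and the like), which is why the talk asks for double-keyed super cookies as well as double-keyed cookies.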