 Hello, everyone. I am Noah Swartz. I am a staff technologist at the EFF, the Electronic Frontier Foundation. For those of you who don't know, the EFF is a non-profit set in the US, which defends online digital civil liberties. So we do a bunch of things. We do litigation, which is we fight court cases to try to affect free speech laws and civil liberties laws that deal with the digital realm. We do some activism. We'll, you know, get people organized, you know, write their congresspeople or other government officials to change the law. And we also write a bunch of technology, which is the group that I'm in. So you may be familiar with our browser plug-in HTTPS Everywhere, which redirects you to the HTTPS version of a given site, or our upcoming project, which is Let's Encrypt, which will be an automated certificate authority, or our fingerprinting website, Panopticlick, which I'll talk about later in this talk, and I'm here to talk to you about Privacy Badger, which is our newest browser extension. We released it last Thursday. But I want to remind everyone that I am a technologist at the EFF, and I am not a lawyer, so I cannot give you legal advice, but feel free to ask me technology questions. So we're going to talk about browser tracking, how ubiquitous it is on the web, and what a big problem it is, why your privacy matters, who's doing it, how are they doing it, and what you can do to protect yourself, which is where Privacy Badger will come in. So you may have noticed when you've loaded a website recently that not all of the content on that website came from one source. When you go to websites, there's a lot of third-party information on these various websites. So basic things like images or sometimes CSS files can be stored on CDNs, so you get like a cached version of the website, or the images are cached closer to you, so they load faster. But also now we have things like web fonts, or you'll get like Google Maps tiles on a certain website, so you'll have some service that's being provided by a third-party. A lot of websites use analytics engines, where third-parties sort of try to track what you're doing on a website to provide analytics about clicks on a single domain. News articles, a very prevalent one, are these sort of social media widgets, so share this on Facebook or tweet this link, and those images are being sourced by third-parties. So when that loads, it goes to Facebook for the image of the Facebook share button, and it even loads JavaScript from Facebook. And then obviously the most noticeable, if you're not running an ad blocker, are ads. So when you go to the New York Times, it's got a bunch of ads, they're CNN.com. They all have a bunch of ads, and these are all sourced by third-parties on the fly, often targeting you specifically, so people are doing real-time bids on these ads to make sure they're showing you the right one. So how is your browser being tracked? These requests can write and read cookies in your browser. So just like you would have a cookie for a login for Facebook or for Google, these third-parties are writing a cookie to your browser when you go to the New York Times. So every ad service that loads an ad, every distinct one, goes up to your browser and it says, hey, do you have a cookie from us? You know, we're doubleclick.net, do you have a double-click cookie? And if your browser doesn't, it says, okay, great. Now your user, you know, 7,438. And then the next time you go to a website that loads a double-click ad, it asks if you have a cookie and it says, oh, great, your user 7,438. I remember that, you know, you were looking at these websites last week and they build up this big profile of you as you browse across different sites, anything where their third-party is being loaded. But they can also use other sort of distinctive elements about your browser, such as this canvas element in HTML5, which does stuff with your GPU to get a fingerprint. They can also write these things that are called super cookies, which are storage options in other libraries. So HTML5 has a local storage option and they can store things in that HTML5 local storage and then read it back when you go to other domains or you load the site again. And then in addition to having these trackers on visible ads, they have these things called tracking pixels, which are sort of one-by-one images that load and then serve these cookies as well. So even if you don't see a visible ad on a website, it's still possible for a third-party to be tracking you. Obviously, this is a big business. Ads and tracking are everywhere on the web. But we've seen a big move recently from visible ads to this sort of tracking of users and monetizing of user data. So this is an image of the EFF project panopticlic, where you can go to it and it will tell you how unique your browser looks to us. So it has a big database of browsers and information about them and then it checks your information against the other information on the browser and it tells you how unique you are. So this is me from earlier this morning and I am completely unique out of the five and a half million users who have ever gone to panopticlic. So these are a bunch of ways that someone can figure out things about your browser, but imagine an advertiser doing that on a site with only a few of them, you're still probably unique out of all of the visitors to that site, because most sites don't have five million unique visitors. And so this is the problem. This is what we want to prevent advertisers from being able to do so that you can browse the web anonymously and not be followed around. So the question is who is tracking you online? As I said, it's a bunch of advertisers, but it's also these sort of data aggregators. So Axiom on this list is just a data aggregator and they build up profiles of people and then other marketers can go up to them and ask for certain subsets of the population. They can say, you know, I want to look for single dads in the Denver area and Axiom will give them a big list of people to advertise to you and that's the people who are selling your data. And then you see also Facebook is a big advertiser in addition to being a social media network. So when they're reading things about your browsing, especially on news sites, they're using that to sell to advertisers as well on your Facebook site. So the problem with these trackers is that they're all third parties. They're not the site you were trying to go to. So when you go to the New York Times, you know, you expect New York Times content to be served to you. And when you go to Facebook, maybe you expect Facebook to track things about you on Facebook but not on other sites. And so a lot of these first party websites, you've probably at some point agreed to an user license agreement with them. You've clicked through some agreement. So at least there's sort of a standard of what you expect them to do with your data. Whether or not, you know, you read it or you understand it or if it's even reasonable, but at least there's something there. For these third party trackers, there's nothing. So they have this data on you, which they can use however they want. And you have no idea how they're going to use it. As I mentioned, you know, it's completely ubiquitous. It's on basically every site. It has some sort of social media button or some ad or probably an analytics engine. So it's all over, which makes it really hard to avoid. And these companies have very strong financial incentives to keep doing this. We can't just ask them politely to stop because they've built, you know, multi-billion-dollar businesses on this. So you may say, like, oh, but I like targeted ads. You know, I hate it when I get ads for things I don't care about. It's really nice to have targeted ads. But these third parties, as I said before, there's no rules that what they do with your information. So they don't need to anonymize it and they can store it for however long they want. They can sell it to whoever they want for whatever they want. And you have no idea what they have and what they're going to do with it. So it's completely out of your control, which is scary enough to me, especially when advertisers have gotten into hot water previously with selling data to the U.S. military to search for terrorists. But you can imagine someone hacking one of these databases and getting a lot of information about you. And then they can also misuse this targeted advertising for a bunch of things. So there's two pictures at the bottom. One is about how the office supply store staples was finding people who were close to their competitor, OfficeMax, and offering them better prices if they clicked through one of these ads that was targeted specifically based on their location. And maybe you don't care about office supplies, but you can imagine it being for something higher stakes. You can imagine it being something more fine-grained than location. So we have this two-tiered or multi-tiered system where advertisers are giving different people way different versions of their websites based on all this tracking data. And then the second image is from this report about the housing crash, the subprime loan crash in the U.S. around 2008. And these advertisers went out and they wanted to direct market to people who hadn't bought mortgages before. And so they used all this data to find people in communities that didn't have mortgage lenders and they specifically targeted them with online mortgage ads. And it turned out that these were the people selling the subprime loans. And it turns out that the people who lived in areas that didn't have brick-and-mortar places to get loans were people in the African American community in the U.S. So they got sold all these subprime loans and when the housing market crashed, they all lost their houses. So it disproportionately affected a very serious group of people in the U.S. who were not concerned about the effects of targeted advertising on U. I think it's easy to see that it can have really bad effects for society if it's unstoppable. But don't worry, it's not just advertisers who are happily reading these cookies. It is also the NSA and lots of other spying organizations. Many of these tracking cookies are transmitted over HTTP. They're not encrypted and anyone in between you and the advertiser's server gets to read all this information, including your unique ID for that website. So if you look at some of the slides the NSA has, they're very excited about these cookies. This is an actual NSA slide where they're just like, yes, cookies. And they break it down and it says, you have a unique identifier for a person that's distinct from their IP address and we can use it to correlate their traffic between multiple things. So even if you move around and the NSA gets your X-key score, like collects things in X-key score between multiple browsing sessions of you, as long as your browser hasn't been cleared and you're going to the same websites, you're going to send this HTTP cookie with this advertising unique ID and then the NSA just knows it's you again without having to do any extra work. And so they talk very happily about this Yahoo ID, which apparently has a machine identifying identifier in it. Or a cookie with a machine identifying ID in it. So it doesn't matter where you are or how much you clear your browser, the NSA is going to also get information about you. So these things scare me. This is why I think online targeted advertising is bad and I don't think I need to convince all of you that privacy online is important and there's been a lot of talk about the effects of knowing you're being monitored. So you may say like, oh I have nothing to hide and then as soon as you want to go to a website that maybe is anti-authoritarian or possibly embarrassing, you're going to self-censor and not go to it because you know you're being tracked on all these websites. Which makes it very hard to go about life as you normally would without the fear of surveillance. So how can it be stopped? There's lots of ways people often propose for how to protect yourself from online tracking. A common one that I hear when I tell people about privacy badger is incognito mode. A lot of browsers have this incognito mode where they won't store information between sessions. You'll have these cookies temporarily for a specific browser session and then it will clear them when you close your browser. But that only protects you between sessions, right? So if I leave that session open for a long time or go to a lot of websites in that session you can still correlate at that time because it's not reading cookies. It's just not storing them between sessions. I went to the New York Times and then I went to like an AIDS policy website and they had the same CDN or the same tracking pixels on them then the NSA would know that I'm at both of them in this advertiser would and maybe it gets sold to Axiom, etc. And incognito mode is also hard because it's very cumbersome on you because all your first party cookies get wiped between browsers. So if you use a lot of web services like Gmail or Facebook you have to log in every time which becomes very cumbersome which makes people only use incognito mode when they're looking at these sort of sites that they don't want people to see. So their normal browsing history is still getting captured by these advertisers. And it's still vulnerable to fingerprinting. They can still fingerprint your machine. They can read your fonts and stuff like that. Or there are some zombie cookies where your internet service provider might inject something into your web request header and then they'll remember to resurrect a cookie that you were given previously. Tor browser solves a lot of these issues and it's great for private browsing. Unfortunately a lot of people don't use it all the time. So... And it's not yet sort of a scalable solution for everyone. So I think there still need to be tools that protect people, you know, a normal person who isn't willing to use Tor from this online tracking. Ad blockers are another thing people use a lot but ad blockers are typically focused on visible ads. So they don't necessarily block these invisible trackers and often they'll not block the request to the ad server. They'll delete it from the DOM after it's loaded so this cookie stuff will still get sent between them. And they work on a blacklist. They have a big list of things that they think are ads and advertisers sort of read this list and they make ads that get around this and it's just sort of this arms race they'll blacklist something and advertisers will do something new and they'll blacklist something out and there's no way out for advertisers. There's no way that they can stop being blocked by these ad blockers and sometimes these ad blockers have a financial incentive and they're not always trustworthy. So ad block plus will take sometimes take donations from advertisers to allow their ads through their blacklist. Ghostry by default sells information about what ads you're blocking back to the advertisers so they know what are the sort of creepy ads that people are afraid of. People have done some policy work on this. The W3C adopted a do not track standards. You can send a header with your web request saying that you don't want to be tracked but unfortunately no advertisers really honor this. So you can send it to the advertisers all you want. They're not going to do anything. They're still going to track you and it hasn't really been adopted by anyone. So we would like to see a world where it can be adopted by people to install a third party extension to have advertisers honor your request not to be tracked. The advertisers seeing an opening formed the digital advertisers alliance where they're like, oh, you know, it was really hard for the W3C to regulate us. Let us regulate ourselves. You just tell us you want to opt out and we'll happily stop showing you targeted advertisements but we won't anonymize your data and we won't stop tracking you. We just won't show you the targeted ads. We won't show you the solution either and it's not legally binding and even this very lack standard has only been limitedly adopted. So the FF thinks we have a solution. We have come up with Privacy Badger which was just released last Thursday, as I said. I will tell you what it does and I will try to explain the name to you. So here is the Privacy Badger. That's it celebrating its 1.0 release in our office in San Francisco. That is the reason it is named Privacy Badger and what it is is a Chrome and Firefox extension that tries to block all tracking automatically through an algorithm rather than having a blacklist and the idea is to make it very easy for people to use and to not break the web as you're browsing. So it's very low friction. It's GPLv3. You're welcome to submit pull requests but I'll get to that later. And so we also think we have a way to solve this arms race problem which is also coming up. So how it works is it has your browser send this do not track header along with all of your requests and then it watches and sees what third-party is you're loading on a given site. If that third-party is doing something to try to track you, we'll add it to a list and if we see it across multiple first-party domains, we'll block it. So if you go to a website like the New York Times, you may get all these ads that are third-parties that you might expect to see on other websites but you might also get all of the New York Times CDN being loaded to load images for the New York Times. So if you go to CNN.com and you go to maybe Gawker and these ads are all three of them, you'll see the ads across three domains and PrivacyBedge will block it but it won't block any of their specific CDNs. So here's an image of it on New York Times and all of these New York Times CDNs are whitelisted because you haven't seen them on any other sites. So you have a little slider that goes from red to yellow to green. Red means it's blocking the request, yellow means it's anonymizing it by preventing cookies from being red or written, and green means that it's being let through untouched. Which is what you would hope for for the images on NewYorkTimes.com. And so we want to block high-entropy cookies that can uniquely identify you like we showed in the PanoptiClick thing. If it has enough bits of entropy to identify you out of the entire population of the world or all the people who might go to that website, then that's a cookie we want to block and we want to mark as a tracking cookie. So we also want to make it sort of seamless so there are a lot of things that might get blocked because they look like trackers but they aren't. And so we have a gray list of domains that we will only set to be anonymized but we'll still let the content through. And these are things like the Creative Commons button or like Google Fonts and stuff like that that might break websites or make web browsing really difficult. So the things we detect, as I said, are cookies from HTTP and JavaScript, HTML5 super cookies and this canvas fingerprinting where they read the HTML5 canvas element. So this is Privacy Badger on BoingBoing.net and you can see some things are green and the yellow things are sort of things that allow the site to exist. So Fonts.Google and this Creative Commons thing. But here it is on Gawker and you see all these advertisers are being blocked and then Kinja, which is Gawker CDN is being allowed because you would only see it on Gawker. So in addition to all of its automated settings, you as a user have complete control over it. You can override any of these settings either for the whole top-level domain or for any specific sub-domain of it. You can disable Privacy Badger entirely for a site if the site's not working because of Privacy Badger. We also do sort of click-to-play on things that you might want but that are getting blocked by Privacy Badger. For example, all the comments on YouTube are Google+, so there's sort of this warning when you click it, it says, would you like to enable it just for this website so that you can comment on YouTube? So here are some pictures. The left is Privacy Badger Disabled on a site and you see the icons grayed out and there's no information about the trackers and then on the right are some things that I've set and the little arrow allows it to revert control to what Privacy Badger was expecting to do for that domain. So you can kind of use it to debug a site or to block something if you think it's a tracker and Privacy Badger hasn't flagged it as such. Also we block these social widgets, there's a little Facebook-like buttons on websites, so here's a picture from an article talking about Eurovision and you can see they have this little Privacy Badger icon so it doesn't load the image from the third party, it has a local version that it sources and I think you can click-to-play and it will re-enable it but by default you won't be leaking information through the user. So what about third parties that aren't tracking users? Well, they can agree to the EFF's new DNT policy that we just released. You can read it at EFF.org slash DNT hyphen policy but sites can host it and legally agree to follow what it says and then you'll have a guarantee that your data's not being personally identified on their servers and you can know that they are not tracking you. So it says things like they won't start identifying information about you, no unique IDs for users, so it will all be anonymized, so they can keep it for a little bit amount of time so they can store a log of aggregate data but it's not identifying to any specific user and I think the limit's very short. They're allowed to do debug and security things but they won't sell any of this data to people without ensuring that they also agree to this do not track policy. And then sites that adopt it, your Privacy Badger will check this domain and it will white list it. So here's an image where I can't read the things from here but donottracker.org has posted the DNT policy so Privacy Badger is respecting it and not blocking the domain whereas like eviltracker.com is being blocked because it is an evil tracker and so this is an upcoming improvement to our Panopticlic site where you can test your browser for a tracker blocker and so soon it is not yet released but it will look like that. So we drafted this in conjunction with Disconnect which is for a public good company in California and we got adoption from Mixpanel which is like an analysis engine, Medium which is a poster of articles and Adblock Plus which is a different Adblocker. And I think we have about half a million users covered through these four companies who will now get the benefits of these donottracker opt-outs but hopefully more people will agree to it especially these sort of advertisers or online trackers. So that is Privacy Badger and I hope you all install it. I have a few more things to say but yeah you should go to eff.org slash pb and install Privacy Badger and protect yourself from online trackers. There is still some work to be done. There are many more things we could detect. We could have a nicer UI. We have localized it into four languages but we could always use more languages and we would like to see more people adopt our D&T policy. You can help by using Privacy Badger and reporting broken sites. There is a thing you can click and report sites that are broken. You can submit bug reports on our GitHub or make pull requests if you are a developer. Or if you run a website you can respect people who send the D&T flag or the D&T header and you can also host our D&T policy at adopt well-known address. But browsers can also do things to protect against tracking and we would like to see more browsers adopt these so that you don't need extensions. Firefox has been working on this tracking protection thing and we hope to see it released soon. I think I am out of time. That is Privacy Badger and hopefully you all now know how to protect yourself from online tracking. Oh, and I have stickers. If you want some Privacy Badger stickers come find me afterwards. Sounds good. We still have about three minutes left for questions. Line up at the microphones and I think we will do the right one from here first. We have audio. I have one tiny correction actually. It is not Adblock Plus but Adblock who are implementing the D&T policy. Of course we would love Adblock Plus to do it too. Thank you. Yeah. Are these do not track policies audited or verified in any way? Yeah. So EFF posts one on its website and Privacy Badger has a list of hashes of acceptable ones and then when the website hosts it Privacy Badger checks the hash it has locally against the hash of the one hosted on the remote website and if they match then... I mean like if the website claims it does not keep logs is that verified? Do they have to open their logs? If I would be able to track I would just say yeah, yeah, no logs. No, no, no, we are a good tracker. The idea is that they could be sued for all the users that they disrespect with regards to this and advertisers have expressed that they are very concerned about these sort of like market policies but we don't necessarily have a way to compel them to give us information. Thank you. So the other microphone please. Yeah, I have a related question. If you white list or in this case green list tracking a site based on the fact that they claim to respect the do not track policy do you make... give it to the user a visual difference that it's based on the policy and not because they are not using cookies? Sorry, I didn't... So now it is green if they don't use cookies at all and then it's yellow if you load it anyhow so if a site is using cookies but you white listed because of the policy is it then the same kind of green that is no cookies or is there a visible difference that you say okay but it was white listed? Yeah, yeah, it shows this little DNT image. Yeah, here. You see this little DNT image and you know that they've posted the do not track policy. And then it shows that it's sort of like set by privacy better and you can revert it or override it. So next question please. Yeah, hello. I've been using various ad blockers and privacy based browser extensions for forks of the Firefox web browser for several years and recently I've been stumbled upon a fork or a version of U matrix that has been imported over from the Chromium slash Chrome based browser world by Ryan Gorehill and I find that user interface to be very impressive for how much fine grain control it gives you to block cookies JavaScript, CSS images what have you from different domains on the page and I'm wondering if anybody at the EFF has looked at the user interface of this extension to compare how they implement privacy protection? I have not but one of the things we wanted to do in privacy better is make it very easy to use so that someone who didn't really understand all the mechanics of the web could still protect themselves in a reasonable way and I've heard a lot of praise for the sliders but we're definitely always looking for new ways to express these things. So I will go look at you matrix. Yes, please do and thank you for your work. Yeah. Any more questions? Doesn't look so. So, thank you Noah very much for your talk for showing us the privacy better. This is your applause. Thanks.