flickering to start my talk off.

Hello again, I'm Markus Huber. I'm with the St. Pölten University of Applied Sciences, where I started this year. I'm trying to establish research into privacy there, and the talk today is about trackers and how to get rid of them. So yeah, that's, I think, our mission as privacy people: trackers, we should get rid of them. In this talk I show you some research on how you can effectively block trackers, and also another project I'm working on where we try to make this tracker-blocking protection a little bit more usable.

First off, I don't know how many of you have seen the talk on Privacy Badger, anybody, on the first day? Yeah, a few hands. Obviously, because I'm very obsessed by the topic, I went there and watched it, and this is also why I'm only briefly speaking about the threats of online tracking to start off my talk.

I mean, this picture is the classic; you saw it 10 years ago in presentations. It's this old cartoon from the New York Times, "On the Internet, nobody knows you're a dog", and obviously 20 years later this is not true at all. So what I'm gonna do is, in my future talks, this is gonna be the new cartoon I will use for all my presentations on tracking and privacy on the internet, by the Tech of Joy, or the Joy of Tech. It's really cool; I think it summarizes the whole tracking problem pretty well. So in the old days you were reading your newspaper at home in front of your chimney, and you were happy and nobody was watching you. Nowadays when you browse the web, you're reading the news online, Facebook is tracking the articles you're reading, the NSA might track what you are reading, Google obviously tracks the whole ecosystem. So you're leaking a lot of personal information nowadays when you surf the web. I think the literally sickest example for this online tracking is
from Austria this year. So, Austria, the country I'm coming from. This is a translation by the guy into English. Maybe it's not obvious to you, but the story behind this is: Daniel Knapp, a fellow Austrian, unfortunately got cancer, and he started googling his symptoms and his diagnosis, and he ended up getting advertisement for funerals by Facebook. Yeah, so this is, I think, as sick as it can get. So he was targeted for funerals, and you see this here: Bestattung Wien. So I think this is the most epic fail with targeted advertisement.

The other thing, except for companies like Facebook or advertising companies tracking your online behavior, is governmental organizations. What we learned recently through the Snowden disclosures is that the NSA luckily picks up tracking cookies. So they are basically piggybacking on all the tracking and advertising companies, because they have selectors, and it's very nice for them: they have these unique identities created by advertising companies and social networks which uniquely identify you. One thing they used it for was to reveal the identity of Tor users. This was a very special case: this is for people who use their browser both for surfing normally on the internet and then use some kind of hack or a Tor proxy to access Tor. So they can basically just link the advertising cookies and they know exactly who you are, no matter if you're using Tor or not. The other thing is they use it for target selection. So they're listening to this huge stream of data and they want to attack the sysadmin at this company, or somebody at Belgacom; they want to target the very exact person they want to exploit, and this is where tracking is very handy for them. They also piggybacked on mobile tracking, so things leaking through mobile smartphone apps. So I think these are the biggest threats with tracking nowadays: companies making profiles about what you surf
online, about your medical history and so on, and governmental organizations on the other hand.

In the second part of my talk I give some insights into this arms race between trackers and blockers. I mean, I'm gonna talk about these extensions later on. I think the most effective defense at the moment is browser extensions. There are so many of them; those are the most popular ones. I'd guess most of you use some of the blockers on this list, and I will go into detail about them in the next few slides. So the most popular one is Adblock Plus, and we see that a number of extensions are basically building on the filter rules of Adblock Plus. Then we have Ghostery, which is very popular, and a newer browser extension which I quite like is uBlock, and then Privacy Badger. Because not so many people maybe saw the talk, I will explain Privacy Badger in a few sentences as well.

We see that Adblock Plus is used by 20 million people, so this is a really widespread use of such a protection measure. The thing though with Adblock Plus is: they have the rule set that is pretty good; the controversial thing they started in 2012 was this Acceptable Ads program. So they have some agreements with certain companies, including Google and Amazon, to not block their tracking code or the advertisement. So basically, if you're using Adblock Plus and you're not aware of this, opt out of this feature; wherever you've installed it, just remove the acceptable ads. AdBlock is very similar to Adblock Plus; it basically just filled the gap for Chrome because the Adblock Plus people were too slow to port the extension there. uBlock, as I said, is a new browser extension which builds on some of the rule sets of Adblock Plus, such as EasyList, EasyPrivacy, and also a DNS list which I quite like by
Peter Lowe. So there are no acceptable ads, the focus is on performance and privacy, and it's all open source on GitHub. So this is an extension I would highly recommend to you.

The other thing is extensions. So the first ones were all focusing on advertising; other blocking tools are dedicated to blocking trackers. Maybe the most popular one is Ghostery. How many people here have Ghostery installed? Yes, a lot of people. The thing is, Ghostery, for us it works pretty well; for the layperson the problem is you have to opt into blocking. So some people just install the extension; it shows these nice little bubbles about trackers, but you're not actually blocking them. I guess everyone sitting in this tent already did this, so just as a word of caution. The other thing is Disconnect.me, which is very similar to Ghostery, and it's also included in Firefox right now. So this is an optional feature in Firefox, a built-in tracker blocker which you can enable.

And Privacy Badger: the really nice thing is, and I suggest you also watch the talk from the first day, Privacy Badger doesn't depend on rule files. So it doesn't download, it doesn't have subscriptions to rules, but it uses some heuristics to block trackers. So while you surf, it thinks: that's strange, I'm going to all these different websites and I'm always loading content from Google; this might be a tracking domain, so I block it. So Privacy Badger is a really, really nice idea.

The thing we, and I say we as researchers, were interested in is how effective these tools really are. I mean, with Ghostery you have these little bubbles, or with Adblock Plus you just see, okay, the advertisement disappeared, so this seems to be working quite well. But we were interested in how effective they really are. So this is some joint work I have done with Georg Merzdovnik. Georg Merzdovnik is a very gifted programmer who implemented this, and so we crawled 200,000
websites and different subpages of them, so roughly half a billion web requests, and we automated browsers to analyze the traffic, and we collected the network traffic to see how effective they are and who is actually tracking people. So the next few slides, what you're going to see is, so to say, bleeding-edge research, which means the graphs are maybe not easy to read and not as polished as we wanted them to be, but they give you a general idea of our findings.

So the first thing you see here is who are the most prevalent trackers, so what are really the companies that track you the most. If you look at this table in the upper right-hand corner, you see that Google is really the biggest player in the game: it's Google Analytics, Google's ad provider DoubleClick, and so on. Facebook is also very popular. And the graphs basically show you why for us it made sense to really analyze a big sample. Some researchers previously analyzed, I don't know, the top 100 websites; so we really wanted to have a big sample. And as you can see here with a small spike, Baidu obviously has a bigger market share in Asia. So you see that some of the Google services are declining, while Baidu for some popular websites is a bigger player.

The other thing, this is unfortunately a table which is very hard to read, maybe with the huge projector. The thing is that this is really the top tracking domains, and we wanted to see how effective the different tools are, and to our surprise, or not to our surprise actually, Ghostery is really leading the field. So the first column is: if you don't use any extension, who is tracking you; and then with Ghostery you can see that some of the domains go to 0%. So Ghostery is effectively blocking the tracking domains. You might also notice that there are some domains which Ghostery doesn't block; this is for example APIs, so font
APIs from Google, so third-party content which you can't easily block but which is also not really tracking you.

So this was all kind of setting the stage for the last part I want to talk about. I showed you all these extensions, and what we want to do in this project is make tracker blocking a little bit more usable, and I'm gonna talk about certain drawbacks but also advantages of the solution. This project is called the usable privacy box, or upribox for short. It's an open source project, and I was very lucky to get funding by the Internet Foundation in Austria; the funding is called netidee. The idea is to use commodity hardware, so basically a Raspberry Pi with a Wi-Fi dongle, and make some kind of privacy-enhanced Wi-Fi hotspot, and make it as zero-config as possible.

Why the Raspberry Pi? I don't know, I think this Raspberry Pi hype always goes in cycles, and there are so many geek friends who bought, I don't know, five Raspberry Pis, and now they're just lying at home unused, or maybe you're using it to watch television or something with your media center setup. I really want you, once the software is out, to take your Pi off the shelf and put our software on it, so we'd be very happy if people gave it a try. The first prototypes: on the left side, this is on my desk back in St.
Pölten; on the right-hand side, this was as a live and willing in metal up, this is where I stayed at the camp. It's a very awesome village; if you have time, go by there and check it out. I basically just used some cable binders to deploy my hotspot there; you could also try it out if you wanted to. What I actually want to do next is to create a nice case and actually work on the software, which brings me to the next point: what is it actually doing?

First of all, it's blocking trackers. I'm using some kind of DNS blacklist which redirects certain domains; so for example Google Analytics is resolved by the upribox and redirected to a different host, and it resets the cookies from this tracking domain. So basically you connect to the Wi-Fi once and you also get rid of some old cookies. It also uses the transparent proxy called Privoxy. I guess most of you know the project; if not, Google it, it's quite nice, it's maintained by some German developers. This also injects CSS into the website so advertising is not displayed. And what I ultimately want to do is block advertising and tracking on websites and also in applications on your mobile phone. So if you connect your mobile phone, I want these little tracking ads to be gone.

Network blocking though is tricky. I mean, the nice thing with network blocking is you connect to the Wi-Fi and most of the trackers are gone, so it works with most of the devices which have Wi-Fi; so if you have an old feature phone with Wi-Fi, it works the same way as with your Android or iPhone. However, it's quite tricky to do network blocking. For one, you can't reliably detect third parties. If you have a browser extension, this is something which you can easily do, like Privacy Badger does; this is very tricky to do on the network. The other thing, and this might be a privacy paradox, or at least for my project, is the growing number of websites which
are using TLS or HTTPS by default, which is very good because you don't leak any information, but obviously the box can't intercept it. It would be a very, very bad idea for a privacy project to open up the HTTP traffic, so this is something I'm definitely not doing. So certain trackers are harder to block. For example this Facebook Like button: because it's all encrypted and the tracking is on the same domain as the main Facebook website, you can't just block the domain. I would love to, but then people would get annoyed if they want to surf their Facebook account.

The other thing is onion routing with Tor. We decided to deactivate this feature. It works quite nicely, so it filters advertisement and you route your whole traffic over Tor. The thing though is that there's no magic, there are no magic Tor boxes. You're always gonna screw up if you're using one of these privacy boxes with Tor on them, because it's just a very, very bad idea. So what we do is we point the people to download the Tor Browser Bundle, which I personally think is the most effective way to block trackers and to increase your privacy. So if you're doing something critical, never ever use your normal browser and just route it over the Tor network.

The last thing the upribox is gonna offer is a VPN. It comes with OpenVPN, certificate-based. We spent quite some time on trying to get IPsec running; there might be some network guys among you here, I just literally hated working with it. But OpenVPN is very nice, and so you can use the box even when you're abroad. So I guess the CCC camp would be a good option to use a VPN, because of, yeah, you know, all your colleagues and the friendly neighbor hacker. The challenge here is that zero config is tricky to set up: you have to somehow do the port forwarding with UPnP or NAT-PMP, and of course you have to handle changing
or dynamic IPs by your provider somehow. The plan for the project is that we release it on GitHub using a configuration management tool called Ansible, so you can really reproduce the image, and we want to release it at the end of this year. And there are many gifted students and people helping me, so I'm not doing this by myself. There's our on Alex and Anton, who are doing mostly the networking stuff and the hardening. Julian and Tobias are two bachelor students at FHASA who are really good programmers and really obsessed with security as well, so we always have interesting discussions. I also have some usability people and some people helping me with the case. So basically I'm very happy to work with a small team of people to get this done.

And this brings me basically to my final slide, the takeaway from this presentation. Just in a nutshell: I think we are now entering basically an arms race between trackers and blockers. Adblock Plus, for example, had a legal case in Germany now, because by blocking advertisement of course you're also creating problems for publishers, because they lose revenue, and so some German news companies were suing Adblock Plus. For example, a former Google employee wants to create a new company now which works in the opposite direction of browser extensions, where he wants to come up with tracking and advertisement methods which are harder to block. So I think a lot of things are happening there. Basically, I think the browser extensions, to some extent to my surprise, are quite effective. As said, I would go with uBlock; Disconnect is also very nice, and Privacy Badger. These three applications all come with an open source license, which is really nice. And then finally I talked about this usable privacy box project I'm working on, where the goal is really to make the whole thing zero config, so you don't have to install the browser
extension on every browser you use, you don't have to configure it and make sure, I don't know, you enable blocking in Ghostery and disable the feature where you send statistics, called GhostRank, back to Ghostery, where you don't have to fiddle with Adblock Plus to disable acceptable ads, and so on. So basically something I could also give to my parents at home, and they connect their devices and they're happy. And as I said, if you have a spare Raspberry Pi, I really hope you could turn it into a upribox and give it a try.

And the last one, this is an obvious thing for everyone who ever programmed: prototyping is very easy, a productive setup is hard. This is not the usable privacy box; there are so many tutorials. So if you check out Adafruit, they have an Onion Pi, there's an Adafruit Wi-Fi advertising blocker, and so on. If you want to go from this small how-to to something really, I don't know, more stable and useful, that's tricky. But that's also not a surprise; just to let you know, we're working hard on the box. If you want to stay tuned for the public release, this is the Twitter account, @usableprivacy. If you don't have the chance to speak with me today, you can always contact me for questions; actually there's a typo here, so it should be dot org. And yeah, thank you for listening, and hopefully you learned something new and you have some interesting questions.

Thank you very much, Markus, for your talk. As we are running short on time, please only one or two short questions. If you have more questions, please meet each other outside of the tent; I think it's okay for you to meet? Yeah, yeah. Okay, one or two questions only, please. So, left.

Just one question: have you tried some combination, like NoScript on one of these tools?

There's NoScript and RequestPolicy; I think it's what most people here at the camp use, but I think it's just not accessible to the average person. So the
whole thing for me is also a usability idea. I know most people here are fond of NoScript; it's effective, but anybody not from the camp would have a hard time using it. So this is why we didn't include it. Did this answer your question?

I wonder if you had any advice for publishers who are relying on advertising to fund their sites. Obviously the revenue from targeted ads is much higher than revenue from ads that are just generally broadcast on the internet. I wondered if you had any advice for them.

So I didn't really get the question; the question was about revenue and advertisement?

So, advice for publishers, so people who are trying to keep their site running on advertising revenue. It's obviously in their interest to have targeted ads on their website, because they get more revenue than they will.

Yeah, yeah, yeah, it's true, and I see a real problem here, especially, I mean, some open source or grassroots campaigns also rely on advertisement to basically fund their project. I think one really nice idea is things like micropayment systems, like Flattr or something, where you can directly donate to a website and you just flattr websites. But I think it's a very bad idea, if you run your website, that you enable tracking of people. For bigger media houses, I'm afraid that once people effectively block advertisement, it's gonna be like movies nowadays: it's gonna be news with product placement. So you're basically reading a news article which is funded by a company and looks like normal news to you. So this is with movies and then TV: we got rid of all the advertisement, now you're watching a movie cluttered with products. I think that's for one thing, but for smaller websites I would go for crowdfunding, Flattr, or get Bitcoin donations, PayPal donations, something like this, but not rely on advertisement.

So for more questions, please meet Markus outside of the tent, because we're
running out of time. Thank you again very, very much, Markus Huber.