 Very good. Thank you for this warm welcome. My name is Amiria and this is Anders. We work with Dotnet, a Swedish NGO that focuses on policy advocacy in the field of data protection. We also do technical development to make sure that it's simple, easy and fast for people to fulfill their data protection obligations as we have enshrined in human rights conventions and the law. So I will start with some paradigms of privacy to give an ideological context to what it is that we're doing. The concept of a right to privacy emerged in the 1870s as the right to be secret and the right to be left alone. Basically, it's a choice of whether you reveal data to the outside world and if you do, you lose control, it's out of your hands, but you should also have the right not to reveal things. Now, most of the legislation we have in place in Europe today is rather based on a 1970s paradigm, which is the right to privacy as control. This means that even if you give away data to somebody else and you put it in somebody else's hands like the government or a company, you still have some basic tools for protection like you should know who collects your data, they should be accountable for collecting the data, you should have insight in how other people are trying to use information about you to exert control or influence the way that you behave. The most recent development, however, is fairly new the past 20 years and it's the right of privacy as a right to identity. Namely, it's not just a way of controlling who you are today or holding somebody accountable for what they're doing right now, it's also a way of ensuring your own identity formation in the future, a right to exercise some amount of influence over who you become. And so, luckily, we have a new data protection regulation in Europe. It was finalized in December of 2015, it will enter into effect in May in 2018, and even though it's mostly still based on this 1970s paradigm of transparency and accountability and control and information to visitors of websites or users of IT systems, it also incorporates some of this thinking on the right to privacy as an identity, that you have the right to object to profiling measures or when people are trying to find out how to most conveniently send you advertisements or political information to influence on how you're voting or what products that you're purchasing. So, we went here last year and we talked about some of the preliminary research that we did in the field of data protection in Sweden and we found these to small numbers. So, for instance, we have only 2 out of 290 municipalities that don't help advertisers more efficiently track user visitors. We also talked last year about the 5 principles of data protection that were under negotiation by the European Parliament and the other EU institutions at the time. And these would be things like the right to know, the right to consent, user centric design and data protection by design, or data minimization, which is mostly what we will be talking about today actually, as well as effective sanctions against people who aren't, or companies that, public authorities as well, that aren't willing to uphold these principles for the users. So, we got funded last autumn to do these tools that help people more easily conceptualize what they're doing wrong now and what they could be doing right in the future. We've made web-call.datakir.net. It's available in Swedish, but also in English, where you can test your own website or the website of somebody else. And you can also get simple technical tips on how you can vastly improve data protection qualities of the website simply and cheaply if you want to ask a webmaster to implement these measures. The code is available open source at the mentioned GitHub address, so if you want to make your own web privacy check tool, that is also going to be possible. This was made with money from the Internet Fund, a Swedish foundation which sponsors technological projects that improve the Internet. And perhaps the main part of our project was to make this mapping of Swedish municipalities. So, unfortunately, it's only in Swedish, but as you can see, we've checked all of the municipalities in Sweden and we've graded them from A to E, with A being the highest grade. Nobody obtained the grade of A or B, and 207 out of 290 municipalities are in the E grade, so there's a lot of work to be done, and the only encouraging news that we have about that is, fortunately, it's not going to take a lot of resources for the Swedish public sector to improve the quality of the websites. The things that we checked for were stuff like data leakage to Internet service providers, schools, the work environment. Basically, when a website is leaking information to somebody who's involved in the infrastructure level of communication and also what you can do to remedy that. I'll give over some of the technical discussions to Anders, who will present the challenges faced by websites and also how you can solve them very easily. So, last year we talked about how HTTPS is important, not just for what you traditional think of as sensitive user data, but that is also important for, well, the mere fact that you're listing a certain page can in itself be sensitive. And while that's still true, we think you ought to stop thinking about this, like, what's sensitive or not, because the fact is that this is a very subjective thing. What's sensitive to one person in one context can be harmless in another context. Some things can matter life and death for one person in one country. So to borrow the stance of the US government's CIO council, who published a great website called HTTPS Only Standard, all browsing activities should be considered private and sensitive. If you always use encryption, you don't have to make a judgment call about what's sensitive or not. So HTTPS has three main features. One, it gives you a reasonable certainty that the website you're communicating with is the one you intend to communicate with. It encrypts the traffic, of course, and it makes sure that no one can manipulate the traffic on the way from the server to your browser. This third point is important. There was a great talk by Nicholas Weaver, who's a security researcher at Berkeley. At the USNICS conference earlier this year, we talked about how mass surveillance systems work, how cheap and easy it is to build your own, why the NSA loves ad networks, and he concluded that unencrypted traffic is not just an information leak anymore, it should be considered a vulnerability. If you don't use encryption, you have no idea if someone tampered with the data on the way from the server to the browser. Although sometimes you do know, I sometimes live in Norwegian and with their on-board Wi-Fi, they like so many others to a simple man-in-the-mill attack to inject their own CSS and JS on any unencrypted website that you visit to get their own toolbar. While this might seem harmless, it could just as well have been some douchebag trying to steal cracker details, rewriting login forms, rewriting links, serving malware. It could be ISP or government agency targeting just one specific user, serving modified content to that user only. Last year, you might have heard GitHub had a really bad attack by China, actually. What happened was that... So, Baidu is like the Google of China, and like Google, they have an analytics service. And at this time, one to two percent of all visitors from outside China, who visit the website that used Baidu Analytics, would have the Baidu Analytics JavaScript modified to include some code that would in the background reload two pages on GitHub, two specific pages over and over. So, millions of people admittedly became part of a giant DDoS network. Point being, if you don't use encryption, your website can be used as a weapon against other websites or other users. Also, even if you don't care about privacy or security, the fact is that the web is moving towards HTTPS only. For example, HTTPS brings lots of speed performance benefits, and while the specification doesn't mandate the use of encryption, the major browsers would only support HTTPS over HTTPS. So, in practice, you do have to use encryption to get the benefits of HTTPS. Also, both Chrome and the Chrome team and Mozilla have announced their intent to phase out insecure HTTP. For example, they will make certain powerful browser features impossible to use on encrypted websites. Very recently, it became impossible to use geolocation in Chrome on insecure websites. And if you don't have a certificate already, let's encrypt.org is the place to go. It works very well. So, another positive thing is that the WordPress community and WordPress.com now provides HTTPS and encryption for all of the users of that site. So, that's going to make it a lot easier for a lot of the people who are doing casual websites online to protect their visitors and themselves from this type of attack that we've seen. Now, the second criteria that we looked for was leaks of data to adjacent websites. And this is an old problem where if you go from one website to the other, basically, the previous website that you were at or the website where you go next receives information about what you used to look at in the past. And this provides some really sneaky ways of monitoring the reading behavior of users and seeing in which order they're reading what information, thereby providing valuable information maybe for the individual about how their private life is developing or how they're building their opinions. But I will again leave over to Anders to talk about the technical details of such data leaks and also, of course, what you can do to stop it from happening at your site. Right. So, whenever you click on Link, like if you're on food.com and you click Link to the Facebook page, your browser will normally tell Facebook exactly where you came from. Same thing if page requests is external stuff like CSS or JS, the so-called HTTP refer headers always sent, not always, but usually. And I thought this was maybe because the people who designed this back in the 90s were naive about the privacy implications, but then I read the RFC that specified HTTP 1.0 20 years ago that actually had a note. Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the refer field is sent. This is 20 years ago and, well, this didn't happen. Moreover, most people have no idea what the refer header is or it is sent. Now, 20 years later, we do have the ability to help our visitors not leak data with refer policy. I mentioned this last year, too, but it's very few people still know about it. So I think it's worth repeating. Also, I've seen some development. So with refer policy, you can specify a policy that's applied to all the links clicked and all the resources, connections generated by a page, like all the external CSS or JS, whatever. And with this policy, no refer, it's the strictest one. It kills the first completely. So with this one single line, you can make tangible improvements and stop leaking information today, right this minute, even. It's still a draft, but it's supported by the major browsers. So check it out. The last thing that we checked for was inadvertent data leakage to advertisers, content delivery networks, font posting providers, and so forth. And the reason that we checked for this is that, first of all, you have to remember that the visitor's legal protections when you send off their data to the advertising industry is really much worse than if you send off their data to an internet service provider. In the European Union, when the telecommunications markets were demonopolised in the 1990s, the legislators were very quick with enacting strong, privacy regulations for users. So telecommunications providers are normally not allowed to sell data to anyone. They have to inform the user quite clearly about what information they can access, and they're also not allowed to process it for means beyond billing inside of their own business activities. This is not the case for an advertiser or a content delivery network. Whatever they find out about visitors to your site, they are allowed to sell to companies all over the world, hand over to the public authorities with much fewer safeguards. And even though the legal protection of visitors is very weak, we have this massive spread of these technologies. But we can of course again say luckily there are some simple solutions that you can implement on your sites that enable you to have the analysis that you need while at the same time your visitors don't have to reveal themselves to anyone that wants to influence their political opinions, market beliefs, their family's opinions and so forth. I will leave over to Anders to explain some of the challenges that the community is facing, but also what we can cheaply do and quickly to protect our visitors against this. So we have this situation today where we don't want to be tracked by dozens of entities that are known to us when we visit many web pages. We have to use a multitude of browser plugins to defend from the site we visit, which doesn't have to be this way. You can have a functional website without exposing your visitors' information to lots of other people. Some things like using CDNs for jQuery or whatever or Google Fonts, the privacy leakage can be mitigated by using the aforementioned refer policy. In other cases, like with Google Analytics, you can use PeeWeek, but it's awesome and self-hosted and much like Google Analytics, but a lot more privacy friendly. Same with like share Twitter buttons from, well, with the vendor private code, there's also leaked data. And you can self-host icons yourself, for example. We don't actually have time to go into detail of all of these, but we did compile a small list. You can see .hid.net slash WCEU 2016 to check out some of these alternatives. One thing that people should know more about is content security policy. It's a very powerful tool. It's basically an HTTP header that all the server sends to the browser, telling the browser to act in a certain way. By default, it blocks inline CSS and inline JavaScript, and you can use it to whitelist approved content sources. So with this tool, it says self-host, well, the same domain that the page is on. It says it can load things only for the same domain and also from adddomain.com for scripts. So you can, for example, tell the browser that the page is only allowed to load scripts from this and this website or only images from this site or only images and CSS but no JavaScript at all. This is great for security preventing cross-site scripting and can also be used to prevent accidental information leakage. There's a great site called report-uri.io where you can build these rules and check them. So check it out. It's a really cool tool. Again, even if you don't care about privacy, you might care about security and what's good for privacy is often good for security and vice versa. So yeah, check it out. So going forward, we're looking at more easy ways to visualize website privacy analysis results. What we found out with the grading of the municipalities in Sweden is that even though our grading system is done and we have the methodology for it, it's not always easy for people to conceptualize how data is being spread between different parties online. So this is something that we'll be working with, we hope, in the upcoming year. We're also looking, if people are interested in making similar mappings of the public sector in other European Union countries. Because the thing about the public sector is you should not be required to have five plugins in your browser only to have your government not tell the advertising industry what kind of political information you're looking for. We hope that this talk has been inspirational and that you feel like joining us and also reviewing your own websites. Don't forget to go to our tool and check your website out. We also compiled in both English and Swedish information about all of these tips that we provide and how you can easily implement them for yourself. If you have any further questions, you're very welcome to come to the happiness bar after the talk and we'll be there and answer technical questions or any other questions that you can think of that are related to the field. All of the slides are available at and of course, should you feel like it, you may also drop us emails. Thank you very much for your attention and I wish you a great next of the World Camp Europe Conference.