This document provides an overview of how personal data is tracked online through third party cookies and discusses some options for protecting privacy. It begins with an introduction of the presenter and their company, SecureState. It then explains how advertising companies use third party cookies to track browsing habits across many websites to display targeted ads. The document reviews some browser configuration and add-on options for blocking cookies and tracking, as well as opt-out services that can remove your information from certain advertiser databases. It concludes by emphasizing the need to understand one's own risk tolerance and the limitations of privacy protections.

1. Data Mining, It's Your Data
May 14, 2011

2. Agenda
• Intro
– About Your Presenter
– About SecureState
• Who is Tracking You
• Legality
• How to (try to) Protect Yourself
– Browser Configurations
– Browser Add-ons
– Opt-Out Services
• Closing
– Q&A
2

3. About Your Presenter
• Jake Garlie
• Security Consultant at SecureState
• Specializes in External, Internal and Wireless Penetration
Tests, Web Application Security Assessments
3

4. SecureState Overview
A Management Consulting Firm Specializing in Information Security
• Founded in September 2001
• Payment Card Industry Certified (PCI)
• Qualified Security Assessor (QSA)
• Approved Scanning Vendor
• Qualified Payment Application
Security Company
• Largest dedicated security company
in the Great Lakes
• Number of Employees 47
4

5. The Company We Keep We Keep
The Company
Key Industries: Retail , Financial Services, Healthcare, Critical Infrastructure, Professional Services,
Service Providers, Education, Food Service, Entertainment and Government

6. SecureState Overview
Audit and Compliance
•PCI (Payment Card Industry)
•ISO 27001/SAS 70
•SOX, GLBA, HIPAA, TR-39, NERC/CIP etc.
•INFOSEC (Information System Security Risk Assessment)
Profiling and Attack
• Web Application Security (WAS)
• Attack and Penetration Services (internal, external, client, physical, wireless)
• Wireless Audits
• Training
Risk Management
• Security Program Manager (SPM)
• StateScan
• SecureTime
• Architecture Reviews
Business Preservation Services
• Data Forensics/Incident Response
• Business Impact Analysis
Advisory Services
• CISO Advisement
• Risk Management
• Special Projects
6

7. Terminology
• Cookie
– Piece of data (usually a text file) stored in the browser
– Can be used for authentication, shopping carts, and more
• First-Party cookie
– Cookie issued by Yahoo.com while viewing Yahoo.com
• Third-Party cookie
– Cookie issued by SecureState.com while viewing Yahoo.com
• Flash Cookies
– Can be first or third-party cookies
– Outside of browser’s control
– Remain after “clearing cookies”
7

8. Who is Tracking You?
8
http://onlinehomebusinessidea.com/wp-content/uploads/2010/02/targeted-visitors-with-niche-blueprint-300x225.jpg

9. Advertising Companies
…and many, many more
9

10. Why?
10
http://www.decidetostayfit.com/blog/wp-content/uploads/2010/11/make-money-beachbody-coach.jpg

11. How it Works
• Advertising companies contract with businesses
• Businesses allow advertisers to place content on
their web sites
• Your browsing habits and search criteria can be
tracked and sent to these advertising companies
• Next time you go to a website with the same
advertising scripts, they will display relevant ads
11

12. 12

13. Legality
EU Safe Harbor law governs European Union nations
1. Notice
2. Purpose
3. Consent
4. Security
5. Disclosure
6. Access
7. Accountability
13

14. Legality (cont.)
• U.S. has no law enforcing online privacy policies
• FTC has the “Do Not Track” initiative
• Companies can be reported/fined if not abiding to
their policy
14

15. Privacy Policies
• Not required in the U.S.
• Many large sites/organizations have them
• Adding “/privacy” or “/policy” to find policies quickly
• Explain what information is stored, tracked and
transferred
15

16. Privacy Policies (cont.)
www.facebook.com/policy.php
www.google.com/privacy
16

17. Privacy Policies (cont.)
www.amazon.com/privacy 17

18. How to (try to) Protect Yourself
18
http://www.lindaforpresident2011.com/wp-content/uploads/2011/02/protection-order-stop1.jpg

19. Options
• Browser Settings
– Private Browsing
• Browser Add-ons
• Opt-Out Services
19

20. Browser Settings (Internet Explorer)
Tools > Internet Options > Privacy
Advanced Settings
20

21. Browser Settings (IE cont.)
21

22. Browser Settings (IE cont.)
IE Privacy Settings affect
other applications too!
Cisco’s SSL VPN Client 22

23. Browser Settings (Firefox)
Tools > Options… > Privacy
Recommended settings
shown, but may hamper
browsing due to blocking
third-party cookies.
23

24. Browser Settings (Google Chrome)
> Options > Under the Bonnet > Privacy > Content Settings
24

25. Browser Settings (Safari)
> Preferences… > Security
25

26. Private Browsing
26
http://ngiley.com/wp-content/uploads/2010/03/private-browsing-laptop.jpg

27. Private Browsing (cont.)
• Can also be referred to as Incognito or InPrivate
• Prevents history, cache files, searches and cookies
from being stored after exiting Private Browsing, or
closing your browser
• Does not prevent websites from storing on their end
• Prevents many add-ons from functioning
• Meant to protect against other users on a system
27

28. Browser Add-Ons
• Ghostery
• BetterPrivacy
• Tor (TorButton)
• NoScript
• AdBlock Plus
• TrackerBlock
• Advertising Cookie Opt-Out
28

29. Ghostery
• http://www.ghostery.com/
• Created by the folks at Evidon
• Pros:
– Cross Platform
– Easy to Install/Configure
– Blocks Flash/Silverlight
Cookies
– White-listing of sites
• Cons:
– Advanced Settings may be
confusing
29

30. Ghostery (cont.)
30

31. 31

32. Ghostery (cont.)
Deleting Flash/Silverlight
Cookies Provides Extra
Security
32

33. BetterPrivacy
Pros:
• Cleans up Flash Cookies
(Local Shared Objects, LSO)
• Can alert when LSOs are created
• Can schedule deletion while
browsing
Cons:
• Firefox only
• Functionality is also in Ghostery
33

34. 34

35. 35

36. Tor (The Onion Router) Project
• https://www.torproject.org/
• "Tor is a network of virtual tunnels that
allows people and groups to improve
their privacy and security on the
Internet." Pros:
•Very Anonymous
•Exit node changes often
Cons:
•Slower Browsing
•Confidentiality goes out the
window
•Technical to configure
36

37. Before
37

38. After
38

39. NoScript
Pros:
• Blocks untrusted JavaScript, Java,
Flash
• Can prevent attacks
• Highly configurable
Cons:
• Firefox only
• Takes time and patience to tune
effectively
• Easy to become desensitized
39

40. 40

41. AdBlock Plus
Pros:
• Can block Iframes, scripts, and Flash.
• Uses Filter Subscriptions to block content
• “EasyList” filter has over 4 million subscribers
• Replaces advertisements with whitespace
Cons:
• Firefox and Chrome only
41

42. AdBlock Plus (cont.)
Before
After
42

43. TrackerBlock
Pros:
• Blocks cookies and deletes Flash cookies
• Based on privacy preferences with PrivacyChoice
• Blocks 300+ advertising companies
Cons:
• May conflict with other browser add-ons
43

44. TrackerBlock (cont.)
44

45. Advertising Cookie Opt-Out
• Available for Firefox, Chrome, and IE at
http://www.google.com/ads/preferences/plugin/
• Permanently opts-out of Google’s DoubleClick
Cookie
45

46. Opt-Out Services
• Network Advertising Initiative
• AboutAds.info
• PrivacyChoice
• Evidon
46

47. AboutAds.info
• Collaboration of many organizations in media and
marketing industry
• Self-Regulatory Program for Online Behavioral
Advertising
• Consumer Opt-Out Page
47

48. 48

49. Network Advertising Initiative
Self-regulatory principles set stage for
FTC’s “Do Not Track” initiative
•Opts-Out of 73 Advertising Companies
•Requires Third-Party Cookies
•Has to be reset every time Cookies are
cleared
•Can be white-listed by Browser Add-Ons
49

50. Network Advertising Initiative (cont.)
50

51. PrivacyChoice
•Created TrackerBlock and the Privacy Bookmark
•Have an Opt-Out page
•Lots of great privacy information
51

52. Evidon
•Selected by the Digital Advertising Alliance (DAA) to power the
Self-Regulatory Program for online behavioral advertising
•Searchable Opt-Out Page
52

53. Evidon (cont.)
53

54. Conclusion
• Determine your own level of acceptable risk
• Don't browse to sites you don't trust
• Read the company's privacy policy
• Web-Browser Protections
54

55. Thank you for your time!
Jake Garlie jgarlie@securestate.com
QUESTIONS
ANSWERS
55

56. References
Browser Add-ons
• http://www.ghostery.com/
• https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
• https://addons.mozilla.org/en-US/firefox/addon/noscript/
• https://www.torproject.org/
• https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/
• http://easylist.adblockplus.org/en/
• https://addons.mozilla.org/en-US/firefox/addon/trackerblock/
Opt-Out Pages
• http://www.evidon.com/consumers/profile_manager#tab3
• http://www.networkadvertising.org/managing/opt_out.asp
• http://www.privacychoice.org/trackerblock/firefox
• http://www.privacychoice.org/privacymark
• http://www.aboutads.info/choices/
Other References
• http://www.time.com/time/business/article/0,8599,2058114-1,00.html
• http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
• http://www.reputation.com/
• http://abcnews.go.com/Technology/tracking-online-myths-
track/story?id=12984499 56