[tor-commits] r24683: {projects} Remove some header whitespace and tweak some wording. Still (projects/articles/browser-privacy)
Mike Perry
mikeperry-svn at fscked.org
Wed Apr 27 06:11:23 UTC 2011
Author: mikeperry
Date: 2011-04-27 06:11:22 +0000 (Wed, 27 Apr 2011)
New Revision: 24683
Modified:
projects/articles/browser-privacy/W3CIdentity.tex
projects/articles/browser-privacy/usenix.sty
Log:
Remove some header whitespace and tweak some wording.
Still need to lose about a paragraph or two...
Modified: projects/articles/browser-privacy/W3CIdentity.tex
===================================================================
--- projects/articles/browser-privacy/W3CIdentity.tex 2011-04-27 05:43:55 UTC (rev 24682)
+++ projects/articles/browser-privacy/W3CIdentity.tex 2011-04-27 06:11:22 UTC (rev 24683)
@@ -19,7 +19,7 @@
\title{Bridging the Disconnect Between Web Privacy and User Perception}
-\author{Mike Perry \\ The Internet \\ mikeperry at torproject.org}
+\author{Mike Perry \\ mikeperry at torproject.org}
%\institute{The Internet}
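Review bot: With "The Internet" dropped from the `\author` line, the commented-out `%\institute{The Internet}` directly below it is now dead text and could be removed in the same change rather than left as a remnant.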
@@ -52,28 +52,21 @@
to the current user.
The cost of this incentive structure is that user privacy on the web is a
-nightmare. There is
-ubiquitous tracking, unseen partnership agreements and data exchange, and
-surreptitious attempts to uncover users' identities against their will and
-without their knowledge. This is not just happening in the dark, unseemly
-corners of the web. It is happening everywhere~\cite{facebook-like}.
+nightmare. There is ubiquitous tracking, unseen partnership agreements and
+data exchange, and surreptitious attempts to uncover users' identities against
+their will and without their knowledge. This is not just happening in the
+dark, unseemly corners of the web. It is happening
+everywhere~\cite{facebook-like}.
-The problem is that the revenue model of the web has incentivized companies to
-find ways to continue to track users against their will, even if those users
-are attempting to protect themselves through currently available methods.
-Starting with the infamous ``Flash cookies'', we have progressed through a
-seemingly endless arms race of secondary identifiers and tracking information:
-visited history, cache, font and system data, desktop resolution, keystroke
-timing, and so on and so forth~\cite{wsj-fingerprinting}.
-
-These efforts have led to an even wider disconnect between users'
-perception of their privacy and the reality of their privacy. Users simply
-can't keep up with the ways they are being tracked.
+The efforts towards ever increasing amounts of web tracking have led to a
+growing disconnect between users' perception of their privacy and the reality
+of their privacy. Users simply can't keep up with the ways they are being
+tracked~\cite{wsj-fingerprinting}.
%
When users are being coerced into ceding data about themselves without clear
understanding or consent (and in fact, in many cases despite their explicit
attempts to decline to consent), serious moral issues begin to arise.
-%
+
To understand and evaluate potential solutions and improvements to this status
quo, we must explore the disconnect between user experience and the way the
web actually functions with respect to user tracking.
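Review bot: The `\cite{wsj-fingerprinting}` moved from the deleted list of secondary identifiers (visited history, cache, font and system data, desktop resolution, keystroke timing) to the sentence "Users simply can't keep up with the ways they are being tracked", so the citation now backs a claim about user perception rather than the tracking vectors it was cited for; if the list had to go for length, consider keeping a short clause such as "through an arms race of secondary identifiers~\cite{wsj-fingerprinting}" so the reference still supports a technical claim. Separately, replacing the `%` line between "serious moral issues begin to arise." and "To understand and evaluate..." with a blank line changes LaTeX semantics: a `%`-only line is a comment and keeps the two sentences in one paragraph, whereas the blank line starts a new paragraph, so check that the split is intended and that the remaining `%` two lines earlier is meant to stay.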
@@ -82,23 +75,23 @@
examine how users perceive their privacy on the web, comparing the average
user's perspective to what actually is happening technically behind the
scenes, and noting the major disconnects. We then examine solutions that
-bridge this disconnect from two different directions, corresponding to the
-two major sources of disconnect\footnotemark. The first direction is improving
-the linkability issues inherent with the multi-origin model of the web itself.
-The second direction is improving user cues and browser interface to suggest a
-coherent concept of identity to users by accurately reflecting the
-set of unique identifiers they have accumulated. Both of these directions must
-be pursued to provide users with the ability to properly use the web in a
-privacy-preserving way.
+bridge this disconnect from two different directions, corresponding to the two
+major sources of disconnect\footnotemark. The first direction is improving
+user cues and browser interface to suggest a coherent concept of identity to
+users by accurately reflecting the set of unique identifiers they have
+accumulated. The second direction is improving the linkability issues
+inherent with the multi-origin model of the web itself. Both of these
+directions must be pursued to provide users with the ability to properly use
+the web in a privacy-preserving way.
\footnotetext{We only consider implementations that involve privacy-by-design.
Privacy-by-policy approaches such as Do Not Track will not be discussed.}
\section{User Privacy on the Web}
-To properly examine the privacy problem, we must probe both the average users'
-perception of what their ``web identity'' is, as well as the technical
-realities of web authentication and tracking.
+To properly examine the privacy problem, we must probe the average users'
+perception of what their ``web identity'' is, and compare their perceptions to
+the technical realities of web authentication and tracking.
\subsection{User Perception of Privacy}
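Review bot: Swapping the two directions (user cues first, origin-model linkability second) matches the body, which later introduces the origin model as "The other primary source of disconnect", so the overview and the section order now agree. One grammar point in the rewritten sentence: "probe the average users' perception" mixes the singular "average" with a plural possessive; "the average user's perception" would agree with "the average user's perspective" used in the preceding paragraph.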
@@ -268,7 +261,7 @@
Unfortunately, all current private browsing modes protect only against
adversaries with access to the local computer and fail to deal with
-linkability against a network adversary (such as advertising
+linkability against network adversaries (such as advertising
networks)~\cite{private-browsing}, claiming that it is outside their threat
model\footnotemark. If the user is given a new identity that is still linkable
to the previous one due to shortcomings of the browser, the approach has
@@ -296,8 +289,8 @@
The other primary source of disconnect between user expectations and reality
on the web is the origin model that governs cookie and other identifier
transmission. The model allows unique, globally linkable identifiers to be
-transmitted for arbitrary content elements on any page, and they can be
-sourced from anywhere without user interaction or awareness. This property
+transmitted for arbitrary content elements on any page, and such elements can
+be sourced from anywhere without user interaction or awareness. This property
enables popular advertising and content distribution networks to have
near-omniscient visibility into all user activity retroactively after any
level of authentication takes place with a cooperating partner site.
@@ -330,14 +323,14 @@
crafted to include an identifier unique to each user, thus tracking even users
who clear normal cookies.
-The Stanford group correctly observed that the problem with origin model
-improvements is that individually, they do not fully address the linkability
-problem unless the same restriction is applied uniformly to all aspects of
-stored browser state, and all other linkability issues are dealt with.
-Behind-the-scenes partnerships can easily allow companies to continue to link
-users to their identities through any linkable aspect of browser state that is
-not properly compartmentalized to the top level origin and bound to the same
-rules as all other linkable state.
+The Stanford group correctly observed that individually, origin model
+improvements do not fully address the linkability problem unless the same
+restriction is applied uniformly to all aspects of stored browser state, and
+all other linkability issues are dealt with. Behind-the-scenes partnerships
+can easily allow companies to continue to link users to their activity
+through any linkable aspect of browser state that is not properly
+compartmentalized to the top level origin and bound to the same rules as all
+other linkable attributes.
Along these lines, the Mozilla development wiki describes an origin model
improvement for cookie transmission written by Dan Witte~\cite{thirdparty}. He
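Review bot: "top level origin" in the rewritten paragraph should be hyphenated as "top-level origin" to match the usage in the next hunk ("both the top-level and the third-party origins", "their top-level origin"); a single form throughout keeps the double-keying terminology searchable and consistent.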
@@ -348,10 +341,11 @@
did not violate the new model were readily available to web designers and
often already in use.
-Similarly, one could imagine this two-level dual-keyed origin isolation being
-deployed to improve similar issues with DOM Storage and cryptographic tokens.
-This dual-origin policy should be considered a must for all future
-origin-bound identifiers.
+Similarly, this two-level dual-keyed origin isolation can be deployed to
+improve similar issues with DOM Storage and cryptographic tokens, so that
+these identifiers are sent only if both the top-level and the third-party
+origins match. This dual-origin policy should be considered a must for all
+future origin-bound identifiers.
With a clear association between third-party cookies and their top-level
origin due to double-keying, it becomes easier to provide the user with more
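Review bot: "sent only if both the top-level and the third-party origins match" can be misread as requiring the two origins to equal each other, which is not what double-keying means; the identifier is keyed on the pair (top-level origin, third-party origin) and is sent only when the current top-level origin and the requesting third-party origin are the same pair under which it was stored. Consider "sent only when both the top-level origin and the third-party origin match those under which the identifier was set", which also lines up with "a clear association between third-party cookies and their top-level origin" in the following paragraph.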
Modified: projects/articles/browser-privacy/usenix.sty
===================================================================
--- projects/articles/browser-privacy/usenix.sty 2011-04-27 05:43:55 UTC (rev 24682)
+++ projects/articles/browser-privacy/usenix.sty 2011-04-27 06:11:22 UTC (rev 24683)
@@ -66,7 +66,7 @@
\def\@maketitle{\newpage
%\vbox to 0.5in{
- \vbox to 1.5in{
+ \vbox to 0.9in{
%\vspace*{\fill}
%\vskip 2em
\begin{center}%
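Review bot: Shrinking the fixed `\vbox to 1.5in` to `0.9in` in `\@maketitle` can produce an overfull vbox if the title and the two-line author block exceed that height, so the build log should be checked for "Overfull \vbox" warnings after this change. Since `usenix.sty` is a shared template style rather than the paper source, it may also be worth noting in the log that the template was edited locally, so the change is not lost if the style file is refreshed from upstream.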