The Basics of Data Security: Companies
CC-BY Fabian M. Suchanek
Overview
• What the big companies know
• What the data is used for
• Societal questions
• Data protection
What the big companies know
Your email provider, your social network and/or your search engine know:
• your emails
• your purchases on the Web
• your trips
• your Web searches
• your exact location (if logged in to Maps)
• the people you interact with
• what you like
• when you are online
BUT: The companies deliver a high‐quality, free service in return!
You have to find a balance that works for you!
What Facebook may know
depression
political orientation
impulsivity
values
sensational interests
field of study
substance use
physical health
gender
age
education level
relationship status
“mother type”
wants to buy a car
age of car
how much money will spend
balance on the credit card
types of clothing
heavy buying of alcohol
pain relief buyers
type of restaurants
receptivity to online insurance offers
likely moving soon
type of vacation
personality type
blue = what advertisers can target
Try it out with Cambridge tool
Facebook allows targeting ads
The NGO ProPublica bought ads and asked to exclude African Americans, mothers of high school kids, people interested in wheelchair ramps, Jews, expats from Argentina and Spanish speakers.
[ProPublica]
How Facebook puts ads
Each Facebook user in the US generates 112 USD of revenue per year.
Even if you log out, Facebook’s cookies remain.
How Facebook puts ads
Go check your privacy settings!
What WhatsApp knows
WhatsApp shares your phone number, contact list, and usage data with Facebook. The online time is also publicly available, and can be used to build profiles. The messages themselves are private.
https://www.onlinestatusmonitor.com
What WhatsApp & Facebook share
WhatsApp collects or can collect
• User phone numbers
• Profile pictures
• When a user was last online
• Purchases
• Location
• Contacts
• Identifiers
• Usage data
Facebook can now share this data with its family of companies. [Ars Technica]
In particular, WhatsApp sends your address book to the company. A German court ruled that this infringes the rights of your contacts [Zeit.de].
What Google knows
http://google.com/dashboard
Go check your privacy settings!
What Google knows
(Real example in my family, deduced automatically by Google)
Check what profile Google has deduced for you:
https://adssettings.google.com/
What Google knows
Signing in to Gmail... ...automatically signs you in to Chrome.
If you chose to synchronise your browsing history (or do so in the future), all your history is sent to Google.
This automated sign-in was introduced without warning — what if other changes are introduced the same way?
If you use Android, Chrome sends Google your location every time you do a search.
And Apple...
https://appleid.apple.com/
Go and download your data!
Google pays Apple ca. 10b USD/year to be the standard search engine on iPhone. This is 15-20% of Apple’s revenue and 50% of Google’s traffic. (According to a complaint by the US government)
Fingerprinting
[Figure: “User visits:” / “Server connects to:” ...to deliver ads at runtime]
Google knows: The same person visited these two Web sites. If the person ever logs in to their Google account, Google knows who they are.
Facebook’s LIKE button has the same function.
Fingerprinting
[Figure: “User visits:” / “Server connects to:” ...to deliver ads at runtime]
Tracking works either by IP address, or by cookies, or by “fingerprinting” the configuration of your browser and system.
See how companies can track you: https://browserleaks.com/
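Added example (not from the slides): the three identifiers named above, compared on a constructed request log of one ad server embedded on several sites. All hosts, IPs, cookie IDs and browser attributes are made up; it shows which visits each identifier links to the browser that sent the first request.

```javascript
// Constructed requests, as logged by one hypothetical ad server that is
// embedded on several sites. All hosts, IPs and IDs are made up.
const A = { ua: "Firefox/126 Linux", screen: "2560x1440", tz: "Europe/Paris", fonts: 212 };
const B = { ua: "Safari/17 macOS", screen: "1440x900", tz: "Europe/Paris", fonts: 97 };
const REQUESTS = [
  { site: "news.example",   ip: "203.0.113.7",   cookie: "c-81f2", ...A },
  { site: "shoes.example",  ip: "203.0.113.7",   cookie: "c-81f2", ...A },
  // Same browser later: cookies cleared, different network.
  { site: "health.example", ip: "198.51.100.23", cookie: null,     ...A },
  // Another person's browser behind the same home router.
  { site: "bank.example",   ip: "203.0.113.7",   cookie: "c-1a00", ...B },
];

// The three identifiers named on the slide.
const IDENTIFIER = {
  ip: (r) => r.ip,
  cookie: (r) => r.cookie,
  fingerprint: (r) => [r.ua, r.screen, r.tz, r.fonts].join("|"),
};

// Group the sites seen under each identifier value.
function linkSites(requests, method) {
  const groups = new Map();
  for (const r of requests) {
    const key = IDENTIFIER[method](r);
    if (key == null) continue; // no identifier present, nothing to link on
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(r.site);
  }
  return groups;
}

// Sites a tracker would attribute to the browser that sent `probe`.
function profileOf(requests, method, probe) {
  const sites = linkSites(requests, method).get(IDENTIFIER[method](probe));
  return sites ? [...sites].sort() : [];
}

for (const m of Object.keys(IDENTIFIER)) {
  console.log(m.padEnd(12), profileOf(REQUESTS, m, REQUESTS[0]).join(", "));
}
```

The IP address merges two different people behind one router, the cookie loses the visit made after cookies were cleared, and the fingerprint still links all three visits of the same browser.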
Browser Referrals
Via the referrer header, the browser tells a Web site which Web site you came from. This may include form data.
https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&parent=1&pregnant=1&mec=&zip=85601&state=AZ&income=35000& &step=4?
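Added example (not from the slides): which form fields of the URL above a third party receives in the referrer under each Referrer-Policy value. The third-party host `ads.example` is an assumption, the slide's URL is used with its garbled tail dropped, and a "downgrade" is simplified to https -> non-https.

```javascript
// URL from the slide, with its garbled tail dropped.
const PAGE = "https://www.healthcare.gov/see-plans/85601/results/" +
  "?county=04019&age=40&smoker=1&parent=1&pregnant=1&mec=&zip=85601&state=AZ&income=35000";
// Hypothetical third-party ad host (an assumption, not from the slides).
const THIRD_PARTY = "https://ads.example/pixel.js";

const POLICIES = ["no-referrer", "same-origin", "origin", "strict-origin",
  "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "no-referrer-when-downgrade", "unsafe-url"];

// Referrer a browser would send from `fromUrl` to `toUrl` under `policy`.
// Simplification: "downgrade" means https -> non-https.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  from.hash = ""; from.username = ""; from.password = ""; // never sent
  const full = from.href, originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "same-origin": return sameOrigin ? full : null;
    case "origin": return originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "unsafe-url": return full;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Names of the form fields the receiver can read out of the referrer.
function leakedFields(referrer) {
  return referrer ? [...new URL(referrer).searchParams.keys()] : [];
}

// Policy -> leaked field names, for one page and one third-party request.
function leakReport(fromUrl, toUrl) {
  const report = {};
  for (const p of POLICIES) report[p] = leakedFields(referrerFor(p, fromUrl, toUrl));
  return report;
}

console.log(leakReport(PAGE, THIRD_PARTY));
```

A site that keeps form data in its URLs can send the response header `Referrer-Policy: strict-origin-when-cross-origin` (or a stricter value) so that other origins receive at most the origin.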
Login extraction
Login extraction uses a third‐party script on a Web site to inject an invisible login form. The browser will then auto‐fill the email address and password of the user. The email address can be used to track the user across sites.
[Figure: mock news page “Breaking news: Scripts extract logins!” with a login form (Login, Password) and MaliciousSite.com. The Economist used just as example.]
1. malicious site injects invisible login form into good site
2. browser fills out form
3. malicious site retrieves login
Disable automatic form filling in the browser!
[Freedom to Tinker, 2017/12/27]
Some data is used to fight crime
In an arson case, police asked Google for all people who searched for
the specific street address, then found the suspect also searched for
“buy a custom machine gun”, “witness intimidation” and
“countries that don’t have extradition with the United States”.
Google, Facebook and Microsoft also turn over child pornography sharers
to the police — by checking their communication.
CNET, 2020-10-08
The data is used for advertisements
You get unsolicited advertisements from companies whom you never
told about your life — even before the event happens.
(real examples in my family)
...and faster than governments.
Instagram makes around $200 from each user per year.
The Economist, 2024-03-13
The data can be used against you
The service providers may also know if you are
• planning a divorce
• having a medical problem
• having an uncommon sexual preference
• under‐age and pregnant
This can influence the ads you see, even if Google explicitly disallows it.
Dubious service providers may sell your information to data brokers, feeding background checks for
• credit scores
• insurance fees and insurance claims
• advertisements
• hiring decisions
See story of pregnant daughter
The data can be used to surveil you
• a US-based group of conservative Catholics bought dating app data to track homosexual clergymen
• the US agencies buy data from telecommunication providers for tracking locations and other data about citizens, used by the marine, the Department of Treasury, and the FBI
[Wired, 2023-06-12]
The data can be used by criminals
Data Breaches
In 2017, names, birthdates, home addresses, phones, religious affiliations, ethnicities & political biases of 60% of the entire US population leaked to the public.
If such data is out
• someone can impersonate you
• someone can blackmail you
• your credibility suffers
• it facilitates phishing
The Ad industry