Measuring Privacy Loss and the Impact of Privacy Protection in Web Browsing
July 19, 2007 by Richard Conlan
http://cups.cs.cmu.edu/soups/2007/proceedings/p52_krishnamurthy.pdf
Diffusion of private information to third-party sites is a growing issue. Such diffusion occurs without the user's direct knowledge, because the browser performs it. Third-party sites gain knowledge about users (e.g. IP addresses, cookies), and that knowledge allows a user's accesses to first-party sites to be aggregated and correlated. The primary goal of this work is to examine techniques to limit diffusion of private information and to examine the trade-offs of these techniques between providing privacy protection and impacting page quality.
Currently available options:
- disable cookies
- disable JavaScript
- filter ads
- block images
Not directly available yet, but doable:
- filter all third-party objects
- remove JavaScript content entirely
- filter requests with identifying URLs (i.e. URLs with queries)
- filter objects from top aggregation servers
- remove Web bugs
What happens when we do some of these things?
- error occurs - explicit message and no page content
- warning occurs - explicit message with possibly modified page content
- nothing explicit occurs, but the page is deformed, corrupted, or otherwise less usable
The study examined over one thousand websites to examine the first- and third-party effects of changes in settings for cookies, JavaScript, and URLs in which some query parameter is uniquely identifying (Google Analytics is used as an example of this last type of identifying information). The findings indicated that the average web page incorporates 2.9 third-party accesses, with 41% of those going to one of doubleclick.net, 2mdn.net, atdmt.com, google-analytics.com, 2o7.net, googlesyndication.com, akamai.net, advertising.com, hitbox.com, and questionmarket.com.
The results include a very interesting chart showing how much usability is lost for each technique, a chart of the cumulative privacy risks of the various technologies, followed by graphs visualizing the privacy vs. usability trade-offs.
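To make three of the filtering techniques listed above concrete (filter all third-party objects, filter URLs with queries, filter objects from top aggregation servers), here is an added example that is not taken from the paper or the post. It classifies the requests of one constructed page load and counts what each policy blocks and what third-party traffic the narrower policies still let through. The sample URLs, the function names, and the "last two host labels" approximation of a site are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Top aggregation domains named in the post's summary of the study.
TOP_AGGREGATORS = {
    "doubleclick.net", "2mdn.net", "atdmt.com", "google-analytics.com",
    "2o7.net", "googlesyndication.com", "akamai.net", "advertising.com",
    "hitbox.com", "questionmarket.com",
}

def site(url):
    """Approximate the registrable domain as the last two host labels.
    Assumption: adequate for .com/.net; real code needs the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def classify(page_url, request_url):
    """Return the set of filtering policies that would block this request."""
    req_site = site(request_url)
    checks = {
        "third_party": req_site != site(page_url),
        "identifying_url": bool(urlsplit(request_url).query),  # "URLs with queries"
        "top_aggregator": req_site in TOP_AGGREGATORS,
    }
    return {name for name, hit in checks.items() if hit}

def summarize(page_url, requests):
    """Count requests blocked per policy, and third-party requests each narrower policy misses."""
    blocked = {"third_party": 0, "identifying_url": 0, "top_aggregator": 0}
    leaked = {"identifying_url": 0, "top_aggregator": 0}
    for request_url in requests:
        hit = classify(page_url, request_url)
        for policy in hit:
            blocked[policy] += 1
        if "third_party" in hit:
            for policy in leaked:
                if policy not in hit:
                    leaked[policy] += 1
    return blocked, leaked

# Constructed sample: one page load on a hypothetical first-party site.
PAGE = "http://www.example.com/news/index.html"
REQUESTS = [
    "http://www.example.com/style.css",
    "http://static.example.com/logo.gif",
    "http://www.example.com/search?q=privacy",
    "http://ad.doubleclick.net/adj/example;sz=728x90",
    "http://www.google-analytics.com/__utm.gif?utmn=12345&utmcc=abc",
    "http://widgets.example.net/widget.js",
]
```

In this sample the query-URL filter also blocks the first-party search request, while the aggregator list misses the unlisted third-party widget host, which is the privacy versus page-quality trade-off in miniature.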