Resources for the global digital safety training community.
Last Updated 2016-06
In this session, participants learn that advertisers (and others) may know more about us than we think, due to the data that we produce when surfing the web.
This Input offers the opportunity to continue onward with several different Deepenings, depending on the needs and circumstances of trainees - the legal status of encryption where your participants live and work is important to be aware of. For some participants, it may be more appropriate to look at using an HTTPS browser plug-in like HTTPS Everywhere; for others, looking at Tor Browser Bundle may be a better option.
As with many digital security topics, it’s important to make sure everyone has a common language before moving forward. Definitions also indicate some of the risks and mitigations that you’ll go into in more detail later.
To avoid presenting the content solely as a lecture, and to get a better sense of your participants’ knowledge, you can present this section by asking participants how they would define the following terms, then correct their definitions as needed:
A web browser is software that navigates websites - Firefox and Chrome are examples.
Designed to be a mechanism for websites to remember useful information about a user’s current session on a website, their functionality can be over-extended to remember all kinds of information about users, across individual sessions and entire sites.
These are a kind of software designed to add functionality to an existing web browser. They are also referred to as browser “extensions” or “add-ons”.
Refers to any information that is retrieved, sent, stored or can be accessed using a web browser or plug-in software.
Refers to the entire content of a web page, including the URL, text, images, and any hidden content.
Also known as website visitor tracking (WVT), this is the monitoring of visitor behavior on a website - for example, page views, duration of visit, clicks, and referral sources. This can also extend across other sites, multiple sessions, and even long periods of time depending on how the tracking is done. Tracking for advertising purposes seeks to build user identity profiles (age, gender, race, income, location, etc.) in order to refine user targeting.
This includes information about a browser’s software, including version, configuration and plugins. Additionally, this can extend to data on system fonts, installed applications, operating system, preferred languages, etc.
Usernames, passwords and sometimes mobile numbers and other authentication information that is associated with a user’s online account with a given service, company, or other entity.
The detailed log of the websites you have visited and when, often maintained by a browser unless directed to do otherwise via configuring its settings.
Stands for Global Positioning System, which offers precise location information gathered by a global positioning system device - this is what powers the functionality of many websites, apps, and devices known as geo-location.
Each Internet-connected device has a public IP address, assigned by its ISP, that it uses to request and receive data. Approximate geolocation and ISP information is implicit.
Now that some key terminology has been defined, it would be a good time to check in with the group to see what they know about what is really going on behind the scenes when they browse the Web.
Set up some flipchart paper and ask participants what kind of data is available to the websites they view. You can also add things they may have missed:
When you visit a website, your intention is to have confidential communication with the server that hosts the website – and only that server. You might also intend to share webpages with social media when you click a button that says “like” or “share”.
Refer back to your notes on the type of data created while browsing. Connect and explain these vulnerabilities - the table below outlines some of the vulnerabilities and how they connect back to certain types of data.
At this point, you may wish to demonstrate some of these vulnerabilities by opening a browser and visiting Panopticlick and an IP query site such as What Is My IP.
Because of the way web browsers are designed to work with website code to improve user experience, it is surprisingly difficult to protect our privacy. The diversity of the data we’ve mentioned, and the diversity of techniques that can be used to capture it, call for a diversity of mitigation tactics. There are a variety of fixes for each kind of vulnerability.
The number of countries where the use of encryption is illegal has decreased, but legal concerns are still very real for some participants. Before a training, review the laws of where your participants live and work, as well as the laws of where you’re conducting the training, to confirm that the use of technologies highlighted in this section and in Deepening sessions, including the Tor Browser Bundle, is allowed.
Because browser fingerprinting is made easier by customizations to browser settings, the simplest solution is to use Tor Browser in its default configuration, without additional plugins.
At this point, you may wish to demonstrate the benefit of using the Tor Browser Bundle. Open the Tor Browser Bundle and re-visit Panopticlick and What Is My IP to illustrate that the browser is no longer leaking information.
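The idea behind the Panopticlick demonstration, and the reason an unmodified browser is harder to fingerprint, can be shown with a short calculation. This is an added example, not part of the original session material; the visitor records, attribute names and function names are constructed for illustration.

```javascript
// Constructed sample: attributes a website can read from each visiting browser.
const ATTRIBUTES = ['userAgent', 'language', 'timezone', 'fonts', 'plugins'];
const DEFAULT = { userAgent: 'Firefox 45 / Windows', language: 'en-US',
                  timezone: 'UTC', fonts: 'standard set', plugins: '' };
const visitors = [
  { ...DEFAULT }, { ...DEFAULT }, { ...DEFAULT }, { ...DEFAULT }, // unmodified browsers
  { ...DEFAULT, plugins: 'Flash, Java' },                         // customized browsers
  { ...DEFAULT, language: 'fr-FR', timezone: 'UTC+1' },
  { ...DEFAULT, fonts: 'standard set + 40 installed fonts' },
  { userAgent: 'Chrome 50 / Linux', language: 'en-GB', timezone: 'UTC',
    fonts: 'standard set', plugins: 'PDF viewer' },
];

// Combine the chosen attributes, in a fixed order, into one comparable string.
function fingerprint(visitor, keys = ATTRIBUTES) {
  return keys.map((k) => `${k}=${visitor[k]}`).join('\n');
}

// Number of visitors in the sample that look identical to this one.
function anonymitySet(population, visitor, keys) {
  const fp = fingerprint(visitor, keys);
  return population.filter((v) => fingerprint(v, keys) === fp).length;
}

// Bits of identifying information: -log2(share of visitors that look the same).
// More bits means the browser stands out more.
function identifyingBits(population, visitor, keys) {
  return -Math.log2(anonymitySet(population, visitor, keys) / population.length);
}

console.log('unmodified browser:', anonymitySet(visitors, visitors[0]),
            'look-alikes,', identifyingBits(visitors, visitors[0]), 'bits');
console.log('with extra plugins:', anonymitySet(visitors, visitors[4]),
            'look-alike,', identifyingBits(visitors, visitors[4]), 'bits');
console.log('user agent alone:', identifyingBits(visitors, visitors[4], ['userAgent']), 'bits');
```

In this sample the browser with extra plugins is unique once all attributes are combined, even though its user agent alone is shared with most other visitors.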
HTTPS (Secure HyperText Transfer Protocol) ensures that a connection between a user and a website is authenticated and confidential. It uses a strong encryption system called SSL (Secure Sockets Layer) to create a special encoded connection between a computer and the web server that nobody else can see into.
Some websites always provide a protected SSL (HTTPS) connection; for instance, Google services offer session-wide (from log-in to log-out) HTTPS. However, some websites will have an SSL connection available but won’t force users to connect through it – it may very well not even be obvious that it’s there.
Advise participants that in order to prevent someone from reading their browser history, they can change their browser settings to not store browsing history, clear existing browsing history, or browse in an “incognito” tab or mode where history is not recorded.
Change your browser settings to never allow your browser to store sensitive information like passwords, addresses or credit card details. In Chrome, for instance, this setting is located under Settings -> Show advanced settings -> Passwords and Forms.
Change your browser settings to enable “Do Not Track”, in order to notify websites you don’t want to be tracked for (strictly) advertising purposes. It’s modeled after “do not call” lists for telemarketers in some countries.
Change your browser settings to clear cookies after you end a session, block cookies from specific websites or even disallow cookies completely. If you find that certain websites require your browser to accept a cookie in order to log into an account, you can give those sites permission just for your current session. In Firefox, for instance, this Exception list is located under Tools -> Options -> Privacy (tab) -> Exceptions.
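The cookie settings above map onto what a site actually sends in its Set-Cookie headers. The following added example (not part of the original session material) sorts cookies into session, persistent and third-party and pairs each with the matching setting; the hosts, cookie values and function names are constructed, and the third-party test is a simplified host comparison.

```javascript
// Constructed Set-Cookie headers seen while loading a page on news.example
// (hypothetical hosts and values, not captured traffic).
const PAGE_SITE = 'news.example';
const responses = [
  { host: 'news.example', setCookie: 'session=ab12; Path=/; Secure; HttpOnly' },
  { host: 'news.example', setCookie: 'prefs=lang-en; Max-Age=2592000; Path=/' },
  { host: 'cdn.adnet.example',
    setCookie: 'uid=7f3c9; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=adnet.example' },
];

// Split one Set-Cookie value into its cookie name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    attrs[(i < 0 ? part : part.slice(0, i)).toLowerCase()] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.split('=')[0], attrs };
}

// True when the host that set the cookie is not the site in the address bar.
// Simplification: compares host names only, without a public suffix list.
function isThirdParty(pageSite, host) {
  return host !== pageSite && !host.endsWith('.' + pageSite);
}

// Classify one cookie and pick the matching browser setting.
function auditCookie(pageSite, { host, setCookie }) {
  const { name, attrs } = parseSetCookie(setCookie);
  // No Max-Age or Expires means a session cookie, dropped when the browser closes.
  const persistent = 'max-age' in attrs || 'expires' in attrs;
  const thirdParty = isThirdParty(pageSite, host);
  let advice = 'allow: removed when the browser session ends';
  if (persistent) advice = 'clear cookies when the session ends';
  if (thirdParty) advice = 'block cookies from this site';
  return { name, host, thirdParty, persistent, advice };
}

function auditAll(pageSite, list) {
  return list.map((r) => auditCookie(pageSite, r));
}

console.table(auditAll(PAGE_SITE, responses));
```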
Turn off GPS capability on your mobile device, or restrict applications’ access to this data.
Privacy Badger, developed by Electronic Frontier Foundation (EFF), is a browser plug-in that can be used to block user data from being sent to a number of known, third-party servers.
Configuring browser settings to disable JavaScript from running on all sites by default can be accomplished through the use of one of several browser plug-ins. JavaScript is a widely used protocol for generating web-based content that can also gather potentially identifying information from users.
Keeping browser software up to date prevents malicious code embedded in websites from collecting data. See Safer Software Updating here on LevelUp for supporting training material on this topic.