458 research outputs found

    Web Tracking: Mechanisms, Implications, and Defenses

    This article surveys the existing literature on the methods currently used by web services to track the user online as well as their purposes, implications, and possible user defenses. A significant majority of reviewed articles and web resources are from years 2012-2014. Privacy seems to be the Achilles' heel of today's web. Web services make continuous efforts to obtain as much information as they can about the things we search, the sites we visit, the people we contact, and the products we buy. Tracking is usually performed for commercial purposes. We present 5 main groups of methods used for user tracking, which are based on sessions, client storage, client cache, fingerprinting, or yet other approaches. A special focus is placed on mechanisms that use web caches, operational caches, and fingerprinting, as they are usually very rich in terms of using various creative methodologies. We also show how the users can be identified on the web and associated with their real names, e-mail addresses, phone numbers, or even street addresses. We show why tracking is being used and its possible implications for the users (price discrimination, assessing financial credibility, determining insurance coverage, government surveillance, and identity theft). For each of the tracking methods, we present possible defenses. Apart from describing the methods and tools used for keeping personal data from being tracked, we also present several tools that were used for research purposes - their main goal is to discover how and by which entity the users are being tracked on their desktop computers or smartphones, provide this information to the users, and visualize it in an accessible and easy to follow way. Finally, we present the currently proposed future approaches to track the user and show that they can potentially pose significant threats to the users' privacy. Comment: 29 pages, 212 reference

    A survey on web tracking: mechanisms, implications, and defenses

    Privacy seems to be the Achilles' heel of today's web. Most web services make continuous efforts to track their users and to obtain as much personal information as they can from the things they search, the sites they visit, the people they contact, and the products they buy. This information is mostly used for commercial purposes, which go far beyond targeted advertising. Although many users are already aware of the privacy risks involved in the use of internet services, the particular methods and technologies used for tracking them are much less known. In this survey, we review the existing literature on the methods used by web services to track the users online as well as their purposes, implications, and possible user defenses. We present five main groups of methods used for user tracking, which are based on sessions, client storage, client cache, fingerprinting, and other approaches. A special focus is placed on mechanisms that use web caches, operational caches, and fingerprinting, as they are usually very rich in terms of using various creative methodologies. We also show how the users can be identified on the web and associated with their real names, e-mail addresses, phone numbers, or even street addresses. We show why tracking is being used and its possible implications for the users. For each of the tracking methods, we present possible defenses. Some of them are specific to a particular tracking approach, while others are more universal (block more than one threat). Finally, we present the future trends in user tracking and show that they can potentially pose significant threats to the users' privacy. Peer Reviewed. Postprint (author's final draft

    The evolution of ISIS in Indonesia

    This report looks at the origins and development of the ISIS support network in Indonesia. Introduction Support for the Islamic State (IS, formerly known as ISIS) in Indonesia raises the risk of violence there even though the capacity of violent extremist groups remains low. This could change with the eventual return home of Indonesians now fighting in Syria and Iraq who will have the training, combat experience, and leadership potential now lacking in Indonesia’s extremist community. The 22 September 2014 exhortation by IS spokesman Al-Adnani to kill foreigners linked to the U.S.-led coalition could also provide an incentive to Indonesian ISIS supporters to target Westerners as a way of earning approval from leaders of the self-declared caliphate. The Indonesian translation of that exhortation includes this passage: If you do not have bombs or bullets, and a kafir (infidel) from America or France or one of their allies comes out, hit him in the head with a rock, carve him up with a knife, hit him with your car, throw him off a high building or poison him! Would-be terrorists in Indonesia for the last four years have focused exclusively on domestic targets, mostly the police, and they continued to do so even after the caliphate was announced. The instruction from Al-Adnani, however, could be taken seriously by those who have both pledged allegiance to IS and have already used or attempted to use violence. This report examines the ISIS support network in Indonesia, how it emerged, who joined it and how it has evolved. It also looks at the Indonesian government’s response. While that response has been forceful, the government still needs to translate decrees into action. It has instructed prison officials to step up monitoring of convicted terrorists, for example, yet Al-Adnani’s grim message was translated by one of those prisoners and posted on radical websites within 24 hours of its issuance. 
President Yudhoyono’s government announced a ban on ISIS on 4 August after the appearance on YouTube of a video called “Joining the Ranks”, in which an Indonesian calling himself “Abu Muhammad al Indunisi” urges others to follow his example and join the jihad in Syria. Abu Muhammad turned out to be an activist named Bahrum Syah with links to an extremist organisation once known as Al Muhajiroun. Al Muhajiroun’s founders, Omar Bakri Muhammad and Anjem Choudary, have gone on to establish a global network of advocacy groups supporting the establishment of Islamic law, if necessary by violent means. The first branch, in the UK where Choudary is based, was called Islam4UK, later Sharia4UK. Each national branch had “Sharia4” in its title; Sharia4Indonesia was established in 2010. A small group of Indonesians inspired by Bakri and Choudary became the engine of the pro-ISIS network in Indonesia. The group runs the website www.al-mustaqbal.net, hereafter referred to as Al-Mustaqbal. It has links to most of the terrorist groups still operating in Indonesia, including the Mujahidin of Eastern Indonesia (Mujahidin Indonesia Timur, MIT) and the Mujahidin of Western Indonesia (Mujahidin Indonesian Barat, MIB). It sponsored most of the ceremonies across Indonesia pledging loyalty to IS after the latter on 29 June 2014 announced the establishment of a caliphate. And its fighters in Syria, including Bahrum Syah, have formed an Indonesian-Malaysian unit of ISIS in Syria that reportedly aims at eventually establishing an archipelagic Islamic State in Southeast Asia, to be called Daulah Islamiyah Nusantara. The report also examines how the announcement of the caliphate has split the Indonesian jihadi community, leading to deep divisions among convicted terrorist prisoners and the splintering of a leading jihadi organisation, Jamaah Anshorul Tauhid (JAT). 
The individual who has emerged as the most important ideological promoter of ISIS is Aman Abdurrahman, a cleric imprisoned in the maximum security complex on the island of Nusakambangan, off the south coast of Java. It is he who became the mentor of the Sharia4Indonesia group and whose followers constitute the glue that binds disparate elements of the Indonesian ISIS network together. The appearance of ISIS may be a rare example of international developments becoming a direct driver of jihadi recruitment in Indonesia. In the past, the drivers have been overwhelmingly local. When Indonesians went to Afghanistan to train in the mid-1980s and early 1990s, they were spurred by repression at home and the desire to develop the capacity to fight Soeharto. The bombing campaign of Jemaah Islamiyah between 1999 and 2002 was sparked by communal conflict at home, in Ambon and Poso. Despite all the rhetoric about support for Palestine, very few Indonesians have ever gone to fight there. The appeal of ISIS is different, a combination of religious prophecies involving Sham (greater Syria); the string of victories in Iraq in June that gave a sense of backing a winner; the resonance of the concept of the caliphate; and sophisticated use by ISIS of social media. At the same time, ISIS has triggered a bigger backlash than ever seen before in the Indonesian Muslim community, suggesting that support will stay limited to a fringe of the radical fringe. The individuals involved are nonetheless dangerous, and it is cause for concern that inmates of high security prisons continue to be among the most active propagators of ISIS views and teachings. Indonesian prison management has improved in recent years, but there is a long way to go. The incoming Jokowi government will have to decide whether to continue the counter-terrorism policies of the Yudhoyono government or ramp them up, including by pressing for strengthened legal tools. 
Either way, it is critical that leadership of the counter-terrorism effort be left in the hands of the police, who over the last decade have accumulated all the institutional knowledge of radical networks

    Cinephilia and online communities

    The accelerated development of digital media over the past few decades has led to a theoretical overhaul of media classification. The rise of the Internet has been designated as a historical dividing point between the age of ‘old’ media and that of ‘new’ media. Old media are unified objects of transmission, and new media are digitally converted and integrated media experiences enabled by the Internet and other digital technology. A debate currently rages over new media’s potential for meaningful positive change. Advocates argue that the transition to digital media signals a force for globalism and democracy, whereas skeptics see little evidence for these claims. However, the progressivism of new media comes into clearer focus when applied to a narrow field of study. The proposed research integrates new media and film studies, focusing on cinephilia, a mode of film consumption that has blended a lofty passion for cinema with intellectual engagement with film history and scholarship. Drawing on the new media concepts of the online knowledge community, weak-tie activism, and peer production, this paper argues that online interactivity, the diminishment of costs for mass organization, and the ease with which films can be digitally circulated have had a substantial progressive impact on cinephilia. The research also touches on the overlooked communal and organizational capabilities of online file sharing, a practice which remains simplistically assessed in terms of its legality. Faculty Mentor: Navarro, Vinicius; Dalle Vacche, Angela - Committee Member/Second Reader; Reilly, J.C. - Committee Member/Second Reade

    Navigating Risk in Vendor Data Privacy Practices: An Analysis of Elsevier's ScienceDirect

    Executive Summary As libraries transitioned from buying materials to licensing content, serious threats to privacy followed. This change shifted more control over library user data (and whether it is collected or kept at all) from the local library to third-party vendors, including personal data about what people search for and what they read. This transition has further reinforced the move by some of the largest academic publishers to move beyond content and become data analytics businesses that provide platforms of tools used throughout the research lifecycle that can collect user data at each stage. These companies have an increasing incentive to collect and monetize the rich streams of data that these platforms can generate from users. As a result, user privacy depends on the strength of privacy protections guaranteed by vendors (e.g., negotiated for in contracts), and a growing body of evidence indicates that this should be a source of concern. User tracking that would be unthinkable in a physical library setting now happens routinely through such platforms. The potential integration of this tracking with other lines of business, including research analytics tools and data brokering services, raises pressing questions for users and institutions. Elsevier provides an important case study in this dynamic. Elsevier is many academic libraries’ largest vendor for collections, and its platforms span the knowledge production process, from discovery and idea generation to publication to evaluation. Furthermore, Elsevier’s parent company, RELX, is a leading data broker. Its “risk” business, which provides services to corporations, governments, and law enforcement agencies based on expansive databases of personal data, has surpassed its Elsevier division in revenue and profitability. For these reasons, it is important to carefully consider Elsevier’s privacy practices, the risks they may pose, and proactive steps to protect users. 
This analysis focuses on ScienceDirect due to its position as a leading discovery platform for research as well as the Elsevier product that researchers are most likely to interact with regularly. Based on our findings, many of ScienceDirect's data privacy practices directly conflict with library privacy standards and guidelines. The data privacy practices identified in our analysis are like the practices found in many businesses and organizations that track and harvest user data to sustain privacy-intrusive data-driven business models. The widespread data collection, user tracking and surveillance, and disclosure of user data inherent to these business models run counter to the library's commitment to user privacy as specified in the ALA Code of Ethics, Library Bill of Rights, and the IFLA Statement on Privacy in the Library Environment. Examples of current ScienceDirect practices found in our analysis that conflict with these standards include:

    • Use of web beacons, cookies, and other invasive web surveillance methods to track user behavior outside and beyond the ScienceDirect website
    • Extensive collection of a broad range of personal data (e.g., behavioral and location data) from ScienceDirect combined with personal data harvested from sources beyond ScienceDirect (i.e., third parties in and outside of RELX and data brokers as stated in Elsevier’s Privacy Policy and U.S. Consumer Privacy Notice)
    • Collection of personal data by third parties, including search engines, social media platforms, and other personal-data aggregators and profilers such as Google, Adobe, Cloudflare, and New Relic, through extensive use of third-party trackers on the ScienceDirect site
    • Disclosure of personal data to other Elsevier products and the potential for disclosure of personal data to other business units within RELX, including risk products and services sold to corporations, governments, and law enforcement agencies
    • Processing and disclosure of personal data (and personal data inferred from personal data) for targeted, personalized advertising and marketing

In particular, ScienceDirect’s U.S. Consumer Privacy Notice, posted and updated in 2023, raises important concerns. The notice describes the disclosure of detailed user data—including geolocation data, sensitive personal information, and inference data used to create profiles on individuals—both for wide-ranging internal use and to external third parties, including “affiliates” and “business and joint venture partners.” The collection and disclosure of data about who someone is, where they are, and what they search for and read by the same overarching company that provides sophisticated surveillance and data brokering products to corporations, governments, and law enforcement should be alarming. These practices raise the question of whether simultaneous ownership of key academic infrastructure alongside sophisticated surveillance and data brokering businesses should be permitted at all—by users, by institutions, or by policymakers and regulatory authorities. Our analysis cannot definitively confirm whether personal data derived from academic products is currently being used in data brokering or “risk” products. 
Nevertheless, ScienceDirect’s privacy practices highlight the need to be aware of this risk, which is not mitigated by privacy policy revisions or potential verbal assurances concerning specific data uses. Privacy policies can be changed unilaterally, and denials are not legally binding. To be meaningful, any privacy guarantee a vendor makes must be durable, verifiable, and not limited to a particular jurisdiction. As many of the largest publishers reinvent themselves as platform businesses, users and institutions should actively evaluate and address the potential privacy risks as this transition occurs rather than after it is complete. In closely analyzing the privacy practices of the leading vendor in this transition, this report highlights the need for institutions to be proactive in responding to these risks and provides initial steps for doing so. This report underscores the significant expertise and capacity required for any institution to understand even one vendor’s privacy practices—and the power asymmetry this creates between vendors and libraries. Collaborative efforts, such as SPARC’s Privacy & Surveillance Community of Practice, can play a key role in supporting future action to address the real privacy risks posed by vendors’ platforms. This report closes with options that institutions may consider to mitigate these risks over the short and longer term

    Paasifica Renewable Technology Analysis

    Practical heuristics to improve precision for erroneous function argument swapping detection in C and C++

    Argument selection defects, in which the programmer chooses the wrong argument to pass to a parameter from a potential set of arguments in a function call, are a widely investigated problem. In statically typed programming languages, the compiler can detect such misuse of arguments only through the argument and parameter types. When adjacent parameters have the same type or can be converted between one another, a swapped or out of order call will not be diagnosed by compilers. Related research is usually confined to exact type equivalence, often ignoring potential implicit or explicit conversions. However, in current mainstream languages, like C++, built-in conversions between numerics and user-defined conversions may significantly increase the number of mistakes that go unnoticed. We investigated the situation for C and C++ languages where developers can define functions with multiple adjacent parameters that allow arguments to pass in the wrong order. When implicit conversions – such as parameter pairs of types ``(int, bool)`` – are taken into account, the number of mistake-prone functions markedly increases compared to only strict type equivalence. We analysed a sample of projects and categorised the offending parameter types. The empirical results should further encourage the language and library development community to emphasise the importance of strong typing and to restrict the proliferation of implicit conversions. However, the analysis produces a hard to consume amount of diagnostics for existing projects, and there are always cases that match the analysis rule but cannot be “fixed”. As such, further heuristics are needed to allow developers to refactor effectively based on the analysis results. We devised such heuristics, measured their expressive power, and found that several simple heuristics greatly help highlight the more problematic cases