
10.06.2019 | Technische Universität Darmstadt

Max Maass, Stephan Schwär, Matthias Hollick – Secure Mobile Networking Lab, TU Darmstadt

PrivacyMail: Towards Transparency in Email Tracking


Slides & Paper: https://maass.xyz/talk/apf2019/

Time to check Emails?


Three reasons to keep listening


Wait, Email tracking?


Tracking views
• Remote images
• Remote style sheets

Tracking interactions
• Personalized links

Linking identities
• Email is used on multiple devices
• Allows linking the advertising profiles
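The two view-tracking vectors and the personalized links listed above can be checked statically from a delivered mail. The following is an added example written for this page, not PrivacyMail's own code: it collects remote images and stylesheets from an HTML body, marks tiny images as likely tracking pixels and hosts outside the sender's domain as third parties, and flags a link as personalized when it differs between two copies of the same newsletter delivered to two test identities. The HTML input, the host names and the two identities are constructed; the 1x1-pixel heuristic and the position-wise link comparison are assumptions made for this example.

```python
"""Static check of a newsletter's HTML body for the tracking vectors named above.

Added example for this page, not PrivacyMail's own code. It assumes two copies of
the same newsletter delivered to two different test identities are available, so
that links differing between the copies can be flagged as personalized.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _is_third_party(host, sender_domain):
    """True unless host is the sender's domain or one of its subdomains."""
    return not (host == sender_domain or host.endswith("." + sender_domain))


class _ResourceCollector(HTMLParser):
    """Collects remote images, remote stylesheets and links from an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []        # (url, width attribute, height attribute)
        self.stylesheets = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src", "").startswith(("http://", "https://")):
            self.images.append((a["src"], a.get("width"), a.get("height")))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower():
            if a.get("href", "").startswith(("http://", "https://")):
                self.stylesheets.append(a["href"])
        elif tag == "a" and a.get("href", "").startswith(("http://", "https://")):
            self.links.append(a["href"])


def analyze_view_tracking(html_body, sender_domain):
    """List the remote resources fetched when the mail is rendered.

    Each remote fetch tells its host that, when, from which address and with
    which client the mail was opened. Images with width and height of 0 or 1
    are marked as likely tracking pixels (a heuristic assumed for this example).
    """
    p = _ResourceCollector()
    p.feed(html_body)
    findings = []
    for url, w, h in p.images:
        host = urlsplit(url).hostname or ""
        findings.append({"kind": "image", "url": url, "host": host,
                         "pixel": w in ("0", "1") and h in ("0", "1"),
                         "third_party": _is_third_party(host, sender_domain)})
    for url in p.stylesheets:
        host = urlsplit(url).hostname or ""
        findings.append({"kind": "stylesheet", "url": url, "host": host,
                         "pixel": False,
                         "third_party": _is_third_party(host, sender_domain)})
    return findings


def personalized_links(html_copy_a, html_copy_b):
    """Return (url_a, url_b) pairs for links that differ between two recipients.

    Identical links carry no per-recipient token; links that differ let the
    sender attribute a click to one recipient (interaction tracking). The two
    copies are assumed to contain the same links in the same order.
    """
    pa, pb = _ResourceCollector(), _ResourceCollector()
    pa.feed(html_copy_a)
    pb.feed(html_copy_b)
    return [(a, b) for a, b in zip(pa.links, pb.links) if a != b]


# Constructed sample: one newsletter as delivered to test identities 111 and 222.
MAIL_A = """<html><head>
<link rel="stylesheet" href="https://cdn.example-tracker.net/style.css?u=111">
</head><body>
<img src="https://news.example.com/logo.png" width="200" height="60">
<img src="https://t.example-tracker.net/open?u=111" width="1" height="1">
<a href="https://news.example.com/article/42">Read more</a>
<a href="https://click.example-tracker.net/c/111/42">Buy now</a>
</body></html>"""
MAIL_B = MAIL_A.replace("111", "222")


if __name__ == "__main__":
    for f in analyze_view_tracking(MAIL_A, "example.com"):
        flags = ("pixel " if f["pixel"] else "") + ("third-party" if f["third_party"] else "")
        print(f"{f['kind']:10} {f['host']:24} {flags.strip():18} {f['url']}")
    for a, b in personalized_links(MAIL_A, MAIL_B):
        print("personalized link:", a, "vs", b)
```

Running the block on the constructed sample reports the logo as a first-party image, the 1x1 image and the stylesheet as third-party view trackers, and the "Buy now" link as personalized; the "Read more" link is identical for both identities and is not flagged. A real analysis would run this over every mail a registered identity receives rather than over one pair.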


What’s the big deal?

Tracking is highly prevalent: between 24% [3] and 85% [1] of Emails contain tracking.

The website knows [2]:
• If you opened the Email
• When you opened the Email
• Which device you used
• Potentially linking it to other profiles online
• Which software you used
• Where you were (IP-based geolocation)

This data can also be shared with others using HTTP redirects for cookie syncing [1].


How can we detect it?

Static Analysis: used in [2, 3]
Dynamic Analysis: used in [1]


Prior Work

Three studies on Email privacy:
• Englehardt et al. [1]: Dynamic analysis of newsletters of popular websites. Find widespread tracking and information leakage. Also evaluate defensive measures.
• Xu et al. [2]: Static analysis of their own Email accounts and newsletters from top websites. Evaluated privacy risks. Also performed a study of user acceptance of tracking.
• Hu et al. [3]: Static analysis of a large corpus collected from disposable Email services. Also studies risks of using disposable Email systems.

Similar systems for web privacy:
• PrivacyScore.org [4, 5]
• Webbkoll.dataskydd.net [6]


Registering a Service

“I want to sign up example.com”
“Please use [email protected]”
“Hi, I am [email protected]”
“Please confirm your registration”
“Registration confirmed” (after manual inspection)
“Here’s your Newsletter”


Dynamic Analysis

Components (architecture diagram): Mail server, Crawler, OpenWPM, Analyzer, DB


Live Demo


Results – Third Party Prevalence

Results from 136 newsletters, 10 208 Emails analyzed

                  # of services   Percentage of total
Embeds on view    112             82 %
Embeds on click   104             76 %
Embeds either     116             85 %


Results – Third Party Prevalence

Results from 136 newsletters, 10 208 Emails analyzed

Third Party       Embed Count   Type
mailchimp.com     16            Tracker
googleapis.com    12            CDN
gstatic.com       12            CDN
list-manage.com   11            Tracker
srv2.de           10            Tracker
ioam.de           8             Tracker
cloudfront.net    6             CDN
amazonaws.com     6             CDN
exactag.com       4             Tracker
mojn.com          4             Tracker


Results – Cookie Syncing

1. http://li.fastcompany.com/imp?[...]&e=<plaintext email address>&p=20182
2. http://p.liadm.com/imp?[...]m=<MD51>&sh=<SHA1>&sh2=<SHA256>[...]&dom=<plaintext email domain>
3. http://i.liadm.com/s/h/33013?m=<MD51>&sh1=<SHA1>&sh2=<SHA256>[...]
4. http://i.liadm.com/s/h/33013?sh2=<SHA256>&[...]&m=<MD51>&[...]&sh1=<SHA1>&previous_uuid=<UUID1>
5. http://sync.mathtag.com/sync/img?mt_exid=36&redir=http%3A%2F%2Fi.liadm.com%2Fs%2Fe%2F33013%2F0%2F<MD53>%3Fmpid%3D7156%26muid%3D%5BMM_UUID%5D&licd=27296&previous_uuid=<MD53>
6. http://sync.mathtag.com/sync/img?mt_exid=36&redir=http%3A%2F%2Fi.liadm.com%2Fs%2Fe%2F33013%2F0%2F<MD53>%3Fmpid%3D7156%26muid%3D%5BMM_UUID%5D&licd=27296&previous_uuid=<MD53>&mm_bnc&mm_bct
7. http://i.liadm.com/s/e/33013/0/<MD53>?mpid=7156&muid=<UUID2>


Results – Email Address Disclosure

Results from 136 newsletters, 10 208 Emails analyzed

Leak Algorithm   # Services   Examples
MD5              9            Expedia.de, asgoodasnew.com
URLencode        7            spd.de, humblebundle.com
SHA-256          6            Ticketmaster.de, lidl.de
Plaintext        5            spd.de, suedkurier.de
Base64           3            Expedia.de, booking.com
SHA-1            2            Fastcompany.com

Leak Algorithm   # 3Ps (third parties)
MD5              15
URLencode        12
SHA-256          10
Plaintext        8
Base64           3
SHA-1            2
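To determine which of the leak algorithms in the tables above a mail actually uses, and which parties receive the identifier once redirect targets such as the redir= parameter in the cookie-syncing chain are followed, here is an added example (not PrivacyMail's own code). It computes the recipient address in the six encodings, scans every URL found in a mail together with every URL nested inside a query parameter, and reports host and encoding per hit. The hosts, parameter names and the test identity are constructed placeholders modelled on the chain shown on the cookie-syncing slide; hashing the lowercased address is an assumption.

```python
"""Detect disclosure of a recipient's email address in the URLs of a newsletter.

Added example; not PrivacyMail's own code. It checks the six leak algorithms from
the results table (plaintext, URL-encoding, Base64, MD5, SHA-1, SHA-256) and also
follows URLs nested inside query parameters, as in the redir= parameter of the
cookie-syncing chain, so that every party receiving the identifier is listed.
Hosts, parameter names and the test identity below are constructed placeholders.
"""
import base64
import hashlib
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHMS = ("URLencode", "Plaintext", "Base64", "MD5", "SHA-1", "SHA-256")


def address_encodings(address):
    """Return the address in each form listed in the leak-algorithm table.

    Hashes are computed over the lowercased address, the usual convention for
    hashed-email identifiers (an assumption, not taken from the slides).
    """
    raw = address.strip().lower().encode()
    return {
        "Plaintext": address,
        "URLencode": quote(address, safe=""),
        # Padding is stripped: "=" is often itself percent-encoded inside a URL.
        "Base64": base64.b64encode(raw).decode().rstrip("="),
        "MD5": hashlib.md5(raw).hexdigest(),
        "SHA-1": hashlib.sha1(raw).hexdigest(),
        "SHA-256": hashlib.sha256(raw).hexdigest(),
    }


def expand_nested_urls(url, depth=3):
    """Yield url and every URL carried inside one of its query parameters."""
    yield url
    if depth == 0:
        return
    # parse_qsl percent-decodes values, so an encoded redirect target becomes a URL.
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.startswith(("http://", "https://")):
            yield from expand_nested_urls(value, depth - 1)


def find_disclosures(urls, address):
    """Return (host, algorithm, url) triples for every URL carrying the address.

    Matching is case-insensitive on the raw URL text, so an address that is
    URL-encoded is reported as URLencode rather than Plaintext. One URL can
    yield several hits when it carries more than one hash of the address.
    """
    needles = {algo: enc.lower() for algo, enc in address_encodings(address).items()}
    hits = []
    for top in urls:
        for url in expand_nested_urls(top):
            haystack = url.lower()
            host = urlsplit(url).hostname or ""
            for algo in ALGORITHMS:
                if needles[algo] in haystack:
                    hits.append((host, algo, url))
    return hits


def hosts_receiving(urls, address, algorithm):
    """Set of hosts that receive the address under one specific encoding."""
    return {host for host, algo, _ in find_disclosures(urls, address) if algo == algorithm}


# Constructed sample input modelled on the request chain shown on the slides.
RECIPIENT = "testuser@privacymail.example"
_enc = address_encodings(RECIPIENT)
SAMPLE_URLS = [
    "http://li.example-pub.test/imp?id=1&e=" + RECIPIENT + "&p=20182",
    "http://p.example-adtech.test/imp?m=" + _enc["MD5"] + "&sh=" + _enc["SHA-1"]
    + "&sh2=" + _enc["SHA-256"] + "&dom=privacymail.example",
    "http://sync.example-dsp.test/sync/img?mt_exid=36&redir="
    + quote("http://i.example-adtech.test/s/e/1/0/" + _enc["MD5"] + "?mpid=7156", safe=""),
    "http://news.example-pub.test/article/42",  # carries no identifier at all
]


if __name__ == "__main__":
    for host, algo, url in find_disclosures(SAMPLE_URLS, RECIPIENT):
        print(f"{host:28} {algo:9} {url}")
```

On the constructed sample the MD5 hash is reported for three hosts: the ad-tech host that receives it directly, the sync host whose query string carries it inside the redirect target, and the nested redirect host. That is the property of cookie syncing the slide illustrates, namely that one identifier reaches several parties in a single chain. A practitioner would feed the URLs extracted from every received mail (and, for dynamic analysis, the URLs observed when the mail is rendered) into find_disclosures with the identity that was registered for that service.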


Decoding hashed Emails is hard, right?

developer.myacxiom.com/code/api/endpoints/hashed-entity
datafinder.com/products/email-recovery


Results – A/B Testing

A/B testing detected by comparing related Emails (time, title, …)

3 sites use A/B testing, all of them online shops


Lessons Learned from Prior Email Privacy Research

• Lack of awareness in the general population [2]
• Useful defense mechanisms are missing
• “Asking nicely” probably won’t work
• Ad-blocking lists have bad coverage for Email tracking [1]
• “Just use plaintext mail only” works for experts, but does not work for entire populations
• “Don’t load remote content” defends against view-tracking, but not click-tracking
• We attempt transparency for online tracking [4], but had a mixed success rate in the past [5]


Conclusion

• Web tracking is only part of the online privacy picture
• Email tracking should be considered a threat
• We provide a transparency system
• Feel free to use it: https://PrivacyMail.info/
• Problems? Ideas? Pull Requests? https://github.com/PrivacyMail/PrivacyMail
• Want access to the data? Contact me! mmaass [at] seemoo.tu-darmstadt.de


Literature and Acknowledgements

[1] Englehardt, S., Han, J., Narayanan, A.: I never signed up for this! Privacy implications of email tracking. Proc. Priv. Enhancing Technol. (2018).
[2] Xu, H., Hao, S., Sari, A., Wang, H.: Privacy Risk Assessment on Email Tracking. In: IEEE INFOCOM (2018).
[3] Hu, H., Peng, P., Wang, G.: Characterizing Pixel Tracking through the Lens of Disposable Email Services. In: IEEE Security & Privacy (2019).
[4] Maass, M., Wichmann, P., Pridöhl, H., Herrmann, D.: PrivacyScore: Improving Privacy and Security via Crowd-sourced Benchmarks of Websites. Lect. Notes Comput. Sci. 10518 LNCS (2017).
[5] Maass, M., Walter, N., Herrmann, D., Hollick, M.: On the Difficulties of Incentivizing Online Privacy through Transparency: A Qualitative Survey of the German Health Insurance Market. In: 14. Internationale Tagung Wirtschaftsinformatik (2019).
[6] Andersdotter, A., Jensen-Urstad, A.: Evaluating Websites and Their Adherence to Data Protection Principles: Tools and Experiences. In: IFIP Advances in Information and Communication Technology (2016).

Part of this research was funded by the DFG as part of subproject C.1 within the RTG 2050 “Privacy and Trust for Mobile Users”. Image source: pixabay.com (public domain images)


Meet the Trackers – LiveIntent

Source: liveintent.com/advertiser-solutions/


Meet the Trackers – MediaMath

Source: mediamath.com/brands/