This presentation was provided by Eric Hellman, President, GlueJar for the NISO Two Part Webinar, Understanding Privacy: What Data Is Being Collected and By Whom, held on March 16, 2016.

1. How Your Website Leaks Privacy
Eric Hellman
Free Ebook Foundation
March 16, 2016

2. signals
When we use the internet, we send many signals to
the services we interact with.
Many services take a great interest in the signals
that users emit.
Sometimes users prefer more privacy.
Privacy zealots agree.

4. Not Encrypted!

5. http://university.edu/vendor_library/libweb/actio
n/dlSearch.do?institution=XXX&vid=XXX&tab=eve
rything&search_scope=everything&mode=Basic&
onCampus=false&displayMode=full&highlight=tru
e&displayField=all&pcAvailabiltyMode=true&bulk
Size=30&query=any%2Ccontains%2Cwhat%20to%
20expect%20when%20you%27re%20expecting

6. Who can see this signal?
traceroute to university.hosted.vendor.com(66.151.7.135), 64 hops max,
52 byte packets
1. wireless_broadband_router (192.168.1.1)
2. lo0-100.nwrknj-vfttp-306.verizon-gni.net (108.5.176.1)
3. t1-0-0-12.nwrknj-lcr-22.verizon-gni.net (130.81.216.46)
4. * * *
5. 0.ae7.gw10.ewr6.alter.net (140.222.231.129)
6. teliasonera-gw.customer.alter.net (157.130.91.86)
7. nyk-bb2-link.telia.net (62.115.134.109)
8. chi-b21-link.telia.net (213.155.136.19)
9. internap-ic-150762-chi-b21.c.telia.net (213.248.81.142)
10. border1.ae0-bbnet1.chg.pnap.net (64.94.32.4)
me
Wifi Router
Vendor-
hosted library
service
verizon
alternet
telia
pnap
?

7. Who can see what I’m searching for?
me
Wifi Router
Vendor-
hosted library
service
eve
NSA
?

8. But it’s just the ISPs, right?

10. OK, so Google knows.
• Google knows who I am
– I’m logged in to google (3 different accounts!)
• But, no cookie, Google might not be tracking
me by id. But who knows?
http://www.google-
analytics.com/r/collect?v=1&_v=j41&a=861561779&t=pageview&_s=1&dl=http%3A%2F%2Funiversity.edu%2Fvendor_library%2Flibwe
b%2Faction%2FdlSearch.do%3Finstitution%3DXXX%26vid%3DXXX%26tab%3Deverything%26search_scope%3Deverything%26mode%3
DBasic%26onCampus%3Dfalse%26displayMode%3Dfull%26highlight%3Dtrue%26displayField%3Dall%26pcAvailabiltyMode%3Dtrue%2
6bulkSize%3D30%26query%3Dany%252Ccontains%252Cwhat%2520to%2520expect%2520when%2520you%2527re%2520expecting&d
r=http%3A%2F%2Funiversityd.edu%2F&ul=en-us&de=UTF-8&dt=what%20to%20expect%20when%20you%27re%20expecting&sd=24-
bit&sr=1440x900&vp=1111x299&je=0&fl=21.0%20r0&_u=AACAAEABI~&jid=1553209123&cid=60565101.1450546423&tid=UA-
52592218-11&_r=1&z=1128496919

11. Who else knows??

13. The covers come from Amazon!
http://images.amazon.com/images/P/0761125493.01._SSTHUM_.jpg
What signals get sent to
Amazon when I do a
search in this library?

14. Referer headers
http://images.amazon.com/images/P/0761125493.01._SSTHUM_.jpg
Amazon gets to know what the
library user is searching for!
Referer:
http://university.edu/vendor_library/libweb/action/dlSearch.do?inst
itution=XXX&vid=XXX&tab=everything&search_scope=everything&m
ode=Basic&onCampus=false&displayMode=full&highlight=true&disp
layField=all&pcAvailabiltyMode=true&bulkSize=30&query=any%2Cc
ontains%2Cwhat%20to%20expect%20when%20you%27re%20expect
ing

15. Cookie header
http://images.amazon.com/images/P/0761125493.01._SSTHUM_.jpg
Amazon remembers me!
Cookie:
s_cmpid=em_dd_dealpref_footer_us; dmusic_jsEnabled=1; kdp-lc-main=en_US; lc-main=en_US; aws_lang=en; sc_idetail=577648;
pN=67;
s_pers=%20s_vnum%3D1820603279509%2526vn%253D7%7C1820603279509%3B%20s_ev15%3D%255B%255B%2527AZSOAviewallMa
keM%2527%252C%25271397597821813%2527%255D%255D%7C1555364221813%3B%20s_fid%3D387E58CD97054BBB-
0A903051E8978EFD%7C1483223752935%3B%20s_dl%3D1%7C1420067152938%3B%20gpv_page%3DUS%253AAZ%253A%2520Make%2
520Money%2520Landing%253A%2520Home%7C1420067152946%3B%20s_invisit%3Dtrue%7C1431100131631%3B%20s_nr%3D143109
8331635-New%7C1438874331635%3B;
s_sess=%20s_campaign%3DEM%257CSummit13_E1A%257Cannounce%257Cmarketo%3B%20s_eVar60%3DEM%257CSummit13_E1A%2
57Cannounce%257Cmarketo%3B%20sc_icampaign%3DSummit13_E1A%3B%20sc_icontent%3Dannounce%3B%20sc_iplace%3Dmarketo
%3B%20c_m%3DAZSOAviewallMakeMundefinedAmazon.comundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Damznsrvsprod%253D%2
52526pid%25253DUS%2525253ASC%2525253A%25252520SellerCentralLogin%252526pidt%25253D1%252526oid%25253D%252525A0
%252525A0Sign%25252520in%252525A0%252525A0%2525250A%252526oidt%25253D3%252526ot%25253DSUBMIT%3B; apn-user-
id=5af86f07-1371-43ab-98de-0cce80365f4b; sc_ipage=ibc_landingpage; s_ppv=100; aws-target-static-id=1441899433850-398180;
s_eVar60=em%7Cem_13355%7Cglobal%7Cevent; sc_ichannel=em; sc_icampaign=em_13355; sc_icountry=global;
sc_icampaigntype=event; aws-business-metrics-last-visit=1449413507108; skin=noskin; aws-gz=1; session-
token="jeLgRlubBszDPQXsYQeAE0fhleGl1CVoaxoiRw1hRtlovE70dRrKW5+pRwUEbrXx1SWaznx30XKm9mO9Ualvswwc5Zsi15yFBJdOMQR
X9Uvew8azj5fR5+85NY32RkWINA/cLtz1Coew6S+9YuZHAj2xzvNDGTszaFH0Z4RNTixCTb+8kyVVVSdGAHrf4WF3NI2W3S4Yh8Y0wLcaTlLuZ
ybz7ZbcLWJFh41m3GALM10="; x-main="q?Td@IJwuwMlVBHZiZiWHANGhIUWBaEW"; x-wl-
uid=1T5ZIJ9srYpnK7msnBqBXW0GIadpVHD/H6ch0ws0sq8+WdnQgpCoVkc2yXzfinlIEM0bJDq6Jkif/Aii82Z45f8IDVLp1tRYcqCwv8yIAXi4mz
Brx+CwkWCMITg4XSNIs+m6sxTloLhg=; s_vnum=1825647050840%26vn%3D7; ubid-main=176-2476538-3066565; session-id-
time=2082787201l; session-id=178-6751876-1747438; aws-session-id=189-2051376-8622317; aws-session-id-time=1458335250l; aws-
mkto-trk=id%3A112-TZM-766%26token%3A_mch-aws.amazon.com-1453315552278-34638; aws-target-visitor-id=1426084761553-
357078.25_01; aws-target-data=%7B%22support%22%3A%221%22%7D; s_cc=true; s_fid=49AD8FA9A0599598-30FA44442C927A1A;
s_dslv=1458052161012; s_vn=1489264466108%26vn%3D9; s_nr=1458052161019-Repeat;
c_m=Search%20Engineundefinedwww.google.com;
s_sq=awsamazonprod2%252Cawsamazonallprod2%252Cawsamazonallprod1%252Cawsamazonprod1%3D%2526pid%253DSignup%252
6pidt%253D1%2526oid%253Dhttps%25253A%25252F%25252Fportal.aws.amazon.com%25252Fbilling%25252Flogout%252521doLogout
%2526ot%253DA; aws-ubid-main=177-4032474-5005539; aws-x-
main="fR@dlrH?TlponCnSlbPW1vkKHJicGv2dnaEOgIRA6A7jPsJ0ADZu0XFfU5EEG4VG"; regStatus=registered;
__utmv=194891197.%22fR%40dlrH%3FTlponCnSlbPW1vkKHJicGv2dnaEOgIRA6A7jPsJ0ADZu0XFfU5EEG4VG%22;
__utma=194891197.961563651.1446149352.1458053753.1458053772.98; __utmc=194891197;
__utmz=194891197.1458053772.98.58.utmccn=(referral)|utmcsr=amazon.com|utmcct=/ap/signin|utmcmd=referral

16. This library is betraying me!
(you should see what publishers do!)

17. Become a privacy zealot!
• Switch to HTTPS
• Turn off referer headers
• Think before you link
Details at https://go-to-hellman.blogspot.com/