Overview
Online advertising systems like Google or Yahoo! increasingly violate your privacy. They gather information about you, such as the websites you visit and your location, and use it to profile you and target ads to you. This has led to increasing complaints and calls for regulation from privacy and consumer protection groups.
Today
We are proposing an advertising system that is far more private. This system, called Privad, is based on two main principles:
- Most information about you is kept on your own computer and not leaked out.
- The information that does leave your computer is proxied through an intermediary. Neither the intermediary nor the advertising company obtain enough information to violate your privacy.
Privad Model
Rather than watch what you do from the cloud, as advertising companies do today, with Privad you run software directly on your computer. This “software agent” monitors your web activity to build a profile that is kept local to your computer. The profile information never leaks out. The software agent is also responsible for showing you ads. It anonymously gathers and stores the sorts of ads you might be interested in. When you browse a website that has advertising space, the software agent on your computer selects an ad for you to view, and locally inserts it into the advertising space.
Unfortunately, your software agent cannot operate without transmitting some information. The advertising company needs to know which ads have been viewed or clicked, so that it can charge the advertiser accordingly. The advertising company also needs to know which websites provided advertising space, so that it can pay the websites accordingly. Fortunately, the reports containing this information can be anonymously delivered.
We propose an intermediary that mixes the reports from many users so that the advertising company cannot tell where the reports come from. The intermediary can be operated by an organization that has your privacy interests at heart: a privacy advocacy group like the EFF or ACLU, or a government agency like the FTC. The intermediary’s costs can be paid through a levy imposed on the advertising company.
The intermediary cannot see what is in your reports. In other words, you don’t need to trust the intermediary, just as you don’t need to trust the advertising company. This is because the reports are encrypted in such a way that only the advertising company can decrypt them. The intermediary knows that you sent a report, but not what is in the report. The advertising company knows what is in the report, but not who sent it. The intermediary is also used to anonymously deliver ads to you. As with the reports, the intermediary cannot see what ads you receive, and the advertising company does not know who got what ads.
The only way the advertising company or the intermediary can learn what websites you have visited is by colluding with each other. By using a privacy advocate as the intermediary, we shrink the chances of this collusion to near zero. If this is still not enough, we can add a second intermediary, so that collusion between three organizations would be required.
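To make the split of trust concrete, here is an added example (not Privad’s own code) of the report path: the client agent seals a view/click report to the advertising company’s public key, the intermediary sees only sender identities and opaque blobs and forwards them stripped and shuffled, and the advertising company decrypts content it cannot attribute to a user. RSA-OAEP, the `BrokerKey` stand-in, and the `Report` fields are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"math/big"
)

// BrokerKey stands in for the advertising company's key pair (constructed here).
var BrokerKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// Report is all that leaves the user's machine: ad, publisher and event. The
// browsing profile that chose the ad never leaves the local agent.
type Report struct {
	AdID      string `json:"ad"`
	Publisher string `json:"pub"`
	Event     string `json:"event"` // "view" or "click"
}

// EncryptReport runs in the client agent: the report is sealed with RSA-OAEP
// to the advertising company's public key, so the intermediary cannot read it.
func EncryptReport(pub *rsa.PublicKey, r Report) ([]byte, error) {
	plain, _ := json.Marshal(r) // a struct of plain strings always marshals
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// Mix runs at the intermediary, which sees only sender -> opaque blob. It drops
// the identities and shuffles the batch so reports cannot be linked to senders.
func Mix(byClient map[string][]byte) [][]byte {
	out := make([][]byte, 0, len(byClient))
	for _, blob := range byClient {
		out = append(out, blob)
	}
	for i := len(out) - 1; i > 0; i-- { // Fisher-Yates over crypto/rand
		j, _ := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		out[i], out[j.Int64()] = out[j.Int64()], out[i]
	}
	return out
}

// DecryptReport runs at the advertising company: it recovers what it needs to
// bill the advertiser and pay the publisher, but never learns who sent it.
func DecryptReport(priv *rsa.PrivateKey, blob []byte) (Report, error) {
	var r Report
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
	if err != nil {
		return r, err
	}
	return r, json.Unmarshal(plain, &r)
}
```

A tampered or re-encrypted blob fails OAEP decryption rather than producing a bogus report, which is what the billing side needs.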
Papers
Serving Ads from localhost for Performance, Privacy, and Profit (slides)
Privad: Practical Privacy in Online Advertising
FAQ
- Q: How can I be sure that this “software agent” isn’t sending my profile to the advertising company?
- A: The software agent is built in such a way that all communications in and out can be monitored by trusted third-party software. So, for instance, your anti-virus software could be modified to ensure that the software agent is not sending out additional information.
- Q: If the reports from the “software agent” are encrypted, how do I know they don’t contain private information like my name, gender, religion, and so on?
- A: The encryption is done in such a way that the third-party software can validate the contents of the encrypted reports while still preventing the intermediary from seeing the contents of the reports.
- Q: Can’t this third-party software see my private information?
- A: Sure, but if you can’t trust your anti-virus software, you are in trouble anyway. More generally, anybody who can get malware running on your computer can pretty much learn what they want. The software agent doesn’t change this one way or the other.
- Q: If the intermediary is a government agency, can’t it just legally order the advertising company to show it the decrypted reports?
- A: Yes, but if it can do that, it can just as well legally wiretap you at your ISP.
- Q: Why would anyone install this software agent?
- A: The software agent, or indeed a collection of competing software agents, could be supported by your browser in much the same way your browser toolbar supports multiple competing search engines today. The browser could provide basic protocol support and a framework for running Privad. Advertising companies could install their software agents into this framework, and compete with each other for advertisers, website ad space, and website profiling information.
