As part of my PhD at Princeton’s Center for Information Technology Policy (CITP), I led the development of OpenWPM, a tool for web privacy measurement, with the help of many contributors. My co-authors and I first released OpenWPM in 2014 with the goal of lowering the technical costs of large-scale web privacy measurement. The tool’s […]
No boundaries for Facebook data: third-party trackers abuse Facebook Login
by Steven Englehardt [0], Gunes Acar, and Arvind Narayanan So far in the No boundaries series, we’ve uncovered how web trackers exfiltrate identifying information from web pages, browser password managers, and form inputs. Today we report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from […]
No boundaries for credentials: New password leaks to Mixpanel and Session Replay Companies
In this installment of the “No Boundaries” series we show how wholesale collection of user interactions by third-party analytics and session replay scripts cause inadvertent collection of passwords. By Steve Englehardt, Gunes Acar and Arvind Narayanan Following the recent report that Mixpanel, a popular analytics provider, had been inadvertently collecting passwords that users typed into […]
No boundaries: Exfiltration of personal data by session-replay scripts
This is the first post in our “No Boundaries” series, in which we reveal how third-party scripts on websites have been extracting personal information in increasingly intrusive ways. [0] by Steven Englehardt, Gunes Acar, and Arvind Narayanan Update: we’ve released our data — the list of sites with session-replay scripts, and the sites where we’ve […]
I never signed up for this! Privacy implications of email tracking
In this post I discuss a new paper that will appear at PETS 2018, authored by myself, Jeffrey Han, and Arvind Narayanan. What happens when you open an email and allow it to display embedded images and pixels? You may expect the sender to learn that you’ve read the email, and which device you used […]