SecurityEngineering/Jan2013WorkWeek/04-Collusion Roadmap
The future of collusion (roadmappy things)
1/15 at 11:15 am
Session Lead: Dethe
Hypotheses:
- Users would like to see the benefit from their data
- Users would like to share their graph easily
- Users would like to see the benefits of profiles from each tracker
- Users would like to use it as a tool in their every day use
Working on making collusion easier to use, more understandable. Working on a public database where people can upload their graph (so Mozilla can build a bigger picture of tracking on the web). We are working on a public server that uses that database for mash-up experimentation. Maybe a reputation system for crowdsourcing tracker info. Doing all of this in a really public way we might be able to get a higher quality data set.
Reworking collusion to gather richer data without compromising privacy.
- Gathering data over time (right now graph is showing most recent stuff) -- timestamps in milleseconds, rounded off to 5-10 minutes.
- Getting more granular data about URLs (not just ETLD+1, but actually FQDN).
- Storing a list of every connection you make to third party sites.
- Grabbing path depth (number of slashes, not the path, but the size) and query term count.
- Much can be stripped out before exporting since the data is a bit "safer" on the local machine.
Open question:
- How can we use the add-on to compare what you're seeing compared to what others see (over time)?
Getting ready to wire in new UI and visualizations.
Forward Direction:
- Working on pulling in chrome/safari version changes back in-house.
- Trying to identify potential ports to Android or Firefox OS.
- Want to eventually support leak detection (find out who's leaking stuff).
- Want to make visible other types of tracking -- not just cookies.
- Want to be view-source: of privacy!
Goal for end of February: New version of collusion with back-end and server support! Q&A:
- Do you have plans to expire data over time? Yeah, especially since we're gathering more. Will time-box and space-box collection.
- Delete data from server? Maybe, but we're only exposing an API that allows aggregate data access (no individual data sets).
- Do you see a way that the majority of people can benefit from collusion directly? Right now it's tough for many people to understand/care about the visualization.
- Have the student designs been shown to "ordinary users" to see how things resonate? Students have shown their work to novices, but nothing formal.