Microsoft Explores Privacy-Protecting Personalization
A researcher is experimenting with ways that a Web browser could tighten the limits on information provided to websites.
Today, many websites ask users to take a devil’s deal: share personal information in exchange for receiving useful personalized services. New research from Microsoft, which will be presented at the IEEE Symposium on Security and Privacy in May, suggests the development of a Web browser and associated protocols that could strengthen the user’s hand in this exchange. Called RePriv, the system mines a user’s behavior via a Web browser but controls how the resulting information is released to websites that want to offer personalized services, such as a shopping site that automatically knows users’ interests.
“The browser knows more about the user’s behavior than any individual site,” says Ben Livshits, a researcher at Microsoft who was involved with the work. He and colleagues realized that the browser could therefore offer a better way to track user behavior, while it also protects the information that is collected, because users won’t have to give away as much of their data to every site they visit.
The RePriv browser tracks a user’s behavior to identify a list of his or her top interests, as well as the level of attention devoted to each. When the user visits a site that wants to offer personalization, a pop-up window will describe the type of information the site is asking for and give the user the option of allowing the exchange or not. Whatever the user decides, the site doesn’t get specific information about what the user has been doing—instead, it sees the interest information RePriv has collected.
Livshits explains that a news site could use RePriv to personalize a user’s view of the front page. The researchers built a demonstration based on the New York Times website. It reorders the home page to reflect the user’s top interests, also taking into account data collected from social sites such as Digg that suggests which stories are most popular within different categories.
Livshits admits that RePriv still gives sites some data about users. But he maintains that the user remains aware and in control. He adds that cookies and other existing tracking techniques sites already collect far more user data than RePriv supplies.
The researchers also developed a way for third parties to extend RePriv’s capabilities. They built a demonstration browser extension that tracks a user’s interactions with Netflix to collect more detailed data about that person’s movie preferences. The extension could be used by a site such as Fandango to personalize the movie information it presents—again, with user permission.
“There is a clear tension between privacy and personalized technologies, including recommendations and targeted ads,” says Elie Bursztein, a researcher at the Stanford Security Laboratory, who is developing an extension for the Chrome Web browser that enables more private browsing. “Putting the user in control by moving personalization into the browser offers a new way forward,” he says.
“In the medium term, RePriv could provide an attractive interface for service providers that will dissuade them from taking more abusive approaches to customization,” says Ari Juels, chief scientist and director of RSA Laboratories, a corporate research center.
Juels says RePriv is generally well engineered and well thought out, but he worries that the tool goes against “the general migration of data and functionality to the cloud.” Many services, such as Facebook, now store information in the cloud, and RePriv wouldn’t be able to get at data there—an omission that could hobble the system, he points out.
Juels is also concerned that most people would be permissive about the information they allow RePriv to release, and he believes many sites would exploit this. And he points out that websites with a substantial competitive advantage in the huge consumer-preference databases they maintain would likely resist such technology. “RePriv levels the playing field,” he says. “This may be good for privacy, but it will leave service providers hungry.” Therefore, he thinks, big players will be reluctant to cooperate with a system like this.
Livshits argues that some companies could use these characteristics of RePriv to their advantage. He says the system could appeal to new services, which struggle to give users a personalized experience the first time they visit a site. And larger sites might welcome the opportunity to get user data from across a person’s browsing experience, rather than only from when the user visits their site. Livshits believes they might be willing to use the system and protect user privacy in exchange.