Identifying Personal Information in Internet Traffic

Users today access a multitude of online services---among the most popular of which are online social networks (OSNs)---via both web sites and dedicated mobile applications (apps), using a range of devices (traditional PCs, tablets, and smartphones) that are connected via a variety of networks. The resulting infrastructure makes these services conveniently available anytime and anywhere, enabling them to become an integral part of daily life. As a consequence, users explicitly and implicitly provide a wealth of Personal Information (PI) that reflects several aspects of their life. Service providers monetize this information by selling to third parties (e.g., advertisers). Unfortunately, today, it remains difficult for end users to fully understand the amount and nature of the collected data. Our goal in this paper is to bring visibility into PI collected when accessing online services such as online social networks. This is a major challenge because PI is transferred in a proprietary way by each service. We develop a novel method that can automatically discover various types of PI carried within protocol fields of network traffic; the method includes techniques to filter out potential "containers" that do not actually carry PI and extend the set of containers initially found with additional ones. We evaluate the false positive/negative rates of our proposed method and show examples of interesting findings, including what kind of web sites or apps are more likely to transmit PI and which types of PI are most commonly collected.