Tracking Not Required: Frequency Capping

Co-authored by Arvind Narayanan.

Debates over web tracking and Do Not Track tend to be framed as a clash between consumer privacy and business need. That’s not quite right. There is, in fact, a spectrum of possible tradeoffs between business interests and consumer privacy.

Our aim with the Tracking Not Required series is to show how those tradeoffs are not at all linear; it is possible to swap a little functionality for a lot of privacy. We only use technologies that are already deployed in browsers, and the solutions we propose are externally verifiable.

We focus on issues at the center of Do Not Track negotiations in the World Wide Web Consortium. Advertising companies have pledged to stop forms of ad targeting once a user enables Do Not Track, but many maintain that tracking is essential for a litany of “operational uses.” The Tracking Not Required series demonstrates how business functionality can be implemented without exposing users to the risks of tracking.

This first post addresses frequency capping in online advertising, the most frequently cited “operational use” necessitating tracking.


Third-Party Web Tracking: Policy and Technology

John Mitchell and I have written a new paper that synthesizes research on policy and technology issues surrounding third-party web tracking. It will appear at the IEEE Symposium on Security and Privacy in May.

Abstract
In the early days of the web, content was designed and hosted by a single person, group, or organization. No longer. Webpages are increasingly composed of content from myriad unrelated “third-party” websites in the business of advertising, analytics, social networking, and more. Third-party services have tremendous value: they support free content and facilitate web innovation. But third-party services come at a privacy cost: researchers, civil society organizations, and policymakers have increasingly called attention to how third parties can track a user’s browsing activities across websites.

This paper surveys the current policy debate surrounding third-party web tracking and explains the relevant technology. It also presents the FourthParty web measurement platform and studies we have conducted with it. Our aim is to inform researchers with essential background and tools for contributing to public understanding and policy debates about web tracking.

The FTC’s Chairman Groks Do Not Track

Last Thursday the White House hosted a major event on online privacy. Much of the public attention focused on a long-awaited White House report and a commitment by an online advertising self-regulatory group to implement components of the Do Not Track technology. Both the Electronic Frontier Foundation and the Center for Democracy and Technology have written detailed reviews of what transpired.

There has been scant focus on Federal Trade Commission Chairman Jon Leibowitz’s brief remarks on Do Not Track. That’s a mistake.

Setting the Record Straight on Google’s Safari Tracking

Our recent research on Google’s circumvention of the Safari cookie blocking feature has led to some confusion, in part owing to the company’s statement in response (reproduced in its entirety below). This post is an attempt to elucidate the central issues. As with the original writeup, I aim for a neutral viewpoint in the interest of establishing a common factual understanding.

Safari Trackers

Apple’s Safari web browser is configured to block third-party cookies by default. We identified four advertising companies that unexpectedly place trackable cookies in Safari. Google and Vibrant Media intentionally circumvent Safari’s privacy feature. Media Innovation Group and PointRoll serve scripts that appear to be derived from circumvention example code.

In the interest of clearly establishing facts on the ground, this post provides technical analysis of Safari’s cookie blocking feature and the four companies’ practices. It does not address policy or legal issues. (More on that soon.)

Before proceeding further, I want to thank the countless friends and colleagues who provided invaluable feedback on this project. In particular: ★★★★★, whose insights have been vital at every step, and Ashkan Soltani, whose crawling data was instrumental in uncovering PointRoll’s practices and understanding the prevalence of cookie blocking circumvention.


A Brief Overview of the Supplementary DAA Principles

Original at the Stanford Center for Internet and Society.

Yesterday the Digital Advertising Alliance (DAA) announced a supplementary set of self-regulatory principles for third parties on the web (pdf, press release). This post is a brief — and far from comprehensive — overview of improvements, continued deficiencies, and procedural issues.

Tracking the Trackers: Where Everybody Knows Your Username

Original at the Stanford Center for Internet and Society.

Click the local Home Depot ad and your email address gets handed to a dozen companies monitoring you. Your web browsing, past, present, and future, is now associated with your identity. Swap photos with friends on Photobucket and clue a couple dozen more into your username. Keep tabs on your favorite teams with Bleacher Report and you pass your full name to a dozen again. This isn’t a 1984-esque scaremongering hypothetical. This is what’s happening today.

[Update 10/11: Since several readers have asked – this study was funded exclusively by Stanford University and research grants to the Stanford Security Lab. It was not supported by any advocacy organization.]

Tracking the Trackers: Self-Help Tools

Original at the Stanford Center for Internet and Society.

A number of technologies have been touted to offer consumers control over third-party web tracking. This post reviews the tools that are available and presents empirical evidence on their effectiveness. Here are the key takeaways:

  1. Most desktop browsers currently do not support effective self-help tools. Mobile users are almost completely out of luck.
  2. Self-help tools vary substantially in performance.
  3. The most effective self-help tools block third-party advertising.

Following the usage model in the FTC staff’s 2010 preliminary online privacy report, this post is oriented towards the user who wants a simple, persistent, comprehensive solution such that with high confidence no third party collects her browsing history. We assume that some third-party trackers will use non-cookie tracking methods including supercookies and fingerprinting (e.g. Microsoft, KISSmetrics, Epic Marketplace, BlueCava, Interclick, Quantcast).

Thanks to Jovanni Hernandez and Akshay Jagadeesh for assisting with data collection, and to Arvind Narayanan and Peter Eckersley for input on drafts.

Tracking the Trackers: Microsoft Advertising

Original at the Stanford Center for Internet and Society.

Despite all the attention they’ve received in the debates around online privacy, cookies are far from the only way to track a user. Broadly speaking, a website can either stash a unique identifier anyplace in the browser (“tagging”) or explore features of the browser until it becomes unique (“fingerprinting”). Tracking technologies that do not rely on cookies are often referred to as “supercookies,” and they are widely viewed as unsavory in the computer security community because they continue tracking even when a user clears her cookies to preserve privacy. Sometimes a site will use a supercookie to “respawn” its original identifier cookie, creating a “zombie cookie” — the basis of several lawsuits.

In one of our recent FourthParty web measurement crawls we included a cookie clearing step to emulate a user’s privacy choice. We observed that after clearing the browser’s cookies an identifier cookie (named “MUID” for “machine unique identifier”) respawned on live.com, a Microsoft domain. We dug into Microsoft’s cross-domain cookie syncing code and discovered two independent supercookie mechanisms, one of which was respawning cookies. We contacted Microsoft with our observations, and we have collaborated to assist in rectifying the issues we uncovered. Here is what we know.

Thanks, once again, to Jovanni Hernandez and Akshay Jagadeesh for their indispensable research assistance.

Tracking the Trackers: The AdChoices Icon

Original at the Stanford Center for Internet and Society.
Jovanni Hernandez and Akshay Jagadeesh are the first authors of this study.

Responding to pressure from the Federal Trade Commission, in mid-2009 the largest advertising industry trade groups joined forces to develop a new self-regulatory program for behavioral advertising: the Digital Advertising Alliance (DAA). Like the parallel self-regulatory program for advertising networks, the Network Advertising Initiative (NAI), the DAA makes no promises about providing privacy choices: DAA members must only provide an opt out of seeing advertising that is based on tracking, not an opt out of tracking itself. As Chris Hoofnagle at Berkeley Law has noted on several occasions, the word “privacy” scarcely even appears in the DAA’s documents.