The Efficacy of Google’s Privacy Extension

Over four years ago, Google launched a Chrome privacy extension. Keep My Opt-Outs arrived with a media splash, and it presently has over 400,000 users worldwide.1

It’s a top result on the Chrome Web Store,2 and it’s even endorsed by a faux celebrity.

Unfortunately, the Keep My Opt-Outs extension isn’t nearly as effective as Google claims. It hasn’t been updated for years, resulting in only half of the promised coverage. Keep My Opt-Outs also doesn’t work in Chrome’s private browsing mode, despite the user’s explicit permission.

If you’re currently running Keep My Opt-Outs, I’d encourage switching to Disconnect or Privacy Badger.3 Adblock, Adblock Plus, and Ghostery are also excellent privacy tools, when configured properly.

In this post, I’ll explain why Google emphasized the Keep My Opt-Outs extension, how the code works, and what went awry.

History

Google was in a bind.4 It was late 2010, and consumer web tracking had come under extraordinary pressure. The Federal Trade Commission issued a report calling for easy consumer choice, and legislators were readying responsive bills. The Wall Street Journal was in the midst of a blistering investigative series. Microsoft had introduced new blocking features for Internet Explorer. An eclectic group of academics, advocates, and Mozilla engineers were coalescing around “DNT: 1,” a Do Not Track HTTP header.

Google had to do something. A contingent of Chrome engineers favored the Do Not Track approach; it was easy to implement, easy to use, and on a path to standardization.5 Google’s advertising team was opposed to Do Not Track, and wanted to stick with the industry’s existing opt-out cookies. Externally, it expressed concern that Do Not Track was not sufficiently defined. Internally, it worried that Do Not Track might become too protective or too popular. (Opt-out cookies only prevent advertising personalization, not tracking, and are rarely used.) The policy group, for its part, was deeply divided. Making matters even more complicated, none of these three factions had decision-making authority.

And so Google arrived at a stopgap compromise. It would feature a Chrome extension that simply persisted and updated opt-out cookies. For the Chrome team, it was easy to build, involved no changes to the browser, and provided users with a real (albeit small) privacy gain. For the advertising team, it was essentially equivalent to opt-out cookies. And for the policy team, it was a useful prop when interacting with Washington and media critics.

That alignment of interests resulted in a prominent rollout.6 Google featured the extension in written submissions to the Federal Trade Commission and the Commerce Department.

Design

The architecture of Keep My Opt-Outs is straightforward, and essentially equivalent to prior opt-out extensions. If I were teaching an undergraduate computer science course, it would make for a nice project. (Google still filed for a patent.)

The extension includes a list of advertising firms and associated opt-out cookies. When initialized, Keep My Opt-Outs sets those cookies. It then monitors the browser’s cookie store for changes. If any of the cookies gets modified or deleted, Keep My Opt-Outs simply reverts the change. That’s all.

Shortcomings

Keep My Opt-Outs is only as effective as its internal cookie list. If a business isn’t included, it isn’t covered by the extension. Given how quickly the online advertising ecosystem has grown, regular updates are a must.

The extension doesn’t include a special mechanism for updating its cookie list. In order to revise which businesses are included, Google has to release a new version.

Over the past several years, Google appears to have… forgot. The latest revision of the cookie list was in October 2011.7

That’s a huge blow to the extension’s efficacy. It only limits personalized advertising for about half of the businesses that offer a self-regulatory opt-out setting. Several large industry players, including Facebook, aren’t covered.

What’s more, if a user enables Chrome’s private browsing mode—to protect their privacy further—they lose the extension’s opt-out protection.8

That’s even though a user has explicitly authorized Keep My Opt-Outs in private browsing mode.

Even Google’s own opt-out preference stops working properly.

The reason is that Keep My Opt-Outs doesn’t account for the separate private browsing cookie store. It doesn’t initialize all the opt-out cookies in its list, and it doesn’t properly handle missing opt-out cookies.9

Parting Thoughts

There’s an undeniable irony here. In the interest of avoiding Federal Trade Commission action, Google appears to have violated the FTC Act. According to Google, Keep My Opt-Outs covers “all companies that offer opt-outs through the industry self-regulation programs.” And, “as more companies adopt the industry privacy standards . . . their opt-outs will be automatically added to Keep My Opt-Outs.” Those statements are untrue, exposing Google to consumer deception liability.

As for privacy technology, the lesson of Keep My Opt-Outs is that future-proofing is essential.10 The web changes quickly. Any consumer control technology—and promises surrounding that technology—must be built to last.


I write shorter stuff at @jonathanmayer.

1. This post is focused on the Chrome extension, since it is far and away the most prominent version of Keep My Opt-Outs. There are also Firefox and Internet Explorer variants; according to Google’s download statistics, they have very few users.

2. In informal tests, the extension appeared as a top-three result for “advertising” and “opt out.”

3. Disclosure: I’ve helped out with the Privacy Badger project. I don’t recommend the advertising industry’s Protect My Choices extension since it doesn’t stop tracking, just personalized advertising. Also, Protect My Choices is derived from Keep My Opt-Outs, and has the same updating issue. The extension’s list of opt-out cookies appears to have last been revised in July 2014.

4. The above narrative is drawn from conversations with a number of Google employees, during the height of Do Not Track negotiations. It’s an attempt to capture the zeitgeist and the aggregate views of particular teams. Individual employees, of course, held diverse perspectives. I’d like to particularly emphasize that I have no insight into what the author of Keep My Opt-Outs was thinking. Past comments reflect that he believed in the privacy value of the extension, and I have no reason to doubt his sincerity.

5. In one memorable (and odd) conversation, a couple of Chrome developers bragged about how few lines of code were required.

6. It’s entirely possible that the extension would have existed regardless of external pressures and internal politics. This much is certain: the extent of fanfare surrounding Keep My Opt-Outs was a direct result of those phenomena.

7. The following figure is drawn from Internet Archive data. Not all Digital Advertising Alliance member companies offer an opt-out setting, resulting in the discrepancy between these counts and counts on opt-out webpages.

8. Private browsing mode does not frustrate tracking within a private browsing session. It also doesn’t impact tracking with stateless (“fingerprinting”) technologies.

9. Specifically, Keep My Opt-Outs iterates only the main cookie store, when the extension loads. While the extension does include some logic for handling altered or deleted opt-out cookies, that logic is only triggered by a modification to a valid opt-out cookie.

10. The GitHub page for Keep My Opt-Outs suggests that Google is planning to retire the extension. While that may be a sensible product direction, Google’s representations oblige it to maintain the extension until its retirement.