Filed under Privacy

May 21 2013
Privacy

Next Steps for the Firefox Cookie Policy

Consumers neither expect nor approve of web tracking.1 Mozilla has been a frequent advocate for its users, advancing technologies that signal preferences (Do Not Track), lend transparency (Collusion), and facilitate privacy-friendly web services (Persona and Social API). Last fall, the Mozilla community began a concerted effort in a new direction: technical countermeasures against tracking.2 One of our first projects has been a revision of the Firefox cookie policy.3

Cookie policies are inherently imprecise. Some unwanted tracking cookies might slip through, compromising user privacy (“underblocking”). And some non-tracking cookies might get blocked, breaking the web experience (“overblocking”). The challenge in designing a cookie policy is calibrating the tradeoff between underblocking and overblocking.4

The patch that I developed is an intentionally cautious first step: it aims to substantially reduce underblocking with little (if any) overblocking. The revised policy is so cautious, it isn’t even new: it’s drawn directly from Safari.5 Almost every iPhone, iPad, and iPod Touch user is already running the revised Firefox cookie policy. Web engineers are already familiar with designing to accomodate the policy. The notion is simple: start by raising Firefox to the present best practice among competing browsers, then iteratively innovate improvements.

Firefox’s revised cookie policy landed in the pre-alpha build in late February. Since then, Mozillans and I have carefully monitored bug reports. It appears that we achieved our aim: there are only two confirmations of inadvertent breakage.6 We did not hear any novel concerns when the patch advanced to alpha in early April. This past week, Mozilla’s CTO requested a hold on the revised policy for an extra release cycle to measure its performance. At the same time, he reaffirmed that Mozilla is “committed to user privacy” and “committed to shipping a version of the patch that is ‘on’ by default.”

I agree that we should be quantitatively rigorous in our approach to iterating the Firefox cookie policy. An extra six-week release cycle will allow us to further validate our hypothesis that the patch delivers improved privacy without breakage,7 as well as lay the groundwork for future updates. Going forwards, our challenge will be to understand and improve the underblocking and overblocking properties of the Firefox cookie policy.
Continue reading

Feb 22 2013
Privacy

The New Firefox Cookie Policy

The default Firefox cookie policy will, beginning with release 22, more closely reflect user privacy preferences. This mini-FAQ addresses some of the questions that I’ve received from Mozillans, web developers, and users.
Continue reading

Jan 28 2013
Economics, Privacy

Electronic Privacy and Economic Choice

Critics of consumer privacy protections frequently invoke revealed preference as a justification for laissez-faire policy. If users really cared about their privacy, the argument goes, we should expect to see revolts against intrusive practices. A number of scholars have demonstrated pervasive information asymmetries1 and bounded rationality2 in consumer privacy choices; the decisions that users actually make about online privacy can hardly be expected to reflect their actual preferences.

But let’s suppose that consumers and online firms are fully informed and completely rational. The economic story that consumers value their privacy less than the marginal income from privacy intrusions is certainly consistent with market behavior.

We should not, however, conclude that the status quo is optimal. There is another congruent economic story, where privacy intrusions are inefficient but nevertheless result owing to transaction costs and competition barriers. This post relates the alternative economic story with two possible examples, then closes with policy implications.
Continue reading

Nov 01 2012
Anonymity, Measurement, Privacy

Presidential Identifying Information

Sunday’s New York Times included a story about how the presidential campaigns are making extensive use of third-party web trackers. In response to privacy concerns, “[o]fficials with both campaigns emphasize[d] that [tracking] data collection is ‘anonymous.’”1

The campaigns are wrong: tracking data is very often identified or identifiable. Arvind Narayanan has previously written a comprehensive and accessible explanation of why web tracking is hardly anonymous; my survey paper on web tracking provides more extensive discussion.

One of the ways in which web tracking data can become identified or identifiable is “leakage”—data flowing to trackers from the websites that users interact with. Leakage most commonly occurs when a website includes identifying information in a page URL or title. Embedded third parties receive the identifying information if they receive the URL (e.g. referrer headers) or the title (e.g. document.title). Even a little identifying information leakage thoroughly undermines the privacy properties of web tracking: once a user’s identity leaks to a tracker, all of the tracker’s past, present, and future data about the user becomes identifiable.

Web services frequently fail to account for information leakage in their design and testing; a study I conducted last year found that over half of popular websites were leaking identifying information.2 More than a few website operators have made inaccurate representations about the information they share with third parties; in just the past year the Federal Trade Commission settled deception claims against both Facebook and Myspace for falsely disclaiming identifying information leakage.

The Times coverage piqued my curiosity: Are the campaigns identifying their supporters to third-party trackers? Are they directly undermining the anonymity properties that they are so quick to invoke?

Yes, they are. I tested the two leading candidate websites using the methodology from my prior study of identifying information leakage. Both leak. The following sections describe my observations from the Barack Obama and Mitt Romney campaign websites.
Continue reading

Aug 10 2012
Do Not Track, Privacy

The Trouble with ID Cookies: Why Do Not Track Must Mean Do Not Collect

Original at the Stanford Center for Internet and Society.

Co-authored by Arvind Narayanan.

The debate over the meaning of Do Not Track has raged for well over a year now. The primary forum is the W3C Tracking Protection Working Group, with frequent sparring in the press and capitals worldwide. There are, broadly, two Do Not Track proposals: one chiefly backed by the ad industry, and another advanced by privacy advocates [1]. These proposals reflect vastly different visions for Do Not Track with vastly different practical consequences. The two sides have unsurprisingly been at loggerheads, with scant movement towards resolution of the key issues.
Continue reading

Jul 24 2012
Do Not Track, Privacy, Privacy-Preserving

Tracking Not Required: Advertising Measurement

Co-authored by Arvind Narayanan.

Measurement is central to online advertising: it facilitates billing, performance measurement, targeting decisions, spending allocation, and more. In a pair of earlier posts we explained how advertisement frequency capping and behavioral targeting are achievable without compiling a user’s browsing history. This post similarly proposes practical, privacy-improved approaches to advertising measurement.

Continue reading

Jul 02 2012
Do Not Track, Privacy, Privacy-Preserving

Do Track: Browser-Based Do Not Track Exceptions

Users hold widely varying preferences on web tracking.1 Some don’t mind the practice. Some object to it entirely. Many trust certain organizations to follow them around the web.

Do Not Track accomodates these divergent preferences in two ways. First, browsers and other user agents include an option for universally signaling a preference against tracking (“DNT: 1”). Firefox, Internet Explorer, and Safari have all integrated this feature, and Chrome will support it by the end of the year. Second, a user can configure exceptions to the universal signal. Some websites may choose to build a proprietary “out-of-band” exception mechanism, using ordinary web technologies, that trumps the “DNT: 1” signal. The Do Not Track Cookbook includes an example of how a Facebook out-of-band exception mechanism might appear.

The W3C Do Not Track standard will provide another option: a simple JavaScript interface that allows a website to request an exception, paired with a signal that some tracking is allowed (“DNT: 0”).

Continue reading

Jun 11 2012
Do Not Track, Privacy, Privacy-Preserving

Tracking Not Required: Behavioral Targeting

Original at 33 Bits of Entropy.

Co-authored by Arvind Narayanan and Subodh Iyengar.

In the first installment of the Tracking Not Required series, we discussed a relatively straightforward case: frequency capping. Now let’s get to the 800-pound gorilla, behaviorally targeted advertising, putatively the main driver of online tracking. We will show how to swap a little functionality for a lot of privacy.

Admittedly, implementing behavioral targeting on the client is hard and will require some technical wizardry. It doesn’t come for “free” in that it requires a trade-off in terms of various privacy and deployability desiderata. Fortunately, this has been a fertile topic of research over the past several years, and there are papers describing solutions at a variety of points on the privacy-deployability spectrum. This post will survey these papers, and propose a simplification of the Adnostic approach — along with prototype code — that offers significant privacy and is straightforward to implement.

Continue reading

Apr 23 2012
Do Not Track, Privacy, Privacy-Preserving

Tracking Not Required: Frequency Capping

Co-authored by Arvind Narayanan.

Debates over web tracking and Do Not Track tend to be framed as a clash between consumer privacy and business need. That’s not quite right. There is, in fact, a spectrum of possible tradeoffs between business interests and consumer privacy.

Our aim with the Tracking Not Required series is to show how those tradeoffs are not at all linear; it is possible to swap a little functionality for a lot of privacy. We only use technologies that are already deployed in browsers, and the solutions we propose are externally verifiable.1

We focus on issues at the center of Do Not Track negotiations in the World Wide Web Consortium. Advertising companies have pledged to stop forms of ad targeting once a user enables Do Not Track, but many maintain that tracking is essential for a litany of “operational uses.” The Tracking Not Required series demonstrates how business functionality can be implemented without exposing users to the risks of tracking.

This first post addresses frequency capping in online advertising, the most frequently cited “operational use” necessitating tracking.

Continue reading

Mar 13 2012
Do Not Track, Paper, Privacy

Third-Party Web Tracking: Policy and Technology

John Mitchell and I have written a new paper that synthesizes research on policy and technology issues surrounding third-party web tracking. It will appear at the IEEE Symposium on Security and Privacy in May.

Abstract

In the early days of the web, content was designed and hosted by a single person, group, or organization. No longer. Webpages are increasingly composed of content from myriad unrelated “third-party” websites in the business of advertising, analytics, social networking, and more. Third-party services have tremendous value: they support free content and facilitate web innovation. But third-party services come at a privacy cost: researchers, civil society organizations, and policymakers have increasingly called attention to how third parties can track a user’s browsing activities across websites.

This paper surveys the current policy debate surrounding third-party web tracking and explains the relevant technology. It also presents the FourthParty web measurement platform and studies we have conducted with it. Our aim is to inform researchers with essential background and tools for contributing to public understanding and policy debates about web tracking.

Older posts