ANALYST BRIEF
Web Browser Privacy: In Search of a Unicorn
DO NOT TRACK
Authors: Randy Abrams, Jayendra Pathak

Overview

Consumer rights advocacy groups have requested legislative action to protect privacy for the past several years, with the advertising industry predictably responding that the industry will regulate itself. The staunch refusal of online organizations to implement any privacy protections resulted in the Children's Online Privacy Protection Act of 1998 (COPPA). To address the privacy rights of human beings over the age of 13, Senator Ernest Hollings proposed the Online Personal Privacy Protection Act of 2002, but this act was never voted upon. Neither was a 2005 online privacy bill, the Consumer Privacy Protection Act. In 2007, the idea of a Do Not Track (DNT) privacy list, similar in concept to the Do Not Call list, was put forward to the Federal Trade Commission (FTC), but the FTC did not act on this proposal. In 2010, the U.S. Senate Committee on Commerce, Science, and Transportation met to discuss online privacy, and the DNT proposal was revived. Security researchers Dan Kaminsky and Christopher Soghoian developed the foundation for the current DNT browser implementation and collaborated with researcher Sid Stamm to create a functional prototype.

DNT is an advertising technology, not the privacy technology it is generally considered to be. The current implementation of DNT does not ensure privacy, but instead allows advertising consortiums to claim that the industry is working on technology to promote privacy. There is little that the average consumer or corporation can do to effectively eliminate tracking, and DNT adds nothing to assure privacy.
NSS Labs Findings

- Consumers do not want to be tracked without permission.
- The U.S. lags behind the EU with regard to consumer online privacy rights.
- Legislation is required for DNT to be of any value with respect to privacy.
- The Internet will grow and thrive, even with strong laws concerning privacy and online tracking.
- The current advertising/tracking model is at odds with the fundamental basis of a free market economy.
- Private browsing modes do not prevent tracking.
- Ubiquitous offline tracking methods are not affected by DNT legislation or technologies.

NSS Labs Recommendations

- Support legislation to enhance privacy rights.
- Enable DNT in browsers, even if the current results are negligible.
- Block third-party cookies and consider third-party privacy products to prevent and eliminate some forms of tracking.
- Have security products audit DNT settings and prompt users to express their intent, particularly when using Chrome, Firefox, Safari, or other browsers that map poorly to user intent.
Table of Contents

Overview
NSS Labs Findings
NSS Labs Recommendations
Analysis
Follow the Money
Microsoft Outs the Industry
What Do Users Want and Know?
Ulterior Motives and the Delay of Do Not Track
Private Browsing
Do Not Track in the Browser
Do Not Track on the Server
Does It Matter?
The Business Implications
Preventing Tracking
Contact Information
Analysis

Privacy is the unicorn of the Internet: while there have been reports of such a creature, there has never been a verified sighting. Technologies such as the blocking of third-party cookies by browsers have been circumvented through the use of Adobe Flash, HTML5 technologies, and other means. Privacy rights for U.S. Internet users lag significantly behind the legal protections offered in Europe, where they are recognized as basic human rights by the European Union.

DNT appears to be an attempt to make advertisers aware of a user's preferences with respect to privacy, but because the specification is still a work in progress, DNT can be described with little authority. DNT is an ambiguous standard with little meaning and no power. This much was stated in a letter from consumer privacy advocates to FTC Secretary Donald S. Clark: "A right that is selectively enforced, or that is without effective enforcement, is not a meaningful right."[1] DNT is not a technological block to tracking, and it does not have the might of federal or industry enforcement. This means that DNT does not make any significant difference in privacy, nor can it in the near future.

Follow the Money

Rarely is anything that is worthwhile on the Internet completely free. Either it is paid for directly via a subscription model, or indirectly via advertising (or sometimes both). In this way, the Internet mimics the different models of software distribution. Many security companies follow a freeware model, allowing free access to information on their blogs, since they understand that this translates to valuable advertising. Such sites do not covertly collect or sell user data. Internet sites that do not collect personal information, do not display advertising, and do not seek profit are rare. Shareware is offered directly to the customer, free of charge.
Wikipedia exemplifies a shareware model, since it does not sell advertising or require a subscription, and it is not thought to sell visitor information. Wikipedia does, however, request voluntary contributions to remain operational.

The adware model is best illustrated by the unwanted advertising pop-up windows that appear when a user visits a website, and may continue to appear even after the user has left the site. Today, a negative brand association with such tactics, as well as a user's ability to adjust browser settings and install add-ons to block such pop-ups, has made the adware model less prevalent. However, advertisers such as Trip Advisor still aggressively circumvent browser settings to display pop-ups.

The advertising-supported model is typical, as most web sites include display advertisements. Most users understand that they will see advertisements on a site because the site operator is paid to display them. However, considerably fewer users understand that these advertisers track their movements across the web, even after they leave the site. Some advertising-supported websites may not display advertising, but will use the requirement for free registration as part of their revenue model.

[1] https://www.cdt.org/privacy/20071031consumerprotectionsbehavioral.pdf
The paid software model is used where access to content is provided only through paid subscription or membership. NSS, for example, follows a hybrid model of paid subscription and free registration, as well as making available some free content that is used to promote awareness of the NSS brand.

Permitting advertising networks and other companies to track a site's users increases the value of advertising for advertising-supported websites. The information gleaned from this tracking creates a rich information set that is used for demographic profiling (for example: race, age, gender, sexual preferences, income, and property ownership), which in turn is used for targeted advertising and/or harassment.

While recalling the origins of the current DNT, Christopher Soghoian related that after he had released the Firefox TACO add-on, Dan Kaminsky suggested he add information to the DOM (window.tracking-opt-out=explicit) and to HTTP requests ("X-No-Track: user-opt-out=explicit"). These additions to the request header would form the foundation of the current browser implementation of DNT. Kaminsky's idea behind DNT was for it to be a pivot, for web sites to say "If you don't want ads, pay us." The idea was never that DNT would prevent tracking; instead, the technology was intended to facilitate a user's choice to either pay for content by submitting to advertising, to avoid advertising by providing a different form of remuneration, or simply to do without the content. Kaminsky insists that DNT must be an explicit choice by users, but his approach is flawed, since a user cannot make a choice without knowing that choices actually exist.

Microsoft Outs the Industry

In 2012, Microsoft announced that it would ship Internet Explorer with DNT enabled by default. The response from several large retailers and advertising alliances was clear: they had never intended to accept a DNT system if it was to be widely adopted.
Many companies announced that they would ignore the DNT requests from Internet Explorer, but not necessarily for the reasons they specified. Yahoo blogged that they would not honor the DNT request, claiming, "Ultimately, we believe that DNT must map to user intent, not to the intent of one browser creator, plug-in writer, or third-party software service." However, if Yahoo and most critics of Microsoft were to be frank, they would admit that turning on DNT by default has a much higher mapping to user preference than does a default, neutral, or off setting. A 2010 Gallup poll shows that the majority of users do not want to be tracked. Yet Internet Explorer remains the only major browser to default to DNT-enabled.

The anti-malware industry strives for ways to add value to its offerings; demonstrating the ability to notify users if DNT is not set, or is turned off, is a low-cost implementation that can increase trust and satisfaction. Companies specializing in patch management, such as Secunia, should also validate that DNT settings match the user's preference.

What Do Users Want and Know?

Privacy and Modern Advertising, a publication from The Berkeley Center for Law & Technology, examines user knowledge, beliefs and desires.[2] Analysis of the findings reveals that turning DNT on by default provides the highest possible passive correlation of mapping to user intent and desires.

[2] http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2152135
The Berkeley researchers compiled data from polls showing that 87% of their respondents had not even heard of DNT prior to being polled, while another poll cited in the study showed this number to be 81%. Organizations such as P&G, Walmart, and Yahoo are supporting a technology of which they know most users remain unaware. As long as the vast majority of users do not know that a choice exists, DNT is not a threat to these organizations.

Berkeley research also reveals that 60% of their respondents want DNT to prevent websites from collecting information about users. The DNT proposal that is currently in review with the World Wide Web Consortium (W3C) does not prevent websites from doing anything. When presented with three choices of how DNT might work, only 14% of the Berkeley poll participants chose a model that most closely matches how the advertising industry proposes privacy considerations be addressed. Berkeley researchers have historically found that many consumers believe they are protected by privacy laws that either do not exist in the United States, or are significantly less protective of privacy than is commonly believed.

Ulterior Motives and the Delay of Do Not Track

Completion of the World Wide Web Consortium (W3C) DNT specifications will not serve the interests of those who are involved in the collecting, buying, and selling of tracking information. Key industry players have long argued that they are able to self-regulate and yet have done little to address privacy concerns. In 2011, in the wake of Senator Jay Rockefeller's introduction of legislation to limit online tracking, several online companies did undertake to create a DNT method that would address tracking concerns. In 2013, with still no headway made, Senators Jay Rockefeller and Richard Blumenthal introduced the Do-Not-Track Online Act of 2013.[3] Many in the user data trafficking market will use the W3C DNT initiative as proof that the industry can indeed regulate itself.
However, the current W3C DNT initiative, with its mandate that DNT not be set by default, practically guarantees that the choice to express a preference with regard to tracking will be obscure enough to ensure that the most desired settings will be used by the least possible number of people. In fact, if the specification is completed prior to legislative debate, proponents of the Do-Not-Track Online Act of 2013 could offer proof that the W3C DNT specification guarantees none of the protection that the legislation proposes.

History demonstrates that the advertising industry does not respect user choice over its own objectives. When users blocked third-party cookies and used opt-out cookies, the advertising industry switched to stealthy Flash cookies and frequently re-spawned deleted browser cookies. HTML5 allows for other tracking mechanisms; the setting to block third-party cookies makes the user's intent clear. Advertising consortiums will outwardly support DNT, all the while ensuring that it remains incomplete until the outcome of the privacy legislation is known. If the legislation succeeds, browser DNT may be a valuable mechanism for conveying intent. If the legislation fails, the industry will water down the standard by eliminating prohibitions on tracking most activities and then ignore the DNT setting because it is only a statement of preference.

[3] http://www.commerce.senate.gov/public/?a=files.serve&file_id=501f3af0-c9be-464f-8f4d-0c4e0e77a7c8
Private Browsing

The so-called private browsing feature implemented by many web browsers does not prevent tracking. The feature simply deletes a user's history so that different users on the same computer will not see a history of sites visited by other users. For example, if private browsing is enabled for a Google search on the price of a gemstone, Google will still inundate the user's inbox and later browser experiences with advertising pertaining to that search. For the advertising world, private browsing has little effect upon user tracking.

Do Not Track in the Browser

DNT is implemented as a value in the browser request header. When a user navigates to a web site, the browser requests a web page from a server and provides information, as seen below.

Figure 1 Do Not Track in the HTTP Request Header

In Figure 1, under the Cookies / Login section, DNT: 1 indicates a preference that the user does not wish to have tracking information collected. When no preference is specified, the DNT entry is not present; if a user consents to tracking, DNT is set to 0, either globally or on a domain-by-domain basis. At least in theory, a user can tell The New York Times that it is not acceptable to track them, and the browser will inform advertisers displaying advertisements through an iframe that the user does not wish to be tracked.

Do Not Track on the Server

NSS engineers navigated Apple Safari to Apple.com, Google Chrome to Google.com, Microsoft Internet Explorer to Bing.com, and Mozilla Firefox to Mozilla.org. It was observed that there is no difference in the kinds of cookies being dropped, whether DNT is enabled or disabled. Further testing revealed that Google Analytics appears to ignore the DNT setting, collecting an ever-growing set of user data. Currently, it is not clear what acceptable data collection and use scenarios will be recommended when the W3C DNT specification is complete, since the advertising industry is working to make the technology irrelevant.
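The following is an added example, not code from NSS Labs or from any site the brief tested. It shows what honoring the DNT request header described above looks like on the server side: the three states (header absent, DNT: 1, DNT: 0) are parsed out of a constructed request modelled on Figure 1, a tracking cookie is set only when the user has not objected, and the acknowledgement is rendered in the response body rather than by client-side script, so it is visible even when scripting is blocked. The Tk response header is taken from the W3C Tracking Preference Expression draft, which the brief does not cite by name; the cookie name and the hostname are assumptions.

```python
"""Server-side handling of the DNT request header (added example, not NSS Labs code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets

# Constructed sample request, modelled on the Figure 1 header dump.
# "DNT: 1" is the browser's expression of the user's objection to tracking.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "DNT: 1\r\n"
    "\r\n"
)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request into a {name: value} map; the request line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def parse_dnt(headers: Dict[str, str]) -> Optional[bool]:
    """True if the user objects to tracking (DNT: 1), False if they consent (DNT: 0),
    None if no preference was expressed (header absent or malformed).
    Header names are compared case-insensitively, as HTTP requires."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
            return None  # unknown value: treat as no preference, not as consent
    return None


def handle_request(headers: Dict[str, str], cookies: Dict[str, str]) -> Response:
    """Decide, on the server, whether to drop a tracking cookie for this request."""
    objects = parse_dnt(headers)
    resp = Response(status=200, headers={"Content-Type": "text/html; charset=utf-8"})
    if objects:
        # Honour the preference: no tracking cookie, and say so in the HTML itself
        # so the notice does not depend on client-side script running.
        resp.headers["Tk"] = "N"
        resp.body = "<p>Your Do Not Track preference was received; no tracking cookie was set.</p>"
    else:
        # No objection (absent or DNT: 0): behave as a tracking site would.
        resp.headers["Tk"] = "T"
        if "visitor_id" not in cookies:  # assumed cookie name for the example
            resp.headers["Set-Cookie"] = f"visitor_id={secrets.token_hex(8)}; Path=/; HttpOnly"
        resp.body = "<p>Welcome.</p>"
    return resp


if __name__ == "__main__":
    r = handle_request(parse_request_headers(SAMPLE_REQUEST), {})
    print(r.headers, r.body)
```

Run against the constructed request, the handler returns Tk: N and no Set-Cookie; remove the DNT line and a visitor_id cookie is issued.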
Regardless of W3C specifications, no significant privacy protections will result. The most fundamental component of DNT is that the server can completely ignore the request. The Information Technology and Innovation Foundation (ITIF), which opposed DNT, has a rather non-technical implementation of a DNT response. If one navigates to www.itif.org with DNT enabled, the image below supposedly displays.

Figure 2 ITIF Intended Response to DNT

The server recognized the DNT setting, but rather than handling the indicator of preference on the server itself, the ITIF used client-side scripting to display a message box indicating its rejection of the request. An organization with technical insight would typically handle the request server-side rather than client-side, since the NoScript add-on for Firefox is popular and causes problems with client-side scripting. Navigating to the ITIF home page in Firefox, with DNT enabled and scripting blocked for itif.org (the default user preference), results in the screen below (Figure 3).
Figure 3 ITIF response to DNT with NoScript enabled in Firefox Browser

Here, as with most servers, the ITIF server has no visible response to the DNT setting. However, because of the manner in which ITIF web developers handle DNT, they fail to provide their own desired response. Technologically sophisticated organizations will implement effective server-side transactions, once the specification is clear enough, in order to create a DNT response. The ITIF is correct in asserting that DNT can't work without legislation, but its predictions of economic collapse are based upon the premise that people cannot innovate when obstacles (such as respecting human rights) force changes in behavior. There is no evidence that DNT will result in significant economic impact to innovative organizations with a value proposition they don't have to hide.

Does It Matter?

From a philosophical perspective, yes, it does matter. Enabling DNT provides quantifiable information about the preferences of users, and this can be used to bolster the arguments for privacy legislation. If Internet organizations believe that Microsoft's default DNT setting does not in fact map to user intent, there is no technological barrier to informing the user that they must change the setting to access desired content. It may be argued that instructing users on how to change the setting is too complex a task, but with widespread industry support, browser manufacturers will make the settings more prominent.

From a privacy perspective, there is little value in enabling DNT. Even with a strict definition of what constitutes tracking, and even if we idealistically assume a widespread respect for the stated preference, there are many ways that tracking will still occur.
The extent of offline consumer tracking is so pervasive that the real effect of DNT technology or legislation, which covers only online tracking, will not make a substantial difference in consumer privacy. Facebook uses data from brick-and-mortar retailers, such as CVS, to target advertising content to users. This type of offline tracking is completely unaffected by the W3C initiative or by legislation that addresses online tracking.

Charles Duhigg provides a sobering exposé on retail tracking in his book, The Power of Habit: Why We Do What We Do in Life and Business. An excerpt published on The New York Times website explains how the retailer Target could know that a woman is pregnant before she has told anyone else, simply by tracking her offline shopping habits. In the book itself, Duhigg reveals that companies are compiling and selling information about consumers. Some companies listen on social networks to see what products are being discussed. Duhigg asserts that political leanings, reading habits, the number of cars owned, body size and weight, types of pictures posted online, and an array of other personal data are compiled and sold on a regular basis. In an Orwellian twist, advertising companies are able to track users by outsourcing to advertising soldiers of fortune, such as Facebook and Google.

The real opposition to legislation or functional technology is the fear of liability associated with current and intended future privacy abuses. Advertising companies apparently want no part of a world where respect for human rights is part of doing business. Ultimately, Microsoft knows that enabling DNT in Internet Explorer does not impact its ability to collect user data. Microsoft is, however, the only browser vendor to provide a default setting that most closely aligns with user desires.
The Business Implications

In an environment where any use of collected data is legal, it would be naïve to assume that enterprise users are tracked solely for the purposes of advertising. The correlation of addresses coming from IP blocks can yield information that may be useful to vendors in targeting specific businesses, but there is more at stake than just advertising. Much of the web browsing in the enterprise consists of research; by data mining IP blocks belonging to a specific enterprise and then examining the web pages visited, researchers are able to gain insight into the enterprise's product research and other operations. Pairing information such as LinkedIn profiles with browsing habits allows researchers to analyze what a specific researcher may be browsing for. Executives and corporations should be equally concerned with how data is being tracked. Companies such as Epsilon, the world's largest permission-based email marketing provider, are useful to criminals who steal data to profile a target; it would be naïve to assume that an extensive email list is all that was lost when Epsilon suffered one of the larger data breaches in history.

Preventing Tracking

There are no practical ways to eliminate the potential for tracking and still effectively use the web for commerce. Internet users need to have items shipped to their homes, and these users generally need to pay with verified payment methods, such as PayPal, credit cards, or debit cards. Sometimes these users want to include their names on gift cards. There are several technologies available that can reduce the amount of information available to those organizations that traffic user data.
The most practical step that a business or a consumer should take to reduce tracking is simply to block third-party cookies; useful web browser add-ons, such as DoNotTrackME by Abine, will block a wide variety of tracking cookies. However, products such as these have marginal effect, since they are able to reduce, but not eliminate, online tracking. A computer's IP address provides a highly effective means to track users across the Internet, without the use of cookies or other tracking tools. Anonymous proxies are able to stop this type of tracking, but use of these proxies is associated with productivity issues and with financial cost. The use of social networking sites can negate privacy, even with various technologies in place to prevent machine-specific tracking. For example, a person's individual writing style can be used to determine the author of anonymous Internet postings.

Ultimately, the prevention of tracking will only partially treat the real problem. In order to significantly curb the current abuses, we require meaningful laws concerning what data may be collected, how the data may be used, and informed consent. Contrary to advertising industry fears, the EU directives concerning privacy, data collection, and data use have not caused the collapse of the Internet. As the Online Trust Alliance position paper succinctly declared:

"Historically the interactive marketing and advertising industries have faced similar challenges. For example in the absence of regulation, the industry deployed technical counter measures which today are on-by default and embraced by nearly every browser and ISP. These include popup blockers and disabling of links and images from unknown senders in email to anti-phishing filters. While admittedly they impact legitimate advertising and marketing, can result in false positives and were disruptive to their operations and practices, industry has evolved and prospered."
The Online Trust Alliance found that there is a significant void in the appreciation of the value users receive from the data exchange which funds the content and services they consume. Therein lies the fear and consequent opposition to the implementation of meaningful DNT technology and legislation. In a free market economy, the buyer and seller agree upon a price and business is conducted, but this is contrary to the workings of the advertising industry. The opposition to DNT legislation stems from a fear of disclosing to consumers how much they are being charged. A vendor's confidence in the value they deliver can be gauged by their support of DNT technology and legislation, or by their opposition to it. Internet content providers that deliver an honest value to their users do not fear DNT technology or legislation, while corporations such as Yahoo, Google, Walmart, and P&G that oppose Microsoft's decision to enable DNT by default acknowledge the belief that if consumers understand the truth of how much they are paying these merchants and advertising networks, they will not see a value proposition.

Facebook's Mark Zuckerberg best summed up the advertising industry's contempt for users when he offered a friend access to confidential information from Facebook users. Zuckerberg's friend asked him why people give him their information, and Zuckerberg's honest, if ironic, response was "They trust me."
Contact Information

NSS Labs, Inc.
206 Wild Basin Rd.
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs' independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.

2013 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.