Research finds that privacy tools don’t work


Steve, a medical illustrator, was looking to spend a little money on an electronic drawing device as a tax write-off before year's end. After looking at one such device online, he noticed that related marketing was following him around like a homeless puppy. Everywhere Steve browsed, ads for Wacoms followed.

It was a little creepy, he said.

We've all been there. We browse, and companies find ways to follow us, serving up advertising based on what they think we were looking at. As a Type 1 diabetic, I get ads for continuous glucose monitoring devices or for flower decals I can stick over the tubing that continuously drips insulin into my abdomen.

Some people like the ads. Most of us do not.

In fact, according to a 2009 study from Carnegie Mellon University's CyLab, if given a choice, 68% of Americans “definitely would not” and 19% “probably would not” allow advertisers to track them online even if their online activities would remain anonymous. The researchers found that 64% of their respondents found the idea of targeted ads invasive.

Of course, there are plenty of tools to protect our privacy if we don't like companies looking over our shoulders online: every major Web browser includes a privacy option in its settings. There are opt-out tools that allow users to set opt-out cookies for advertising networks, and there are tools that allow users to block domains or patterns.

The problem, according to new research from CyLab, is that none of these tools work.

“We found serious usability flaws in all nine tools we examined,” according to CyLab's report, “Why Johnny Can't Opt Out.”

“The online opt-out tools were challenging for users to understand and configure,” the report continues. “Users tend to be unfamiliar with most advertising companies, and therefore are unable to make meaningful choices. Users liked the fact that the browsers we tested had built-in Do Not Track features, but were wary of whether advertising companies would respect this preference. Users struggled to install and configure blocking lists to make effective use of blocking tools. They often erroneously concluded the tool they were using was blocking [online behavioral advertising] when they had not properly configured it to do so.”

Who can blame them for improperly configuring these Byzantine tools? You may well have thought that Facebook's privacy controls are unfathomable. These privacy tools, including the settings on common browsers Internet Explorer and Firefox, are torturous.

Case in point: According to Lorrie Cranor, director of CyLab, one study participant spent 47 minutes going through all the opt-out instructions for one tool alone. He had to use Google translation services because they were in Japanese, Cranor said in an American Public Media podcast.

Take, for example, TACO. It's one of the nine tools that CyLab put its hapless guinea pigs to work on. Simply accessing the configuration interface for TACO's blocking and opt-out features took four steps. Once a user finally gets to the configuration screen, she's presented with three tracking categories: “Targeted Ad Networks,” “Web Trackers,” and “Cookies.”

The difference between these categories was an utter mystery to the study's participants. To enable blocking, a user has to click on three separate “Not Blocked” pieces of text that don't even appear to be clickable. Even if a user is slick enough to figure out that the three buttons are clickable, he's informed that he's blocking “some” of 630. None of the study's 46 participants managed to block all 630 targets.

How much does it all matter? In an interview with American Public Media, Sophos's Chester Wisniewski said the threat is minimal—similar to that of a frequent shoppers card you'd use to buy groceries. “[It] allows a store to get an idea of what products you buy, and they can tailor their marketing and their placement of products in the store to their customer base. The worst that could happen is that advertisers are able to sell a profile of your information to one another in a way that you lose control of your private information.”

If it's not a big deal, why do we care so much? In fact, the CyLab study showed that 87% of people didn't want to be tracked or were concerned that somebody was building an online dossier on them.

People are right to be concerned. There is precedent to presume that marketing is less benign than a frequent shopper card. Back in 2007, rogue anti-spyware software that pushed fraudulent PC scans worked its way onto DoubleClick and legitimate sites, including CNN, The Economist, The Huffington Post and the official site of the Philadelphia Phillies. More recently, malware has been delivered by Yahoo, Fox and Google ads.

[Image: AvastMalAds, from CNET article]

There's a term for this: malvertising. The user doesn't even need to click on the malicious ad; instead, such ads deliver drive-by downloads through the use of Flash scripts.

This isn't an easily solved issue. As CyLab points out, the privacy tools have shifting targets in their sights in the form of advertising networks.

So perhaps the biggest takeaway of the study might be this: users should never assume they've secured online privacy. The more we learn, the more the term seems inherently contradictory.


7 Responses to Research finds that privacy tools don’t work

  1. Ruth · 1077 days ago

    Maybe the threat really is similar to that of a frequent shoppers card. But it's very simple to avoid having one of those in the bricks-and-mortar world of grocery shopping and I always know whether or not I've used one for a particular transaction. The problem with anything I do online is that I don't know what's tracked and what isn't. So as much as possible I continue to buy from real, physical shops, and in cash, instead of online. I wonder if I'm the only one.

  2. Mike Smith · 1077 days ago

    If a tree falls in the woods...
    If I use adblock plus and flash block for firefox, and I don't see the ads (malvertising or not), do they know what I'm searching for? Probably, but I don't care because I'm not bothered by it.

    • Actually, a lot of the tracking is done by matching image access to your IP address, and cross referencing against cookies. If you use AdBlock Plus and FlashBloc or NoScript, the advertisers often won't be able to track you because they never saw you... your browser never visited their website where they could log your IP and set a cookie.

      I've tried most of the tools mentioned in the article, and while I do use Albine (has TACO built-in), I actually find that AdBlock Plus and NoScript do the best job of preventing tracking.

  3. rob · 1077 days ago

    funny how many people won't go on FB because a lack of 'privacy' little do they know

  4. Nigel · 1077 days ago

    Thanks for another great article, Lisa!

  5. Jake Steeley · 1077 days ago

    Good article to help people understand the importance of this increasingly critical topic but stating that malware is delivered by Yahoo, Fox and Google ads and then referring to a CNET article published 18 months ago (conducted by an AV company in Prague no less) seems to miss the mark.

    Blogs and affiliate marketing groups are far more guilty of not securing information and directing users to infected links.

    With the explosion of mobile device usage in corporate environments in particular, people should beware of clicking these so-called 'friendly' URL's that distribute malware extensively, much more than ads from any search engine.

    Interesting to see Chrome was not evaluated in the Carnegie report either. Maybe Google is trying harder than anyone else when it comes to protecting user information..?

  6. Bob · 1066 days ago

    Host file blocking known malicious sites that updates on a frequent basis, Ad-Blocker add-in, and an encrypted connection to a proxy server with IP blacklister software blocking known malicious IP's and Adware.

    That is secured, but not impenetrable. You can only make it harder to get the information, not prevent it entirely.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.