Research finds that privacy tools don’t work


Steve, a medical illustrator, was looking to spend a little money on an electronic drawing device as a tax write-off before year’s end. After looking at one such device online, he noticed that related marketing was following him around like a homeless puppy. Everywhere Steve browsed, ads for Wacoms followed.

It was a little creepy, he said.

We’ve all been there. We browse, and companies find ways to follow us, serving up advertising based on what they think we were looking at. As a Type 1 diabetic, I get ads for continuous glucose monitoring devices or for flower decals I can stick over the tubing that continuously drips insulin into my abdomen.

Some people like the ads. Most of us do not.

In fact, according to a 2009 study from Carnegie Mellon University’s CyLab, if given a choice, 68% of Americans “definitely would not” and 19% “probably would not” allow advertisers to track them online even if their online activities would remain anonymous. The researchers reported that 64% of their respondents found the idea of targeted ads invasive.

Of course, there are plenty of tools to protect our privacy if we don’t like companies looking over our shoulders online: every major Web browser includes a privacy option in its settings. There are opt-out tools that allow users to set opt-out cookies for advertising networks, and there are tools that allow users to block domains or patterns.

The problem, according to new research from CyLab, is that none of these tools work.

“We found serious usability flaws in all nine tools we examined,” according to CyLab’s report, “Why Johnny Can’t Opt Out.”

“The online opt-out tools were challenging for users to understand and configure,” the report continues. “Users tend to be unfamiliar with most advertising companies, and therefore are unable to make meaningful choices. Users liked the fact that the browsers we tested had built-in Do Not Track features, but were wary of whether advertising companies would respect this preference. Users struggled to install and configure blocking lists to make effective use of blocking tools. They often erroneously concluded the tool they were using was blocking [online behavioral advertising] when they had not properly configured it to do so.”

Who can blame them for improperly configuring these Byzantine tools? You may well have thought that Facebook’s privacy controls are unfathomable. These privacy tools, including the settings on common browsers Internet Explorer and Firefox, are torturous.

Case in point: According to Lorrie Cranor, director of CyLab, one study participant spent 47 minutes going through all the opt-out instructions for one tool alone. He had to use Google translation services because they were in Japanese, Cranor said in an American Public Media podcast.

Take, for example, TACO. It’s one of the nine tools that CyLab put its hapless guinea pigs to work on. Simply accessing the configuration interface for TACO’s blocking and opt-out features took four steps. Once a user finally gets to the configuration screen, she’s presented with three tracking categories: “Targeted Ad Networks,” “Web Trackers,” and “Cookies.”

The difference between these categories was an utter mystery to the study’s participants. To enable blocking, a user has to click on three separate “Not Blocked” pieces of text that don’t even appear to be clickable. Even if a user is slick enough to figure out that the three buttons are clickable, he’s informed that he’s blocking “some” of 630. None of the study’s 46 participants managed to block all 630 targets.

How much does it all matter? In an interview with American Public Media, Sophos’s Chester Wisniewski said the threat is minimal—similar to that of a frequent shoppers card you’d use to buy groceries. “[It] allows a store to get an idea of what products you buy, and they can tailor their marketing and their placement of products in the store to their customer base. The worst that could happen is that advertisers are able to sell a profile of your information to one another in a way that you lose control of your private information.”

If it’s not a big deal, why do we care so much? In fact, the CyLab study showed that 87% of people didn’t want to be tracked or were concerned that somebody was building an online dossier on them.

People are right to be concerned. There is precedent to presume that marketing is less benign than a frequent shopper card. Back in 2007, rogue anti-spyware software that pushed fraudulent PC scans worked its way onto DoubleClick and legitimate sites, including CNN, The Economist, The Huffington Post and the official site of the Philadelphia Phillies. More recently, malware has been delivered by Yahoo, Fox and Google ads.


There’s a term for this: malvertising. It doesn’t even need a user to click on the malware ad; instead, malicious ads entail drive-by downloads through the use of Flash scripts.

This isn’t an easily solved issue. As CyLab points out, the privacy tools have shifting targets in their sights in the form of advertising networks.

So perhaps the biggest takeaway of the study might be this: users should never assume they’ve secured online privacy. The more we learn, the more the term seems inherently contradictory.