Sophos Cloud Optix
Do Not Track, the privacy standard that’s supposed to address one of the biggest issues of the 21st century internet – how you control who can track what you’re doing online – isn’t in the news. Again.
That’s no surprise though – despite its importance, Do Not Track hardly ever does anything remarkable or exciting enough to count as actual news.
That doesn’t mean it’s not there or that things aren’t happening, it’s just that they happen so slowly it’s hard to tell.
Do Not Track, or more specifically the Tracking Preference Expression and Tracking Compliance and Scope specifications, is an internet privacy standard that allows users to signal their preferences for being tracked or not online.
The standard is a mess, an epic farrago unfolding in slow motion. It’s unfinished and the subject of fundamental disagreement, but also, strangely, in active use.
It’s never actually failed but it can never succeed. Like a giant glacier it’s slowly melting away beneath us. Eventually we’ll notice we’re stood on bare rock and it’s gone completely but until then we’ll wake up each day with nothing more interesting to wonder at than an occasional dampness in our shoes.
A process in trouble from the start
The idea for a standard crystalised about five years ago as a result of pressure from US and European legislators.
They wanted a way for consumers to indicate that they didn’t want to be tracked by advertisers – an internet equivalent of the ‘do not call’ lists that consumers can use to opt-out of unwanted telephone advertising.
The industry was challenged to agree to a standard, and if it couldn’t it was made clear that laws would be drafted instead.
United around the idea of avoiding ham-fisted government interference, the great and the good – a collection of privacy advocates, advertisers, and tech giants like Google, Microsoft and Mozilla – sat down with the common objective of creating a standard by which a browser can tell a server not to track it.
What actually happened was that they got together to arrange a series of conference calls to decide a round of meetings to endlessly repeat a set of arguments that frame a disagreement about a standard by which a browser could tell a server not to track it.
Deadlines were missed, lines were drawn in the sand, and companies did their own thing.
A year ago, in July 2013, privacy advocate Jonathan Meyer left the Tracking Protection Working Group with a stinging resignation email in which he exposed just how behind schedule they already were.
We first met to discuss Do Not Track over 2 years ago. We have now held 10 in-person meetings and 78 conference calls. We have exchanged 7,148 emails. And those boggling figures reflect just the official fora.
The group remains at an impasse. We have sharpened issues, and we have made some progress on low-hanging fruit. But we still have not resolved our longstanding key disagreements, including: What information can websites collect, retain, and use? What sorts of user interfaces and defaults are compliant, and can websites ignore noncompliant browsers?
Our Last Call deadline is July 2013. That due date was initially January 2012. Then April 2012. Then June 2012. Then October 2012. We are 18 months behind schedule, with no end in sight.
A process designed to fail
DNT was supposed to protect users’ privacy but I think it’s had the very opposite effect.
It’s kept major players occupied for years while simultaneously failing to protect users’ privacy and acting as a roadblock to privacy legislation.
I don’t believe that those outcomes are unconnected to the fact that the companies who stand to lose the most from a DNT standard are part of the working group defining the DNT standard.
It made sense to include the advertising companies in the group drafting the standard but it’s also a decision that made inaction an attractive and achievable outcome.
All the time that DNT is being drafted, is in conflict or remains unfinished the behavioural tracking industry continues to grow without the yoke of an official standard.
I am not privy to the motivations of those involved in drafting the standard but it seems to me that there is a clear conflict of interest at work and that limbo and glacial inaction is by far the best outcome for the behavioural tracking industry.
A standard designed to fail
DNT’s great conceptual flaw is that it’s cooperative rather than coercive.
In HTTP, the language of the web, browsers don’t exert control over servers, they make requests. DNT is a request; “Don’t track me, OK?”
The balance of power in a request/response conversation lies with the responder. Responders can choose to comply with requests or not and there’s absolutely no way to tell if your DNT requests are being honoured.
So you have to trust the people you’re asking not to track you.
That’s right – you’re using DNT because you don’t want to trust a server but the mechanism you’re using to assert your distrust relies upon the server being trustworthy.
I guess what’s supposed to make Do Not Track work is that advertisers have incentives to play along – they’re big commercial organisations with reputations to protect and they’re offering a product, tailored advertising, that users might prefer to the alternative.
Unfortunately, major tracking companies like Clearspring, QuantCast and KISSmetrics have been caught out using unfriendly, reputation-damaging techniques in the past.
The only sensible course of action, the only one that doesn’t put your privacy in the hands of a promise from somebody you don’t know, is to assume that servers are lying to you.
Most of them probably aren’t lying but you can’t tell who is and who isn’t.
And if you assume that servers are lying to you then DNT can’t work.
The only technology that can work in an untrustworthy environment is coercive technology that prevents the server from acting against your best interests.
A standard overtaken by events
It’s impossible to talk about web privacy without mentioning Edward Snowden.
The DNT programme was kicked off before Edward Snowden brought to our attention that our data, in bulk, was of intense interest to the NSA (and let’s not delude ourselves – every other intelligence agency in the world with hackers and hard drives).
DNT was never intended to stave off the interests of attackers or intelligence agencies so it wouldn’t be fair of me to criticise it for failing to do so.
The reason that Snowden is important to DNT is that DNT is a reflection of our thinking and priorities four years ago. We thought that our privacy was under threat from a bunch of ad men who had something to lose by not playing along.
We now know that even if DNT was fully implemented by the entire online advertising industry, our privacy would still be fatally compromised.
What Snowden showed us is that, conceptually and technologically, we were preparing to turn up to a gun fight with a stiffly worded letter.
The idea of governing internet privacy based on a sort of glorified gentlemen’s agreement now looks staggeringly dated.
The standard losing support
It seems that recently some technology companies have felt the ice shifting beneath their feet and have decided to climb off the glacier before it melts. Yahoo made the jump to dry land first, back on 30 April 2014:
As of today, web browser Do Not Track settings will no longer be enabled on Yahoo ... we have yet to see a single standard emerge that is effective, easy to use and has been adopted by the broader tech industry.
The announcement goes on to say that its users can use the Yahoo privacy center to configure their privacy preferences.
Just a few days ago AOL followed suit, changing its privacy policy to state that Gravity, its personalisation technology, will not honour DNT headers from 15 September 2014.
Previously, Gravity provided users with the ability to use the browser "Do Not Track" signal to opt out of certain personalization. AOL has consolidated and simplified many of the preferences and opt-outs we offer, and as a result, "Do Not Track" browser signals will no longer be recognized.
AOL goes on to say that users can still opt-out of Gravity’s personalisation.
Use coercive protection
Responsible online advertisers all operate their own processes for opting out of online tracking and behavioural advertising but managing your privacy with their many and various opt-outs is wildly impractical.
Even if you could find them all and even if you could discover easily when they change their privacy policies, or when a new vendor enters the market, you still have to trust them.
The opt-out approach has the same fundamental flaw as DNT, it’s cooperative, it’s another request – “Don’t track me, OK?”
The only technical solutions that can provide any kind of assurance are coercive.
Coercive technologies work by withholding or disrupting the information that tracking relies on, such as cookies, Flash cookies or local storage. They aren’t a guarantee of success but they do at least understand the nature of the battle they’re involved in.
Modern browsers come with private or incognito modes. You can supplement those modes with a number of useful browser plugins such as noscript and ghostery.
All modern browsers also come with an easy to enable Do Not Track feature. It doesn’t hurt to turn it on but don’t expect it to make any difference to your privacy.
“Do Not Track – the privacy standard that’s melting away”
Hmmm…Funny you should bring this subject up, considering just landing on Naked Security.com gets you 65 tracking requests from seven different locations.
You can read about the cookies and scripts, why we have them, what they are and how to block them on our cookies and scripts page.
https://nakedsecurity.sophos.com/cookies-and-scripts/
Whilst this page is valuable and an example to others, it is not really a “solution”.
The problem is an erosion of trust. I suspect that most readers of this block have various privacy/security addins in operation to try and take back control or prevent potential threats to security or privacy. (Heck I suspect you can even monitor which addins we are using!). But this disables some of the features that developers are trying to deliver to us (as well as to advertisers).
Is the long term solution to be found in new protocols which can be designed to prevent transmission of certain data (possibly in conjunction with compatible client software)? Then we need to stop rogue addins from permitting the transmission of that data – in exchange for some spurious added functionality.
Meanwhile do we need the noscript tag type functionality to be extended, so that for instance if I load a naked security page with an audio element, I get prompted that I need to allow specific scripts and cookies (soundcloud is fairly obvious, but scorecardresearch and xiti !) to listen to the audio – and then be able to permit them for just that page*.
* If (in noscript 2.6.8.36 on FF31) I permit “getpocket.com” (only partly referenced in the cookies and script page), this page will reload as will “Duping the machine – the cunning malware that throws off researchers” page which I have open awaiting reading.
The ideal long term answer may well be new protocols or some sort of legally mandated switch to opt-out by default but neither looks likely.
The only practical answer is coercive tech. The next challenge, which you’ve eluded to, is improving the usability of that tech.
True. And look to the left… See the Facebook icon? That’s served by Facebook.com and, as you request this page, you send them your login cookie which fully identifies you (assuming you to be a Facebook user).
And, wait for it, this type of personal data collection would not be covered by DNT!!! Rather DNT is set to go after pseudonymous cookies from 3rd parties that only know cookie abc123 as a minivan enthusiast not cookies from big first parties who know you as user John Smith – even if that first party is seeing you in a 3rd party context.
“you’re using DNT because you don’t want to trust a server but the mechanism you’re using to assert your distrust relies upon the server being trustworthy.”
It also has not sorted out two different user attitudes:
1) The possibly naive view that I should not be tracked without my permission – so options should be “Track me – fine” & “no expression”
2) Those who believe that they have to actively protect their privacy – so options should be “Track me – fine” & “Don’t track me” – and the global default is set as part of software installation.
Advertisers would hate to have to accept (1).
And it’s all so ironic that everyone talks about browser security and how privacy is eroding… and how tracking cookies and the such are destroying privacy, but then they go on to justify their use of tracking cookies because they would “…never sell the information and it’s not PII… and blah blah blah”. At least those other companies that do sell it tell you (if you can read between the double-speak) that they are selling and sharing it.
I’ve been using Disconnect and Lightbeam on Firefox for some time and it’s very enlightening to see just who wants to know.
This is the typical opt-in or opt-out schemes. Ideally, we want things like tracking to be opt-in, but currently (assuming there is an option at all, some don’t have any) they are opt-out.
Personally, I tend to block traffic to certain domains altogether (quantserve.com, google-analytics.com etc) though this is a bit technical for regular users, it would be nice if there was an easy OS or router level “app” that could provide such functionality.
I had my doubts from the beginning that this would work. Companies that track us have their life’s blood invested in NOT having anything like DNT. It’s like asking Rover to protect that box of steaks all day.
So, it’s down to governments. Getting things done via government is probably the worst possible way to implement it, but since no other method is viable, it’s also the best.
The industry — NOT just the Googles and FaceBooks, but weighted towards the people — need to propose a unified set of standards. It should be modular, so that governments can pick and choose which modules to codify in their laws.
Above all, it needs to be a white list. In other words, all tracking is disallowed unless opted-in by the entity being tracked. Then the modules tell what data is auto-allowed by a government, what data is auto-blocked, and what data is somewhere in-between.
Additionally, the opt-in process should be something by which the Googles of the world can still get data, but not until the users have decided it’s best for THEM. Many will opt in, if sufficiently enticed.
Finally, there must be no legalese. Too much of tracking now is couched in legalese buried under layers of obfuscation. Companies can (rightly, if not ethically) say “yeah, but you agreed right here on page 71 …”. The “entire contract” must fit on one typical screen using 12, 16 (or whatever) point type. Being modular, this should be easy (if painful) for the trackers. Something similar to the GNU license: One size fits all. Companies don’t like it? Then they don’t track.
If governments can choose between a worldwide set of modular standards, it makes the prospect of getting laws passed that actually make sense more likely.
“Getting things done via government is probably the worst possible way to implement it, but since no other method is viable, it’s also the best.”
Well possibly if not the “best”, the “least worst”.
Historically we used to have worries over whether web-pages were Netscape or MSIE compatible. Perhaps, just perhaps we need to go back to that sort of situation, but worry about whether web-pages are compatible with, say:
Firefox+noscript+ghostery+https everywhere+Calomel SSL Validation+Cookie Controller (1st party only, session only), No java, No Flash.
i.e. some definition of a locked down private secure set-up. I don’t see why the likes of Mozilla cannot supply such a configuration as a package (after all linux distributors can do something similar). If enough of us where to adopt such a set-up so it became a sort of default configuration, perhaps developers would write for this configuration – which will probably met the needs of 99.9% of users.
I suspect pragmatically we will have to allow access to “validated” javascript libraries (which might be made more modular) – might the major browser developers maintain validated versions of things like jQuery etc.?
what has had another impact on DNT been ignored is IE11 and windows 8 Auto opting in users into the DNT (who do not know what it means even if they read it 10 times they still not understand it or they Press the box go away button) quite sure most advertisers and sites now ignore the DNT Flag if IE is detected, as 99.9% of them never Opted into DNT
in the UK not sure if it was in the USA was that silly advert on TV about Protecting your privacy on windows 8 by having DNT enabled to protect your kids (or something like that), the ASA in the UK should of removed it as by that time a Apache is configured to ignore IE DNT flag
DNT is like Age restriction feature that has been in IE4 and onwards that no sites use it (apart from some Kid sites)
Yes, Microsoft made DNT: 1 the default in Windows 8. The users is shown a box that’s already been ticked and they have to untick it if they want to turn DNT off.
The working group considered this behaviour beyond the pale and determined that since DNT was ticked by default it was not on because users expressed a preference for it and therefore it didn’t count and should be ignored.
In other words the working group think you should opt-out of behavioural tracking not opt-in to it.
Putting aside that DNT is basically useless, Microsoft got this one right.
Which goes back to my post, 4 posts back: White list ONLY, and ecoded into law. It’s the only way it can work.
Unfortunately, trackers will probably move to countries that don’t create such laws. Still, it will make it harder for Google and the like, since they (probably) don’t want to leave the US.
Now, another caveat is that governments will probably add themselves to the white list. But, there’s not much we can do about that. Even if the standard specifies that this should not happen, it’s THEIR law, so they can unfortunately make it say anything they darned well please.
Still, even with all that, standardized white list + governmental regulations and/or laws are the only viable option.
Is Sophos interested in putting forth such a concept?
I don’t feel I can speak for Sophos in regard to that kind of activity, there are a few pay grades between here and there. Personally I don’t hold out any hopes or expectations for government regulation.
I think the European Union and UK’s Information Commissioner’s Office are genuinely interested in protecting individuals’ privacy but they move *slowly*. The US government needs billions to get elected so it will be hard for them to do anything that really hobbles behavioural advertising.
All the while that DNT is stalling I think the behavioural advertising industry is normalising an opt-in by default approach.
Any government wanting to deal with that isn’t setting the rules for an industry that doesn’t exist, they will have to deal with what’s already there. If opt-in by default is the norm then making opt-out the default requires a great deal of unpleasant change (for the politicians.)
As I said in the article I think the only thing that will ever make a big difference and be able to adapt quick enough is technology. Technology in the hands of the users that enforces the will of the users.
Norms in software change and browser vendors tend to follow each other. I can see a situation where the standards you talk about emerge from the grass roots, enshrined in software, but not from government.
I agree that software would be the best answer. Unfortunately, I don’t think it’s practical.
Think about Google. What’s their most valuable asset? Surely near the top are the algorithms that allow them to use customer data for ad targeting while keeping the data itself secret.
For software to work, it has to be able to see those algorithms and the data they use, and that’s just not going to happen. Google (and the like) are going to spend a great deal of resources preventing those secrets from becoming public.
I’m using Google only because they’re well-known. Plus, they’re a very good “corporate citizen”, IMO. They’re pretty responsible with their data; just the kind of company that might follow the rules, should they be written.
There are gobs of other companies and individuals that will do everything in their power to subvert the rules.
That’s why I say nations need to use the SAME set of practices, not just “have similar laws”. Remember old-style spammers? Many just moved off-shore as states and the US Government started making their actions illegal.
It’s a big job in front of us. Industry is incapable of putting aside their profits to fix the problem. Governments will screw it up or knuckle under to industry lobbying. Software would be nice, but it’s a pipe-dream.
So, we’re back to a nation-independent and industry-independent entity that has worldwide scope. Can it be done? I doubt it. But, I’m afraid it’s the only game in town.
they do not even see the tick its express option that 99% will go with whatever they see, custom is to complicated for most users (most miss the language settings and leave it on english US when it should be UK)
not sure how MS got it right DNT should never been enabled by default and there advert on TV is massive misleading that you be protected from tracking when its not implemented or the site ignores DNT flag if IE11+ is detected (as the user did not Choose to use DNT it was ticked by default so advertisers should ignore IE11+ if DNT is flag is on as the user did not understand what they was opting into as they do not when Java has mcafee scan ticked by default )
Actually, France could be the first country to enforce the usage of DNT. We’ll find out shortly.
The link in your article (sorry, we remove links from comments as a matter of policy) was about the EU cookie law which is entirely separate from DNT.
The article mentions that users should be able to use a service without accepting ad cookies which is actually an application DNT would be well suited to though.
And don’t forget that some users are OK with tracking, even knowing the risks. For example, I’m OK with it FOR CERTAIN ENTITIES. I trust Amazon. I’ll let them track me because they really do enhance my shopping experience with their ad technology. I trust other companies as well.
But, there are far more that I don’t trust. And even the ones I do trust aren’t necessarily entirely above-board. So, I think we need something.
Here’s another approach: AdNauseam. Click on every single ad you see…
Nice!