The Web's Bushiest Site

Last week Facebook enabled a new level of preference sharing, in which the site shares information about the music you’re listening to and the movies you’re watching on certain services that allow you to login via Facebook. As is common, the change has a number of people concerned about privacy, since it pushes a new and unexpected set of information about people into the public. Among these concerns, the Numbers Rule Your World blog at Junk Charts has argued that Internet researchers are among the few groups that will benefit from these changes.

I have to disagree with the idea that Facebook’s forced sharing is for the benefit of researchers. For starters, Facebook has never cared about appeasing researchers. They have usually been cold to the academic community, and the codes of their site (computer and legal) make it nearly impossible to gather data from the service for research.

Lets put aside Facebook’s relationship with research, and instead focus on the ethics of research. Ethical researchers won’t be very happy with this arrangement. It violates the research ethic of keeping information private and anonymous unless there is a compelling research interest to do otherwise. Ethical researchers wouldn’t be happy with forcing the information into the public so it can be observed, since it violates the core of research ethics: respect for individuals. While there are web researchers who don’t adhere to this ethic, there are many who do and apply it to their own research and the work of others. Even when data is out in the open, this ethic causes researchers to question the morality of collecting and analyzing public data without user consent, as seen in the case of Harvard’s 2006 Facebook study.

If Facebook actually wants to provide data to researchers, it would do so in a way that respects the ethics of research. Provide researchers with a means to request anonymous, private data about users who have consented to this form of searching. Don’t shove individuals’ data into the spotlight.

A couple of weeks ago the Interactive Advertising Bureau, one of the largest industry groups and self-regulatory bodies in online advertising, instated a new code of conduct for its members. In summary, the new code requires any IAB member site that collect information about users to display the logo to the right as an indication to users that collection is occurring, and to provide users with information about what is being collected and why.

While the new code of conduct has taken flack for not actually providing clear notice, this latest action by the IAB does bring some attention to the organization’s (beta) Opt-Out page. The Opt-Out page provides users with a way to request that IAB members not collect information about them for advertising purposes. The page, located at http://www.aboutads.info/choices/, is pretty simple to use: all you need to do is visit the page, make sure you are on the “All Participating Companies” tab, select the companies that you don’t want to have track you (or click “Select All Shown” to opt-out of tracking from all IAB advertisers), and then click Submit Your Choices at the bottom. Once you submit your choices, a cookie will be placed on your computer informing the companies you selected that you do not wish to be tracked. Aside form the Opt-Out page, the site includes information about online advertising (with an industry spin of course) such as how to adjust the privacy settings in your browser and the self regulatory principles of the IAB that are worth checking out.

Does it Work?

So the page is easy to use, but does it actually increase your privacy? Well, there are a few factors to consider that show the weaknesses of the opt-out page:

It applies to IAB members – which are a lot of advertisers to be sure, and includes most of the biggest advertising companies. Still, there are a lot of other companies and sites out there that are not IAB members, and thus are not affected by this Opt-Out page.

It relies on companies respecting your decisions – Between the IAB’s own enforcement and the threat of FTC legal actions, IAB companies have plenty of reason to not track you if you tell them not to. Unfortunately, the history of Internet privacy is full of examples of sites or companies not respecting the wishes of consumers, even when they have said they would. For that reason, some skeptisim is reasonable here, and personally I’m not yet ready to trust the intentions or ability of the IAB to respect my privacy decisions. This opt-out page allows you to ask that companies shutoff their tracking, which is different from the approach tools such as Ghostery take, which actually blocks information from being sent, and is an approach I’m more willing to trust right now.

It uses cookies – If you are concerned about privacy on the Internet, you probably have your browser set to not accept cookies/delete cookies when you close the browser/or delete cookies often. That means the Opt-Out page is pretty useless to the privacy concerned, since any choices set via the page will be lost within a short amount of time. This is a problem that engineers and policy makers have been discussing since Do-Not-Track became a big deal, and in my opinion it reveals a problem with how cookies are managed by browsers. The current cookie management model of the major browsers is built on an all or nothing choice – either have all cookies on and retained, or have all cookies off and deleted. Despite years of messaging about how bad cookies are, the IAB’s Opt-Out page shows that not all cookies are bad. Browsers need a more sophisticated cookie management system that allows a user to select which cookies can be kept for a long time and which should be deleted right away. Until that happens, the Opt-Out page might as well not exist, and users should instead use opt-out plugins like TACO.

It only applies to one browser on one machine – This limitation applies to many privacy protection tools, but it is an important one. If you submit opt-out requests in Firefox on your home PC, then tracking will still occur on IE on that PC, or Firefox on your laptop.

So Should I Use It?

The short answer is no.

Unfortunately, the Opt-Out page isn’t a reliable tool for privacy protection, mostly because of the cookie problem discussed above. This is especially unfortunate since this page is likely the result of hours of discussion involving IAB companies, the FTC, and consumer groups, and represents what I would like to believe is an honest effort by the industry to address privacy concerns.

Given the level of discussion and work going into Do-Not-Track, it is likely that the IAB’s Opt-Out page will merge with a browser based Do-Not-Track manager. Until that happens, privacy concerned consumers will have to continue to rely on third party tools to prevent companies from tracking them all around the Internet.

“… there is no way we should do business with companies that have agreements with stealth provisions and that aren’t intelligible. So how are we going to change the world? Make clarity, transparency, and simplicity a national priority.”

A year and a half ago, Alan Siegel described in less than 5 minutes why the problems of privacy and consumer trust run rampant on the Internet. That legalese that every website presents you doesn’t actually inform you of anything. It is a tool of websites to obtain legal authorizations and protection.

Privacy policies were not meant to be used this way. The FTC originally promoted privacy policies as a tool for informing consumers of the benefits and risks of using websites. Over the years they have evolved into dense blocks of text that are not only useless to consumers, they are harmful to consumers.

Why aren’t clear notices a national priority? Siegel thinks they should be. The FTC has stated again and again that consumer notices should be clear and easy to understand. Unfortunately, industry self-regulation bodies and Congress don’t seem to be as interested in presenting consumers with clear and transparent information.

Why aren’t clear notices a national priority? I think we should ask the DMA’s Consumer, Ethics, and Privacy department, or IAB President Randall Rothenberg. More importantly, we should ask that question to our Representatives and Senators. We might also want to ask, why is it OK for businesses to trick consumers? Why aren’t consumers treated with respect by our businesses and our government?

Chris Hoofnagle of UC Berkeley recently did a Q & A with the San Francisco Chronicle about federal policy regarding online privacy. He highlighted the rapid changes that occur in tracking practices and the great disadvantage most users experience in protecting their privacy online. Noting that when a user performs a privacy protecting action many sites either work around the protection or just completely ignore the user’s desire, Hoofnagle argues that federal policy should turn its attention towards data retention limits as a means of establishing privacy as an online default. I agree that retention limits should be implemented in some form, but I must respectfully disagree with the implied belief that it is time to give up on user involvement in privacy protection.

As new technology continues to challenge our definition and valuation of privacy, our society needs to have a public discussion on how privacy should react to technology and vice verse. In order to match our democratic values, this discussion needs to be as inclusive as possible. To this end, federal policy needs to raise public awareness of online privacy issues and educate citizens about new threats to privacy, as well as the benefits and consequences of lost privacy. If federal policy shifts to focus on regulations defined by law and rule makers, citizens will lose their place in the discussion of privacy and technology. Furthermore, by giving up on the idea that citizens are involved in creating their online privacy environment via choice and consent, they will be deprived of one of the only situations in which citizens are educated about online privacy and asked to think critically about its value. Our society is still coming to terms with the degradation of an important value. It is all the more important that as many people as possible develop a thoroughly considered opinion on privacy and be able to voice that opinion. Defining what privacy means as a social norm in this nation, and how regulation will reflect that norm, needs to be a nationwide effort, not the function of a handful of industry and government representatives.

The fact that companies disregard the voiced privacy choices of users should not be an impetus for removing users from the privacy protection system; it should be the subject of policy initiatives that fix the broken system. Many FTC enforcement actions regarding privacy have punished deceptive actions.  In my opinion, a company action that disregards a voiced privacy choice by a user is just as  deceptive as a company action that contradict its own privacy policy because users have a reasonable expectation that if a company offers opt-outs and accepts P3P or Do-Not-Track messages then it will respect the voiced privacy decisions of a user.  P3P failed not because of technical limitations. It failed because companies were not punished for lying to users via the protocol. This type of behavior should not be tolerated in matters of commercial interaction nor matters of privacy.

So lets keep our focus on P3P and Do-Not-Track. When companies choose to ignore those technical solutions lets not call that a failure of technology. Lets recognize it for what it is, companies hearing consumers and ignoring their voices.

Local Shared Objects, aka Flash Cookies, are pieces of data that Flash enabled websites save to your computer. Like the browser cookies that we are all familiar with, Flash cookies can save your preferences and keep you logged in to websites. Like browser cookies, they can also be used to track where you have been on the Internet – allowing sites to know if you have been visiting their competitors; allowing advertisers to build a data portfolio of your interests; and generally allowing anybody to piece together, to some extent, your browsing history.

Many websites use Flash for functions such as games, streaming video, displaying advertisements, and interactive menus. In addition, many websites use Flash to save backups of their browser cookies via Flash cookies. This is because browsers currently are unaware of Flash cookies, so their privacy settings and cookie deletion functions have no impact on Flash cookies. Additionally, anti-spyware programs currently do not search for these cookies. Thus, if you delete cookies though your browser or anit-spyware program, many Flash enabled websites can simply recreate the deleted browser cookies via the information saved in Flash cookies.

How to Get Rid of Them

Your browser can’t stop or delete Flash cookies. Fortunately, Adobe does provide a way for you to control some Flash cookie settings through the Flash Settings Manager (more information about the Settings Manager can be found here.) Changes made in the Flash Settings Manager apply to all browsers installed on your computer/OS, so fortunately you don’t have to repeat the following for Firefox, IE, Safari, Chrome, etc… Also, changes take effect immediately, so you don’t have to worry about saving settings or clicking any “Apply” or “OK” buttons.

In order to protect your privacy though the Settings Manager you must do two things: prevent new flash cookies from being saved to your computer; and delete existing flash cookies as well as the list of flash-enabled websites that you have visited.

Prevent New Flash Cookies

Step One: Go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html, the Global Storage Settings Panel.

Step Two:  On the slider presented under “Global Storage Settings”, drag the selector all the way to the left. The text to the right of the slider should read “None”, as below.

Delete Existing Flash Cookie Folders

Step One: Go to the Website Privacy Settings Manager at http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html . Here you will see a list of all websites you have visited that have tried to or have successfully saved flash cookies to your computer, and you will have options to set individual privacy settings, delete website data individually, or delete all website data.

Step Two: Assuming you wish to delete all website data (include the folders and list entries for all websites,) click “Delete all sites”.

Step Three: Confirm that you wish to delete all website data.

Step Four: Repeat. Unfortunately, even though we have prevented sites from being able to save Flash cookies, Flash will still create a folder/list entry for any site that tries to save Flash cookies in the future. Thus, you will regularly (weekly) have to repeat steps 1 – 3 to prevent websites from tracking where you have been on the Internet.

There are a lot of aspects of the recent Facebook privacy debacle that evoke hostility towards the website. A shift in privacy context and the assumed consent of users likely the top list for most. However, I believe that Mark Zuckerberg and company are doing a lot to take would could have been a heated public debate about the nature of privacy online and turning it into a national flamewar. What are they doing exactly? They are acting like condescending assholes.

(more…)