Moving the Web Beyond Third-Party Identifiers

from the privacy-and-cookies dept

(This piece overlaps a bit with Mike’s piece from yesterday, “How the Third-Party Cookie Crumbles”; Mike graciously agreed to run this one anyway, so that it can offer additional context for why Google’s news can be seen as a meaningful step forward for privacy.)

Privacy is a complex and critical issue shaping the future of our internet experience and the internet economy. This week there were two major developments: first, the State of Virginia passed a new data protection law, the Consumer Data Protection Act (CDPA), which has been compared to Europe’s General Data Protection Regulation; and second, Google announced that it would move away from all forms of third-party identifiers for Web advertising, rather than look to replace cookies with newer techniques like hashes of personally identifiable information (PII). The ink is still drying on the Virginia law and its effective date isn’t until 2023, meaning it may be preempted by federal law if this Congress moves a privacy bill forward. But Google’s action will change the market immediately. While the road ahead is long and there are many questions left to answer, moving the Web beyond cross-site tracking is a clear step forward.

We’re in the midst of a global conversation about what the future of the internet should look like, across many dimensions. In privacy, one huge part of that discussion, it’s not good enough in 2021 to say that user choice means “take it or leave it”; companies are expected to provide full-featured experiences with meaningful privacy options, including for advertising-based services. These heightened expectations—some set by law, some by the market—challenge existing assumptions around business models and revenue streams in a major way. As a result, the ecosystem must evolve away from its current state toward a future that offers a richer diversity of models and user experiences.

Google’s Privacy Sandbox, in particular, could be a big step forward along that evolutionary path. It’s plausible that a combination of subscription services, contextual advertising and more privacy-preserving techniques for learning can collectively match or even grow the pie for advertising revenue beyond what it is today, while providing users with compelling and meaningful choices that don’t involve cross-site tracking. But that can’t be determined until new services are built, offered and measured at scale.

And sometimes, to make change happen, band-aids need to be ripped off. By ending its support for third-party identifiers on the Web, that’s what Google is doing. Critics of the move will focus on the short-term impact for those smaller advertisers who currently rely on third-party identifiers and tracking to target specific audiences, and will need to adapt their methods and strategies significantly. That concern is understandable; level playing fields are important, and centralization in the advertising ecosystem is widely perceived to be a problem. However, the writing has been on the wall for a long time for third-party identifiers and cross-site tracking. Firefox blocked third-party cookies by default in September 2019; Apple’s Safari followed suit in April 2020—Firefox first made moves to block third-party cookies as far back as 2013, but it was, then, an idea ahead of its time. And the problem was never the cookies per se; it was the tracking they powered.

As for leveling the playing field for the future, working through standards bodies is an established approach for Web companies to share information and innovate collectively. Google’s engagement with the W3C should, hopefully, help open doors for other advertisers, limiting any reinforcement effects for Google’s position in Web advertising.

Further, limits on third-party tracking do not apply to first-party behavior, where a company tracks the pages on its own site that a user visits, for example when a shopping website remembers products that a user viewed in order to recommend other items of potential interest. While first-party relationships are important and offer clear positive value, it’s also not hard to imagine privacy-invasive acts that use solely first-party information. But Google’s moves must be contextualized within the backdrop of rapidly evolving privacy law—including the Virginia data protection law that just passed. From that perspective, they’re not a delaying tactic nor a substitute for legislation, but rather a complementary piece, and in particular a way to catalyze much-needed new thinking and new business models for advertising.

I don’t think it’s possible for Google to put privacy advocates’ minds at ease concerning its first-party practices through voluntary action. To stop capitalizing totally on its visibility into activity within its network would leave so much money on the table Google might be violating its fiduciary duty as a public company to serve its shareholders' interest. If it cleared that hurdle and stopped anyway, what would prevent the company from going back and doing it later? The only sustainable answer for first-party privacy concerns is legislation. And that kind of legislation will struggle to be feasible until new techniques and new business models have been tested and built. And that more than anything is the dilemma I think Google sees, and is working constructively to address.

Often, private sector privacy reforms are derided as merely scratching the surface of a deeper business model problem. While there’s much more to be done, moving beyond third-party identifiers goes deeper, and deserves broad attention and engagement to help preserve good balances going forward.

Filed Under: 3rd party cookies, cookies, identification, privacy
Companies: google

How The Third Party Cookie Crumbles: Tracking And Privacy Online Get A Rethink

from the important,-but-not-as-important dept

Google made some news Wednesday by noting that once it stops using 3rd party cookies to track people, it isn't planning to replace such tracking with some other (perhaps more devious) method. This news is being met cynically (not surprisingly), with people suggesting that Google has plenty of 1st party data, and really just doesn't need 3rd party cookie data any more. Or, alternatively, some are noting (perhaps accurately) that since Google has a ton of 1st party data -- more than just about anyone else -- this could actually serve to lock in Google's position and diminish the alternatives from smaller advertising firms who rely on 3rd party cookies to bootstrap enough information to better target ads. Both claims might be accurate. Indeed, in the "no good deed goes unpunished" category, the UK has already been investigating Google's plans to drop 3rd party cookies on the grounds that it's anti-competitive. This is at the same time that others have argued that 3rd party cookies may also violate some privacy laws.

And, yes, it's possible that it can be both good for privacy and anti-competitive, which raises all sorts of interrelated issues.

In theory cookies should have been very pro-privacy. After all, they're putting data on end user computers where they have control over them. Users can delete those cookies or block them from being placed. In theory. The reality, though, is that deleting or blocking cookies takes a lot of effort, and while there are some services that help you out, they're not always great. In an ideal world, we would have built tools that made it clearer to end users what information cookies were tracking, and what was being done with that information -- as well as consumer-friendly tools to adjust things. But that's not the world we ended up in. Instead, we ended up in a world where the hamfisted use of 3rd party cookies is generally just kinda creepy. In the past, I've referred to it as the uncanny valley of advertising: where the advertising is not so well targeted as to be useful, but just targeted enough to be creepy and annoying by reminding you that you're being tracked.

The actual death knell for 3rd party cookies happened a while back. Firefox and Safari phased out 3rd party cookies a long time ago, and Google announced plans to do the same a year ago, with an actual target date for implementation a year from now. Today's news was more about what happens next, with Google promising not to use some sneaky method to basically replace cookies with something even worse. There is a concerted effort by some to track you through a "hashed email address". This is really creepy and kinda sketchy.

As a side note, a few years back, we were approached by a company doing this. They basically asked us to hand over a hashed set of emails we had collected. We looked over the details, and highlighted that they wanted us to use their hash, meaning that they could easily reverse the hash and figure out the emails. We explained that they must be mistaken, because that's really not all that different from just handing over emails, which would be a violation of our own privacy policy. We were told that, no, the whole idea was everyone had to use the same hash, and it was fine because the email addresses were hashed (ignoring the point we made about that being meaningless if everyone is using the same hash). We rejected this deal, even though they were actually offering decent money. I do sometimes wonder how many other publishers just coughed up everyone's emails, though.

So, Google's latest point is that it's not going to use some other unique identifier, and recognizes that the hashed email based-identifier is a bad idea:

We realize this means other providers may offer a level of user identity for ad tracking across the web that we will not — like PII graphs based on people’s email addresses. We don’t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren’t a sustainable long term investment. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.

Instead, Google is pushing for a different kind of solution -- what it has referred to for a while now as a "Privacy Sandbox." The idea is not to track individuals but rather to dump you into a "cohort" of similar users, thereby not needing unique identifiers, just slightly more general ones. Google has taken to calling this cohort setup "Federated Learning of Cohorts", or FLoC, which it recently declared to be 95% as good at targeting ads, but in a less creepy way.

In many ways, this is obviously better than the use of full-on individual tracking via 3rd party cookies (or hashed emails). It's sort of a step away from individual targeting and at least a very slight movement back towards contextual advertising, which is something I've argued both Google and Facebook should do. But it's still not ideal. You still have the concerns about how much data Google has about you, and you still have the concerns about whether or not this locks in Google's position. Those don't go away with this move.

And, of course, there's the other framework to think about this: the never-ending threat of new privacy laws. So much of the focus on privacy legislation is (stupidly) about fighting the last battles, and that's why things like the GDPR and California's CCPA focused on useless and counterproductive cookie notifications. In some ways, this could be seen as a step towards getting ahead of that coming meteor, sidestepping it by saying "okay, okay, there are no more third party cookies."

In the end, you can't argue that this is a great solution or a terrible one. It is... just a change. A change that helps one aspect of how our current online privacy paradigm works, but which might cause other problems. It's good in that it's a further step towards the end of 3rd party cookies, which have been abused in creepy ways for too long. But it doesn't really fix overall privacy issues, and could still help lock Google into a position of dominance.

Filed Under: ads, cookies, online ads, privacy, third party cookies
Companies: google

One Of The World's Largest Web Tracking Companies Leaks Tons Of Personal Info From An Unsecured Server

from the so-happy-to-have-contributed-to-the-leak-by-using-the-internet dept

Advertisers want to know everything about you. So do sites that buy ad inventory and allow middlemen to let their trackers run free, tracing people from site to site, following them into their email inboxes, and tracking them across platforms and devices if need be.

BlueKai, owned by Oracle, deploys these pervasive trackers, sinking its hooks into a reported 1% of the world's internet traffic. BlueKai is the kind of clever no one really respects. It's more along the lines of "devious." But it is very, very effective.

BlueKai relies on vacuuming up a never-ending supply of data from a variety of sources to understand trends to deliver the most precise ads to a person’s interests.

[...]

BlueKai… uses more covert tactics like allowing websites to embed invisible pixel-sized images to collect information about you as soon as you open the page — hardware, operating system, browser and any information about the network connection.

[...]

BlueKai can also tie your mobile web browsing habits to your desktop activity, allowing it to follow you across the internet no matter which device you use.

All the information BlueKai grabs has to go somewhere so it can be packaged and sold to marketers. Considering how much data BlueKai is able to obtain about the average internet user, you'd think it would place a premium on keeping this data secure -- if not for the security of unsuspecting trackees, then to prevent its valuable stash from falling into a competitor's hands.

Unfortunately for a whole lot of internet users, BlueKai doesn't seem to believe this information -- or the people who generated it -- is worth protecting.

[F]or a time, that web tracking data was spilling out onto the open internet because a server was left unsecured and without a password, exposing billions of records for anyone to find.

Security researcher Anurag Sen found the database and reported his finding to Oracle through an intermediary — Roi Carthy, chief executive at cybersecurity firm Hudson Rock and former TechCrunch reporter.

TechCrunch reviewed the data shared by Sen and found names, home addresses, email addresses and other identifiable data in the database. The data also revealed sensitive users’ web browsing activity — from purchases to newsletter unsubscribes.

Oracle's response was to blame "two companies" for "not properly configuring their services." The two companies have not been named. Whoever these companies are, they collect data on a wide range of activities. TechCrunch examined the exposed data and found extensive records tied to individuals -- an astonishing pool of data that even indicated if a tracked person's device was in need of a software update. That's on top of the wealth of purchase and internet history that linked people to purchases, web searches, and other activity. Sitting in with everything else was personally identifiable info like addresses, phone numbers, and email addresses.

Very few people want all of this information in the hands of marketers. (BlueKai says it strips identifiable info before handing it over to its ad-serving customers.) And they definitely don't want it in the hands of people even more nefarious than ordained spyware pushers like BlueKai. The company has created a one-stop shop for phishers, stalkers, and identity thieves. And then it left the door unlocked for an undetermined amount of time.

Filed Under: cookies, data leak, personal info, privacy, security, tracking
Companies: bluekai, oracle

Yes, This Site Uses Cookies, Because Nearly All Sites Use Cookies, And We're Notifying You Because We're Told We Have To

from the even-though-it's-silly dept

If you're visiting our site today (and I guess, forever into the future if you don't click "got it") you will now see a notification at the bottom of the site saying that this site uses cookies. Of course, this site uses cookies. Basically any site uses cookies for all sorts of useful non-awful, non-invasive purposes. We use cookies, for example, to track your preferences (including when you turn off ads on the site, which we let you do for free). In order to make sure those ads are gone, or whatever other preferences stay in place, we use cookies.

For the last few years, of course, you've probably seen a bunch of sites pop up boxes "notifying" you that they use cookies. For the most part, this has to do with various completely pointless EU laws and regulations that probably make regulators feel good, but do literally nothing to protect your privacy. Worst are the ones that suggest that by continuing on the site you've made some sort of legal agreement with the site (come on...). These cookie notification pop ups do not help anyone. They don't provide you particularly useful information, and they don't lead you to a place that is more protective of your actual privacy. They just annoy people, and so people ignore them, leave the site, or (most commonly) just "click ok" to get the annoying bar or box out of the way to get to the content they wanted to see in the first place.

Here's the stupendously stupid thing about all of this: you are already in control. If you don't like cookies, your browser gives you quite a lot of control over which ones you keep, and how (and how often) you get rid of them. Some browsers, like Mozilla's Firefox Focus browser, automatically discard cookies as soon as you close a page (it's great for mobile browsing, by the way). Of course, that leads to some issues if you want to remain logged in on certain pages, or to have them remember preferences, but for those you can use a different browser or change various settings. It's nice that the power to handle cookies is very much up to you. We here at Techdirt like it when the control is pushed out to the ends of the network, rather than controlled in the middle.

But, because it makes some privacy regulators feel like they've "done something", they require such a pointless "cookie notification" on sites. Recently, one of our ad providers told us that we, too, needed to include such a cookie notification, or else we'd lose the ability to serve any ads from Google, who (for better or for worse) is one of the major ad providers out there. We did not get a clear explanation for why we absolutely needed to add this annoying notification that doesn't really help anyone, but the pleas were getting more and more desperate, with all sorts of warnings. We even asked if we could just turn off the ads entirely (which would, of course, represent something of a financial hit) and they seemed to indicate that because we still use other types of cookies (again, including cookies to say "don't show this person any ads"), we had to put up the notification anyway.

The last thing we were told is that if we didn't put up a cookie notification within a day, Google would "block us globally." I'm honestly not even sure what this means. But, either way, we're now showing you a cookie notification. It's silly and annoying and I don't think it serves your interests at all. It serves our interests only inasmuch as it gets our partner to stop bugging us. Don't you feel better?

You can click "got it" and make it go away. You can not click it and it will stay. You can block cookies in your browser, or you can leave them. You can toss out your cookies every day or every week (not necessarily a bad practice sometimes). You're in control. But we have to show you the notification, and so we are.

Filed Under: advertising, control, cookie notification, cookies, eu, preferences, privacy, privacy theater, silly pointless regulations, silly regulations
Companies: techdirt

Chrome's Move To Stomp Out Third Party Cookies? Good For Privacy, Good For Google's Ad Business... Or Both?

from the people-are-so-bad-at-systems-thinking dept

We've talked in the past how efforts solely focused on "protecting privacy" without looking at the wider tech ecosystem and the challenges its facing may result in unintended consequences, and now we've got another example. Google has announced that it's beginning a process to phase out support for third-party cookies in Chrome. Looking at this solely through the lens of privacy, many privacy advocates are celebrating this move, saying that it will better protect user privacy. But... if you viewed it from a more competitive standpoint, it also does much to give Google significantly more power over the ad market and could harm many other companies. Former Facebook CSO, Alex Stamos' take is pretty dead on here:

A win for privacy may be a loss for competition -- and nearly every big regulatory effort to "deal with" big internet companies is going to play right into those companies' hands.

For years I've been talking about how we need to view privacy as a series of tradeoffs, or any attempt to regulate privacy will go badly. Here, this is even pre-regulation, but just based on the nature of the public narrative that third party cookies must obviously be bad. They can be, but not always. And the end result here is that the "trade off" for protecting more privacy is giving more of the ad market to Google. I'm guessing that most privacy advocates would argue that they don't want to do that. But if you look solely through the lens of 3rd party cookies and no further -- that's what you get.

Filed Under: 3rd party cookies, chrome, competition, cookies, privacy, tradeoffs
Companies: google

Guess What? Many Cookie Banners Ignore Your Wishes, So Max Schrems Goes On The GDPR Attack Again

from the lack-of-respect dept

One of the most visible manifestations of the EU's General Data Protection Regulation (GDPR) is the "cookie banner" that pops up when you visit many sites for the first time. These are designed to give visitors the opportunity to decide whether they want to be tracked, and if so by whom. Any business operating Internet sites in the EU should theoretically use them or something similar, or risk a GDPR fine of up to 4% of global turnover. Cookie banners may be tiresome, but at least they give users some measure of control over how much they are tracked online. But do they? Few of us have the skills or the time to check that our wishes are obeyed by every site. Fortunately, three researchers in France -- Célestin Matte, Nataliia Bielova, Cristiana Santos -- possess both, and have conducted the first rigorous study of this area. They've written a good summary of their full academic paper.

An initial scan of 22,949 Web sites from the EU domains, as well as .org and .com, showed 1,426 that had cookie banners based on the Interactive Advertising Bureau Europe Transparency and Consent Framework, the main industry standard for this area. Of those, the team of researchers took a close look at 560 Web sites from .uk, .fr, .it, .be, .ie and .com domains to detect possible GDPR violations. Shockingly, they found four types of violations in cookie banners, across 305 Web sites -- 54% of the sample:

Consent stored before choice

The cookie banner stores a positive consent before the user has made their choice in the banner. Therefore, when advertisers request for consent, the cookie banner responds with the positive consent even though the user has not clicked on a banner and has not made their choice yet.

No way to opt out

The banner does not offer a way to refuse consent. The most common case is a banner simply informing the users about the site's use of cookies

Pre-selected choices

The banner gives user a choice between one or more purposes or vendors, but some of the purposes or advertisers are pre-selected: pre-ticked boxes or sliders set to "accept".

Non-respect of choice

The cookie banner stores a positive consent in the browser even though the user has explicitly refused consent.

That's a pretty dismal state of affairs. The GDPR is designed to give control to those visiting Web sites in the EU, and yet over half of the latter studied in detail fail to respect users' choices. One person who has shown himself unwilling to accept the GDPR being flouted in this way is the privacy campaigner Max Schrems. Over the years, he has launched -- and won -- multiple legal challenges involving privacy and the GDPR. Now his privacy organization noyb.eu is turning its attention to disrespectful cookie banners:

noyb.eu identified countless violations of European and French cookie privacy laws as CDiscount, Allociné and Vanity Fair all turn a rejection of cookies by users into a "fake consent". The privacy enforcement non-profit noyb.eu filed three formal [GDPR] complaints with the French Data Protection Authority (CNIL) today.

Up to 565 "fake consents" per user. Despite users going through the trouble of "rejecting" countless cookies on the French eCommerce page CDiscount, the movie guide Allocine.fr and the fashion magazine Vanity Fair, these webpages have sent digital signals to tracking companies claiming that users have agreed to being tracked online. CDiscount has sent "fake consent" signals to 431 tracking companies per user, Allocine to 565 and Vanity Fair to 375, as the analysis of the data flows now show.

Schrems points out that one company taking advantage of "fake consent" is Facebook, which is happy to place cookies after people have clearly objected to all tracking. That means the scale of the potential GDPR breach is considerable. It will be some time before CNIL hands down its decision, but based both on Schrems' track record and on the facts of the case, it seems probable that he will prevail once more. Although the initial ruling will only apply to France, it is likely to be followed by data protection authorities in other EU countries. If any of the Web sites mentioned above challenge a result that goes against them, there may be a referral to the EU's top court, whose decision will be definitive and apply across the whole region. That, in its turn, is likely to influence online privacy laws around the world, as the GDPR is already doing.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: cookie banners, cookies, eu, gdpr, max schrems, privacy

Pepperidge Farm Sues Trader Joe's Because It Too Made A Cookie

from the c-is-for-court-costs dept

You learn quite a bit writing for this site. For instance, did you know that Milano cookies aren't a style of cookie, but are rather an actual trademarked name of a dessert from Pepperidge Farm? I didn't. Yes, the two biscuit cookies with a layer of chocolate in between, which most of us ignorant fools just call a cookie sandwich, is jealously protected by Pepperidge Farm. Case in point is the company's lawsuit against Trader Joe's for selling what it claims is an infringing cookie.

Pepperidge Farm is calling out Trader Joe’s for allegedly being some kind of cookie monster, claiming in a new lawsuit that the grocery company is infringing on its trademark for selling a cookie that it says is a ripoff of its Milano cookie. By selling a product called Crispy Cookies, Trader Joe’s is damaging Pepperidge Farm’s goodwill and confusing shoppers, according to the lawsuit reported by Reuters. Though Trader Joe’s cookie is more rectangular, it has rounded edges, “mimicking an overall oval shape,” the lawsuit says. The grocery chain also uses similar packaging, the complaint claims.

Yeah, about that packaging. The claim that they're similar? Yeah, that's not actually true.

The differences in trade dress abound, from the colors to the specific shapes of the packaging, not to mention that clearly labeled Trader Joe's logo on its product. Claims that the packaging was designed to look like Pepperidge Farm packaging are clearly not true. As for the trademark claim on the cookie itself? Look, when it comes to the trademark protections of food items, these things are really specific. Recall that in the EU there was an attempt to trademark Kit Kat's shape, which was specific enough to require four bars with the exact shape that Kit Kats are sold in...and even that was recommended to be rejected by the EU. In this case, the shapes of the cookies are different, the types of filling are slightly different, and the actual type of cookies used in each are different (the Milano is a vanilla wafer cookie, and the Trader Joe's product is just a plain old cookie). So, different ingredients and different shapes. Where is the trademark violation?

It's worth noting as well that Milanos first appeared as a cookie in the 1950s, yet Pepperidge Farm only got the trademark on the cookie in 2010, which seems to undercut the theory that its only with this trademark that it could survive in the first place. It seems unlikely that anyone is going to Trader Joe's and thinking they're buying something from Pepperidge Farm. Given the weakness in the other areas of the claim, I'd expect this suit to meet a quick end.

Filed Under: cookies, milano, trademark
Companies: pepperidge farm, trader joe's

Throwback Thursday: Eat'n Park Still Suing Over Smiley Face Cookies After All This Time

from the :( dept

The more things change, the more they stay the same, as the saying goes. Over half a decade ago, Techdirt covered a bakery out of Pennsylvania that used trademark laws to keep another bakery from putting smiley-faces on its cookies. Frankly, it's one of those stories we cover where the immediate question of how trademarks could be twisted into this nonsense is immediately followed by the assumption that the whole thing will soon go away, never to be repeated again.

Not so much in this case, as it turns out. Eat'n Park recently once again brought a federal trademark suit against another company for daring to put the universal symbol for happiness on a cookie.

Eat'n Park this week sued a Chicago company in federal court over its use of a cookie that the Pittsburgh restaurant chain says is too similar to its trademarked Smiley face cookie. The suit filed Tuesday said Chicago American Sweet & Snacks sells cookies called "Smiley's" that Eat'n Park says are a lot like its product. Eat'n Park has sold its Smiley cookies since 1985 and has filed numerous trademark infringement suits against various companies over the years to protect the design.

It should be noted that the dispute also seems to be about the two company logos for their respective smiley-face cookie brands, not just about the baked goods. Here are the logos for both.

Now, let's leave aside for a moment the fact that the two logos don't look anything alike and are about as likely to be confused with one another as my manly physique is likely to be confused with a professional bodybuilder's. Instead, I'd like to propose that there should be a provision in trademark law that goes something like this: if your distinctive logo is so generic that tons of your competitors keep accidentally coming upon the same base design as yours, nobody gets to trademark it. Think of it as something like an independent invention test for patents. We can call it the Geigner rule, because vanity is my trademark, jerks.

“In this particular case, the “Smiley’s Cookies” logo name and design used by the company infringes on our brand trademark,“ said spokesman Kevin O’Connell.

If it was audible, Mr. O'Connell would be hearing the sound of my eyes rolling. Nobody is associating a smiley-face cookie with any particular brand, because the very idea seems like the kind of thing that everyone came up with when making cookies in their home kitchens. Maybe it's time someone do a cookie with an "R" encircled by the treat, huh?

Filed Under: cookies, smiley faces, trademark
Companies: chicago american sweets & snacks, eat'n park

Tons Of Sites, Including WhiteHouse.gov, In Unwitting AddThis Experiment With Tracking Technology That Is Difficult To Block

from the our-post-cookie-era dept

ProPublica has a new story about the rise of "canvas fingerprinting," a new method of tracking users without using cookies. It's a method that is apparently quite difficult to block if you're using anything other than Tor Browser. In short, canvas fingerprinting works by sending some instructions to your browser to draw a hidden image -- but does so in a manner making use of some of the unique features of your computer, such that each resulting image is likely to be unique (or nearly unique). The key issue here is that the popular "social sharing" company AddThis, which many sites (note: not ours) use to add "social" buttons to their website, had been experimenting with canvas fingerprinting to identify users even if they don't use cookies. As ProPublica's Julia Angwin notes, it's very difficult to block this kind of thing -- and tons of sites make use of AddThis -- including WhiteHouse.gov (whose privacy policy does not seem to reveal this, saying it only uses Google Analytics as a third party provider).

The report does note that others who have tried canvas fingerprinting have found that it's not necessarily accurate enough yet, but the technology appears to keep getting better. Still, AddThis says it's likely to drop it anyway, because it's not good enough yet:

AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon. “It’s not uniquely identifying enough,” Harris said.

AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.

The company also insisted it wasn't doing anything bad with the tracking, but even if you believe that's true, how long will it be until others make use of similar fingerprinting for more questionable behavior.

Given the attention this is getting, hopefully browsers will at least role out features that allow users more notification and control over such practices. Cookies are hardly a perfect solution, but at least users have control over them.

Filed Under: canvas fingerprinting, cookies, tracking, whitehouse, whitehouse.gov
Companies: addthis

How Google Should Respond To Revelation That NSA Uses Its Cookies To Track And Exploit

from the moving-on-now dept

The latest Washington Post story from the Snowden leaks highlights how the NSA was able to effectively piggyback on Google's ad-tracking cookies to track someone's online activities and to "enable remote exploitation" (the details of that exploitation are not revealed, but there are a few ways that would be possible). It's important to note, first off, that it does not appear that that the NSA is doing this in any "bulk" sense. Rather it appears to be accessing this and other data via more specific orders. That is, rather than going through everyone's surfing habits, it's using this particular "trick" when it's looking for someone (or something) specific, and likely getting a FISA court order to do so.

Still, this should raise very serious concerns -- and it should lead internet companies to rethink the way they use cookies. I know that some people want an extreme solution, in which cookies go away entirely, but that ignores the many benefits that cookies/tracking can provide. As we've said in the past, privacy is always about tradeoffs, and generally it should be about tradeoffs where individuals can assess if what they're giving up is worth what they get in return. The problem here is that the information on what they were giving up was not clear at all, and open to abuse -- meaning that things may have tilted pretty far in one direction.

There is value in cookies and being able to track certain user information, but the implementation has been done in a manner that makes it way too easy to let the NSA piggyback on the results.

Image courtesy of Parker Higgins. There are solutions -- though they may not be easy. Prof. Ed Felten has a good discussion about how commercial websites can still track users without letting the NSA piggyback on their work: by extending HTTPS to more or less everything they do:

An approach that does work is for the tracking entity to use https, the secure web protocol, for its communication with the user’s computer. This ensures that the unique ID that is transmitted is protected by encryption in a way that doesn’t leak to an eavesdropper any information about which connections are to the same user. Implementing https on a larger site is not as easy as it should be, but it seems to be the price of surveillance-proof tracking.

For what it's worth "not as easy as it should be" would be considered by some to be something of an understatement. It's not easy, period. But it's becoming increasingly clear that it's something that probably needs to be done. Eight giant internet companies earlier this week took a strong stand on reforming surveillance. To show that they're serious about this, moving to an all HTTPS world would be a very clear step that they're not just saying things, but actually doing things to protect their users' privacy from an overreaching NSA.

Felten also notes another alternative, which would be storing everything on the client side:

Another approach to protecting users is to switch to a method that holds all of the stored information on the client side, that is, in the user’s browser. The idea is that rather than having the server accumulate a record of the user’s activities (or some kind of preference profile based on those activities), you would instead have the user’s browser store the same information for you. This approach is taken by some of the privacy-preserving behavioral advertising systems that have been proposed. If information is accumulated on the user’s own computer, there doesn’t need to be a unique identifier that is sent across the Internet every time the user accesses your site. Instead, you can send encrypted data only at the times you need it. This requires more aggressive re-engineering of an ad or analytics service, but it provides additional benefits to the user in terms of privacy and transparency.

As he notes, there are significant challenges there as well, and potential side effects in the way certain things would work, but it is also an approach worth exploring.

Either way, if companies are serious about protecting their users privacy, looking into ways to protect cookie data and stop the NSA cookie monster would be a good start.

Filed Under: ad tracking, cookies, encryption, https, nsa, privacy, surveillance
Companies: google