Google, MS, Mozilla: Three 'Do Not Tracks' to woo them all

So many ways to do one simple thing

High performance access to file storage

With the arrival of Microsoft's IE9 release candidate, we now have three separate "do not track" mechanisms from three separate browsers makers. There's room for them all. But it would be nice if we could agree a single mechanism that makes it as easy as possible for netizens to sidestep behavioral ad tracking, as the US Federal Trade Commission has requested.

In a December report on web privacy, the FTC recommended a "simple, easy to use choice mechanism for consumers to opt out of the collection of information about their Internet behavior for targeted ads". The most practical method, the commission said, would "involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads".

Mozilla has already built such a mechanism into the latest Firefox beta: a "Do Not Track" http header that lets netizens tell the world they don't want to be tracked. All that's left is for websites and ad networks to actually recognize the thing – and for other browser makers to adopt it too.

Neither is on the immediate horizon. Mozilla only proposed its DNT header last month, and the open source outfit is still in the early stages of sweet-talking the rest of the web. "Mozilla has garnered support from a number of stakeholders, starting with our users and developers," Mozilla global privacy and public policy leader Alex Fowler tells The Reg. "We continue to engage with key players in the online advertising industry and are seeing strong interest in server-side implementations of the DNT header."

Meanwhile, both Google and Microsoft have rolled out their own do-not-track mechanisms. Hours after Fowler and Mozilla unveiled their proposal, Google released a Chrome extension that lets you opt-out of tracking cookies from multiple advertising networks, including the web's top 15. It works even if you regularly clear your cookies.

Of course, Google is among those running the top 15 ad networks. This is very much a case of self-regulation, and it's not much of a change from what has come before.

Following the debut of Google's 2009 behavioral-advertising setup, privacy crusader Christopher Soghoian introduced a Firefox plug-in that maintained opt-outs for 27 separate behavioral ad networks. He called it the Targeted Advertising Cookie Opt-Out project – or TACO for short. It has since expanded to countless other networks and spawned a sister project, Beef TACO. As Soghoian tells The Reg, Google's "Keep My Opt Outs" extension is merely another TACO.

"Had this come out back in March of 2009, it would be innovative. However, at this point, it is rather pathetic," he tells The Reg. "Google needs to come up with quite a bit more if it wants to be able to claim that it is innovating on privacy. Instead, it appears to be doing the minimum possible to try and keep regulators off its back."

The extension is limited to participating ad networks, and it requires you to, well, install an extension. It's not built into the browser proper. Like Soghoian, Mozilla sees the need for more. "Mozilla's DNT header in Firefox is intended to be a single, clear universal signal to convey users desire to opt-out of tracking," Mozilla privacy engineer Sid Stamm told us. "While hardening the cookies surely helps opt-outs persist, we think it's more appropriate to have a single universal signal for even those who aren't in the list of hardened cookies get to know the user's desire to opt out."

Microsoft uses a third method. Known as Tracking Protection Lists, it relies on predefined lists of domains known to track your behavior via ad technologies. These lists are maintained by various third-party outfits, and the user is free to choose from among them. Microsoft has already submitted this method to the W3C in the hopes of turning it into a standard.

Mozilla's method is simpler. There's less for the user to wrap his head around. But Mozilla is requiring the active participation of sites and ad networks. With Microsoft's method, third-parties decide what should be blocked.

In typical fashion, Mozilla believes the best route is to get everyone to play nicely together. "We believe the major players in the display advertising business will honor consumers' choice for privacy (as witnessed in the NAI opt out program and others), and we would like to allow them that opportunity by letting consumers convey their choice through our HTTP header," Stamm says.

"Advertisements are a constructive part of the Web ecosystem, and we think blocking ads outright is too detrimental to the Web; instead, we would like to pursue a solution where users and advertising networks can work in concert (instead of in conflict) to balance value with consumers' privacy choices."

As Stamm points out, the Mozilla and Microsoft methods can coexist. And they will. Both have their merits. Microsoft's method actually works – right now – and Mozilla should be applauded for working to get everyone on the same page. But for the moment, they're not. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story


Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.