Feeds

Boffins: Punters can't get a grip on online privacy tools

Config and confusion issues make anti-tracking kit useless

Using blade systems to cut costs and sharpen efficiencies

Privacy tools that offer a means to prevent advertisers from tracking the activity of surfers online are largely ineffective, according to a study by computer scientists.

Boffins at Carnegie Mellon University’s CyLab ran a series of lab tests involving 45 participants that revealed all nine privacy tools had usability and configuration problems that made them difficult to use correctly, at least in the hands of an average web surfer. The study poked tools that block access to advertising websites, widgets that set cookies indicating a user’s preference to opt out of online behavioural advertising, and privacy functions built directly into IE9 and Firefox 5 web browsers.

We found serious usability flaws in all nine tools we examined. The online opt-out tools were challenging for users to understand and configure. Users tend to be unfamiliar with most advertising companies, and therefore are unable to make meaningful choices. Users liked the fact that the browsers we tested had built-in Do Not Track features, but were wary of whether advertising companies would respect this preference. Users struggled to install and configure blocking lists to make effective use of blocking tools. They often erroneously concluded the tool they were using was blocking OBA when they had not properly configured it to do so.

For example, TACO, one of the nine tools CyLab's hapless guinea pigs grappled with was so complex that accessing the configuration interface for the tool's blocking and opt-out features took four steps. The configuration screen presented users with three tracking categories: "Targeted Ad Networks", "Web Trackers", and "Cookies". There was no explanation of what the different categories meant. To enable blocking, a user has to click on three separate "Not Blocked" tabs that appear as clickable.

That's a whole lot of fail and the other tested tools didn't really fair that much better.

CyLab's study looked at three opt-out tools (DAA Consumer Choice, Evidon Global Opt-Out and PrivacyMark) and three blocking tools (Ghostery 2.5, TACO 4.0 and Adblock Plus 1.3) as well as privacy functions hard-baked into web browsers). Problems encountered included inappropriate default, confusing interface and tools that broke functionality on websites.

The report concludes that the "status quo is insufficient for empowering users to protect their privacy".

"Although we recognise the efforts of the advertising industry, browser providers and third-parties for contributing an assortment of tools to this ecosystem, we encourage a greater emphasis on usability moving forward," the boffins note.

"Our results suggest that the current approach for advertising industry self-regulation through opt-out mechanisms is fundamentally flawed. Users’ expectations and abilities are not supported by existing approaches that limit OBA [online behavioural advertising] by selecting particular companies or specifying tracking mechanisms to block. There are [also] significant challenges in providing easy-to-use tools that give users meaningful control without interfering with their use of the web," the report authors add.

The CyLab report - Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioural Advertising - can be found here [PDF].

Previous studies from Carnegie Mellon suggested that, given a choice, surfers would prefer it if they were not tracked online by advertisers even if their online activities remained anonymous. Two in three respondents (64 per cent) to a 2009 study by the American university said targeted ads were invasive.

Chester Wisniewski, a security consultant at Sophos, said advertisers tracking surfing habits is similar to supermarkets using loyalty cards find out which products you prefer to buy so that they "can tailor their marketing and their placement of products in the store to their customer base".

Some of those who happily use shoppers' cards baulk at the idea of online tracking, which Wisniewski controversially implies is not worth worrying about (a contention anti-Phorm activists and other privacy conscious netizens would doubtless dispute).

"The worst that could happen is that advertisers are able to sell a profile of your information to one another in a way that you lose control of your private information," Wisniewski said during an interview with American Public Media radio on the Carnegie Mellon study. ®

Bootnote

In an on-going series documenting the lengths some advertisers will go to track netizens, Trevor Pott highlights the scourge of the dreaded and hard-to-kill evercookie and some tools that may (or may not) be useful when eradicating it.

The smart choice: opportunity from uncertainty

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.