Feeds

Boffins: Punters can't get a grip on online privacy tools

Config and confusion issues make anti-tracking kit useless

SANS - Survey on application security programs

Privacy tools that offer a means to prevent advertisers from tracking the activity of surfers online are largely ineffective, according to a study by computer scientists.

Boffins at Carnegie Mellon University’s CyLab ran a series of lab tests involving 45 participants that revealed all nine privacy tools had usability and configuration problems that made them difficult to use correctly, at least in the hands of an average web surfer. The study poked tools that block access to advertising websites, widgets that set cookies indicating a user’s preference to opt out of online behavioural advertising, and privacy functions built directly into IE9 and Firefox 5 web browsers.

We found serious usability flaws in all nine tools we examined. The online opt-out tools were challenging for users to understand and configure. Users tend to be unfamiliar with most advertising companies, and therefore are unable to make meaningful choices. Users liked the fact that the browsers we tested had built-in Do Not Track features, but were wary of whether advertising companies would respect this preference. Users struggled to install and configure blocking lists to make effective use of blocking tools. They often erroneously concluded the tool they were using was blocking OBA when they had not properly configured it to do so.

For example, TACO, one of the nine tools CyLab's hapless guinea pigs grappled with was so complex that accessing the configuration interface for the tool's blocking and opt-out features took four steps. The configuration screen presented users with three tracking categories: "Targeted Ad Networks", "Web Trackers", and "Cookies". There was no explanation of what the different categories meant. To enable blocking, a user has to click on three separate "Not Blocked" tabs that appear as clickable.

That's a whole lot of fail and the other tested tools didn't really fair that much better.

CyLab's study looked at three opt-out tools (DAA Consumer Choice, Evidon Global Opt-Out and PrivacyMark) and three blocking tools (Ghostery 2.5, TACO 4.0 and Adblock Plus 1.3) as well as privacy functions hard-baked into web browsers). Problems encountered included inappropriate default, confusing interface and tools that broke functionality on websites.

The report concludes that the "status quo is insufficient for empowering users to protect their privacy".

"Although we recognise the efforts of the advertising industry, browser providers and third-parties for contributing an assortment of tools to this ecosystem, we encourage a greater emphasis on usability moving forward," the boffins note.

"Our results suggest that the current approach for advertising industry self-regulation through opt-out mechanisms is fundamentally flawed. Users’ expectations and abilities are not supported by existing approaches that limit OBA [online behavioural advertising] by selecting particular companies or specifying tracking mechanisms to block. There are [also] significant challenges in providing easy-to-use tools that give users meaningful control without interfering with their use of the web," the report authors add.

The CyLab report - Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioural Advertising - can be found here [PDF].

Previous studies from Carnegie Mellon suggested that, given a choice, surfers would prefer it if they were not tracked online by advertisers even if their online activities remained anonymous. Two in three respondents (64 per cent) to a 2009 study by the American university said targeted ads were invasive.

Chester Wisniewski, a security consultant at Sophos, said advertisers tracking surfing habits is similar to supermarkets using loyalty cards find out which products you prefer to buy so that they "can tailor their marketing and their placement of products in the store to their customer base".

Some of those who happily use shoppers' cards baulk at the idea of online tracking, which Wisniewski controversially implies is not worth worrying about (a contention anti-Phorm activists and other privacy conscious netizens would doubtless dispute).

"The worst that could happen is that advertisers are able to sell a profile of your information to one another in a way that you lose control of your private information," Wisniewski said during an interview with American Public Media radio on the Carnegie Mellon study. ®

Bootnote

In an on-going series documenting the lengths some advertisers will go to track netizens, Trevor Pott highlights the scourge of the dreaded and hard-to-kill evercookie and some tools that may (or may not) be useful when eradicating it.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.