Feeds

Boffins: Punters can't get a grip on online privacy tools

Config and confusion issues make anti-tracking kit useless

The essential guide to IT transformation

Privacy tools that offer a means to prevent advertisers from tracking the activity of surfers online are largely ineffective, according to a study by computer scientists.

Boffins at Carnegie Mellon University’s CyLab ran a series of lab tests involving 45 participants that revealed all nine privacy tools had usability and configuration problems that made them difficult to use correctly, at least in the hands of an average web surfer. The study poked tools that block access to advertising websites, widgets that set cookies indicating a user’s preference to opt out of online behavioural advertising, and privacy functions built directly into IE9 and Firefox 5 web browsers.

We found serious usability flaws in all nine tools we examined. The online opt-out tools were challenging for users to understand and configure. Users tend to be unfamiliar with most advertising companies, and therefore are unable to make meaningful choices. Users liked the fact that the browsers we tested had built-in Do Not Track features, but were wary of whether advertising companies would respect this preference. Users struggled to install and configure blocking lists to make effective use of blocking tools. They often erroneously concluded the tool they were using was blocking OBA when they had not properly configured it to do so.

For example, TACO, one of the nine tools CyLab's hapless guinea pigs grappled with was so complex that accessing the configuration interface for the tool's blocking and opt-out features took four steps. The configuration screen presented users with three tracking categories: "Targeted Ad Networks", "Web Trackers", and "Cookies". There was no explanation of what the different categories meant. To enable blocking, a user has to click on three separate "Not Blocked" tabs that appear as clickable.

That's a whole lot of fail and the other tested tools didn't really fair that much better.

CyLab's study looked at three opt-out tools (DAA Consumer Choice, Evidon Global Opt-Out and PrivacyMark) and three blocking tools (Ghostery 2.5, TACO 4.0 and Adblock Plus 1.3) as well as privacy functions hard-baked into web browsers). Problems encountered included inappropriate default, confusing interface and tools that broke functionality on websites.

The report concludes that the "status quo is insufficient for empowering users to protect their privacy".

"Although we recognise the efforts of the advertising industry, browser providers and third-parties for contributing an assortment of tools to this ecosystem, we encourage a greater emphasis on usability moving forward," the boffins note.

"Our results suggest that the current approach for advertising industry self-regulation through opt-out mechanisms is fundamentally flawed. Users’ expectations and abilities are not supported by existing approaches that limit OBA [online behavioural advertising] by selecting particular companies or specifying tracking mechanisms to block. There are [also] significant challenges in providing easy-to-use tools that give users meaningful control without interfering with their use of the web," the report authors add.

The CyLab report - Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioural Advertising - can be found here [PDF].

Previous studies from Carnegie Mellon suggested that, given a choice, surfers would prefer it if they were not tracked online by advertisers even if their online activities remained anonymous. Two in three respondents (64 per cent) to a 2009 study by the American university said targeted ads were invasive.

Chester Wisniewski, a security consultant at Sophos, said advertisers tracking surfing habits is similar to supermarkets using loyalty cards find out which products you prefer to buy so that they "can tailor their marketing and their placement of products in the store to their customer base".

Some of those who happily use shoppers' cards baulk at the idea of online tracking, which Wisniewski controversially implies is not worth worrying about (a contention anti-Phorm activists and other privacy conscious netizens would doubtless dispute).

"The worst that could happen is that advertisers are able to sell a profile of your information to one another in a way that you lose control of your private information," Wisniewski said during an interview with American Public Media radio on the Carnegie Mellon study. ®

Bootnote

In an on-going series documenting the lengths some advertisers will go to track netizens, Trevor Pott highlights the scourge of the dreaded and hard-to-kill evercookie and some tools that may (or may not) be useful when eradicating it.

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?