Feeds

Boffins: Punters can't get a grip on online privacy tools

Config and confusion issues make anti-tracking kit useless

Top three mobile application threats

Privacy tools that offer a means to prevent advertisers from tracking the activity of surfers online are largely ineffective, according to a study by computer scientists.

Boffins at Carnegie Mellon University’s CyLab ran a series of lab tests involving 45 participants that revealed all nine privacy tools had usability and configuration problems that made them difficult to use correctly, at least in the hands of an average web surfer. The study poked tools that block access to advertising websites, widgets that set cookies indicating a user’s preference to opt out of online behavioural advertising, and privacy functions built directly into IE9 and Firefox 5 web browsers.

We found serious usability flaws in all nine tools we examined. The online opt-out tools were challenging for users to understand and configure. Users tend to be unfamiliar with most advertising companies, and therefore are unable to make meaningful choices. Users liked the fact that the browsers we tested had built-in Do Not Track features, but were wary of whether advertising companies would respect this preference. Users struggled to install and configure blocking lists to make effective use of blocking tools. They often erroneously concluded the tool they were using was blocking OBA when they had not properly configured it to do so.

For example, TACO, one of the nine tools CyLab's hapless guinea pigs grappled with was so complex that accessing the configuration interface for the tool's blocking and opt-out features took four steps. The configuration screen presented users with three tracking categories: "Targeted Ad Networks", "Web Trackers", and "Cookies". There was no explanation of what the different categories meant. To enable blocking, a user has to click on three separate "Not Blocked" tabs that appear as clickable.

That's a whole lot of fail and the other tested tools didn't really fair that much better.

CyLab's study looked at three opt-out tools (DAA Consumer Choice, Evidon Global Opt-Out and PrivacyMark) and three blocking tools (Ghostery 2.5, TACO 4.0 and Adblock Plus 1.3) as well as privacy functions hard-baked into web browsers). Problems encountered included inappropriate default, confusing interface and tools that broke functionality on websites.

The report concludes that the "status quo is insufficient for empowering users to protect their privacy".

"Although we recognise the efforts of the advertising industry, browser providers and third-parties for contributing an assortment of tools to this ecosystem, we encourage a greater emphasis on usability moving forward," the boffins note.

"Our results suggest that the current approach for advertising industry self-regulation through opt-out mechanisms is fundamentally flawed. Users’ expectations and abilities are not supported by existing approaches that limit OBA [online behavioural advertising] by selecting particular companies or specifying tracking mechanisms to block. There are [also] significant challenges in providing easy-to-use tools that give users meaningful control without interfering with their use of the web," the report authors add.

The CyLab report - Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioural Advertising - can be found here [PDF].

Previous studies from Carnegie Mellon suggested that, given a choice, surfers would prefer it if they were not tracked online by advertisers even if their online activities remained anonymous. Two in three respondents (64 per cent) to a 2009 study by the American university said targeted ads were invasive.

Chester Wisniewski, a security consultant at Sophos, said advertisers tracking surfing habits is similar to supermarkets using loyalty cards find out which products you prefer to buy so that they "can tailor their marketing and their placement of products in the store to their customer base".

Some of those who happily use shoppers' cards baulk at the idea of online tracking, which Wisniewski controversially implies is not worth worrying about (a contention anti-Phorm activists and other privacy conscious netizens would doubtless dispute).

"The worst that could happen is that advertisers are able to sell a profile of your information to one another in a way that you lose control of your private information," Wisniewski said during an interview with American Public Media radio on the Carnegie Mellon study. ®

Bootnote

In an on-going series documenting the lengths some advertisers will go to track netizens, Trevor Pott highlights the scourge of the dreaded and hard-to-kill evercookie and some tools that may (or may not) be useful when eradicating it.

Combat fraud and increase customer satisfaction

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.