Open source software security

Do Not Track

27 April 2011
Mozilla and Microsoft are teaming up in a rare show of joint purpose, pushing out aggressive "Do not track" features in the latest versions of their browsers. The feature lets users set a configuration option, after which requests from the browser to websites carry an additional header letting the site owners know that the user doesn't want to be tracked. Currently there isn't any widely adopted way that sites are responding to this information, but it could become a feasible way to stop tracking by aggressive advertisers.

Cookie based tracking has become a growing privacy concern as the number of online advertising firms has decreased. After DoubleClick was acquired by Google there was a lot of speculation about the privacy implications. Suddenly a single company had access to most people's search terms, potentially their DNS queries, as well as information about their browsing habits.

Cookies are set in such a way as to limit them to a specific site: you get a cookie when you visit this site, but your browser only transmits that cookie to and from this site, so there's no way for another webmaster to ever know you've visited this site. However, when sites have ads they embed a piece of a third party site into their presentation, passing a "third party cookie" to your browser, so a vast ad network with ads on many pages can set and check cookies on all of them. For instance, if you view your cookie cache right now you'll see a cookie from http://googleads.g.doubleclick.net. Google can use this cookie to track each site you visit as long as that site participates in their network.

There are existing ways to stop this type of surveillance. For instance, in Firefox you can prohibit the browser from accepting third party cookies.
However, advertisers are becoming more proficient at avoiding these types of safeguards and are employing Flash based cookies, which have different capabilities, abide by different rules, and are much harder to get rid of. For instance, with Firefox you need to employ an extension such as BetterPrivacy. In other browsers this can be much more challenging. Understandably, Google has been less than cooperative when it comes to making browsers (including their own Chrome browser) more resilient to cookie tracking. The Electronic Frontier Foundation has been covering this space for quite some time, but it is only gaining traction slowly.

Microsoft has set up a test page at http://ie.microsoft.com/testdrive/Browser/DoNotTrack/Default.html where you can view statistics on browser privacy standards. Opera is noticeably absent from this list. It is also difficult to gauge support amongst mobile browsers, although these are sure to lag behind significantly.

In the meantime this is an opportunity for webmasters to consider their own response to these headers. Although the FTC first recommended the do not track feature, it has yet to carry any enforced requirements. For now it is probably enough to block cookies from third party sites and accept the privacy implications of cookies in general as a fact of life.
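One way a webmaster could respond to the header, as an added example that is not part of the original post: a WSGI middleware that checks for `DNT: 1` (the header the browsers send when the option is enabled), drops tracking cookies from the response and tells the application to leave out third-party ad embeds. The cookie name `visitor_id`, the `privacy.dnt` environ key and the sample app are assumptions made for the illustration.

```python
from wsgiref.util import setup_testing_defaults

TRACKING_COOKIES = {"visitor_id"}  # hypothetical cookie name, assumed for this example


def is_tracking_cookie(name, value):
    return name.lower() == "set-cookie" and value.split("=", 1)[0].strip() in TRACKING_COOKIES


class HonorDNT:
    """WSGI middleware: drop tracking cookies when the request carries DNT: 1."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        dnt = environ.get("HTTP_DNT", "").strip() == "1"
        environ["privacy.dnt"] = dnt  # hypothetical key; lets the app skip third-party ad embeds

        def filtered_start(status, headers, exc_info=None):
            if dnt:
                headers = [h for h in headers if not is_tracking_cookie(*h)]
            # The response now depends on a request header, so caches must key on it.
            return start_response(status, headers + [("Vary", "DNT")], exc_info)

        return self.app(environ, filtered_start)


def demo_app(environ, start_response):
    """Constructed sample app: sets one session cookie and one tracking cookie."""
    start_response("200 OK", [
        ("Set-Cookie", "session=abc123; HttpOnly"),
        ("Set-Cookie", "visitor_id=42; Max-Age=31536000"),
    ])
    return [b"ads off" if environ["privacy.dnt"] else b"ads on"]


def fetch(dnt_value=None):
    """Send one constructed request through the middleware; return (headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    if dnt_value is not None:
        environ["HTTP_DNT"] = dnt_value
    captured = {}
    body = HonorDNT(demo_app)(environ, lambda s, h, e=None: captured.update(headers=h))
    return captured["headers"], b"".join(body)
```

The session cookie survives because it is needed for the site to function; only cookies listed in `TRACKING_COOKIES` are withheld, and a request without the header or with `DNT: 0` is served unchanged.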