Schneier on Security
A blog covering security and security technology.
« Refuse to be Terrorized |
| Identity Theft Cartoon »
December 21, 2007
Privacy Problems with AskEraser
Last week, Ask.com announced a feature called AskEraser (good description here), which erases a user's search history. While it's great to see companies using privacy features for competitive advantage, EPIC examined the feature and wrote to the company with some problems:
The first one is the fact that AskEraser uses an opt-out cookie. Cookies are bits of software left on a consumer's computer that are used to authenticate the user and maintain information such as the user's site preferences.
Usually, people concerned with privacy delete cookies, so creating an opt-out cookie is "counter-intuitive," the letter states. Once the AskEraser opt-out cookie is deleted, the privacy setting is lost and the consumer's search activity will be tracked. Why not have an opt-in cookie instead, the letter suggests.
The second problem is that Ask inserts the exact time that the user enables AskEraser and stores it in the cookie, which could make identifying the computer easier and make it easy for third-party tracking if the cookie were transferred to such parties. The letter recommends using a session cookie that expires once the search result is returned.
Ask's Frequently Asked Questions for the feature notes that there may be circumstances when Ask is required to comply with a court order and if asked to, it will retain the consumer's search data even if AskEraser appears to be turned on. Ask should notify consumers when the feature has been disabled so that people are not misled into thinking their searches aren't being tracked when they actually are, the letter said.
Here's a copy of the letter, signed by eight privacy organizations. Still no word from Ask.com.
While I have your attention, I want to talk about EPIC. This is exactly the sort of thing the Electronic Privacy Information Center does best. Whether it's search engine privacy, electronic voting, ID cards, or databases and data mining, EPIC is always at the forefront of these sorts of privacy issues. It's the end of the year, and lots of people are looking for causes worthy of donation. Here's EPIC's donation page; they -- well, "we" really, as I'm on the board -- can use the support.
Posted on December 21, 2007 at 11:18 AM
• 13 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I don't see that using a cookie for opting out is, in general, *inherently* such a bad idea.
Setting aside the (orthogonal) question of whether the "feature" in question ought to be opt-out or opt-in, once you have decided to make it opt-out, setting a cookie appears to me quite clearly to be the Right Way to implement that decision. Of course, this assumes that the cookie is implemented right, i.e., all users who opt out get identical cookies, probably just "UseFeatureFoo=No".
What would the alternative be? That the service provider should populate a server-side database with identification about all users who have provided an opting? This would seem to be rather more worrisome than storing the data client-side (i.e., as a cookie).
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.