Schneier on Security
A blog covering security and security technology.
« Cyberwar and the Future of Cyber Conflict |
| Profiling Lone Terrorists »
December 6, 2010
FTC Privacy Report
The U.S. Federal Trade Commission released its privacy report: "Protecting Consumer Privacy in an Era of Rapid Change."
From the press release:
One method of simplified choice the FTC staff recommends is a "Do Not Track" mechanism governing the collection of information about consumer's Internet activity to deliver targeted advertisements and for other purposes. Consumers and industry both support increased transparency and choice for this largely invisible practice. The Commission recommends a simple, easy to use choice mechanism for consumers to opt out of the collection of information about their Internet behavior for targeted ads. The most practical method would probably involve the placement of a persistent setting, similar to a cookie, on the consumer's browser signaling the consumer's choices about being tracked and receiving targeted ads.
Posted on December 6, 2010 at 1:52 PM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I keep reading that as: "We only track you enough to know that you don't want us to track you."
Fat chance of this ever happening or working. It will have big enough loopholes to fly a jumbo jet through and the only ones to be protected will be the previledged elite.
Like most other privacy policies, and similar to the Do Not Call list, consumers are required to opt-out.
I have notified my elected representatives in the past that I prefer a opt-in system where privacy is concerned. It falls on deaf ears.
I do realize that being a citizen living in my elected representatives area of representation does not make me a constituent. That unfortunately seems reserved for those with deeper pockets.
Why call it "rapid change"? That isn't what we need. We need basically the same protections ALREADY provided by law, and simply recognize that anybody putting anything onto my computer without my permission, knowledge or invitation, is ILLEGAL. It is the same as breaking and entering. Just because they can do it doesn't mean they should do it or that they shouldn't be punished for doing it. Doing it to my computer should be dealt with the same as doing it to an NSA or military computer (or dealt with as they are attempting to deal with the WikiLeaks item).
I'm already doing this, and my friends has stopped asking me why no images or css gets loaded when I surf.
For any opt-in/out I believe there is a need to put responsibility on the browser end.
One opt-in scheme could be a specific named cookie that all sites first must set and get back before thay are allowed to track. Second the browsers must implement a blocking of cookies with this specific name.
Then of course there is the user who Have to make the choice, and when they do they might get pushed by websites to opt-in like many websites today pushes you to enable cookies. Actually many sites even break in infinite loops without cookies enabled.
When you come to think about it, should we really do anything that to the average population would indicate that there is anything related to privacy on the web?
Cookie? Why not a User-agent string? eg: User-Agent: Do-Not-Track v1.0 ;-)
I think this is a big misconception, the other way around could be just as wierd where people promote a specific url gets charged for copyright violation, oh wait , they did.
To me traveling the web is big bunch of requests, I ask a server for a website, they in return answer me as they see fit. In their reply they in turn ask me to store some data on my computer.
All this is voluntary, the server is not obligated to comply with my request and therefor I should not be accountable for getting something I didn't have rights to, because they gave it to me.
And you/your browser is not obligated to store that data which get sent to you and you must not send it back with every request. Still many do that which is their choice when they started to use the web.
@anon, Well If you really want to be anonymous you wouldn't even send a User-Agent at all.
There is a difference in what I suggest In that you don't have to shout out to everyone, "don't look at me", you know what happens then. Instead the "out-out" would be to NOT keep that cookie rather than having to tell everyone that they don't want to be tracked.
I can even see a situation where ordinary websites must first get that cookie back before they are allowed to link to the tracking scripts at google-analytics or other. It would make it possible to know if they honor the cookie.
Of course then we have the question about what tracking is, is gravatar tracking?. How far in the future must the expire date be.
This leaves me wondering: as pretty much 80% or more of the internet is financed via targeted advertising, what to they think this does?
Let's forget for a second that everyone can just not honor the "do-not-track bit" or, if really worried about prosecution, can move their sites out of country.
Ads: try using the AdBlock Plus add-on for Firefox.
Sites that ask you to install something you don't know: just say no.
Malware: use a recent virus scanner.
Missing the obvious? Use built-in cookie management, session cookies only, and a virtualized browser (sandboxed), configured to dump everything every time you close the browser. Then close it often, or at least use the "history delete" (Firefox on Win: Ctrl + Shift + Del). Also use add-ons, like RefControl, SafeHistory, and SafeCache.
It's a losing battle in the long run, but since the law will never do what commenters are wishing for, we can at least not make it easy for the trackers and miners. (I'm sure I left out a few ideas; just wanted to get this ball rolling.)
Oh, and don't use Google for searches, web mail, or anything else, for that matter. Certainly not their browser. They're in the business of selling ads, right? (They own DoubleClick, largest and slimiest Net ad agency.)
I'm seen an early version of that, which was talking about a voluntary do-not-track list that sites could decide for themselves whether to honor or not. I was utterly gobsmacked that the FTC thought a *voluntary* do-not-track list would do anything at all to curb abuses. It's about like putting up a sign in your window saying "Do not rob this store, unless you want to."
I suspect the only way we'll get strong privacy regulation is if someone does a Reidenberg-style dossier exercise on lawmakers and lobbyists. See Daniel Solove's discussion here:
We got the Video Privacy Protection Act because someone started digging up Bork's video rental records and lawmakers started worrying that the media dig up and publish their own records. Privacy issues only get taken seriously when you make them salient.
So when does the DOD come up with the mechanism, Do Not Secure?
"I have notified my elected representatives in the past that I prefer a opt-in system where privacy is concerned. It falls on deaf ears."
Deaf because those ears are stuffed with money.
My concern with that is that someone might legislate such a device into existence and effectively eliminate the possibility of a more fine grained control by the consumer.
Politicians don't care what people think. Save yourself the disappointment.
If you want non-tracking policies, you can implement them yourself via combinations of /etc/hosts, socks 5, tor, noscript, adblock plus, and .mozilla directory cleansing and rotation + about:config tomfoolery.
My name is Johnston, and I come in peace.
This will harm the very people it aims to help. All this does is reduce the value of each web hit. A consumer looking at a web site has only the value of his hits to offer in exchange for information. Reducing that value is like a tax on his browsing. It simply means that he will be able to purchase less from the information provider.
And this will force those who don't opt out to subsidize those who do. Likely it will prohibit or discourage making some content available only to those who don't opt out. This is as pernicious as credit card companies that don't allow merchants to pass on the costs of processing to their customers, forcing cash customers (worth more to the merchant) to subsidize credit card customers (worth less).
I think there is a perception problem here and it is on the side of the public. The public has no reasonable expectation of privacy on a system that is only sustained through monitoring the user's behavior. The best way for consumers to protect themselves is via browser side technologies that are non-standard and cannot be easily worked around or counter-profiled by the content providers. Any attempt to implement a do not track feature will simply allow content providers to easily deny content to those opting out (which is entirely fair). In the end only the paranoid will use it because only the sites that never tracked to begin with will continue to allow a full featured experience. Just like taxes and services the consumer cannot have his cake and not pay for it.
However there is nothing stopping the savy or truly concerned from adding in whatever Firefox plugin that can block these tracking technologies or even better deceive them. I have been using Ad Block for years with no ill effect, but I still get all the content because the majority of the population puts up with the ads, The truth is that most people should not fear being tracked and by allowing them to be tracked those that do have a greater need for privacy have an easier time getting it.
this is a public notification that I own a computer with a hard drive and it is entirely my own property.
Anyone who plants code on my harddrive for their purposes is trespassing on my property and in arrears on their rent.
my hard drive is not provided to you for your business profit. it belongs to me and your code is an intrusion, a burglary of sorts. get out of my computer if you were not invited to specifically use my drive for your purposes.
Fail. Most privacy practices involve deleting cookies which would remove this proposed 'privacy protection'.
How about having people opt in? To each site.
Put a tracking opt in on the corner of each page, and if you click it it adds the cookie, allowing you to be tracked by that site until you delete the cookie. I shouldn't have to go get my connection info logged (and tracked) on an opt out site in order to opt out for tracking.
Next we'll be submitting our photos/info to avoid the publication of said content.
As I see it, one or both of two things is going t happen: 1) more (and less technical) people will start blocking sites from tracking them and 2) companies will put lots of effort into making that data valuable to the people they are tracking. As a current example, Google can get away with putting sponsored links on there result's page because, often, they are as good or better then the rest of the links.
that's all well and good, but you are neglecting the other half of the bargain.
This is the implied contract that you will accept such tracking / advertising / etc so that the content you request can be provided to you without any cost to yourself.
There's so such thing as a free lunch / packet / website / cookie blocker
American laws only apply in the U.S. Non-American sites would not pay any attention to such laws.
"Just like taxes and services the consumer cannot have his cake and not pay for it."
yet, how odd that the net worked ok, in the days of "hit counters" and "dumb" ads (or no ads).
"This is the implied contract that you will accept such tracking / advertising / etc so that the content you request can be provided to you without any cost to yourself."
According to you. But according to me, the implied contract is opt-in. Apparently i only need to catch them violating such contract.
"get out of my computer if you were not invited to specifically use my drive for your purposes."
"Google can get away with putting sponsored links on there result's page because, often, they are as good or better then the rest of the links."
eh? the ads at the top (when i notice them) are never much relevant to my searches, unless i've searched for "burger king", in which case the 1st result is equally relevant.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.