NEW YORK–The movement in the security and privacy communities to push the Do Not Track standard as an answer to the problem of pervasive online tracking by ad companies and other entities has resulted in the major browser vendors including DNT as an option for users, giving them a method for telling advertisers and Web sites their preferences on tracking. But DNT may well have outlived its usefulness and needs to be replaced by something that’s more effective and efficient, security experts say.

DNT was conceived as a way for users to communicate their preferences on Web and ad tracking to the sites that they visit. The major browsers, including Internet Explorer, Firefox and Chrome, all have an option that allows users to enable DNT, which essentially sends an HTTP header to sites the users visit telling them whether the users consent to tracking. Advertisers and Web site owners rely on tracking to help them determine user preferences and behaviors and see where users are coming from and going to after leaving their sites. The Federal Trade Commission has pushed DNT as a privacy-protecting technology and something that helps consumers defend against unwanted tracking of their online activities.

However, some security experts have begun to question the efficacy of DNT and say that it may be giving users the false impression that they’re completely safe from tracking.

“We need something more substantial that actually works and doesn’t impinge on people’s privacy. This Do Not Track thing is kind of a hot mess,” said Robert Hansen, a senior product manager at WhiteHat Security, in a talk at the OWASP AppSec USA conference here Wednesday. “We believe in opting everyone into security instead of out of it.”

One issue with DNT is that the online ad groups do not support it, and it’s left up to each individual site owner to decide how to deal with the signal from users and whether to honor it. There also are ways around the DNT system, and advertisers and site owners can use other means to track users. Hansen said that users should have a better option for preventing tracking than a voluntary system that many sites and advertisers ignore.

“We’d like to see ‘can not track’ rather than Do Not Track,” he said.

Another problem is that the major browser vendors implement DNT in different ways and have no incentives to actually block the ads that contain the code that tracks users. Microsoft, Mozilla and Google all partner with advertisers, which generates large amounts of revenue for all of them. Google, for example, is expected to earn nearly $40 billion in online ad revenue in 2013.

WhiteHat has released its own browser, Aviator, which is based on Chromium and uses an extension called Disconnect that disables Web site tracking and enables private search. The extension breaks the connections to third parties, preventing them from getting any data from users’ browsers.

DNT at this point appears to be dead, Hansen said, and there is a need for something more effective and useful for consumers.

“All the players came out looking good, because they can say that they supported it,” he said. “I firmly believe it was just a head fake by the online ad industry to buy time.”

 
