Mozilla chief privacy officer Alex Fowler relayed a vivid anecdote last week during RSA Conference 2013 that illustrates the lengths third parties such as advertisers, data brokers and others who traffic in users’ online behavior will go to track you once you land on a website.
Fowler said that in his typical daily web surfing across four popular online destinations, nearly 120 third-party domains were able to track him, dropping more than 300 cookies onto his machine. All of this is perfectly legal and convolutedly spelled out in privacy policies, but most users are oblivious to how much information is collected about their surfing habits and what it’s used for—which is primarily to serve targeted advertising.
Privacy measures such as the Do Not Track W3C specification are mired in conflicting political and business debates, forcing the hand of browser vendors such as Mozilla to adopt their own tracking mitigation. Mozilla announced last week that the next version of Firefox will come with a patch that blocks third-party cookies; for cookies to be placed on a user’s computer, the user must directly interact with the site setting them. Mozilla’s approach is similar to what Apple has implemented with its Safari browser for a decade.
“We’ve been seeing an explosion of companies using third-party cookies to track activities. We tried to engage with stakeholders, but we’re seeing an expenditure of money and talent to optimize and refine the tracking ecosystem,” Fowler said. “We’re not seeing the same investment in user controls. We can’t sit back and allow the industry to ignore a core component of the user experience online.”
The Mozilla patch is already present in the current nightly experimental build of Firefox, and Fowler said once he ran the patch on his machine and revisited the four websites, none of the third-party cookies were dropped and only 75 showed up from the sites he directly visited.
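The policy described above, modeled as an added JavaScript example that is not Mozilla's patch or code from the article: a third-party cookie is stored only if the user has directly visited the site setting it. The session data, the `.example` hosts, the policy names and the last-two-labels site rule are constructed assumptions.

```javascript
// Simplification (assumption): a "site" is the last two labels of the host.
// Real browsers use the Public Suffix List for this step.
const site = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// Constructed browsing session: each page the user navigates to, with the
// responses it triggers and the cookie names each response tries to set.
const SESSION = [
  { top: 'www.news.example', responses: [
    { host: 'www.news.example', setCookie: ['sid'] },
    { host: 'ads.tracker.example', setCookie: ['uid', 'seg'] },
    { host: 'px.metrics.example', setCookie: ['id'] },
  ] },
  { top: 'social.example', responses: [
    { host: 'social.example', setCookie: ['login'] },
  ] },
  { top: 'www.shop.example', responses: [
    { host: 'www.shop.example', setCookie: ['cart'] },
    { host: 'ads.tracker.example', setCookie: ['uid'] },
    { host: 'widget.social.example', setCookie: ['like'] }, // visited earlier
  ] },
];

// Policy names 'accept-all' and 'visited-only' are hypothetical labels.
function simulate(session, policy) {
  if (policy !== 'accept-all' && policy !== 'visited-only') {
    throw new Error(`unknown policy: ${policy}`);
  }
  const visited = new Set(); // sites the user navigated to directly
  const first = new Set();   // "site name" keys stored in first-party context
  const third = new Map();   // site -> Set of names stored in third-party context
  let blocked = 0;
  for (const page of session) {
    const top = site(page.top);
    visited.add(top);
    for (const res of page.responses) {
      const origin = site(res.host);
      const isThird = origin !== top;
      const allowed = !isThird || policy === 'accept-all' || visited.has(origin);
      for (const name of res.setCookie) {
        if (!allowed) { blocked += 1; continue; }
        if (!isThird) { first.add(`${origin} ${name}`); continue; }
        if (!third.has(origin)) third.set(origin, new Set());
        third.get(origin).add(name);
      }
    }
  }
  const thirdPartyCookies = [...third.values()].reduce((n, s) => n + s.size, 0);
  return { firstPartyCookies: first.size, thirdPartyCookies,
    thirdPartyDomains: [...third.keys()].sort(), blocked };
}
```

Under `visited-only` the widget from `social.example` still sets its cookie on the shop page, because the user visited that site directly earlier in the session.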
Privacy advocates at the Electronic Frontier Foundation (EFF) call the patch a careful step toward protecting users from pervasive tracking, and added that this type of policy change is encouraged by a recent IETF technical specification on cookies.
“Enhancing user privacy without disrupting user experience may seem like a completely obvious measure to take, but advertisers and other firms have a vested interest in tracking users to serve users with behaviorally targeted advertisements,” wrote EFF staff technologist Dan Auerbach in a recent blog post. “Since this industry has a lot of influence and money, it is hard to make even the smallest change to the status quo, despite the fact that behaviorally targeted advertising represents only a small fraction of advertising-based business models and countermeasures like these will not hurt ad-supported publishers.”
Third-party tracking has been a hot-button issue for months that only figures to heat up again now that Microsoft has shipped Internet Explorer 10 for Windows 7 with the Do Not Track header turned on by default; previously it had been available only for Windows 8. The setting sends a signal to sites that the user does not want to be tracked. While some, such as the Apache HTTP Server Project, have argued that on by default does not truly indicate the user’s desire not to be tracked, the fact remains that since DNT is not an official W3C standard yet, there is no way to enforce compliance and most websites can and likely will ignore the signal.
“We surveyed our customers and 75 percent of them told us they were concerned about tracking online,” said Brendon Lynch, chief privacy officer at Microsoft. IE 10 users on Windows 8 are presented with the option to turn off DNT during the recommended setup. “There are market forces at play, not just privacy advocates and legal people pushing technology on their own. People are concerned about privacy as technology intersects with their lives. There is more interest in privacy and more pressure coming from that angle; we wanted to respond to that. Privacy is becoming a feature.”
Mozilla’s Fowler said that 14 percent of Firefox users are sending the DNT header today. Couple that number with IE and Google Chrome users sending the same header and there is some significant traffic opting out of tracking without a standard in place.
“People are asking for a different level of privacy on your service, and you have to listen to that. It’s critical to the business and web ecosystem,” Fowler said. “At Mozilla, we also do online advertising campaigns and email outreach. We try to think about the tracking we impose on users, so we are making an effort to work with vendors who are willing to respect the DNT header. It’s not a condition, but we think it’s important for organizations advocating for this that we spur service providers to understand and respect it.”