This month, Google and Mozilla announced extensions for their browsers (Chrome and Firefox, respectively) that will allow users to indicate that they do not wish to be tracked by websites and behavioural advertising networks. Microsoft announced a similar effort late last year. But how effective are these methods, really?
Using Google’s Keep My Opt-Outs plug-in users can permanently opt out of being tracked and profiled by companies that participate in the Self-Regulatory Program For Online Behavioral Advertising. Even if you regularly clear your cookie database, your choice to opt-out remains set. This solves the problem that previous opt-out methods, like that from the Network Advertising Initiative, suffered from.
How does the Keep My Opt-Outs plug-in work? Browsing the code (because I could not found a proper description elsewhere on the web), it appears it is still cookie based. It first deletes all cookies that come from registered domains, and then adds any missing do-not-track-me cookies for those domains. Registered domains only see the do-not-track me cookie, and because all old cookies are deleted, they will not be able to retrieve old tracking cookies even if they tried.
The extension is available for Google Chrome now, and constantly updated with opt out code for companies that adopt the industry privacy standard. Note that at the moment only U.S.-based ad companies are part of the opt-out, but a blacklist with non-U.S.-based companies is being worked on.
Mozilla, maker of the Firefox browser, proposed a different approach. In their system, which is not yet implemented, a Do Not Track HTTP header is sent with every click or page view request when browsing the web with Firefox. It is up to the receiving website to honour this request and to not track this user.
Microsoft, last but not least, announced Tracking Protection Lists (TPL) for Internet Explorer 9 in December last year. Although Tracking Protection is framed as being an opt-in mechanism, it really is opt-out (in Microsoft terms you opt-in to opt-out…). A Tracking Protection List (TPL) contains web addresses, that the browser will visit only if a link to them was clicked by a user directly, or if a user types in their address directly. In other words, indirect access to these web addresses is blocked. If a certain web page contains links to other content from these addresses, these links are not visited (and in particular, no cookie is sent to these websites). If your TPL is empty, Internet Explorer behaves as before (i.e. with no protection at all). That’s why TPL is an opt-out measure.
A nice twist in Microsoft’s approach is that TPLs can be shared with others, and can be easily downloaded and installed from third parties. This allows users to obtain a TPL from a source they trust, like the Electronic Frontier Foundation (EFF). TPLs are only available in beta versions of IE9.
How effective are these methods?
All three are a from of opt-out. If you do not install or configure these plugins or extensions, you will be tracked. As argued by many, including the EU Article 29 Data Protection Working Party, opt-out is not a proper solution to protect consumer privacy.
Of these methods, the Mozilla Do Not Track header is the weakest. It is based solely on self-regulation and relies on the participating websites to honour the do-not-track-me request. Google’s Keep My Opt-Outs is also based on self-regulation (it only applies to companies that sign up to the
Self-Regulatory Program For Online Behavioral Advertising), but it does offer some form of extra protection by deleting all cookies that come from these companies. Microsoft’s solution is more general, as it is not limited to companies that already agree too self-regulation, and because it is not limited to just blocking cookies. When released, Internet Explorer 9 blocks all HTTP requests to web addresses on the Tracking Protection Lists, making the user totally invisible to these companies.