Track-me-not: a comparison of recent browser-based solutions.

January 30, 2011

This month, Google and Mozilla announced extensions for their browsers (Chrome and Firefox, respectively) that will allow users to indicate that they do not wish to be tracked by websites and behavioural advertising networks. Microsoft announced a similar effort late last year. But how effective are these methods, really?

Using Google's Keep My Opt-Outs plug-in users can permanently opt out of being tracked and profiled by companies that participate in the Self-Regulatory Program For Online Behavioral Advertising. Even if you regularly clear your cookie database, your choice to opt-out remains set. This solves the problem that previous opt-out methods, like that from the Network Advertising Initiative, suffered from.

How does the Keep My Opt-Outs plug-in work? Browsing the code (because I could not found a proper description elsewhere on the web), it appears it is still cookie based. It first deletes all cookies that come from registered domains, and then adds any missing do-not-track-me cookies for those domains. Registered domains only see the do-not-track me cookie, and because all old cookies are deleted, they will not be able to retrieve old tracking cookies even if they tried.

The extension is available for Google Chrome now, and constantly updated with opt out code for companies that adopt the industry privacy standard. Note that at the moment only U.S.-based ad companies are part of the opt-out, but a blacklist with non-U.S.-based companies is being worked on.

Mozilla, maker of the Firefox browser, proposed a different approach. In their system, which is not yet implemented, a Do Not Track HTTP header is sent with every click or page view request when browsing the web with Firefox. It is up to the receiving website to honour this request and to not track this user.

Microsoft, last but not least, announced Tracking Protection Lists (TPL) for Internet Explorer 9 in December last year. Although Tracking Protection is framed as being an opt-in mechanism, it really is opt-out (in Microsoft terms you opt-in to opt-out...). A Tracking Protection List (TPL) contains web addresses, that the browser will visit only if a link to them was clicked by a user directly, or if a user types in their address directly. In other words, indirect access to these web addresses is blocked. If a certain web page contains links to other content from these addresses, these links are not visited (and in particular, no cookie is sent to these websites). If your TPL is empty, Internet Explorer behaves as before (i.e. with no protection at all). That's why TPL is an opt-out measure. A nice twist in Microsoft's approach is that TPLs can be shared with others, and can be easily downloaded and installed from third parties. This allows users to obtain a TPL from a source they trust, like the Electronic Frontier Foundation (EFF). TPLs are only available in beta versions of IE9.

How effective are these methods?

All three are a from of opt-out. If you do not install or configure these plugins or extensions, you will be tracked. As argued by many, including the EU Article 29 Data Protection Working Party, opt-out is not a proper solution to protect consumer privacy.

Of these methods, the Mozilla Do Not Track header is the weakest. It is based solely on self-regulation and relies on the participating websites to honour the do-not-track-me request. Google's Keep My Opt-Outs is also based on self-regulation (it only applies to companies that sign up to the Self-Regulatory Program For Online Behavioral Advertising), but it does offer some form of extra protection by deleting all cookies that come from these companies. Microsoft's solution is more general, as it is not limited to companies that already agree too self-regulation, and because it is not limited to just blocking cookies. When released, Internet Explorer 9 blocks all HTTP requests to web addresses on the Tracking Protection Lists, making the user totally invisible to these companies.

In case you spot any errors on this page, please notify me!
Or, leave a comment.
Mireille Hildebrandt
, 2011-01-30 16:49:55
(reply)

Is there a relevant difference between the methods you discuss and a browser-setting that refuses third party cookies? Doesn’t this provide nearly as much - or even more - protection in many cases, because the ‘real’ tracking and tracing is done by third parties that provide web statistics services (e.g. Google Analytics)?

Jaap-Henk
, 2011-01-30 22:15:52
(reply)

Indeed, the real tracking is done by third parties, because they are able to compile profiles about your browsing behaviour across many different websites. But in fact the methods I discuss are aimed at blocking third parties from tracking you. Microsoft’s TPLs contain the domains of these third parties, like Google Analytics. So should the list of Goolge’s Keep My Opt-Outs - but checking the source again I see Doubleclick participates, but Google Analytics doesn’t. Remember, the solutions of Google and Mozilla rely on self-regulation. The Mozilla Track Me Not header only works to protect consumer privacy if the third parties really refrain from tracking the user (through cookies, or browser profiling - see EFFs Panopticlic for the power of that approach - or other means).

Mireille Hildebrandt
, 2011-01-30 22:27:41
(reply)

Ah, that means I am indeed better protected by setting my browser to block ALL third party cookies [does not depend on third party self-regulation] - so all this fuss about track-me-not buttons is silly, since many people set their browsers to refuse third party cookies. It seldom affects my ‘user experience’ (or access) and is very simple to arrange.

Privacy by default (standard browser settings that refuse third party cookies) might work best for the time being.