Sunday, October 17, 2010

It is time for the web browser vendors to embrace privacy by default

Three times over the past six months, web browsers' referrer headers have played a major role in major privacy issues. Much of the attention has reasonably been focused on the websites that were leaking their users' private data (in some cases, unintentionally, but at least in Google's case, intentionally). It may be time to focus a bit of attention on the role that the web browser vendors play, and in the pathetic tools they offer to consumers to control this form of information leakage.

The root of the current focus by privacy advocates on the browser referrer header stems from a paper (pdf download) written two researchers last year, who found that Facebook, MySpace and several other online social networks were leaking the unique IDs of their users to behavioral advertising networks. Furthermore, according to a class action lawsuit filed last week, Facebook actually began to leak even more information to advertisers, including users' names, starting in February of this year. It wasn't until the Wall Street Journal called up MySpace and Facebook for quotes in May, that the two companies quickly rolled out fixes (behold, the power of the media).

One month ago, I filed a complaint with the FTC, arguing that Google intentionally leaks its users' search queries to third parties via browser referrer headers. Unlike the Facebook leakage episode, in which it is generally acknowledged that Facebook didn't know about the leakage, Google has repeatedly gone out of its way to make sure this leakage continues, and has publicly confirmed that it is a feature, not a bug.

Now today, the Wall Street Journal has another blockbuster article on referrer leakage. This time, it is Facebook apps that are leaking Facebook user IDs to third parties, including advertising networks and data aggregators like Rapleaf.

It is certainly reasonable to point the finger at companies like Zynga, whose Farmville game has been confirmed by experts to be leaking users' Facebook IDs. However, as the Electronic Frontier Foundation's Peter Eckersley told the WSJ today, "The thing that is perhaps surprising is how much of a privacy problem referers have turned out to be."

These referrer leakage problems are not going to go away, and depending on hundreds of thousands of different websites and apps to take proactive steps to protect their users' privacy is doomed to failure. As such, we need to look to the web browser vendors to fix this problem, since, after all, it is the web browser that sends the referrer header in the first place.

Referrer headers and the browser vendors

The original HTTP standard, dating from 1996, which defined the core technical standard used by web browsers noted that the referrer header feature had significant potential for privacy problems:
Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.

Fast forward 14 years, and only two web browsers, Firefox and Chrome, offer a feature to disable the transmission of the referrer header. Internet Explorer and Safari, which are used by 65% of users on the Internet, include no built in functionality to scrub or otherwise protect this information.

While Firefox and Chrome do include features to disable the referrer header, these features are not enabled by default, and enabling them requires technical knowledge that is beyond the vast majority of users.

For example, Firefox users must first type "about:config" into the location bar, navigate past a very scary warning, and then change an obscure preference from 1 to 2.





Likewise, Chrome requires that users start the browser from the command line with a undocumented parameter (‐no‐referrers):



It is time to embrace privacy by default

Earlier this summer, the European Article 29 Working Party released an extensive report on privacy and behavioral advertising. The report (pdf) called on web browser vendors to play a more important role in protecting users, and to embrace privacy by default. While the Working Party was primarily describing cookie controls, the same message applies to referrer headers:
"Given the importance that browser settings play in ensuring that data subjects effectively give their consent to the storage of cookies and the processing of their information, it seems of paramount importance for browsers to be provided with default privacy-protective settings. In other words, to be provided with the setting of 'non-acceptance and non-transmission of third party cookies'. To complement this and to make it more effective, the browsers should require users to go through a privacy wizard when they first install or update the browser and provide for an easy way of exercising choice during use. The Working Party 29 calls upon browser makers to take urgent action and coordinate with ad network providers."

It is time for the browser vendors to listen to this advice. Had IE, Firefox, Chrome and Safari blocked (or at least partially scrubbed) referring headers by default, the leakage from Facebook that the Wall Street Journal highlighted today would never have occurred.

13 comments:

jon said...

Excellent article ... not that it lets FB, Zynga, and everybody else off the hook of course but it shows how completely the browser world is ignoring the issue.

Anonymous said...

As earlier articles in the WSJ series made clear, the companies that develop and own the major browsers are the same companies that own and operate the major ad networks. The conflict of interest doesn't explain everything, but it doesn't bode well.

In the meantime, I recommend RefControl: http://www.stardrifter.org/refcontrol/

Anonymous said...

In fact, RefControl can execute all the things you recommend on Bugzilla: retaining the referer within sites, disabling referers to third party sites, and truncating referers to top-level domains for third party sites.

That said, I very much agree that these features should be implemented by default in private browsing modes.

Has the community expressed any interest in your request and recommendation?

John said...

What are you worrying about in the Google referrer? As far as I can see it ids your search, but not who you are. The referral data is vital to anyone running a web site.

Unless of course the referring site is doing something it shouldn't do, like putting your User Name or ID in the URL, I don't see a big issue on referrers.

I think if you are concerned about privacy you probably should avoid social media like the plague. The whole idea of a site like Facebook is to share your personal information.

Moverman said...

Many sites use referral data for fair reasons like to prevent 'steeling' bandwidth by so called hotlinking to (large) files. The default browser setting should be to send the referrer only within the same domain, and to block it for third party sites. Otherwise browsing the web will become a nightmare for both users and webmasters around the globe.

ShEila said...

Opera has a checkmark "Send referrer information" in its normal options menu and you can even set that on a per-site basis with the site preferences (just like cookies, javascript and so on).

Auren said...

This is a really well thought-out article. Referer requests are an issue. Firefox, IE, Safari, Chrome, and other browsers (like mobile browsers) should all have an easy way to manage this so one can stay private if they chose to.

Dx said...

anyone knows how to do it on google chrome for mac

Stereocilia said...

I think for Firefox 3.6.10 you change the setting from 2 to 0?? http://kb.mozillazine.org/Network.http.sendRefererHeader

Browsers should come with reasonable privacy and security enabled. I don't like first run wizards though. I think a secondary tab that opens until you configure it would be better.

AppSec said...

Interestingly enough, the referenced spec basically points out that the producers/consumers of the refer tag need to be careful in what they put in there: "Because the source of a link may be private information or may reveal an otherwise private information source".

While I am a big proponent of the Browsers incorporating more secure/privacy tools and functionality, this is on sites themselves to maintain.

The referrer is very important in site to site communication. If two sites need to communicate with one another, whose to say they won't just use a web service between the two to send that data anyway?

Shmerl said...

A correction: in Firefox one needs to change to 0 (zero):

See http://kb.mozillazine.org/Network.http.sendRefererHeader for details.

Anonymous said...

The problem is not so much that browser vendors are not modifying or forging the referer header but that users are not
properly educated to surf the web cautiously. If they were, I bet that either browser vendors would already have included such a feature by default or the users would already deploy such add-ons like JonDoFox (http://anonymous-proxy-servers.net/en/software.html) which have a referer spoofing by default without breaking sites. Either way, you would not need to make your proposal which shows that it just cures a symptom but not the main problem.

Anonymous said...

Just checked my Firefox and the mentioned network.http.sendRefererHeader is set to 2.

I'm using 3.6.10 in openSUSE 11.3.