Tuesday, May 03, 2011

Industry-created "privacy enhancing" abandonware

Industry loves self regulation and why shouldn't it? Given the choice between strong enforcement by a federal agency, and scout's honor promises, industry would be foolish to support a strong FTC.

Unfortunately, the self-regulatory groups and organizations that are created in response to the threat of regulation are often extremely short lived.

Pam Dixon noted this in her comment (pdf) submitted in response to the FTC's recent privacy report:
[I]ndustry knows that the Commission’s attention span is limited. When the Commission showed interest in online privacy in the years before 2000, industry responded by developing and loudly trumpeting a host of privacy self-regulatory activities. Most of these activities were strictly for the purpose of convincing policy makers at the Commission and elsewhere that regulation or legislation was a bad idea. All of these activities actually or effectively disappeared as soon as new appointees to the Commission demonstrated a lack of interest in regulatory or legislative approaches to privacy.

[These include:]

The Individual Reference Services Group (IRSG) was announced in 1997 as a self-regulatory organization for companies that provide information that identifies or locates individuals. The group terminated in 2001.

The Privacy Leadership Initiative began in 2000 to promote self regulation and to support privacy educational activities for business and for consumers. The organization lasted about two years.

The Online Privacy Alliance began in 1998 with an interest in promoting industry self regulation for privacy. OPA’s last reported activity appears to have taken place in 2001, although its website continues to exist and shows signs of an update in 2011.

The Network Advertising Initiative had its origins in 1999, when the Federal Trade Commission showed interest in the privacy effects of online behavioral targeting. By 2003, when FTC interest in privacy regulation had evaporated, the NAI had only two members. Enforcement and audit activity lapsed as well. NAI did nothing to fulfill its promises or keep its standards up to date with current technology until 2008, when FTC interest increased

Industry created privacy enhancing software is made for regulators, not consumers

A few weeks ago, Ryan Singel at Wired wrote about Google's curious lack of support for Do Not Track (DNT). Rather than embracing the DNT header supported by the three other major browser vendors, Google is instead pushing the 3rd party browser plugins it has released that make it possible for consumers to retain their opt out cookies.

As I told Ryan then:
"[Google's] opt-out cookies and their plug-in are not aimed at consumers," Soghoian says. "They are aimed at policy makers. Their purpose is to give them something to talk about when they get called in front of Congress. No one is using this plug-in and they don’t expect anyone to use it."
Soon after this piece was published, I received a bit of pushback from several friends in Washington, who felt I was unfairly slamming the company.

However, when you actually examine the history of the industry's privacy enhancing technologies, they seem awfully similar to the short-lived self regulatory organizations that Pam Dixon highlighted.

Privacy enhancing abandonware

On March 11, 2009, Google entered the behavioral advertising market. On the same day, Google released its Advertising Cookie Opt-out Plugin for Firefox and Internet Explorer. The browser plugin permanently saves the DoubleClick opt-out cookie, enabling users to retain their opt-out status even after clearing all cookies.

Google's tool was a genuine innovation in privacy enhancing technologies. Furthermore, as the tool was released under an open source license, I was able to take the source code, expand it, and turn it into TACO, which opted consumers out of dozens of different ad networks.

The initial release of Google's plugin worked with Firefox 1.5 through 3.0.

In June 2009, Mozilla released Firefox 3.5. It took Google nearly two weeks to release an update to its plugin that was compatible with the new version of the browser.

One year later, Mozilla released Firefox 3.6 in January 2010. This time, it took more than a month for Google to release an updated version of the add-on.

Most recently, on March 22, 2011, Mozilla released Firefox 4.0. More than 5 weeks later, Google still has not released an updated version of its opt out add-on.

Google can perhaps be forgiven for ignoring the users of its Firefox privacy add-on -- the company's attention seems to have shifted to its new plugin: Keep My Opt Outs, which only supports the company's Chrome Browser (the tool was quickly rushed out and announced on the same day that Mozilla announced its support for Do Not Track).

Similarly, in November 2009, the Network Advertising Initiative (an organization representing many of the major ad networks) released its own Firefox plugin that makes opt out cookies permanent. NAI Executive Director Charles Curran told one journalist that "this [tool] has been a recognition of criticism of opt-outs that are recorded in cookies. It's essentially designed to prevent the standard sweep of cookies that you get from a cookie cache dump...It's designed to work with the browser functionality."

As with Google's plugin, although it has been more than 5 weeks since the release of Firefox 4.0, the NAI plugin still has not been updated to support it.

Why updates are important

When a user upgrades to a new version of Firefox, the browser will check for available updates to all installed browser plugins. Any plugins that have not been updated to support the new browser release will be disabled. This is obviously a pretty big problem, which is why Mozilla actively encourages developers to make sure that their addons support upcoming versions of the browser. For the 4.0 version of Firefox, which was released in March, Mozilla started harassing add-on developers as far back as November, 2010.

As such, there are likely tens of thousands (if not more) users of Firefox 4.0 whose Advertising Cookie Opt-out Plugin is currently disabled due to incompatibility. The moment these users clear their cookies (something many have configured to happen automatically when they restart their browser), they will lose their doubleclick.net behavioral advertising opt out cookie. Likewise, the thousands of Firefox 4.0 users who had previously installed the NAI opt out plugin have now lost the opt out cookie persistence that they were promised.
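To make the compatibility check described above concrete, here is an added example (not code from this post, from Google, or from the NAI) of how a declared version range in a legacy Firefox add-on manifest (install.rdf) decides whether the add-on survives a browser upgrade. The manifest is a constructed sample with a hypothetical add-on id, and the version comparison is simplified to plain numeric versions plus the "*" wildcard.

```python
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"
FIREFOX_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"  # Firefox's application GUID

# Constructed sample manifest (hypothetical add-on id), last updated for Firefox 3.6.
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>optout-example@example.invalid</em:id>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>1.5</em:minVersion>
        <em:maxVersion>3.6.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>"""


def version_key(version, width=4):
    """Simplified key: numeric dot-parts only; '*' sorts above any number."""
    parts = [float("inf") if p == "*" else int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def firefox_range(install_rdf):
    """Return (minVersion, maxVersion) declared for Firefox, or None."""
    root = ET.fromstring(install_rdf)
    for target in root.iter(EM + "targetApplication"):
        for desc in target:
            if desc.findtext(EM + "id") == FIREFOX_ID:
                return desc.findtext(EM + "minVersion"), desc.findtext(EM + "maxVersion")
    return None


def stays_enabled(install_rdf, browser_version):
    """True if the add-on's declared range covers browser_version."""
    declared = firefox_range(install_rdf)
    if declared is None:
        return False  # no Firefox target declared at all
    low, high = declared
    return version_key(low) <= version_key(browser_version) <= version_key(high)


if __name__ == "__main__":
    for release in ("3.0", "3.6.17", "4.0"):
        print(release, "enabled" if stays_enabled(SAMPLE_INSTALL_RDF, release) else "DISABLED")
```

Once the add-on is disabled this way, nothing restores the opt-out cookie after the next cookie clear, and the user gets no signal that the persistence is gone.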

These firms have created privacy enhancing technologies and then loudly advertised them to consumers and regulators. Unfortunately, now that the attention of regulators has shifted to Do Not Track, both Google and the NAI appear to have abandoned the users of their respective plugins. Neither firm has provided their users with sufficient notice to let them know the impact, or let them know what other options they have to continue to maintain their opt out choices.

Perhaps the FTC will take notice?


Vance Ricks said...

So, what should we Firefox 4.0x users be doing in the meantime...?

Anonymous said...

Vance, that's the same thing I'd like to know.
Chris, I watched your presentation on youtube; Your ISP and the Government: Best Friends Forever. Awesome job! Keep up the good work; if it weren't for people like you fighting for our privacy, I'm not sure where we'd be by now. Thank you so much!

Ethan said...

Do you have any recommendations for further reading on what services and tools could be used to regain a little anonymity and freedom? It's hard to be comfortable that an information source isn’t itself compromised. Is there a reasonable way to verify who is a real friend of privacy and not someone leading the innocent astray? I am always checking your twitter feed since stumbling across your and Stamm's paper a couple months ago. I currently just use Firefox and the Noscript addon. But I would really like to reduce my footprint further. Thank you again for all you do, I feel changes are accelerating.