Useful Links
SMBlog
RSS feed RSS icon
About this blog
About me
Archives of Dave Farber's IP list
Archives of RISKS Digest
The Legal Information Institute at Cornell University
Thinking Security
Firewalls and Internet Security: Repelling the Wily Hacker
The Electronic Frontier Foundation
The Tor Project
The Center for Democracy and Technology
Freedom to Tinker blog
Bruce Schneier's blog
Matt Blaze's blog
Matthew Green's A Few Thoughts on Cryptographic Engineering
Krebs on Security
October 2007
The Technical-Social Contract (1 October 2007)
Screendump: #1 in a Random Series of Messages You Shouldn't See (5 October 2007)
This is Disgusting (10 October 2007)
The Proper Benefit of an iPhone Design Mistake (16 October 2007)
Comcast Apparently Blocking Some Peer-to-Peer Traffic (19 October 2007)
More on Comcast Blocking Peer-to-Peer Traffic (22 October 2007)
"Do Not Track": All or Nothing? (31 October 2007)
Recent Posts
Brief Notes on Computer Word and Byte Sizes (7 March 2023
In Memoriam: Frederick P. Brooks, Jr. --- Personal Recollections (18 November 2022
Attacker Target Selection (5 July 2021
Where Did "Data Shadow" Come From? (26 June 2021
Vaccine Scheduling, APIs, and (Maybe) Vaccination Passports (2 April 2021
Security Priorities (25 February 2021
Covid-19 Vaccinations, Certificates, and Privacy (13 August 2020
Hot Take on the Twitter Hack (15 July 2020
Trust Binding (11 June 2020
Facebook, Abuse, and Metadata (24 May 2020
Archive
2007 (43)
2008 (39)
2009 (21)
2010 (15)
2011 (16)
2012 (14)
2013 (6)
2014 (16)
2015 (14)
2016 (6)
2017 (17)
2018 (16)
2019 (17)
2020 (15)
2021 (4)
2022 (1)
2023 (1)
 
Full Index
Tag Index

"Do Not Track": All or Nothing?

31 October 2007

According to press reports, some Internet marketing companies are starting a "Do Not Track" list, a way to opt out of tracking cookies. It’s a good idea, but there’s a downside: using this scheme can hurt your privacy unless you’re very careful.

Internet marketers typically track people via cookies. A cookie is a small amount of text stored on your computer by a web server; it lets the server know you’re the same person (more precisely, you’re using the same web browser) who visited the site some other time. Some cookies are used to track your preferences, such as what sort of web sites you visit or articles you read; this is used to tailor ads to your (perceived) interests.

One of the best explanations of cookies and advertising can be found at Doubleclick’s FAQ. (Doubleclick’s privacy policy disclosure is one of the best out there. This is quite ironic, since years ago they were roundly criticized for their privacy practices. On the other hand, very few people know to check that site, since most people don’t even know it exists.) You can see how this works by connecting to my cookie test server, which I’ll leave running for a few weeks.

A typical "Do Not Track" option works by letting people download a special cookie. Doubleclick’s opt-out service does just that:

Presumably, the AOL version would be more complex, because it will let you specify your interests. That is, it’s intended to permit targeted advertising but without tracking.

The problem is that today’s best way to avoid tracking — regularly cleaning out your cookie collection — will delete the "no-track" cookies. (Doubleclick even warns about this.) Users will thus be faced with a choice: defend against everyone, by frequently discarding all cookies; defend against the more responsible marketers, by using their no-track cookies; or trying to remember to be selective about discards and/or recreating many different no-track cookies very frequently. None of these options sound appealing.

Update: a New York Times blog has noted the same problem. It refers to some technology developed by Tacoda to permit preferences to persist even if cookies are deleted. It isn’t clear to me what that technology is; Tacoda and its subsidiary, Advertising.com have web pages on cookie-based opt-out. Perhaps it uses a Flash cookie? Flash cookies are just about as useful for tracking people, and they’re seldom deleted because most people don’t know about them.
Tags: privacy
https://www.cs.columbia.edu/~smb/blog/2007-10/2007-10-31.html