Private I: Firefox and others deal with unwanted trackers, whether ads or malicious

You'd think checking a box labeled Do Not Track would indicate a strong preference for, you know: not being tracked. And yet that is not the case. Those who sell slots to advertisers or gather demographic and other personal data to associate with individuals and improve targeting have a desperate interest in following our every move online.

The more closely advertising is targeted to our needs, the more likely we are not just to pay attention (worth a little), but to click (worth something) or follow through with buying or signing up (worth a lot). Those who sell advertising slots, and the advertisers who buy them, would prefer to have the best, unmediated access to you.

The Do Not Track preference was first envisioned in 2009 as a way for web users to state affirmatively that they didn't want to be tracked. The idea was that inserting a simple header--a bit of metadata sent from a browser to a server--would be a positive signal. The trick was convincing the browser makers and advertising industries to support it.

All the browser makers did, but the industry didn't. There were issues about whether the setting would be "no choice" along with yes and no, or default to either yes or no. As of now, there's essentially no mandate or requirement, whether among trade groups or governments, to honor the setting.

That's why Firefox's Tracking Protection caught my eye. A feature inserted into Firefox, it had the potential to offer a "Hey, Really, Do Not Track" option that would be largely effective. The fact that it's hidden seems to indicate that it's already controversial. No worries, though: even if it disappears or you don't use Firefox, you have alternatives via Ghostery and other tools, as I'll explain.

How we're tracked

Advertising, analytics, social media, and other tracking networks use JavaScript, tiny images, and other embedded methods to install tracking IDs on your browser when you visit sites that incorporate their signals. This might be a site that uses Google Analytics, Doubleclick, GeoTrust, or dozens of others--or even dozens on one site.

Some networks go beyond using simple browser cookies, which are easy to block or delete, and employ "respawnable" evercookies. These components use various hidey-holes in offline storage and other features in HTML5, Flash, and other systems to cache an ID so that when a cookie is deleted, on the next visit to a site with the network's scripts in use, the browser cookie is re-created. A different category, supercookies, involves a user's ISP or cellular provider tagging their sessions uniquely.

Even in its best form, there was a dispute in the ad industry over whether Do Not Track meant, "Put a marker that someone shouldn't be tracked" or "you can track them but you can't make use of the data in targeting ads to them." Evercookies and supercookies seem unethical, but may be perfectly legal. All legitimate networks offer some kind of opt-out method, but many work poorly, and you have to opt out often for every browser by network, and sometimes only for a limited period of time. And, as with the Do Not Track quibble, opting out of tracking can mean you're tracked with a promise to not use identifying information.

Because of all this, users have increasingly installed ad-blocking software, which throws the baby out with the filthy bathwater. Poor baby! The baby is the revenue from advertising that allows sites such as Macworld and hundreds of thousands--or maybe millions--of others to pay the bills that make publications go from a part-time self-employed blogging gig to a newsroom of hundreds of reporters. A recent report from the Reuters Institute for the Study of Journalism noted:

In the UK, 39 percent have installed ad-blocking software on their PC, mobile, or tablet, whereas in the US this rises to 47 percent. The figures are even higher for 18--24s (56 and 55 percent respectively).

I won't make a moral argument about the necessity of viewing ads when visiting a site that uses them for revenue. The business model of a site isn't the responsibility of its users, and the number of trackers that users shouldn't trust is so high that it's reasonable for people to install ad blockers as a way to get rid of good and bad alike.

To understand my sentiments, I was a co-plaintiff in a suit led by the Electronic Frontier Foundation in support of ReplayTV back in 2002 about ad skipping and space shifting. Turner Broadcasting's CEO famously responded that year in an interview to this question about ad skipping, "What if you have to go to the bathroom or get up to get a Coke?" He replied, "I guess there's a certain amount of tolerance for going to the bathroom."

Likewise, I think it's absurd to say, "If you won't load [any or all] ads, you're stealing." It's an extreme position, especially when sites reference 10 or 20 or 30 tracking elements. About half my paychecks as a freelancer come from sites for which advertising is key, and the other half from sites for which subscriptions pay a good part or a large part of the bills. (Ads for subscriptions are ads, too, of course.) The rise of ad blockers will hurt some sites and services, but also lead to development of other kinds of reader revenue, including more paywalls.

Some people simply don't want to see ads, and those who feel that way aren't valuable lost revenue, because they're not going to click on things or use calls to action, anyway. But I suspect that many people just don't want to be tracked all the time and have ads creepily targeted to them. For that group, blocking malicious sites and blocking bad actors--services that aren't engaged in ethical tracking--would likely be enough.

Less tracking, more speed

Firefox's Tracking Protection earned some attention in May when two researchers--one then working at Firefox's maker, Mozilla--released a paper about the feature, which was rolled into the browser, but not enabled nor presented as a choice in the main preferences interface. (To turn it on, type about:config in a Firefox location bar, and then search for trackingprotection. Double-click to set privacy.trackingprotection.enabled to true.)

Tracking Protection is not an ad blocker; it's not about whether a site is presenting commercial information to you at all. Rather, it's an unsafe-connection blocker. The developers used the software behind Google's Safe Browsing service, which manages a list of URLs to warn surfers about, and took about 1,500 domains from the Disconnect privacy-oriented service's list of bad players. The list is updated every 45 minutes. (Safe Browsing from Google is intended to avoid malware and phishing, while Disconnect focuses on insecure connections that carry private information and "malicious trackers, sources of malware, and identity theft.")

The paper showed not just the quantity of connections to services identified in this fashion, but also how much faster webpages load without pulling in seemingly unwanted or openly dangerous trackers. The speed is what attracted attention.

In my testing over the last few weeks, Firefox in OS X is definitely zippier, but I've also had to disable Tracking Protection for specific sites, especially for use with Facebook logins from other sites. You can use a pop-down menu in the toolbar to disable protection on individual sites. For the most part, most sites work just fine.
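A simplified sketch of the kind of check described above, added here as an illustration and not Firefox's or Disconnect's code: each request a page makes is compared against a domain blocklist, with a per-site exception like the toolbar toggle. The domains, the function names, and the rule that first-party requests are always allowed are assumptions of this example.

```javascript
// Constructed sample data: placeholder domains, not entries from any real list.
const BLOCKLIST = new Set(["tracker.example", "ads.metrics.example"]);
const ALLOWED_SITES = new Set(["news.example"]); // sites where the user turned protection off

// "a.b.tracker.example" -> ["a.b.tracker.example", "b.tracker.example", "tracker.example"]
// The bare top-level label is never tested, so one entry cannot block a whole TLD.
function hostSuffixes(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  const out = [];
  for (let i = 0; i + 1 < labels.length; i++) out.push(labels.slice(i).join("."));
  return out;
}

// Crude "same site" test using the last two labels (assumption of this sketch;
// a browser would consult the Public Suffix List instead).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Decide whether a request made by a page should load.
function decide(pageUrl, requestUrl) {
  const page = new URL(pageUrl).hostname;
  const req = new URL(requestUrl).hostname;
  if (siteOf(page) === siteOf(req)) return { action: "allow", reason: "first-party" };
  const hit = hostSuffixes(req).find((s) => BLOCKLIST.has(s));
  if (!hit) return { action: "allow", reason: "not-listed" };
  if (ALLOWED_SITES.has(siteOf(page))) return { action: "allow", reason: "site-exception" };
  return { action: "block", reason: "listed:" + hit };
}

// Summarise every request a page made, Ghostery-style: a count plus per-URL detail.
function audit(pageUrl, requestUrls) {
  const results = requestUrls.map((url) => ({ url, ...decide(pageUrl, url) }));
  return { blocked: results.filter((r) => r.action === "block").length, results };
}

// Constructed page load for demonstration.
const PAGE = "https://shop.example/cart";
const REQUESTS = [
  "https://shop.example/app.js",           // first-party script
  "https://cdn.tracker.example/pixel.gif", // subdomain of a listed domain
  "https://ads.metrics.example/t.js",      // exact listed host
  "https://metrics.example/lib.js",        // parent of a listed host: not listed itself
];
console.log(audit(PAGE, REQUESTS));
```

Matching on host suffixes means a listed domain also covers its subdomains, while listing `ads.metrics.example` does not block its parent `metrics.example`.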

As Ed Bott noted weeks ago, however, the feature appears destined to sputter out, as the Mozilla developer, Monica Chew, has left and posted a fairly dismissive blog post about what the future of Mozilla's interest in the area might be. (Ed also noted that Microsoft has had such a tracking blocklist in Internet Explorer since 2011, which is sadly not of use for us on iOS or in OS X. Maybe Microsoft should restart IE for Mac?)

Alternatives to Tracking Protection

I like Tracking Protection because of its integration and seemingly light hand in what it does. But Disconnect (which helped provide the blocklist for the feature), Ghostery, and others offer similar or better features. Ghostery, for instance, shows you a count of how many tracking elements are on a site when the page loads, and lets you block whichever you like. Ghostery is focused on privacy, not malice. Disconnect has its feet on both pedestals.

iOS 9 will also support "content-block extensions" for Safari, already available in its OS X incarnation, which can be used for ad blocking. One can imagine Disconnect and others offering these extensions.

No matter your feelings about ads, it's reasonable to be worried about and want to block sites that have no business--literally, it's none of their business--tracking you, and to be angry at those feeding us malicious software and trying to coax our secrets from us. Some balance would be nice. Without it, readers will continue to take matters into their own hands.

Stories by Glenn Fleishman
