Thursday, January 27, 2011

Data Privacy

Data Privacy Day is "an international celebration of the dignity of the individual expressed through personal information."

There is no doubt that we have evolved into a digital society. Whether it is via a traditional laptop or desktop computer or a mobile device, we are seldom far from being connected to the Internet.

Computers surround our everyday lives. When we make a credit card purchase, the information is transmitted over the Internet.  Computers are an integral part of the airline reservation services we use to schedule a family holiday.  If we need to contact our local police or fire department, they access directions to our home via a computer.

Much of our personal information is stored on computers.  The information contained in our medical, insurance, pharmacy, employment and school records, bank and credit reports, tax and government data provide not only a story of our life but also a key to our identity. 

There is more to online privacy than personal records.  Consider the following activities:
  • Information searches
  • Browsing online for products and services
  • Information shared with friends on social networking sites
  • Travel and location information with location-enabled Smartphone applications

As any of the above online activities are conducted, information is stored on your computer. This information is potentially available for data collection and manipulation, resulting in targeted advertisements. Advertisements are a “necessary evil”. Maintaining websites is not cost free.  Thus, the need for the subsidy provided website owners by advertisers. Although many free and licensed applications and browser add-ons have been created to block or remove what is commonly referred to as tracking cookies, other means of tracking website visits have evolved.


The Future

Particularly due to a year-long study by the Federal Trade Commission (FTC), a lot of attention has been devoted to online privacy. On December 1, 2010, the FTC released a preliminary report entitled "Protecting Consumer Privacy in an Era of Rapid Change". The one hundred twenty-two (122) page PDF file is available for download at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf ). Briefly, the FTC report provides a broad framework centered on three concepts: privacy by design, simplified choice, and greater transparency.

Within days of the FTC report, the Microsoft Internet Explorer 9 team announced tracking protection for inclusion in the Internet Explorer 9 Release Candidate. Both privacy advocates and consumers alike will see this as a major step forward to providing additional online privacy.

IE9 and Privacy: Introducing Tracking Protection
  • Opt-in “Tracking Protection” to identify and block many forms of undesired tracking.
  • “Tracking Protection Lists” to enable control of the third-party site content that can be tracked when online.

clip_image001With Tracking Protection in Internet Explorer 9 (IE9), you will have control of what data is shared as you navigate from one website to another.  This is accomplished by adding Tracking Protection Lists (TPL) to Internet Explorer. Anyone, and any organization, on the Web can create and publish Tracking Protection Lists. 

Although the default installation of IE9 will not include Tracking Protection lists (TPL), the option will be available to add lists created by others.  In effect, the lists provide a “Do Not Call” indicator for external content, unless you visit those sites directly. The TPL will also include the ability to include “OK to Call” addresses.  This is to ensure you can access these sites even if one of their lists has the site identified as “Do Not Call.”  Tracking Protection is not on by default. Thus, after turning on Tracking Protection, it will remain on until you turn it off.

The process of change is not simple.  Realize that it will be ongoing.  As a postscript to the IE Blog article, IE9 and Privacy: Introducing Tracking Protection Dean Hachamovitch, Corporate Vice President, Internet Explorer, added:
"One aspect of the larger tracking discussion involves a change to “HTTP headers.” The key thing to note is that such a change is the start but only part of delivering tracking protection. It is a signal to the web site of the consumer’s preferences. The rest of that solution (defining what that signal from the consumer means, what to do with it, verification, enforcement, etc.) is still under construction."
Mozilla Firefox "Do Not Track"


Last week, Mozilla announced “Do Not Track”.  The concept is to provide a way for people to opt-out of online behavioral advertising (OBA) by transmitting a Do Not Track HTTP header every time their data is requested from the Web. This header will notify the website that the visitor wants to opt-out of third-party tracking for behavioral advertising.  When the feature is enabled, advertising networks will be told by Firefox that the user has asked to opt-out of behavioral advertising.

As indicated in the Mozilla announcement, the "initial proposal does not represent a complete solution" but rather is one step to see if the header approach can work.  The goal is to provide a more nuanced, persistent tool for communicating privacy choices on the web.  Do Not Track (DNT) is expected to be introduced in version 4.1.

More information is available in the MozillaWiki FAQ: Privacy/Jan2011 DoNotTrack FAQ


Today

The Internet Explorer 9 tracking protection will provide a viable option for protecting your privacy. I expect that the other browsers will provide similar methods of providing tracking protection in future releases. In the meantime, there are other options available for protecting your privacy. In the following segments are instructions for restricting tracking cookies as well as examples of options and a few of the available browser extensions for managing DOM Storage and Flash Cookies. Also included are browser settings for private browsing sessions.

Cookies


There are considerations when blocking cookies.  Keep in mind that not all cookies are tracking your every move.  As a simple example, website logon cookies remember pages read. Also, note that cookies cannot be used to run code (run programs) or to deliver viruses to your computer.

Session Cookies
are also useful. Some websites require session cookies to track your movements on the site. Without the session cookies, you would repeatedly be asked for the same information already provided.  As an example, session cookies are used when shopping online to remember items placed in a shopping cart.  Without the session cookies, the shopping basket would disappear before you reach the checkout.  Session cookies are stored in memory not on the hard drive. They expire when the browser is closed.

Third-party Cookies
are cookies that are set by one site, but can be read by another site.  This enables advertisers that use third-party cookies to track your visits to the websites on which they advertise. With third-party cookies, your web surfing habits are logged, allowing advertisers to tailor advertisements to your interests.

What if you do not want to be tracked?


The Network Advertising Initiative (NAI) provides a system for opting out of popular ad networks. The Network Advertising Initiative tool identifies the member companies that have placed an advertising cookie on your computer. Using the NAI tool is simple. Merely choose the provided option to Select All member companies or check specific boxes that correspond to the company(s) from which you wish to opt out. After you click the Submit button, the tool will automatically replace the selected advertising cookie(s) and verify your opt-out status.

TrackBlocker
is a Firefox extension provided by PrivacyChoice.org. The extension not only blocks cookie tracking by over 200 ad companies it also deletes Flash cookies from these companies.
Most web browsers have a feature in their settings that lets you disable cookies from third-party websites. Shown below are the instructions for the setting to block tracking cookies for the major web browsers.

To block third-party cookies in Internet Explorer, do the following steps:
  • Launch Internet Explorer and select the Tools menu
  • Click Internet Options, click Privacy, and then click Advanced.
  • Check the box next to Override automatic cookie handling
  • Check the option to Block in the Third-party Cookies column.
  • Click OK.
clip_image002

Firefox
also has the option to block third-party cookies.  The steps include:
  • Launch Firefox and click the Tools menu
  • Select Options and Privacy
  • Uncheck the option to Accept third-party cookies.
clip_image003

Google Chrome
allows all cookies by default.  Below are the steps for changing the default settings:
  • Launch Google Chrome and click the Tools menu
  • Select Options.
  • Click the Under the Bonnet tab and locate the Privacy section
  • Choose the Content settings button.
  • Click the Cookie settings tab and choose your preferred settings.
  • Click Close.
clip_image004

Google Chrome now also has available the recently announced Keep My Opt-Outs.  The extension provides users to out of cookies that are related to personalized online ads. Note, however, that a small percentage of personalized ads also come from companies who do not yet participate in self-regulatory efforts. Thus, do not expect perfection.

Safari has similar instructions as the other browsers:
  • Launch Safari and go to Preferences and then click the Security tab
  • Click the Show Cookies button
  • Click the radio button for the option Only from sites I visit (Block cookies from third parties and advertisers).

The terminology used by Opera is similar to Safari.
  • Launch Opera and press CTRL+F12 to open the Opera Preferences menu.
  • Select the Advanced Tab
  • Select Cookies from the left sidebar menu.
  • Select Accept cookies only from the site I visit to disable third-party cookies.
clip_image005

Opera also has the option to disable “referrer logging”, which allows a website to know what site you were previously visiting. Some sites depend on referrer logging to work correctly. If you elect to disable referrer logging in Opera, it can be done through Settings > Preferences > Advanced > Network. Uncheck Send referrer information.

DOM Storage


Although we generally associate the term cookie with data stored by websites we visit, DOM Storage does not store cookies per se. Rather, DOM storage is per-session or domain-specific data. It is easier to control how information stored in one window is visible to another with DOM Storage. (According to W3C, officially, the term is Web Storage but the common term is DOM for Document Object Model.)

DOM Storage is comprised of two primary parts, Session Storage and Local Storage. In Session Storage, any data input is stored for the duration of the session. Thus, if a new tab is opened, the data from the Session in the original tab is stored for the new tab. Conversely, Local Storage spans multiple windows and persists beyond the current session. Local Storage allows Web applications to store up to 10 MB of user data. This could include data stored offline for later reading.

Disable DOM Storage

It is easy to disable DOM storage cookies in both Internet Explorer and Firefox browsers by following the simple instructions below. It is important to note, however, that some sites (i.e., CNN) may not work correctly with DOM storage disabled.

Internet Explorer
  • Launch Internet Explorer and open the Tools Menu
  • Select Internet Options
  • Click the Advanced tab
  • Scroll down until you reach Security
  • Uncheck the box for Enable DOM Storage
  • Click Ok

Firefox


A simple way to disable DOM Storage in Firefox is with the extension, Better Privacy. To make the change manually, do the following:
  • Launch Firefox and type about:config in the address bar
  • In response to the warning, click I'll be careful, I promise!
  • Scroll down until you reach dom.storage.enabled or copy/paste dom.storage.enabled in the filter
  • Double-click the dom.storage.enabled line item and it will change from its default value True to False
  • Close the about:config tab

To undo the change to Internet Explorer or Firefox, simply reverse the above steps.

Recently, Google NotScripts extension was released. It is currently necessary to create a password when using the extension and also make other settings changes back to default. The Opera and Safari browsers use DOM storage but, at this point, it does not appear that either provides a means for disabling it.

Flash Cookies


Blocking all or just third-party cookies and clearing browser history does not remove another form of cookies -- Flash cookies. Flash cookies are also known as local shared objects (LSO) or Super Cookies. Because Flash cookies are not as well known as HTTP cookies, they provide the additional advantage for advertisers for tracking and providing targeted advertising. As a result, Flash cookies also jeopardize your online privacy. The same advantages of Flash cookies over HTTP cookies for advertisers are disadvantageous in maintaining privacy.

A partial list of Flash Cookie/LSO properties includes:
  • Unlike HTTP cookies, Flash Cookies are never expiring
  • HTTP cookies are 4 KB, compared to the default storage availability of 100 KB of storage for LSO’s.
  • Browsers provide control mechanisms for HTTP Cookies, which is not generally the case for LSO's.
  • Highly specific personal and technical information (including system and user name) can be stored via Flash.
  • The stored information can be sent to the appropriate server without permission.
  • There is no easy way to monitor sites following you with flash-cookies.
  • LSO’s work in every flash-enabled application, thus allowing cross-browser tracking via the shared folders.

Considering the complexity of Flash Cookies, the question in your mind most likely is how to control or remove them from your computer. Below are few options for consideration.

clip_image006Adobe provides an On-line Settings Manager, illustrated below, to configure Flash Player settings. To use the tool, you need to go to the Adobe Website Storage Settings panel to make the changes to the settings. Although the changes are made via the on-line manager, the settings are only stored on your computer. I have discovered that the Adobe On-line Settings Manager version has changed several times. As a result, it has been necessary after a Flash Player update to revisit the site to verify the settings.


For on-line game players, note that Flash cookies are used to save a game in progress. In that case, you will want to add an exception to the on-line game site.

The Taco plug-in is available for both Internet Explorer and Firefox. It helps manage and delete standard cookies as well as Flash and DOM Storage Cookies. The plug-in also lets you see who is trying to follow your online movements and helps you decline targeted ads from more than 100 ad networks.
Firefox users have the option of using the BetterPrivacy or Flashblock extension.

Flashblock blocks all Flash content from loading. It then leaves placeholders on the webpage. With that method, if you wish to view the Flash content, you can click to download and then view it.
The BetterPrivacy extension manages Flash Cookies by removing them on every browser exit. It also provides the capability of reviewing, protecting or deleting new Flash-cookies individually. If desired, the automatic functions can be disabled. BetterPrivacy also protects against the previously discussed DOM Storage.

Private Browsing


Private browsing options are available for occasions when you do not want to leave evidence of your browsing or search history. When surfing at an Internet Café or unsecured Wi-Fi location this feature is recommended to protect not only your privacy but also security should it be necessary to access a banking or similar secure site.


Internet Explorer
Internet Explorer 8 and Internet Explorer 9 provide several easy ways to start InPrivate Browsing. The feature is available from the Safety menu, by pressing CTRL+Shift+P, or from the New Tab page. Any of those actions will result in launching a new browser session that will not record any information, including searches or website visits. Closing the browser window will end the InPrivate Browsing session.
Note: InPrivate Browsing is not available in earlier versions of Internet Explorer.

Firefox


To access Private Browsing in Firefox, click on the Tools menu and select Start Private Browsing or key CTRL+Shift+P. To end Private Browsing, reverse the process by clicking on the Tools menu and selecting Stop Private Browsing.

Google Chrome

Private browsing in Google Chrome is called Incognito mode. To turn on Incognito mode, from the Tools menu, select New incognito window or key CTRL+SHIFT+N. To stop browsing in Incognito mode, close the Chrome window.

Opera

Opera provides the option of launching either a private tab or window. Any new tab opened in a private window is a Private Tab. Browsing history is removed when the tab or window is closed. Click the red O in the upper, left corner and select Tabs and Windows | New Private Tab or Tabs and Windows | New Private Window. This feature is also available from the File menu on the menu bar.

Finally

clip_image007 It is apparent that there is a long way to go toward online privacy before the tenants proposed in the FTA draft report are accomplished.  Internet Explorer 9 is taking a step forward in design with tracking protection as is Mozilla Firefox.  I anticipate that the other browsers will follow with something similar. A simplified choice and an easier method of changing the settings is needed. Beyond that, and more importantly, a clear understanding of the information advertisers are collecting is needed in order to make informed decisions about what information to allow or block.



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

No comments: