cookies don’t track people. people track people.

The news shows are in a tizzy: Google violated your privacy again [CBS, CNN] by circumventing Safari’s built-in tracking protection mechanism. It’s great to see a renewed public focus on privacy, but, in this case, I think this is the wrong problem to focus on and the wrong message to send.

what happened exactly

(Want a more detailed technical explanation? Read Jonathan Mayer’s post. He’s the guy who discovered the shenanigans in question.)

Cookies are bits of data with which web sites tag users, so that when users return, the site can recognize them and provide continuity of service. This is mostly good for users, who don’t want to re-identify themselves every time they visit their favorite social network or e-commerce site. Cookies work mostly with strong compartmentalization: if cnn.com tags you, your browser sends that tag back only to cnn.com. This is important because users would be surprised (not the good kind of surprise) if one site could tag them once and then cause them to uniquely identify themselves with the same identifier to all other sites across the Web.

Things get complicated when web sites embed content served by third parties, for example ads within a news site. Should this third-party content also be able to tag your browser? Should the tag be sent back to that third party when its content is loaded?

Different browsers do different things. Firefox toyed with the idea of not sending the tag back to third parties, but in beta-testing realized that this would break some features that users have come to depend upon, for example Facebook sharing widgets. Safari chose a fairly unique approach: they mostly disallow third parties from tagging users, though they do allow existing tags to be read, so that things like Facebook widgets can still work.
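To make the difference between these policies concrete, here is a small model of a browser cookie jar. It is an added example, not code from any browser: the hostnames and policy names are constructed, hosts are compared by exact match rather than by registrable domain, and the Safari policy is reduced to the two rules described above.

```javascript
// Simplified model: a cookie jar keyed by the host that set the cookie,
// plus three third-party policies. All names here are constructed.
const POLICIES = {
  // Third-party content may both set and read its own cookies.
  allowAll: { thirdPartySet: true, thirdPartySend: true },
  // The approach the text attributes to Safari: no new third-party tags,
  // but tags that already exist are still sent back.
  blockSetAllowRead: { thirdPartySet: false, thirdPartySend: true },
  // The idea the text says Firefox tested: never send tags to third parties
  // (that setting stays allowed is an assumption of this model).
  blockSend: { thirdPartySet: true, thirdPartySend: false },
};

class CookieJar {
  constructor(policy) {
    this.policy = policy;
    this.store = new Map(); // host -> Map(name -> value)
  }

  // Simulate loading `resourceHost` while the address bar shows `pageHost`.
  // `setCookies` is what the response asks to store, e.g. { uid: "abc" }.
  // Returns the cookies the browser sent with the request.
  load(pageHost, resourceHost, setCookies = {}) {
    const thirdParty = pageHost !== resourceHost;
    const mine = this.store.get(resourceHost) || new Map();
    // Compartmentalization: only cookies set by resourceHost are candidates.
    const sent = (!thirdParty || this.policy.thirdPartySend)
      ? Object.fromEntries(mine) : {};
    if (!thirdParty || this.policy.thirdPartySet) {
      for (const [k, v] of Object.entries(setCookies)) mine.set(k, v);
      if (mine.size) this.store.set(resourceHost, mine);
    }
    return sent;
  }
}

function demo(policyName) {
  const jar = new CookieJar(POLICIES[policyName]);
  // 1. A widget embedded in a news page tries to tag a user it has never seen.
  jar.load("news.example", "widgets.example", { uid: "u-123" });
  const beforeVisit = jar.load("blog.example", "widgets.example");
  // 2. The user visits the widget provider directly and is tagged first-party.
  jar.load("widgets.example", "widgets.example", { uid: "u-456" });
  const afterVisit = jar.load("blog.example", "widgets.example");
  // 3. The news site itself never receives the widget provider's cookie.
  const newsSees = jar.load("news.example", "news.example");
  return { beforeVisit, afterVisit, newsSees };
}
```

Under `blockSetAllowRead` the widget recognizes the user on other sites only after the user has visited the widget provider directly, which is why existing sharing widgets keep working under that policy.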

For some reason (I won’t speculate why, Google claims it’s to enable the +1 button), Google used a known technique that tricks Safari into accepting a third-party tag from Google.

mechanism vs. intent

So the reason this whole controversy bugs me is that we’re discussing web privacy based on specific mechanisms, a bit like discussing home privacy by regulating infrared cameras. Sure, an infrared camera can be used to violate my home privacy, but it can be used for many good things, and there are many other ways to invade my home privacy. Cookies, like all technical mechanisms, have both good and evil uses. And browsers don’t all behave the same way with respect to cookies and other web features, so it’s typical for developers to find workarounds that effectively give them “standard behavior” from all browsers. Sometimes these workarounds are truly meant to help the user accomplish what they want. Sometimes these workarounds are used to evil ends, e.g. to track people without their consent.

Again, I don’t know what Google’s intentions were. All I know is that we’re prosecuting the wrong thing: a technical mechanism instead of an intent to track. Cookies don’t track people. People track people. We should be focusing on empowering users to express their preferences on tracking and ensuring web sites are required to comply.

the tracking arms race

If we focus on technical mechanisms to protect user privacy, then we’re dooming users to an un-winnable arms race. There are dozens of ways of tracking users other than classic cookies. Google used a work-around for Safari third-party cookies, but let’s say they hadn’t. Let’s say instead they’d used Flash cookies, or cache cookies, or device fingerprinting, or a slew of other mechanisms that browsers do not defend against, in large part because it’s really hard to defend against these tracking mechanisms without also breaking key Web features. Would Google then be in the clear?

I fear that that’s exactly what we’re implying when we focus the privacy discussion on mechanisms of tracking. The trackers will move on to the next mechanism, and the browsers will scramble to try to defend against these mechanisms without ever being able to catch up. Blocking tracking at the technical level is, in my opinion, impossible.

the solution: Do Not Track and More

The beginning of a solution lies in the judo move that is Do Not Track, an idea that came out of a collaboration between Christopher Soghoian, Dan Kaminsky, and Sid Stamm (see the full history of DNT). Do Not Track was first implemented in Firefox last year, and soon thereafter in IE, Opera, and Safari. It’s being standardized now at the W3C. It simply lets the user express a preference for not being tracked. Is it a strong technical measure? No. It does nothing to directly prevent tracking. Instead, it lets the user express a preference. And, as support for it grows, it will become incredibly difficult for sites to justify tracking behavior, regardless of the mechanism, when the user has clearly expressed and communicated this choice.

We’ll need more than Do Not Track in the future. But it’s the right kind of battle. It doesn’t care about cookies or fingerprinting or who-knows-what.
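What respecting the preference looks like on the server side, as an added example that is not code from any real site: the `DNT` request header carries `1` when the user opts out of tracking and `0` when the user consents. The feature names, cookie names and values below are hypothetical.

```javascript
// Added example: a mechanism-agnostic Do Not Track gate on the server side.
// Feature names and cookie values are hypothetical.

// Returns "opt-out" for DNT: 1, "consent" for DNT: 0, "unset" otherwise.
// HTTP header names are case-insensitive, so normalise before comparing.
function trackingPreference(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "dnt") continue;
    const v = String(value).trim();
    if (v === "1") return "opt-out";
    if (v === "0") return "consent";
  }
  return "unset";
}

// Every tracking mechanism the site uses is listed in one place, so the
// user's preference switches all of them off together.
const TRACKING_FEATURES = ["visitorIdCookie", "fingerprintScript", "crossSiteLog"];

function planResponse(headers, session) {
  const optOut = trackingPreference(headers) === "opt-out";
  const plan = {
    // Functional state (login continuity) is not tracking and is kept.
    cookies: [`session=${session}; Secure; HttpOnly; SameSite=Lax`],
    enabled: optOut ? [] : [...TRACKING_FEATURES],
  };
  if (plan.enabled.includes("visitorIdCookie")) {
    plan.cookies.push("vid=v-0001; Max-Age=31536000; Secure; SameSite=None");
  }
  return plan;
}
```

The gate keys on the user's stated preference rather than on any one mechanism, so adding a new tracking feature to the list automatically puts it behind the same check.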

If you want to get upset at Google, ask why they don’t provide Do Not Track support in Chrome. Ask why they don’t respect the Do Not Track flag on Google web properties when they see users waving it. These are fights worth having. But fighting over cookies? That’s so last decade.

UPDATE: corrected origin credit for DNT header.

4 thoughts on “cookies don’t track people. people track people.”

  1. I think addressing the specific technical mechanism here is a very important part of the story. You’ve framed it as being about cookies. I’d probably frame it to instead be about using JavaScript to launch an iframe that submits a useless form in order to get around default cookie behavior in Safari. Safari has made a technical decision to disallow third-party cookies but had to do so with a few technical wrinkles so that some large edge cases didn’t “break the internet” for Safari users where that’s code for “break functionality that engineers have decided browsers must be more promiscuous with tracking features to use”. Here, these 4 companies have decided that the choice made by Safari doesn’t mean anything and they can use a workaround, JS+iframe+form, to set that cookie anyway. Sure, they could have used a number of other methods to do this but those would presumably be as bad given the extent to which at least Google must take to respect appropriate flows of personal information that are to some extent under the user’s control.

  2. I’m really not good on the computer but I’m not stupid. I know my boyfriend is using my iPhone to track me. He pays the bill and cookies is turned on. Will it make any difference if I turn it off? Plz help, I’m so over this. Hope I’m wrong but sure I’m not. Any suggestions?

  3. there is a clear reason that makes this thing not a google’s fault but apple’s. the default preference of blocking 3rd party cookies is framed as user’s privacy choice, but it isn’t, it’s the unilateral move of one company making the choice in the name of all of the customers.

    that’s why DNT is so much better, and why it is *not* turned on by default in firefox (a paragon of user’s privacy). the preference/header represents user’s explicit wish not to be tracked, that she makes deliberately (which makes it a much stronger assertion).

    apple is trying to kill advertising as a business model, because they feel threatened, and that is the real threat here. think about all the cool (important) stuff on the internet that would go dark without it. think universal and instant search across all of human knowledge, think firefox, think, well, think internet as we know it!

  4. Pingback: El Noguer | Sobre les galetes i la privacitat
