
May 06, 2011

Designing Browser-based Privacy Tools

By Travis Pinnick
User Experience Designer | TRUSTe
@xtratrav

[To learn about the TRUSTe Privacy Manager solution see the post on the Privacy Manager Browser Client Design.]


Browsers traditionally provide basic privacy protections, usually focused around cookie management, including third-party cookie blocking and cookie-based opt-out. New approaches to managing privacy in the browser include blocking tracker domains as well as the browser-based Do Not Track header request. Each approach has pros and cons when assessed on the criteria of effectiveness, comprehensiveness, and ease of implementation.


Cookie-Based Opt-out Tools

Cookie-based opt-out tools use cookies to indicate to tracking companies’ opt-out mechanisms that a user wishes to be opted-out of behavioral advertising. This only affects the use of user data, not the collection of that data.

Examples of cookie-based opt-out tools include the Network Advertising Initiative (NAI) Opt-out and Digital Advertising Alliance (DAA) Opt-out.

While this method of control is relatively easy to implement, it places the burden of control on the user (there are upwards of 300 individual tracking domains a user can opt out of), and even with a centralized opt-out database this can prove cumbersome. This method also relies on cookies to signal user preferences to the tracking companies; therefore deleting cookies (a common consumer approach to controlling privacy) also deletes the opt-out preferences.

Additionally, some tools have attempted to solve the problem of cookie deletion wiping out user opt-out preferences with browser plug-ins that preserve the opt-out cookies, including the TACO Cookie Opt-out and Google Chrome Keep My Opt-outs.
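The failure mode above (clearing cookies also clears the opt-out) and the plug-in workaround are easy to see in a small simulation. The following is an added example, not code from the original post or from the TACO or Keep My Opt-outs projects: a minimal cookie jar, a "reinstate opt-outs" routine of the kind such a plug-in runs after cookies disappear, and the decision a compliant tracker makes on receiving the request. The domains, cookie names and values are constructed placeholders, not the real opt-out cookies of any company.

```javascript
// Constructed example: a minimal cookie jar plus an opt-out preserver.
// Domains such as adnetwork.example are placeholders, not real trackers.

class CookieJar {
  constructor() { this.cookies = new Map(); }          // key: "domain|name"
  set(domain, name, value) { this.cookies.set(`${domain}|${name}`, { domain, name, value }); }
  get(domain, name) { const c = this.cookies.get(`${domain}|${name}`); return c ? c.value : undefined; }
  clear() { this.cookies.clear(); }                    // "clear all cookies" in the browser UI
  // Cookies the browser would attach to a request to `host` (domain suffix match)
  forHost(host) {
    return [...this.cookies.values()].filter(c => host === c.domain || host.endsWith('.' + c.domain));
  }
}

// A published opt-out list, as a "keep my opt-outs" style plug-in would carry (constructed).
const OPT_OUT_COOKIES = [
  { domain: 'adnetwork.example', name: 'optout', value: '1' },
  { domain: 'metrics.example',   name: 'OPT_OUT', value: 'YES' },
];

// Re-create any opt-out cookie that is missing, e.g. after the user cleared cookies.
// Returns how many were restored.
function reinstateOptOuts(jar, rules = OPT_OUT_COOKIES) {
  let restored = 0;
  for (const r of rules) {
    if (jar.get(r.domain, r.name) !== r.value) { jar.set(r.domain, r.name, r.value); restored++; }
  }
  return restored;
}

// What a compliant tracker does with one request: the opt-out cookie suppresses
// behavioural targeting but, as the text notes, not collection of the request itself.
function trackerDecision(cookies, rule) {
  const optedOut = cookies.some(c => c.name === rule.name && c.value === rule.value);
  return { collects: true, targets: !optedOut };
}

function scenario() {
  const jar = new CookieJar();
  const rule = OPT_OUT_COOKIES[0];
  jar.set('adnetwork.example', 'uid', 'abc123');   // tracking id set on an earlier visit
  jar.set('adnetwork.example', 'optout', '1');      // user opted out via an NAI-style page
  const before = trackerDecision(jar.forHost('ads.adnetwork.example'), rule);
  jar.clear();                                      // user clears all cookies
  const afterClear = trackerDecision(jar.forHost('ads.adnetwork.example'), rule);
  const restored = reinstateOptOuts(jar);           // the plug-in puts the opt-outs back
  const afterRestore = trackerDecision(jar.forHost('ads.adnetwork.example'), rule);
  return {
    before, afterClear, restored, afterRestore,
    uidSurvived: jar.get('adnetwork.example', 'uid') !== undefined,
  };
}
```

The point the run makes: between the clear and the reinstatement the tracker sees no opt-out and targets again, and in every state `collects` stays true, which is the limit of cookie-based opt-out that the text describes. The tracking id itself is not restored; only the opt-out cookies are.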

NAI Behavioral Advertising Opt-out:

DAA Behavioral Advertising Opt-out:


Domain Blocking Tools

Domain blocking tools actually block the collection of data by identifying tracking scripts, web bugs, pixels and beacons placed by known tracking companies. NoScript blocks scripts alone (not specifically those placed by advertisers), whereas Ghostery specifically targets tracking technologies placed by advertisers and ad-related companies.

Domain blocking is a much more powerful approach to tracker management than cookie-based opt-out because it blocks the collection of user data, not just use. Unfortunately it also has the potential to break functionality users may find desirable by blocking either content or dynamic features in addition to tracking. Users can create custom rules around what entities should be blocked or allowed by these tools, or they can rely on trusted parties to create these lists for them (like Microsoft IE9 Tracker Protection Lists).

While cookie-based opt-out mechanisms can be web-based, tracker blocking tools must be browser-based (either built into the browser, or installed by the user as plugins). This allows for an important additional user interface element – the browser alert callout. Users can set alert preferences to be notified of trackers, or choose to block/allow trackers from the in-page alert without having to open the plugin.
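To make the block-list / allow-list mechanics concrete, here is an added example that is not from the original post and not code from Microsoft, Ghostery or NoScript: a small evaluator for a Tracking Protection List in the IE9 text format. It assumes the published TPL syntax as I understand it (an `msFilterList` first line, `:` directives such as `Expires`, `#` comments, `-d host` to block a domain and its subdomains, `+d host` to allow one, and `-str` / `+str` to block or allow any URL containing `str`), that allow rules win over block rules, and that rules apply only to third-party requests. The list contents and host names are constructed placeholders.

```javascript
// Added example: a minimal evaluator for IE9-style Tracking Protection Lists (TPL).
// Assumed syntax: "msFilterList" header, ":" directives, "#" comments, "-d host" block,
// "+d host" allow, "-str"/"+str" block/allow by URL substring; allow beats block;
// only third-party requests are subject to the list. Hosts below are constructed.

function parseTPL(text) {
  const rules = { blockDomains: [], allowDomains: [], blockStrings: [], allowStrings: [] };
  const lines = text.split(/\r?\n/);
  if (lines[0].trim() !== 'msFilterList') throw new Error('not a TPL: missing msFilterList header');
  for (const raw of lines.slice(1)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(':')) continue; // blank, comment, directive
    const action = line[0];
    const rest = line.slice(1);
    if (action !== '-' && action !== '+') throw new Error(`unrecognised rule: ${line}`);
    const isAllow = action === '+';
    if (rest.startsWith('d ')) {
      (isAllow ? rules.allowDomains : rules.blockDomains).push(rest.slice(2).trim().toLowerCase());
    } else {
      (isAllow ? rules.allowStrings : rules.blockStrings).push(rest.trim());
    }
  }
  return rules;
}

// Registrable-domain approximation (last two labels): enough for the example,
// a real implementation would use the public suffix list.
function siteOf(host) { return host.split('.').slice(-2).join('.'); }
function domainMatches(host, dom) { return host === dom || host.endsWith('.' + dom); }

// Decide one request issued while the user is on pageHost.
// Returns 'first-party' (list not consulted), 'allow' or 'block'.
function evaluate(rules, requestUrl, pageHost) {
  const host = new URL(requestUrl).hostname.toLowerCase();
  if (siteOf(host) === siteOf(pageHost)) return 'first-party';
  const allowed = rules.allowDomains.some(d => domainMatches(host, d)) ||
                  rules.allowStrings.some(s => requestUrl.includes(s));
  if (allowed) return 'allow';                       // allow rules take precedence
  const blocked = rules.blockDomains.some(d => domainMatches(host, d)) ||
                  rules.blockStrings.some(s => requestUrl.includes(s));
  return blocked ? 'block' : 'allow';
}

// Constructed list: a curated-style block of one ad network, with its CDN host
// allowed back so that content it serves keeps working, plus one beacon pattern.
const SAMPLE_TPL = `msFilterList
: Expires=7
# constructed list, hosts are placeholders
-d adnetwork.example
+d cdn.adnetwork.example
-/beacon.gif
`;

function demo() {
  const rules = parseTPL(SAMPLE_TPL);
  const page = 'www.news.example';
  return {
    script: evaluate(rules, 'https://tags.adnetwork.example/t.js', page),     // block
    cdn:    evaluate(rules, 'https://cdn.adnetwork.example/lib.js', page),    // allow (+d wins)
    beacon: evaluate(rules, 'https://stats.other.example/beacon.gif', page),  // block (string rule)
    own:    evaluate(rules, 'https://static.news.example/beacon.gif', page),  // first-party
  };
}
```

The `+d cdn.adnetwork.example` line is where the "breaks desirable functionality" trade-off from the text shows up: a curated list author uses allow rules to carve content hosts back out of a blocked tracker domain, and the evaluator has to give those rules precedence for that to work.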

NoScript Browser Alert Callout:


‘Do Not Track’ HTTP Header

The ‘Do Not Track’ HTTP header is a browser feature that appends a header to HTTP requests expressing the user’s preference not to be tracked, placing the burden of compliance on the trackers (currently implemented as the Firefox 4 DNT header). This gives the header the potential to provide much broader protection against tracking than the other mechanisms, if the majority of tracking companies abide by it. However, unlike the other mechanisms, it provides no technical means of enforcement. Also, in the absence of a standard, the header is interpreted differently by different companies: some cease data collection completely, while others continue tracking in aggregate only (and bad actors may ignore it entirely). The DNT header does, however, leave cookies and other tracking mechanisms operational, so it will not interfere with site functionality.
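The signal-versus-enforcement distinction is easiest to see with both ends of the exchange side by side. The following is an added example, not code from the original post or from Firefox, Chrome or any tracker: the client side adds `DNT: 1` to an outgoing request the way the browser (or a header-rewriting extension) does, and the server side records a beacon hit under the three interpretations the text describes. Header arrays use `{name, value}` objects, the shape Chrome's webRequest API hands to extensions, but no browser API is called; hosts, cookie names and policies are constructed.

```javascript
// Added example (not from the original post): the Do Not Track signal on both sides.
// Client side mimics what a browser or webRequest-style extension does: add "DNT: 1".
// Server side shows three tracker interpretations (cease, aggregate, ignore).
// Headers are {name, value} objects; all hosts and cookie values are constructed.

// Add the header once; a second pass must not duplicate it.
function addDntHeader(requestHeaders) {
  const present = requestHeaders.some(h => h.name.toLowerCase() === 'dnt');
  return present ? requestHeaders : [...requestHeaders, { name: 'DNT', value: '1' }];
}

function headerValue(headers, name) {
  const h = headers.find(x => x.name.toLowerCase() === name.toLowerCase());
  return h ? h.value : undefined;
}

// DNT is a preference, not enforcement: only the value "1" expresses "do not track".
function dntRequested(headers) { return headerValue(headers, 'DNT') === '1'; }

// What a tracker stores for one beacon hit under a given policy; null means nothing stored.
function recordHit(headers, policy) {
  const m = (headerValue(headers, 'Cookie') || '').match(/uid=([^;]+)/);
  const full = { uid: m ? m[1] : null, referer: headerValue(headers, 'Referer') || null };
  if (!dntRequested(headers)) return full;           // no signal: full per-user record
  switch (policy) {
    case 'cease':     return null;                       // honours the header completely
    case 'aggregate': return { uid: null, referer: null, count: 1 }; // keeps only a tally
    case 'ignore':    return full;                       // bad actor: signal has no effect
    default: throw new Error(`unknown policy ${policy}`);
  }
}

function demo() {
  const base = [
    { name: 'Host',    value: 'beacon.adnetwork.example' },        // constructed tracker host
    { name: 'Cookie',  value: 'uid=abc123' },                      // tracking cookie still sent
    { name: 'Referer', value: 'https://www.news.example/article' },
  ];
  const withDnt = addDntHeader(base);
  return {
    headerAdded:     withDnt.length === base.length + 1 && dntRequested(withDnt),
    idempotent:      addDntHeader(withDnt).length === withDnt.length,
    cookieStillSent: headerValue(withDnt, 'Cookie') === 'uid=abc123', // DNT leaves cookies alone
    cease:           recordHit(withDnt, 'cease'),
    aggregate:       recordHit(withDnt, 'aggregate'),
    ignore:          recordHit(withDnt, 'ignore'),
    noSignal:        recordHit(base, 'cease'),          // same tracker, header absent
  };
}
```

Two things the run shows that the prose states: the request still carries the tracking cookie after the header is added, so nothing stops collection on the wire, and the same request yields three different records depending solely on the receiving server's policy.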


Major Browser Approaches to Privacy Controls

Microsoft Internet Explorer 9
- provides Tracking Protection List functionality – the browser will be able to compile and read a list of sites which a user can then use to create an allow list or block list, or select a third-party curated list
http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/
- also implemented the ‘Do Not Track’ header that will allow users to send a preference to tracking companies requesting not to be tracked
http://ie.microsoft.com/testdrive/Browser/DoNotTrack/Default.html

Google Chrome
- through a ‘Keep My Opt-Outs’ plugin, Chrome will allow the user to save persistent opt-outs even if they later clear their cookies
https://code.google.com/p/chrome-opt-out-extension/
- also announced the WebRequest API, which Chrome extensions can use to add the ‘Do Not Track’ header
http://code.google.com/chrome/extensions/trunk/experimental.webRequest.html

Mozilla Firefox
- implemented the Do Not Track header that will allow users to send a preference to tracking companies requesting not to be tracked
http://dnt.mozilla.org/
- also available as a plugin for Firefox 3
http://blog.sidstamm.com/2011_02_01_archive.html


Tracker Management Design

There are similarities between the opt-out user experience and the tracker blocking user experience. Both types of user control mechanisms share the following features:

- list of trackers by company name
- the ability to select one or all of the companies on the list

In addition there are a couple of absent features that would add value to these tools:

- the ability to filter the companies by type (ad network, analytics service, etc)
- the ability to filter the companies by trustworthiness / certification status

This is important from a user perspective, as not all trackers are used for behavioral advertising – other uses include web analytics, content personalization, and fraud detection. The ability to filter opt-out or blocking options is therefore important, as there may be valid consumer interest in filtering some types of trackers over others. This is also an opportunity to educate consumers about the different types of trackers, as well as to provide blocking recommendations that are more elegant than simply ‘block all trackers’.

Most of these tools are essentially blocking interfaces (select one or more companies to opt-out of targeting) – but another approach is to act as an allow agent, essentially blocking all tracking companies but those a user chooses to allow because they are deemed trustworthy or because they provide desirable functionality.

When enabled this type of tool could block third party trackers except those with well-documented privacy practices (like those in the TRUSTe Tracking Protection List for IE9).

Recommendations

Effective browser-based user privacy controls should meet the following criteria:

- Graceful integration of several tracking management solutions, especially tracker blocking mechanisms and the DNT header
- Provide more granularity around opt-out / blocking controls than simply ‘block third party trackers’ (i.e. ‘block non-certified companies’, or ‘block only trackers used for behavioral advertising’)
- Simplify the implementation of tracker management tools for mainstream users while allowing technical users more detailed options
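The Tracker Management Design section argues for a tracker list that carries type and certification attributes, and the recommendations above ask for policies more granular than ‘block third party trackers’ plus an allow-agent mode. The following is an added example, not code from the original post or from any TRUSTe product: a constructed tracker catalogue with those two attributes, the filters the text says are missing, and a policy evaluator covering the block-list policies named above and the allow-list model. Company names, domains, types and certification flags are placeholders.

```javascript
// Added example (not part of the original post): a tracker catalogue carrying tracker
// type and certification status, with filtering and a granular blocking policy.
// Company names, types and certification flags are constructed placeholders.

const CATALOGUE = [
  { company: 'AdNet Alpha',  domain: 'adnetwork.example', type: 'ad-network',      certified: true  },
  { company: 'AdNet Beta',   domain: 'ads.example',       type: 'ad-network',      certified: false },
  { company: 'Metrics Co',   domain: 'metrics.example',   type: 'analytics',       certified: true  },
  { company: 'Personalizer', domain: 'personal.example',  type: 'personalization', certified: false },
  { company: 'FraudGuard',   domain: 'fraud.example',     type: 'fraud-detection', certified: true  },
];

// Each policy answers "should this tracker be blocked?". 'allow-list' is the
// allow-agent model: block everything except companies the user explicitly trusts.
const POLICIES = {
  'block-third-party':    () => true,
  'block-non-certified':  t => !t.certified,
  'block-behavioral-ads': t => t.type === 'ad-network',
  'allow-list':           (t, allowed) => !allowed.has(t.domain),
};

// The two filters the text says existing tools lack: by type and by certification.
function filterCatalogue(catalogue, { type, certified } = {}) {
  return catalogue.filter(t => (type === undefined || t.type === type) &&
                               (certified === undefined || t.certified === certified));
}

// Returns Map domain -> 'block' | 'allow'. Per-company user overrides are applied
// last so the "simple for mainstream, detailed for technical users" split keeps the
// user's explicit choice on top of whatever the chosen policy says.
function applyPolicy(catalogue, policy, { allowed = new Set(), overrides = new Map() } = {}) {
  const rule = POLICIES[policy];
  if (!rule) throw new Error(`unknown policy ${policy}`);
  const decisions = new Map();
  for (const t of catalogue) {
    const blocked = overrides.has(t.domain) ? overrides.get(t.domain) === 'block'
                                            : rule(t, allowed);
    decisions.set(t.domain, blocked ? 'block' : 'allow');
  }
  return decisions;
}

function blockedDomains(decisions) {
  return [...decisions].filter(([, d]) => d === 'block').map(([dom]) => dom).sort();
}

function demo() {
  return {
    uncertifiedAdNetworks: filterCatalogue(CATALOGUE, { type: 'ad-network', certified: false })
                             .map(t => t.company),
    nonCertified: blockedDomains(applyPolicy(CATALOGUE, 'block-non-certified')),
    adsOnly:      blockedDomains(applyPolicy(CATALOGUE, 'block-behavioral-ads')),
    allowList:    blockedDomains(applyPolicy(CATALOGUE, 'allow-list',
                    { allowed: new Set(['metrics.example', 'fraud.example']) })),
    override:     blockedDomains(applyPolicy(CATALOGUE, 'block-third-party',
                    { overrides: new Map([['fraud.example', 'allow']]) })),
  };
}
```

The `override` case is the one worth noting from a design standpoint: a blanket policy such as ‘block third party trackers’ would silently break a fraud-detection tracker a site relies on, and a per-company override is what lets a user (or a curated list) keep it without abandoning the blanket policy.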

None of the tracker control approaches described is likely to work in isolation. As the issue develops, cooperation among the invested parties, combining these approaches, may be the best route to transparency around consumer data collection and use.

The optimal end state for a consumer-oriented browser-based privacy tool is one that provides consumers a simple interface for transparency around data practices, coupled with usable, effective controls for managing tracking.


Contact

If you have any questions or comments please contact Travis Pinnick, User Experience Designer at tpinnick@truste.com.

Follow me on twitter at @xtratrav.
