FTC endorses DNT self-regulation, no consensus with EU

Discussion in 'privacy general' started by Pinga, Nov 5, 2012.

Thread Status:
Not open for further replies.
  1. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
  2. In other news, foxes support a self-regulatory approach to the eating of hens.
     
  3. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Well, let's think about several things. We have a government entity here, who we're asking to regulate a problem. Do we not have enough regulation in our lives already and upcoming regulations from the government? Can they really enforce such a thing after the inevitable exemptions that will come and with thousands upon thousands of advertising companies out there? What will happen once we leave the "regulated" websites of America and visit overseas-based websites when the FTC loses jurisdiction? They're not going to step on other territory for that like the rest of the government will for piracy issues and whatnot. Another question is should they regulate it to begin with? We can't stop robo-callers, spam and many other annoyances, so we do need their help in those areas. Do we really need it in this area though? We have options like DNT+, ABP and other very simple to use measures to "regulate" the issue ourselves.

    I think the implementation of DNT, even though it doesn't necessarily work, will cause this issue to become much bigger than it ever really needed to. We were going along just fine. Some of us didn't care one bit we were being tracked, some of us did and went straight for our much more effective toolbox of blockers. Browser vendors come along and start adding DNT in while the W3C decides to step in and get involved, and the advertising industry goes nuts. I only see this making advertisers more aggressive about it and coming up with much more difficult to stop methods, including pushing websites into denying service to those with blocking tools. That's my take on the matter.
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,086
    I'm not sure people who don't care one bit actually exist. In any case, I'd say no we really weren't going along just fine. In terms of blocking we've been having some success against static threats but playing whack-a-mole with all the new/dynamic ones. Furthermore, we have no recognized right/ability to limit how information is used when we do business with companies that we have to or want to. We're still, practically speaking, substantially at the mercy of some of the least human amongst us.
     
  5. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Oh yes they exist, and many don't even know. We were doing well, we still have those tools and they work just fine. Advertising agencies aren't being created every single day, so no, there is no "whack-a-mole" going on like there is in the malware industry. I'm telling you right now that DNT is going to cause far more harm than good, but we'll be seeing in time whether that is true.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I don't see how DNT can make them any more aggressive than they already are. Look at how far this has come, before DNT was even conceived. Remember when it was just cookies? Compare that to what we have to deal with now. IMO, DNT is pointless without some legal recourse that enforces it. Without it, it's a flag that they're free to ignore, one that serves no purpose other than to mark you as one who values privacy. Without enforcement, it may end up having the opposite effect, drawing attention to you.
     
  7. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    :D gotta love the way some things work in here
     
  8. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    Advertising isn't just polluting the public sphere, it is also polluting our minds. I see no reason whatsoever why new legislation should be industry-friendly as the DNT lobby would like to see. As Neelie Kroes put it:
    http://www.theregister.co.uk/2012/10/11/regulators_threaten_do_not_track_standard/

    http://www.pcpro.co.uk/news/377518/eu-chief-warns-against-watering-down-do-not-track
     
    Last edited: Nov 7, 2012
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Any solution that relies on voluntary cooperation is dead before it starts. They aren't going to comply with anything that affects their bottom line. There's only one thing that works, a combination of settings, policies, software, filters, etc. that forcibly implement YNT, aka "You're Not Tracking". If it gets to the point that sites won't allow you in unless you let them track you, then we don't need those sites.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can't you prevent tracking just by disabling your 3rd party (aka 'tracking') cookies?


    ----
    rich
     
  11. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Not quite, though it's by far the most common way to track you since every ad placed on a page will track you if you visit another website with ads from the same advertising company. IP addresses can be used for it, but typically the only thing "scary" about IP address usage is going to Google for a search only to find out they've got your exact location listed right there on the page or close to it (which by the way cannot be turned off unless you go through a VPN or some other such method not worth the hassle to surf). One area commonly missed is JavaScript and Flash, especially Flash cookies. They're completely separate from browser cookies and, at least for a time, were not deleted when you cleared out your browser history/cache/cookies.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That's been around for a long time, but I don't consider that tracking, since once the session is over, I have a new IP on next reboot.

    Aren't there several programs that take care of Flash cookies?

    In addition, anyone with a reboot-to-restore program has the LSO cache wiped on reboot:

    flash_LSO.jpg

    So, not something to worry about, unless I've overlooked something.

    Web beacons have been mentioned, but these depend on 3rd-party tracking cookies (unless something has changed):

    How does a web beacon(web bug) work?
    http://stackoverflow.com/questions/7165763/how-does-a-web-beaconweb-bug-work
    To me, 'tracking' means building a profile over a period of time. It seems to me that the user can control when it's desired or not desired.

    ----
    rich
     
  13. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Well, even logging in to a website can enable tracking to start. But, in regards to Flash cookies, I'm aware of at least Firefox now counting those when you delete cookies after a session. Whether Chrome, IE or anyone else does I'm not sure. I'm thinking web beacons are covered under such tools as ABP. Tracking over time I believe can't happen unless you're never ever clearing out your browsing data.
     
  14. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,086
    Obviously, client IP Address can be useful to varying extents and there are those things mentioned at http://samy.pl/evercookie/ and https://panopticlick.eff.org/. Login credentials provide another means of tracking someone (and can be used with URL session IDs). Not just at those sites where you login, mind you, because those sites can use redirects and/or other mechanisms to exchange information with yet other sites. Thus allowing those other sites to piggyback track so to speak, and also allowing the sites to exchange tracking history. On top of that you have things like cloud AV programs, malicious URL checking features, some custom secure DNS clients, updaters, telemetry/metrics reporters, and various other applications and apps that pass information to sites along with GUIDs. To be safe you must reset anything and everything that can be used to correlate activity over time, all at the same time, and do so very frequently in order to keep the windows during which things were correlated as short as possible. Remember, giving the same unique information (unique nick, name, address, credit card number, license key, whatever) to a site during window X and window Y allows that site and potentially others the means to correlate the tracking history acquired during those two windows. Thus creating the potential to perpetually link windows and enable continuously tracking even when you are taking other steps to prevent that.
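An added illustration of the window-linking point in the post above (not part of the original post): windows that share any one identifier merge, and the merging is transitive. The window names, identifier kinds and values are constructed sample data, and `link_windows` is a hypothetical helper.

```python
# Added illustration; every observation below is constructed sample data.
from collections import defaultdict

def link_windows(observations):
    """Group browsing windows that share at least one identifier.

    observations: iterable of (window, identifier_kind, value) tuples.
    Returns a sorted list of sorted window groups (connected components).
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # (kind, value) -> first window that presented it
    for window, kind, value in observations:
        find(window)  # register the window even if it links to nothing
        key = (kind, value)
        if key in first_seen:
            union(window, first_seen[key])
        else:
            first_seen[key] = window

    groups = defaultdict(list)
    for window in parent:
        groups[find(window)].append(window)
    return sorted(sorted(g) for g in groups.values())

# Constructed log: browser cookies were cleared between every window.
OBSERVATIONS = [
    ("W1", "cookie", "c-1111"), ("W1", "app_guid", "g-AAAA"),
    ("W2", "cookie", "c-2222"), ("W2", "app_guid", "g-AAAA"),  # GUID not reset
    ("W2", "license_key", "k-9"),
    ("W3", "cookie", "c-3333"), ("W3", "license_key", "k-9"),  # same key re-entered
    ("W4", "cookie", "c-4444"), ("W4", "app_guid", "g-BBBB"),  # everything reset at once
]

if __name__ == "__main__":
    for group in link_windows(OBSERVATIONS):
        print(" + ".join(group))
```

W1 and W3 never share an identifier directly, yet they end up in the same group through W2; only W4, where every identifier changed together, stands alone.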
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very interesting.

    I confess to not knowing much about these techniques.

    Can you give an example of what can happen when I log onto my banking site?

    thanks,

    ----
    rich
     
  16. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,086
    Is there some specific way you want me to try to abuse you <laugh> or should I just conjure something up?

    Edit: while checking the thread for your reply I scanned what you wrote again and realize you may have been making a statement rather than actually asking a question (it's late, I'm tired/slow). FWIW, in what you quoted I meant can as in they can do it even though it is problematic. Hopefully the developers contributing to your bank and any related/secondary sites considered the consequences of session IDs in URLs. For purposes of conjuring up a tracking scenario though, it really only needs to be some kind of unique identifier in the URL. It could be something attached to the session rather than a session ID itself. Sadly, many financial institutions do expose their customers (and from within those pages only accessible after login) to third-party advertising systems, analytics solutions, and various affiliate servers.
     
    Last edited: Nov 7, 2012
  17. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    For those who prefer less drastic measures and/or use multiple browsers, the Everything file search engine comes in quite handy.
    It sorts alphabetically, anything starting with # will be on top. So whenever it pops up, it will show you any flash cookies on your hard drive instantly.

    http://www.voidtools.com/
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This type of tracking is the primary reason I started using Sandboxie. It makes it so much easier to just delete locally stored tracking data instead of having to figure out where all of the locations they're using are. If they want to store tracking data, they'll have to do it on their own equipment.

    Even though it's old, Proxomitron is still one of my favorite tools for dealing with many tracking techniques. It makes spoofing the referrer and user agents easy. The original filterset has a referrer spoof built in that returns the same site you're at instead of the one you came from. At The Un-Official Proxomitron Forum, they have a filter that removes ETags. There isn't much it can't filter if the user puts their mind to it.
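An added audit sketch (not from any poster, and not Proxomitron's filter) tying together the earlier posts about unique identifiers in URLs and the referrer filtering mentioned above: it computes which third-party hosts receive a URL identifier through the Referer header under three standard Referrer-Policy values. The hosts, the `sid` parameter and the helper names are constructed, and the downgrade test is simplified to an https/non-https comparison.

```python
# Added illustration; URLs, hosts and the "sid" parameter are constructed.
from urllib.parse import urlsplit, urlunsplit, parse_qsl

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def referer_sent(page_url, request_url, policy):
    """Referer value sent with a subresource request (None = no header)."""
    p = urlsplit(page_url)
    full = urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))  # fragment is never sent
    downgrade = p.scheme == "https" and urlsplit(request_url).scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # the long-standing browser default
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        if origin(page_url) == origin(request_url):
            return full
        return None if downgrade else origin(page_url) + "/"
    raise ValueError(f"policy not modelled: {policy}")

def leaked_identifiers(page_url, request_urls, policy, id_params=("sid",)):
    """Return {third-party host: [identifier values it receives via Referer]}."""
    leaks = {}
    for req in request_urls:
        if origin(req) == origin(page_url):
            continue  # first-party request
        ref = referer_sent(page_url, req, policy)
        if ref is None:
            continue
        values = [v for k, v in parse_qsl(urlsplit(ref).query) if k in id_params]
        if values:
            leaks[urlsplit(req).hostname] = values
    return leaks

# Constructed post-login page and the resources it loads.
PAGE = "https://bank.example/accounts?sid=7f3a9c#summary"
REQUESTS = [
    "https://bank.example/static/app.js",
    "https://ads.example/pixel.gif",
    "https://metrics.example/collect?e=pageview",
]

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(policy, leaked_identifiers(PAGE, REQUESTS, policy))
```

With the older default both third-party hosts receive the identifier; trimming the Referer to the origin, or removing it, leaves them nothing to correlate from the URL.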
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    IMO, much of what is conjured up in "security" discussions is problematic.

    Many years ago, I decided for myself that at some point, I need to trust.

    I have just two financial sites on which I conduct business, and they assure in their privacy policies that they do not share personal information with any 3rd parties. I have no reason not to trust that. No advertisements appear on their pages, except for information regarding their own services.

    In trusting, each person has to set a threshold of concern according to one's own comfort level.

    I was taught that for financial sites, to ensure that no 3rd party cookie is set, and following a session, to delete the browser cache. I'm content with those measures, and am not concerned about a tracking profile being built from using those sites.


    ----
    rich
     