I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)

This is the second of two complimentary law review articles I am releasing this year dealing with privacy policy. The first, “The Pursuit of Privacy in a World Where Information Control is Failing,” was published in Vol. 36 of the Harvard Journal of Law & Public Policy this Spring. (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals.

However, precisely because those benefits and costs remain so remarkably subjective and contentious, I argue that we should look to employ less-restrictive solutions — education and awareness efforts, empowerment tools, alternative enforcement mechanisms, etc. — before resorting to potentially costly and cumbersome legal and regulatory regimes that could disrupt the digital economy and the efficient provision of services that consumers desire. This model has worked fairly effectively in the online safety context and can be applied to digital privacy concerns as well.

The article is organized as follows. Part I examines the use of BCA by federal agencies to assess the utility of government regulations. Part II considers how BCA can be applied to online privacy regulation and the challenges federal officials face when determining the potential benefits of regulation. Part III then elaborates on the cost considerations and other trade-offs that regulators face when evaluating the impact of privacy-related regulations. Part IV discusses alternative measures that can be taken by government regulators when attempting to address online safety and privacy concerns. This article concludes that policymakers must consider BCA when proposing new rules but also recognize the utility of alternative remedies such as education and awareness campaigns, to address consumer concerns about online safety and privacy.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and my Mercatus author page.

A Framework for Benefit-Cost Analysis in Digital Privacy Debates by Adam Thierer

I’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complimentary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

The new Harvard Journal article is divided into three major sections. Part I focuses on some of normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.

If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. A so-called “3-E” solution that combines consumer education, user empowerment, and selective enforcement of existing targeted laws and other legal standards (torts, anti-fraud laws, contract law, and so on), has helped society achieve a reasonable balance in terms of addressing online safety while also safeguarding other important values, especially freedom of expression.  That does not mean perfect online safety exists, not only because the term means very different things to different people, but because it would be impossible to achieve in the first instance as a result of information control complications. But the “3-E” approach has the advantage of enhancing online safety without sweeping regulations being imposed that could undermine the many benefits information networks and online services offer individuals and society.  This same framework can guide online privacy decisions—both at the individual household level and the public policy level.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and it should be available on the HJLPP website shortly. [Update 4/16: It is now live on the site.] In coming weeks, I hope to do some blogging that builds on the themes and arguments I develop in this article.

The Pursuit of Privacy in a World Where Information Control is Failing

[Here’s an oped of mine that recently ran on Reuters.  Readers will recognize many of these themes and arguments since I have developed them here on the TLF many times before.]

Privacy Regulation and the “Free” Internet

by Adam Thierer, Mercatus Center at George Mason University

Would you like to pay $20 a month for Facebook, or a dime every time you did a search on Google or Bing?  That’s potentially what is at stake if the Obama administration and advocates of stepped-up regulation of online advertising get their way.

The Internet feels like the ultimate free lunch.  Once we pay for basic access, a cornucopia of seemingly free services and content is at our fingertips.  But those services don’t just fall to Earth like manna from heaven.  What powers the “free” Internet are data collection and advertising. In essence, the relationship between consumers and online content and service providers isn’t governed by any formal contract, but rather by an unwritten  quid pro quo: tolerate some ads or we’ll be forced to charge you for service.  Most consumers gladly take that deal—even if many of them gripe about annoying or intrusive ads, at times.

Nonetheless, calls for regulation persist, especially as advertising grows more sophisticated.  More targeted forms of online advertising hold the promise of better ads more closely tailored to consumers’ interests.  But that also raises anxieties among some Web surfers who fear their privacy might be undermined by increased data collection or “tracking.”

To address those concerns, the Federal Trade Commission (FTC) and the Department of Commerce have stepped-up activity in this arena and has suggested that new rules may be needed. Earlier this month, the FTC released a report endorsing a new regulatory framework, including a so-called “Do Not Track” mechanism to allow easier consumer opt-outs of online data collection and advertising.  Last Thursday, the Commerce Department followed suit with a new report calling for expanded oversight and a new Privacy Policy Office within Commerce.  Meanwhile, discussion continues in Congress about a new “baseline” privacy law.

The stakes in the debate are significant since regulation could fundamentally alter the nature of online commerce and the future of how digital content and services are provided.  Curtailing data collection and online advertising could be killing the goose that lays the Internet’s golden eggs.  Such regulation will likely have a particularly deleterious impact on small publishers and service providers, who depend almost entirely upon online advertising.  In turn, this could curtail new entry and innovation—and new forms of speech and culture.

Some regulatory advocates don’t hide their desire to move the U.S. in the direction the European Union has charted with its “data directives” and more stringent forms of privacy regulation.  But America’s refusal thus far to walk down that more regulatory path offers scholars the chance to evaluate Europe’s more restrictive approach and study whether America’s lead in the global digital marketplace might be tied to its more “hands-off” approach to online regulation. A recent study by Avi Goldfarb and Catherine Tucker found that “after the [European Union’s] Privacy Directive was passed [in 2002], advertising effectiveness decreased on average by around 65 percent in Europe relative to the rest of the world.” They argue that because regulation decreases ad effectiveness, “this may change the number and types of businesses sustained by the advertising-supporting Internet.” Regulation of advertising and data collection for privacy purposes, it seems, can affect the global competitiveness of online firms.

Regulatory efforts will be complicated by the fact that privacy is a highly subjective condition and definitions of consumer “harm” vary widely.  Many of us don’t much worry about data collection or advertising online; we merrily go along our way surfing free sites, services, and content.  But a handful of vocal pro-regulatory privacy advocates and organizations have successfully convinced many policymakers that the hyper-sensitive concerns of a small minority should trump all other considerations.

Ironically, many of those privacy advocates bash copyright law and claim it is an information control regime, yet privacy regulation would constitute a stronger information control regime by creating the equivalent of copyright for personal information (which would, in turn, conflict mightily with the First Amendment).  In essence, privacy regulations limit the right of people to talk about other people, or communicate facts about them.  This raises serious free speech concerns and has particularly troubling ramifications for press freedoms.  Restrictions on advertising could also have an effect on non-commercial speech, such as political ads or non-profit communication.

Some proposed privacy regulations, such as a “Do Not Track” mandate, would also require a re-architecting of the Internet and the potential regulation of every Web browser to ensure compliance.  If our experience with attempting to eradicate email spam through regulation proves anything, it’s that such schemes are unlikely to work given the Net’s borderless nature.

There is a better path to balancing privacy interests and economic growth than through an onerous privacy regulatory regime. Educating and empowering consumers with more, and better, privacy-enhancing tools can help alleviate much of the concern about data collection or advertising intrusiveness.  The most-downloaded add-on for both the Firefox and Chrome web browsers is AdBlock Plus, which blocks advertising on most sites. A host of other tools are available to block or limit various types of data collection, and every major browser has privacy control tools and anonymous surfing modes to help users limit data collection.

Again, because privacy is a subjective condition, not everyone takes advantage of these empowerment tools.  The crucial point, however, is that the tools exist and they need not be perfect to be preferable to government regulation, which, in this case, could decimate the “free” Internet as we know it.

Adam Thierer is a senior research fellow at the Mercatus Center at George Mason University where he works with the Technology Policy Program. Thierer covers technology, media, Internet, and free speech policy issues with a particular focus in online child safety and digital privacy policy issues. The views expressed are his own.

Today I was invited to the Federal Communications Commission (FCC) to testify at one of the agency’s Broadband Working Group workshops. This particular workshop was on “Broadband Consumer Context,” which focused on “a range of challenges and opportunities as the internet becomes a focal point for commercial transactions, social networking, and a host of activities pertaining to information gathering and exchange.”

I was asked to address the issue of whether there is a relationship between online safety concerns and broadband uptake. In my testimony, I noted that, in my 15 years of research in this area, I have never unearthed any substantive empirical evidence suggesting a correlation between parental concerns about online activity and overall household broadband uptake. I have seen occasional anecdotal news stories discussing the concerns some parents have had about their kids online that led them to reject online connectivity, but these stories have been exceedingly rare (and I haven’t seen any in recent memory).

I also argued that I did not think it at all surprising that such anecdotes are harder to find, or that empirical evidence on this front seems non-existent. I argued that there were four logical explanations for why parental concerns about online safety haven’t “moved the broadband needle” much in the negative direction:

1. Not every home has children present
2. Parents use a variety of household media rules to control media & Internet usage
3. A vibrant marketplace of parental control technologies exists
4. Likely that most parents believe that the benefits of broadband outweigh the potential downsides

For all the details on each of those, read my entire testimony or check out the presentation embedded below that I made to the FCC today.

Is There a Relationship Between Online Safety Concerns and Broadband Uptake? (Adam Thierer – PFF) http://d.scribd.com/ScribdViewer.swf?document_id=19575851&access_key=key-1igiha619z8f15dm6hg5&page=1&version=1&viewMode=

Really, what would we do without European antitrust regulators protecting us from the evils of browser innovation? If Microsoft was allowed to actually bundle its Internet Explorer browser alongside its operating system we might actually do something really crazy… like perhaps try it! After all, the latest browser stats make it pretty clear most of us have a choice and that fewer and fewer of us rely on IE. As Erick Schonfeld noted on Tech Crunch today:

The new browser wars on on. More than a decade after Microsoft killed off Netscape with Internet Explorer, competition in the browser market has never been stronger. Just last week, Mozilla released Firefox 3.5, which has now been downloaded nearly 14 million times. Earlier in June, Apple released Safari 4. In March, Microsoft introduced Internet Explorer 8, and Google came out with a speedier beta of its Chrome browser. Some early data is coming in showing relative market share and how fast people are upgrading. If you look at the chart above from Statcounter, it indicates that since March Internet Explorer has lost 11.4 percent market share to other browsers. [..] Where did that go? It went to Firefox, Safari, and Chrome. Nearly 5 percent of that, or about half, went to Firefox 3.0, which currently has 27.6 percent market share. That doesn’t count last week’s upgrade.

Alas, as I pointed out in my essay a few weeks ago (“European Regulators Think Consumers Too Stupid to Know How to Download a Different Browser“), some Euro-crats still seem to believe that changing browsers requires great detective skills to unearth alternatives.  It’s just pure poppycock and yet another sad example of how antitrust law is usually hopelessly behind the times and has absolutely nothing to do with protecting consumers or fostering innovation.

Now, please excuse me while I get back to surfing the Net via Firefox and Chrome (and Opera on my mobile phone). My God, how did I ever find these browser alternatives!

According to Ina Fried of CNet News, Microsoft plans to remove its Internet Explorer web browser from the new versions of Windows 7 when it ships it in Europe later this year. [Additional coverage at ZDNet.]  MS is apparently doing so to assuage the concerns of EU antitrust officials, who have been obsessed with the company for the past decade. [Update: Here is MS official announcement.]

Apparently, European officials think their citizens are too stupid to find an alternative browser.  I mean, seriously, how hard is it?  Does the competition lack name recognition such that consumers can’t find them?  Hmmm… Google and Apple seem to be pretty well known brands, and their browsers (Chrome & Safari) are pretty easy to find.  And then there’s Mozilla’s Firefox browser (my PC favorite) and Opera (my mobile phone favorite), which are outstanding browsers. [Incidentally, Firefox already has 31% share of the European market.]

OK, OK, the regulators might say, but these competitors are just too expensive!  Uh, no, wait… every one of them is free. So, strike that theory.

Well, the regulators need another theory then. How about illegal tying of products and services! You know, there’s only certain sites or services you can use with IE, right?   Nope, that theory doesn’t work either.  And does anyone believe that MS could really tie OS functionality to the use of IE? How long would the world tolerate Outlook e-mails or Word documents that only allowed linking to URLs via IE??  Come on.

OK, any other theories left? Not that I can think of. Which brings us back to the only theory the Euro-crats have left: people are sheep. They’ll take whatever MS bundles into the OS free, you see, and they will use it more than they use competing products.  Thus, we regulators have to save them from their own stupidity! The masses just don’t know what’s good for them!  These free, integrated services are harming them! And, therefore, the only remaining solution is to kill innovation by crippling functionality and removing the free offering. That’s pro-consumer! … or so say the European antitrust bureaucrats.

Meanwhile, back in the real world, a whole lotta innovation continues to take place. But shhhh.. don’t tell the Euro-crats. They need a company to pick on. Welcome to the Theater of the Techno-Absurd.

Ted Dziuba has penned a humorous and sharp-tongued piece for The Register about last week’s Adblock vs. NoScript fiasco.  For those of you who aren’t Firefox junkies, a nasty public spat broke out between the makers of these two very popular Firefox Browser extensions (they are the #1 and #3 most popular downloads respectively).  To make a long and complicated story much shorter, basically, NoScript didn’t like Adblock placing them on their list of blacklisted sites and so they fought back by tinkering with the NoScript code to evade the prohibition.  Adblock responded by further tinkering with their code to circumvent the circumvention!  And then, as they say, words were exchanged.

Thus, a war of words and code took place.  In the end, however, it had a (generally) happy ending with NoScript backing down and apologizing. Regardless, Mr. Dzuiba doesn’t like the way things played out:

The real cause of this dispute is something I like to call Nerd Law.  Nerd Law is some policy that can only be enforced by a piece of code, a public standard, or terms of service. For example, under no circumstances will a police officer throw you to the ground and introduce you to his friend the Tazer if you crawl a website and disrespect the robots.txt file. The only way to adjudicate Nerd Law is to write about a transgression on your blog and hope that it gets to the front page of Digg. Nerd Law is the result of the pathological introversion software engineers carry around with them, being too afraid of confrontation after that one time in high school when you stood up to a jock and ended up getting your ass kicked.

Dziuba goes on to suggest that “If you actually talk to people, network, and make agreements, you’ll find that most are reasonable” and, therefore, this confrontation and resulting public fight could have been avoided. They “could have come to a mutually-agreeable solution,” he says.

But no. Sadly, software engineers will do what they were raised to do. And while it may be a really big hullabaloo to a very small subset of people who Twitter and blog their every thought as if anybody cared, to the rest of us, it just reaffirms our knowledge that it’s easy to exploit your average introvert.  After all, what’s he gonna do? Blog about it?

OK, so maybe the developers could have come to some sort of an agreement if they had opened direct channels of communications or, better yet, if someone at the Mozilla Foundation could have intervened early on and mediated the dispute.  At the end of the day, however, that did not happen and a public “Nerd War”  ensued.  But I’d like to say a word in defense of Nerd Law and public fights about “a piece of code, a public standard, or terms of service.”

What we had here was a code war that, despite some nastiness, was resolved reasonably well and on a reasonably timely basis.  Now, imagine if this sort of dispute had gone legal, or worse yet, been subjected to a federal regulatory proceeding.  Can you imagine the Federal Communications Commission being asked to adjudicate such a thing!  Next time you hear of a major dispute coming before the commission, start your stopwatch and pray that it doesn’t die before the FCC finally gets around to rendering its judgment on the matter at hand. Worse yet, sit back and watch as entire forests will fall from the resulting paperwork war as both sides hire teams of lawyers, economists, and consultants to file an endless stream of indecipherable documents with the Commission.

What got me thinking about all this is that recently I’ve been critiquing Lessig’s “code-is-law” thesis and pointing out that code really doesn’t have the same force as law, and thank God it doesn’t!  Precisely because it does not have the coercive capacity of actual law or regulation it means that code developers must use other means to persuade competitors or the public to side with them in disputes.  It means that code developers must find ways to innovate around problems, sometimes even creating messy code wars in the process.  And yes, it sometimes means that, when that process goes badly, a war of words may take place online.  But still, isn’t that better than the legal alternative or a regulatory approach?

And, so, when Mr. Dziuba suggests that “The only way to adjudicate Nerd Law is to write about a transgression on your blog and hope that it gets to the front page of Digg,” I guess I just don’t see as much of a downside to that approach as he does.  I share his belief that it would be nice to get both sides to a table to talk and hopefully to hammer out an agreement, but sometimes that doesn’t always happen in cyberspace or in realspace for that matter. What’s going on here is the same game that companies and unions have been playing for years:  Push the envelope in public by any means necessary to drive a better bargaining position when you eventually must come to the table and reach an agreement.  Athletes and sports clubs do the same thing.

Thus, I am rather fond of “Nerd Law,” or “Code Wars” or whatever you want to call it. (Perhaps “hard-nosed public negotiations” is the better umbrella term).  Let coders have their fights and air their dirty laundry in public because, at the end of the day, that process will likely reach a better conclusion than if they took a highly legalistic or regulatory approach to things.  I do not mean to suggest that law or regulation never has a place in resolving disputes. Rather, I am suggesting that the sheer cost of the legal / regulatory route — in terms of time, money, lost innovation opportunities, etc — makes is generally sub-optimal when compared to relying on non-legal means of dispute resolution.

So, let the coders have their Nerd Wars, I say.  And let the best code win.

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online-and especially to defeat tracking for online behavioral advertising purposes. These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In the last installment, we covered the privacy features embedded in Microsoft’s Internet Explorer (IE) 8. This installment explores the privacy features in the Mozilla Foundation’s Firefox 3, both the current 3.0.7 version and the second beta for the next release, 3.5 (NOTE – The name for the next version of Firefox was just changed from 3.1 to 3.5 to reflect the large number of changes, but the beta is still named 3.1 Beta 2). We’ll make it clear which features are new to 3.1/3.5 and those which are shared with 3.0.7. Future installments will cover Google’s Chrome 1.0, Apple’s Safari 4, and some of the more useful privacy plug-ins for browsers . The availability and popularity of privacy plug-ins for Firefox such as AdBlock (which we discussed here), NoScript and Tor significantly augments the privacy management capabilities of Firefox beyond the capability currently baked into the browser.  In evaluating the Web browsers, we examine:

(1) cookie management; (2) private browsing; and (3) other privacy features

History of Firefox

Firefox descends from the very first graphical web browser, NCSA Mosaic. Mosaic was developed at the National Center for Supercomputing Applications in 1992. The co-author of Mosaic, Marc Andreessen, co-founded Netscape Communications and was the lead developer of Netscape Navigator, which was first released in 1994 and based in part on NCSA Mosaic code. In 1998, Netscape publicly released the source code for the latest version of its browser and created the Mozilla Organization to coordinate its development. AOL acquired Netscape Communications later that year, and when AOL scaled back its involvement with the Mozilla Organization in 2003, the Mozilla Foundation was launched to ensure the browser could survive without Netscape or AOL. The Mozilla Foundation released Firefox 1.0 on November 9, 2004. According to Net Applications, Firefox is currently the second-most popular Web browser after Internet Explorer, with 21.72% of the market in Q1 2009.

Cookie Management

To access Firefox’s basic cookie management and privacy settings, open the “Tools” menu, click “Options,” and then click on the “Privacy” tab to display the following options:

Instead of using a slider, as Internet Explorer does, Firefox gives more direct control over cookies. Users can choose to refuse all cookies, refuse all third-party cookies (see the previous post in this series for an explanation of the difference between first-party cookies and third-party cookies), and/or control when cookies expire. The “keep until” box gives three options:

(1) ” they expire” – Cookies determine their own expiration date.

(2) ” I close Firefox” – Cookies are deleted when you close the browser.

(3) ” ask me every time” – Every time a cookie is sent to the user’s computer, the user is asked if they want to “Allow” the cookie (accept it and let the cookie determine its own expiration date), “Allow for Session” (equivalent to the “I close Firefox” setting), or “Deny.” Firefox can also optionally save the user’s preference for all future cookies received from that website. The “Show Details” button allows true power users to view the contents of each cookie before making a decision, as seen here:

By clicking the “Show Cookies” button in the Privacy tab of the Options dialog box, users can view all of the cookies already saved on their computer and delete individual cookies or all cookies at once.

Finally, by clicking the “Exceptions” button in the Privacy tab of the Options dialog box, users can specify which websites are always or never allowed to set cookies.

In addition to having the option of deleting all cookies whenever the browser is closed, users can clear other types of private data when the browser is closed. The following dialog box is displayed when a user clicks on the “Settings” button in the Privacy tab of the Options dialog box.

Private Browsing

Similar to Internet Explorer 8’s “InPrivate Browsing” feature (see the previous post in this series for more information) and Chrome’s Incognito, Firefox 3.5 will include a new “Private Browsing Mode” that protects so-called “over the shoulder” privacy. To enable Private Browsing Mode, select “Private Browsing” from the Tools menu. To disable Private Browsing Mode and reload all tabs that appeared when you enabled Private Browsing Mode, just uncheck the same “Private Browsing” menu item in the Tools menu. There is a hidden way to make Firefox 3.1 Beta 2 always start in Private Browsing Mode and a plan to possibly provide an easier way to do this in the final 3.5 release, but the only obvious use for this would be on public computers (e.g., at a library or coffee shop) where it can’t be guaranteed that each user will close the browser before leaving.

Other Privacy Features

• Master Password – As more and more can be done online and more and more sites require user accounts (and passwords), having all those passwords stored in your web browser can be a security problem unto itself. Firefox allows you to view saved passwords, but it also allows you to protect all of your site-specific saved passwords with a single master password. Your saved passwords cannot be used to automatically log into websites and other individuals with access to your computer cannot view your saved passwords unless the master password is entered. Firefox also has a password quality meter to show you how secure your master password is from cracking attempts.

• Instant Web Site ID – For all websites with an Extended Validation SSL Certificate, this feature displays the website owner’s name to the left of the URL in the address bar. Clicking on the “favicon” on the left side of the address bar displays additional information about the certificate (whether an Extended Validation Certificate or regular SSL certificate) and whether the connection is SSL-encrypted. A second click displays the Page Info dialog box which reports whether you’ve previously visited the website and how many times, whether the website is storing cookies on your computer (which you can view with another click), and if there are saved passwords for the website on your computer (which you can also view with another click). From the Page Info dialog box you can also view all of the media embedded in the webpage, all of the meta tags in the HTML source code for the page, any RSS feeds on the page, and the permissions in effect for the page.

• Optional automatic phishing and malware protection – Two options in the “Security” tab of the Options dialog box, “Tell me if the site I’m visiting is a suspected attack site” and “Tell me if the site I’m visiting is a suspected forgery,” allow Firefox to automatically protect users from malware (attack sites) and phishing scams (forgery sites). When either of these options is enabled, Firefox automatically checks the URL of the page you’re visiting against a list of reported phishing and/or malware sites that it downloads in the background every 30 minutes. If you navigate to a page on one of these lists, Firefox will double-check that the URL is on the list by sending a cookie to google.com, who maintains the lists of identified malware and phishing sites used by Firefox. The anti-phishing site aspect of this feature is equivalent to Internet Explorer’s SmartScreen Filter.

Conclusion

In terms of privacy, what makes Firefox unique compared to the other popular browsers is the extensive number of add-ons (also called “plug-ins” or “extensions”) designed to protect users’ privacy. Google’s Chrome browser does not currently support third-party add-ons but plans to do so in an upcoming release. Microsoft’s Internet Explorer does support extensions, and Microsoft has a website devoted to cataloging those extensions, but offers nothing like the variety and complexity of the add-ons available for Firefox. The two most popular Firefox add-ons (in terms of total downloads; currently second and fourth most popular in terms of weekly downloads) are specifically related to privacy. Adblock Plus (ABP) uses dynamically-updated “subscriptions” to maintain a list of unwanted third-party content and automatically  block that content from being displayed or run by Firefox. ABP can block Flash code, images, external scripts, stylesheets, frames, tracking cookies, webbugs, html elements, text ads, backgrounds, and any class, id, and any other HTML or CSS tag. By default, ABP allows all such elements unless they are blocked by a filter.  NoScript, by contrast, blocks all Java, JavaScript, Flash, and other plugins unless you explicitly allow them on a particular website  either (i) temporarily for your current session (until you close the browser); (ii) or permanently for all future sessions. Thus, with these two add-ons, Firefox offers security-conscious users a much more secure (and thus private) browsing environment than currently available in other browsers. We already covered Adblock Plus in a previous installment of our Privacy Solutions Series. We plan to cover NoScript and other popular Firefox add-ons such as TorButton and FoxyProxy in future installments.

Additional Reading / Links

• Download Firefox 3.1 Beta 2
• New features in Firefox 3.1 Beta 2
• Privacy & Security add-ons for Firefox
• Wikipedia entry on Firefox

By Adam Thierer, Berin Szoka, & Adam Marcus

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online-and especially to defeat tracking for online behavioral advertising purposes.  These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In some of the upcoming installments we will be exploring the privacy controls embedded in the major web browsers consumers use today: Microsoft’s Internet Explorer (IE) 8, the Mozilla Foundation’s Firefox 3, Google’s Chrome 1.0, and Apple’s Safari 4. In evaluating these browsers, we will examine three types of privacy features:

(1) cookie management controls; (2) private browsing; and (3) other privacy features

We will first be focusing on the default features and functions embedded in the browsers. We plan to do subsequent installments on the various downloadable “add-ons” available for browsers, as we already did for AdBlock Plus in the second installment of this series.

In this installment, we’ll be taking a look at the privacy-related features in the most popular browser in use today, Microsoft’s Internet Explorer. Specifically, we’ll be examining the most recent version of the browser, IE 8, Release Candidate 1. We’ll make it clear which features are new to IE 8 and those which are shared with IE 7.

Basic Background

Microsoft’s Internet Explorer browser was launched in 1995 and quickly became America’s most popular web browser, displacing Netscape’s Navigator browser. In recent years, IE has faced new challenges from the Mozilla Foundation’s “Firefox” browser, Apple’s “Safari”, the open source “Opera” browser, and others. (For an excellent history / timeline of web browsers, click here.) Despite these new challenges, IE still commands over 70% of the browser market. Like most other web browsers, Internet Explorer is free. So too are the features we are describing here.

Before we get further in the discussion of privacy controls, it’s important for readers to understand the difference between “first-party” and “third-party” content on webpages. Many webpages today contain a combination of content from many different websites, which enables powerful “Web 2.0” functionality like an interactive Google map displayed along with an address or a “Digg This” link in a blog post. Third-party content can also be used to track users across websites and to serve up advertising. All content loaded from the same domain as is displayed in the Address bar is first-party content. All content loaded from other domains is third-party content. Internet Explorer has a “Privacy Report” function that can show you the source for all the different content elements in the current webpage. To access it, select Webpage Privacy Policy from IE7’s Page menu or IE8’s View menu.

Basic Cookie Management Controls

To access Internet Explorer’s basic cookie management and privacy settings, open the “Tools” menu, click “Internet Options,” and then click on the “Privacy” tab to display the following options:

Users can configure the slider on the upper left-hand side of the window to establish their preferred level of cookie privacy. There are 6 options on the sliding scale from which to choose. Starting from the top of the slider bar:

(1)   ” Block all cookies” — Blocks IE from receiving any new cookies and blocks websites from reading any existing cookies on your computer. (Of course, that would greatly inconvenience users that regularly access websites that require information from the user, such as a Web-based email site that requires users to log in every time they access the website.)

(2)   ” High” — Blocks all cookies from websites that do not have a P3P compact privacy policy or that have a compact privacy policy which specifies that personally-identifiable information is used without your explicit consent. Cookies already on your computer can only be read by the site that created them.

(3)   ” Medium High” — “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without explicit consent,” and “Blocks first-party cookies that save information that can be used to contact you without your implicit consent.”

(4)   ” Medium” — This setting “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without your explicit consent,” and “Restricts first-party cookies that save information that can be used to contact you without your implicit consent.”

(5)   ” Low” — This setting “Blocks third-party cookies that do not have a compact privacy policy” and “Restricts third-party cookies that save information that can be used to contact you without implicit consent.”

(6)   ” Allow all cookies” — This setting allows all cookies from any website.

A P3P compact privacy policy is a machine-readable summary of the full P3P specification, which is a standardized method for explaining a website’s privacy policy. So when IE states that it will “block[] third-party cookies that save information that can be used to contact you without your explicit consent,” it means that the cookie will be blocked unless the site has a P3P compact privacy policy that either indicates that only non-identifiable (NOI) information is collected, or that for every data collection PURPOSE and every type of RECIPIENT that the website shares collected data with, the site’s policy is that the user must opt in (“explicitly consent”) to the practice.

When the slider bar is set anywhere other than the “High” and “Low” levels, users can also click the “Sites” button and then specify different cookie security levels for individual websites. The advantage of this approach is that it lets users create their own personal “white lists” and “black lists” of sites for which they either never want cookies blocked, or for which they always want cookies blocked. This increases the privacy-configurability of the browsing experience. For example, the following screen shows two sites that have been whitelisted and two hypothetical sites that have been blacklisted.

In addition, if the user wishes to manually delete their cookies, web browsing history, form data, personal passwords, or other stored information, they can do so on the “General” tab under the “Browsing History” section. Or, in the new IE 8, they can do so under the new “Safety” drop-down menu (in the Command toolbar) under the first option, “Delete Browser History.” They can also configure IE 8 so that all of this data is deleted each time the browser is closed (essentially converting “persistent cookies” into “session cookies,” concepts Adam Marcus has explained previously). The following screen shows how this user is choosing to delete just their temporary Internet files, cookies, and browsing history. Favorite websites are websites the user has bookmarked.

Using these controls, a particularly privacy-sensitive user who only trusted two or three sites-say, their bank and their employer’s website-could allow cookies for only those sites and block cookies for all other websites. Again, this assumes that they do not mind the potential hassles associated with logging-in to many other sites each time they visit or losing custom preferences that would otherwise be stored in a cookie.

Advanced Cookie Management – “InPrivate Filtering”

Microsoft explains its InPrivate Filtering feature as follows:

Today websites increasingly pull content in from multiple sources, providing tremendous value to consumer and sites alike. Users are often not aware that some content, images, ads and analytics are being provided from third party websites or that these websites have the ability to potentially track their behavior across multiple websites. InPrivate Filtering provides users an added level of control and choice about the information that third party websites can potentially use to track browsing activity.

InPrivate Filtering is off by default and must be enabled on a per-session basis. To use this feature, select InPrivate Filtering from the Safety menu.

In “Automatically Block” mode, InPrivate Filtering will automatically block a site if IE finds that site’s content embedded in more than a user-specified number of other sites (the default is 10) visited by the user.  You can also manually control which sites are blocked, and import and export your list of white/blacklisted sites to share that list with others.

The beta version of IE8 included a subscriptions feature that would have allowed users to automatically receive updated white or blacklists from others-much like the subscription feature in AdBlock Plus that we discussed previously. However, this functionality was removed in the “Release Candidate 1” version of IE8 (released Jan. 26, 2009) for unspecified reasons.  While we recognize that not every beta feature makes it into final releases because of challenges in implementation, we very much hope Microsoft will ultimately add the subscription feature to Internet Explorer 8.  InPrivate Filtering goes a long way in empowering truly privacy-sensitive users to take more granular control over their own privacy, but a subscription feature would allow less sophisticated users to rely on groups or other individuals they trust to help them avoid specific sites according to their concerns about privacy or security.  Indeed, we hope that other browser manufacturers consider incorporating such tools into their browsers.  Perhaps the privacy advocates who currently focus on inventing one-size-fits-all regulatory or legislative solutions could channel their enthusiasm about user privacy into actually developing whitelists and blacklists.

Private Browsing

Another new privacy-related feature in Internet Explorer 8 is called InPrivate Browsing mode (akin to “Incognito” mode in Chrome), which protects so-called “over the shoulder” privacy, although that’s a somewhat misleading term. By not saving any record of your web browsing while InPrivate Browsing mode is turned on, this feature ensures that others with access to your computer will not know what websites you have accessed. Some people like being able to refer to their browser history and don’t want to delete all of their cookies, but want to hide all traces of some of their browsing activities-such as shopping online for a surprise gift, searching for information about a medical condition you don’t want to disclose and, most obviously, enjoying pornography).

When the InPrivate Browsing mode is enabled, none of the varieties of “browsing history” data is saved-but none of your previous history is deleted, either. This comes in handy because, if someone with direct access to your computer is monitoring your browser history to see what you’ve been up to, deleting all of your browsing history would suggest that you’ve been doing something you wanted to hide. But InPrivate Browsing mode allows you to surf anonymously when desired-without making it obvious that you’re doing so. Parents who are concerned about their kids using the InPrivate Browsing mode can use the parental controls in Windows Vista to disable it. But there does not appear to be a way to disable InPrivate Browsing on Windows XP.

Below is a screenshot of the InPrivate Browsing mode-which, again, can be enabled by clicking on the new “Safety” drop-down menu in IE 8 and selecting “InPrivate Browsing.”

While InPrivate Browsing is active, the following takes place:

• New cookies are not stored:
  • All new cookies become “session” cookies
  • Existing cookies can still be read
  • The new DOM storage feature behaves the same way
  • New entries will not be saved to the browsing history
• New temporary Internet files will be deleted when the Private Browsing window is closed
• The following data will not be stored:
  • Form data
  • Passwords
  • Addresses typed into the address bar
  • Queries entered into the search box
  • Visited links

Other Privacy Features

• SmartScreen Filter – Called “Phishing filter” in IE 7, this feature monitors and blocks links to malicious downloads. In IE 8, it also monitors links distributed via email and instant messaging (assuming IE is the default Web browser).
• Cross Site Scripting (XSS) filter – Cross-site scripting attacks allow hackers to “inject” malicious scripts into trusted websites, which can then steal the account credentials of users who access these websites. XSS attacks are dangerous because everything looks fine to users and the attackers can gain almost complete access to users’ computers. The XSS filter in IE constantly scans the data received from websites to determine if there is a likely XSS attack and re-writes the data to neutralize the attack.
• ActiveX Opt-In – By default, ActiveX Opt-In disables most ActiveX controls. When a Web page tries to run an ActiveX control, the following text is displayed in an Information Bar: “This website wants to run the following add-on ‘ABC Control’ from ‘XYZ Publisher.’ If you trust the website and the add-on and want to allow it to run, click here …” The user can then choose whether or not to run the ActiveX control.
• Per-Site ActiveX – If a website tries to access an installed ActiveX control that is not permitted to run on the website, this new feature in IE 8 gives the user the option of blocking the attempt, allowing the ActiveX control for the current site, or to allow all websites to access the ActiveX control.
• Domain Highlighting – The domain name of the site you’re viewing is highlighted in the address bar. By making it clearer to the user which website they’re accessing, this feature serves to protect users against phishing attacks from domain names that look like trusted domain names (e.g., www.paypal.com.hax0r.net, which is not PayPal’s actual website).

Additional Reading / Links

• Download Internet Explorer 8
• IEBlog: IE8 and Privacy
• IEBlog: Privacy Beyond Blocking Cookies: Bringing Awareness to Third-Party Cookies
• Jesse Ruderman’s blog post on new security features in IE 8 – Has links to the first five IEBlog posts about new security features in IE 8.
• Wikipedia entry on Internet Explorer

Over at Ars, Ryan Paul has an appropriately sharp-tongued response to the Mozilla Foundation’s troubling move to become a cheerleader for the European Commission’s ongoing antitrust efforts against Microsoft. Apparently Mozilla will assist the EC’s investigation “by offering expertise about the browser market.”

Paul focuses on what’s wrong with this in both a micro and macro sense. He rightly points out that the potential remedies here do not bode well for the future of this sector, since regulatory tinkering with high-tech product standards is bound to end badly and create a terrible precedent for future interventions. “It’s hard to find a rational argument in favor of mandatory standards enforcement,”  Paul says. “It would be punitive and unhelpful to the advancement of the web.” Moreover, Paul notes that things have never looked better on the browser front:

Claims that Microsoft’s monopoly status has eliminated competition in the browser market sound hollow in the face of the profoundly vibrant browser market that exists today. The record-setting launch of Firefox 3 added up to over 8 million downloads in the first 24 hours alone. Firefox’s global market share continues to climb every month and the browser has grabbed almost 30 percent of the European market.

And let’s not forget about those two little companies called Google and Apple who have competing products in the field! They’re making serious inroads in the browser wars. Moreover, Microsoft is struggling to hold on to whatever “dominance” they have left in their core market: OS. As Paul concludes:

To the observant tech enthusiast, all signs seem to indicate that Microsoft’s monopoly is on its way out. The Redmond giant is in no danger of annihilation, but it’s definitely not positioned to dictate terms to the rest of the industry anymore.

But what is perhaps most shocking about Mozilla’s call for intervention is the way that Mozilla Foundation chairperson Mitchell Baker minimizes the importance of not just Firefox, but the entire open source movement, when justifying EC intervention in this marketplace.

“The success of Mozilla and Firefox does not indicate a healthy marketplace for competitive products,” she wrote. “I am convinced that we could not have been, and will not be, successful except as a public benefit organization living outside the commercial motivations. And I certainly hope that neither the EU nor any other government expects to maintain a healthy Internet ecosystem based on nonprofits stepping in to correct market deficiencies.”

As Paul points out in his Ars story, “[Mozilla’s] position on this matter is highly questionable.” Indeed, I believe it’s more than just highly questionable, it’s a bit of insult to an entire community of developers. Paul is generally correct in his response that:

There are quite a few open source software enthusiasts who would argue that, for a broad range of software products, the emergence of a Mozilla-like model is actually desirable and highly advantageous for consumers. A point will eventually arrive for many kinds of software where there is simply no point in trying to derive value from shrink-wrapping it, and then efforts will converge around collaboratively-developed open source implementations that will displace and eliminate the need for proprietary commercial implementations. Why should that be viewed as unhealthy?

Indeed, but it actually goes beyond that. The message that Mozilla’s Baker seems to sending to the open source community is: You can’t change the world. Your voluntary, collaborative actions cannot correct market deficiencies or fulfill unmet needs.

Geez, isn’t that what the open source movement is all about?!  I’m hardly some sort of open source / free software fanatic — indeed, I envision a future full of plenty of open source AND proprietary types of software and service — but the beauty of the open source movement to me is the way it has so nicely filled unsatisfied niches of demand in the software universe.  And, here’s the really important point, as Paul points out in his Ars article:

The popularization of the open source development model arguably emerged as a response to Microsoft’s monopoly. Developers had to find innovative ways to compete with an entrenched product. If the government had intervened in the software industry at an early stage and those conditions hadn’t existed, the browser market could arguably be a lot less rich and competitive than it is today. If Internet Explorer had never gained the dominant marketshare to necessitate a change in the status quo, the only browser choices we would have today might be between an ad-encumbered Opera and a proprietary Netscape.

That is exactly right. I have been making the argument for many years that it is at a market’s supposedly darkest hour that we are likely seeing some of the most exciting innovation being spawned. People don’t innovate most when they are completely happy with the world around them. It’s when they are pissed-off that they get cracking!!  Mozilla’s Firefox is the perfect example of that. And so is just about everything that Google and Apple have developed in response to Microsoft over the past 10 years.

And yet, sadly, the folks at the Mozilla Foundation want to now become handmaidens to the state — and the European Commission, no less — in their pathetic effort to stick it to a competitor using the law instead of using more marketplace innovation and competition. SHAME ON YOU MOZILLA!  I would dump your browser today if I didn’t love it so much! And thank you to all the brilliant, dedicated people behind the scenes who do keep innovating and making Firefox even better. I sincerely hope that the Mozilla Foundation doesn’t speak for you on this matter.

Microsoft’s share of the browser market across all versions of Internet Explorer has dropped, by one estimate, dropped from 78.58%  in December 2007 to 68.15% in December 2008 (or by just under 8% in another estimate).

[IE’s] share dropped from 69.77% in November to 68.15% in December. [During the same period,] Firefox gained more than half a point and ended up at 21.34%, Safari approaches the [10%] hurdle with 7.93% and Chrome came in at 1.04%, the first time Google was able to cross the 1% mark.

This is particularly interesting: 

Since IE6 is used primarily within corporations, its market share is much higher during the week than it is on weekends. As a result, all other browsers gain on weekends and especially during a holiday. Because of that circumstance, Net Applications noted that the December numbers should be taken with a grain of salt. However, it is worth the note that IE6 achieved … market share numbers of about 28% during the week and about 21% on weekends in early 2008. In December, these numbers were down to about 20% during the week and 15% on weekends.    

So, Microsoft still has an established base among corporate users, where IT administrators  generally prevent employees from installing new applications (including browsers) and the sysadmins often don’t roll out alternative browsers across a corporate network for any one of several possible reasons, including:

• They just don’t want to bother having to install, regularly upgrade and support another piece of software;
• They may overestimate the security vulnerability of such alternative browsers compared to Internet Explorer;
• The crustier sysadmins may not realize that today’s browsers are not only free for individual users, but also for corporate users–unlike the old Netscape Navigator; and
• Corporate intranets may be designed for IE, in which case rolling out an alternative browser might cause confusion among less tech-savvy employees.

Microsoft may still have an advantage that could be considered “unfair,” but so what?  IE’s share of home browser usage may have fallen faster among home users than corporate users, but the overall trend line is clear:  increasing numbers of Americans are taking advantage of the rich browser options available to them, both at home and at work.  As Microsoft’s  share of the browser market falls further with each passing year–at an apparently accelerating rate–the concerns about Microsoft’s “dominance” of the browser market that drove the Justice Department’s antitrust jihad against the company a decade ago seem increasingly obsolete. 

If nothing else, the increasing competitiveness of the browser market should be a persistent reminder to those who advocate top-down regulatory “fixes” to perceived iniquities of online markets that competition and innovation may move faster than government regulators or the courts.  

My prediction for 2009:  IE’s overall share will fall even further than it did in 2008, with particularly strong growth in Google Chrome’s market share.