Today I’ll be testifying at a Senate Commerce Committee hearing on online privacy and commercial data collection issues. In my remarks, I make three primary points:

1. First, no matter how well-intentioned, restrictions on data collection could negatively impact the competitiveness of America’s digital economy, as well as consumer choice.
2. Second, it is unwise to place too much faith in any single, silver-bullet solution to privacy, including “Do Not Track,” because such schemes are easily evaded or defeated and often fail to live up to their billing.
3. Finally, with those two points in mind, we should look to alternative and less costly approaches to protecting privacy that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.

The testimony also contains 4 appendices elaborating on some of these themes.

Down below, I’ve embedded my testimony, a list of 10 recent essays I’ve penned on these topics, and a video in which I explain “How I Think about Privacy” (which was taped last summer at an event up at the University of Maine’s Center for Law and Innovation). Finally, the best summary of my work on these issues can be found in this recent Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing.” (This is the first of two complimentary law review articles I will be releasing this year dealing with privacy policy. The second, which will be published early this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.”)

Testimony of Adam D. Thierer before the Senate Committee on Commerce, Science & Transportation hearing…

Some of My Recent Essays on Privacy & Data Collection

1. A Better, Simpler Narrative for U.S. Privacy Policy – March 19, 2013
2. On the Pursuit of Happiness… and Privacy – March 31, 2013 (condensed from Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing”)
3. Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy? – Feb. 20, 2011
4. Two Paradoxes of Privacy Regulation – Aug. 25, 2010
5. Privacy as an Information Control Regime: The Challenges Ahead – Nov. 13, 2010
6. When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed – Apr. 29, 2011
7. Lessons from the Gmail Privacy Scare of 2004 – March 25, 2011
8. Who Really Believes in “Permissionless Innovation”? – March 4, 2013 (condensed from Minnesota Journal of Law, Science & Technology law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle”)
9. The Problem of Proportionality in Debates about Online Privacy and Child Safety – Nov. 28, 2009
10. Obama Admin’s “Let’s-Be-Europe” Approach to Privacy Will Undermine U.S. Competitiveness– Jan. 5, 2011

Given the importance of privacy self-help—that is, setting your browser to control what it reveals about you when you surf the Web—I was concerned to hear that Google, among others, had circumvented third-party cookie blocking that is a default setting of Apple’s Safari browser. Jonathan Mayer of Stanford’s Center for Internet and Society published a thorough and highly technical explanation of the problem on Thursday.

The story starts with a flaw in Safari’s cookie blocking. Mayer notes Safari’s treatment of third-party cookies:

Reading Cookies Safari allows third-party domains to read cookies.
Modifying Cookies If an HTTP request to a third-party domain includes a cookie, Safari allows the response to write cookies.
Form Submission If an HTTP request to a third-party domain is caused by the submission of an HTML form, Safari allows the response to write cookies. This component of the policy was removed from WebKit, the open source browser behind Safari, seven months ago by Google engineers. Their rationale is not public; the bug is marked as a security problem. The change has not yet landed in Safari.

Mayer says Google was exploiting this yet-to-be-closed loophole to install third-party cookies, the domain of which Safari would then allow to write cookies. After describing “(relatively) straightforward” cookie synching, Mayer says:

But we noticed a special response at the last step for Safari browsers. … Instead of responding with the “_drt_” cookie, the server sends back a page that includes a form and JavaScript to submit the form (using POST) to its own URL.

Third-party cookie blocking evaded, and users’ preferences frustrated.

Ars Technica has published Google’s response, which doesn’t seem to have gone up on any of its blogs, in full. Google says they created this functionality to deliver better services to their users, but doing so inadvertently allowed Google advertising cookies to be set on the browser.

I don’t know that I’m technically sophisticated enough to register a firm judgement, but it looks to me like Google was faced with an interesting dilemma: They had visitors who were signed in to their service and who had opted to see personalized ads and other content, such as ‘+1’s but those same visitors had set their browsers contrary to those desires. Google chose the route better for Google, defeating the browser-set preferences. That, I think, was a mistake.

I wonder if there isn’t some Occam’s Razor that a Google engineer might have applied at some point in this process, thinking, “Golly, we are really going to great lengths to get around a browser setting. Are we sure we should be doing this?” Maybe it would have been more straightforward to highlight to Safari users that their settings were reducing their enjoyment of Google’s services and ads, and to invite those users to change their settings. This, and urging Apple to fix the browser, would have been more consistent with the company’s credo of non-evil.

Now, to the ideological stuff, of which I can think of two items:

1) There is a battle for control of earth out there—well, a battle over whether third-party cookie blocking is good or bad. Have your way advocates. I think the consuming public—that is, the market—should decide.

2) There is a battle to make a federal case out of every privacy transgression. An advocacy group called Consumer Watchdog (which has been prone to privacy buffoonery in the past) hustled out a complaint to the Federal Trade Commission. I think the injured parties should be compensated in full for their loss and suffering, of which there wasn’t any. De minimis non curat lex, so this is actually just a learning opportunity for Google, for browser authors, and for the public.

Kudos and thanks are due to Jonathan Mayer, as well as ★★★★★ and Ashkan Soltani, for exposing this issue.

[UPDATE Feb. 2012: This little essay eventually led to an 80-page working paper, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle.”]

In this essay, I will suggest that (1) while “moral panics” and “techno-panics” are nothing new, their cycles seem to be accelerating as new communications and information networks and platforms proliferate; (2) new panics often “crowd-out” or displace old ones; and (3) the current scare over online privacy and “tracking” is just the latest episode in this ongoing cycle.

What Counts as a “Techno-Panic”?

First, let’s step back and define our terms. Christopher Ferguson, a professor at Texas A&M’s Department of Behavioral, Applied Sciences and Criminal Justice, offers the following definition: “A moral panic occurs when a segment of society believes that the behavior or moral choices of others within that society poses a significant risk to the society as a whole.” By extension, a “techno-panic” is simply a moral panic that centers around societal fears about a specific contemporary technology (or technological activity) instead of merely the content flowing over that technology or medium. In her brilliant 2008 essay on “The MySpace Moral Panic,” Alice Marwick noted:

Technopanics have the following characteristics. First, they focus on new media forms, which currently take the form of computer–mediated technologies. Second, technopanics generally pathologize young people’s use of this media, like hacking, file-sharing, or playing violent video games. Third, this cultural anxiety manifests itself in an attempt to modify or regulate young people’s behavior, either by controlling young people or the creators or producers of media products.

While protection of youth is typically a motivating factor, some techno-panics transcend the old “It’s For the Children” rationales for information control. What all panics share in common, however, is a general desire by the public, media pundits, and policymakers to “do something” to rid ourselves of the apparent menace. Thus, an effort to control the particular content or technology in question is what really defines a true “panic.”

It’s impossible to be scientific about this but there seems to be a cycle of such moral panics or techno-panics at work in our society.  Indeed, looking back over the past few decades, it seems that we experience a new panic roughly every 3 to 5 years. Consider this chronological breakdown of some notable techno-panics since the 1980s on:

• mid-1980s: music lyrics and music videos
• early to mid-1990s: violent video games
• mid- to late 1990s: Internet porn
• late 1990s to early 2000s: browser cookies + kids privacy
• mid-2000: TV & movie violence
• mid- to late 2000: online predators / “stranger danger”
• late 2000s to present: cyberwar
• late 2000s to present: online privacy / web “tracking”

Of course, there were other “mini-panics” that occurred during this stretch and, again, some of them did not involve child safety rationales. There was a brief panic over RFID chips and even the Y2K scare in the late 1990s, for example. Some might argue we also had a bit of panic with copyright and file-sharing back in the early 2000s, and perhaps even one back in the early 1980s when the VCR came on the scene, although that seemed to be more industry-driven. Wireless geo-location and geo-tagging has also been getting more attention recently and still may blossom into a full-blown techno-panic.   And you could make the case that we experienced a different type of techno-panic last year over the supposed “Death of the Web,” although few took that one all that seriously.

Why Do Techno-Panics Pass?

To be clear, there are no clear boundaries with techno-panics.  They do not just suddenly begin and end, and it is impossible to gauge their relative severity since no metric or yardstick exists to measure them against.  Nonetheless, these techno-panics certainly seem to have peaks and valleys in terms of public / political / media attention.

Just a few years ago, for example, the online predator panic reached a fever pitch and “stranger danger” reports were all over the media. As a result, legislation banning social networking sites in publicly funded schools and libraries was introduced, and state attorneys general proposed mandatory online age verification schemes for the Internet to segregate adults and children online. And then, it seems, the fever passed. I couldn’t tell you exactly what week or month it happened — and in many ways some of those fears still exist out there — but it’s clear that the panic about online predation has subsided greatly. I’d like to think that education and awareness helped debunk some of the myths that were fueling that particular panic, just as I’d like to believe that education and awareness helped deflate the fear bubbles that surrounded previous panics.

While I don’t want to entirely discount that possibility, I’m convinced another more cynical explanation may exist: New techno-panics simply crowd-out old techno-panics. There may be several explanations for this:

• Perhaps there is only so much fear-mongering our minds can handle at any given time.
• Perhaps it is becuase the media gets myopically focused on one panic and then hammers it till all the fear has been squeezed out of it such that they have to move on.
• Perhaps it is because a new technology comes along that spooks politicians and the media even more than the previous one they were demonizing.
• Or perhaps all of those factors combine to limit the duration of panics.

Regardless, it seems evident that moral panics and techno-panics have always been with us and will always be with us. From the waltz to rock and roll to rap music, from movies to comic books to video games, from radio and television to the Internet and social networking websites — every new media format or technology spawns a fresh debate about the potential negative effects it might have on society or our kids in particular. An excellent recent report by the U.K. government entitled Safer Children in a Digital World noted that “New media are often met by public concern about their impact on society and anxiety and polarisation of the debate can lead to emotive calls for action.” Indeed, each of the media technologies or communications platforms mentioned above was either regulated or threatened with regulation at some point in its history.

The Cycle is Accelerating but is the Severity of Each Panic Diminished as a Result?

However, it seems like these cycles are now accelerating somewhat.  They peak and fizzle out faster, that is. Perhaps that is a natural outgrowth of the technological explosion we have witnessed in recent years.  Digital innovation is unfolding at a breakneck pace and each new development gives rise to a new set of concerns. Going forward, this could mean we experience more “mini-panics” and fewer of those sweeping “the-world-is-going-to-hell” type panics.

This brings me to the current debate over online advertising, web “tracking,” and personal privacy. What’s interesting about this debate is that, unlike many of the other moral or techno-panics mentioned above, this debate is not being driven by the mantra that “It’s For the Children.”  Today’s privacy panic reflects a more widespread unease with the notion that our digital footprints are somehow being “tracked” for nefarious purposes.  In reality, there isn’t anything nefarious going on here at all. Online sites and service providers are simply using data collection to improve our web experience and better target ads to us in an attempt to cross-subsidize all that wonderful free stuff we enjoy online today. This is truly one of the great pro-innovation, pro-consumer success stories of modern times.  Yet, irrational fears about data collection and targeted marketing have given rise to the second major privacy techno-panic of the past dozen years. (Again, the first privacy-related panic was the “cookie craze” that took place back in the late-90s but then subsided). It is also somewhat ironic that many of the same people and groups who have done yeoman’s work debunking techno-panics in other contexts are driving this modern privacy panic.

I want to make it clear that I am not oblivious to the fact that there are occasionally some legitimate concerns behind some of these moral panics or techno-panics.  For example, I certainly don’t want my young children (ages 9 & 6) viewing hard-core porn, playing extremely violent video games, or even reading graphic comics. And I understand that some forms of personal information are quite sensitive and a legitimate topic for policy discussions.  But, again, these concerns are typically greatly over-hyped, and to the extent that they represent more legitimate concerns, I would argue that education and empowerment-based solutions typically represent a more sensible approach than regulation. Although I sometimes question whether the “harm” that people fear is legitimate, I would hope we could work together to find more sensible ways to address people’s concerns without calling for comprehensive control of the media, content, technology, or the Internet more generally.

Resiliency, Responsibility & Common Sense

Finally, in these discussion, I believe many people overlook the importance of human adaptability and resiliency.  The amazing thing about humans is that we adapt so much better than other creatures. When it comes to technological change, resiliency is hard-wired into our genes.  “The techno-apocalypse never comes,” notes Slate’s Jack Shafer, because “cultures tend to assimilate and normalize new technology in ways the fretful never anticipate.” We learn how to use the new tools given to us and make them part of our lives and culture.  Indeed, we have lived through revolutions more radical than the Information Revolution.  We can adapt and learn to live with some of the legitimate difficulties and downsides of the Information Age. [See my recent book chapter on, “The Case for Internet Optimism, Part 1: Saving the Net From Its Detractors.”]

A healthy does of humility, patience, personal responsibility, and good ‘ol common sense will usually get us through these things. Quite literally, there is no need to panic!

Related Reading

• Techno-Panic Cycles (and How the Latest Privacy Scare Fits In)
• Against Techno-Panics
• Collier on “Why Technopanics are Bad”
• Kids, Media, Commercialism & Moral Panic
• The Next Great Technopanic: Wireless Geo-Location / Social Mapping
• Technopanics and the Great Social Networking Scare
• Sen. Klobuchar Stirs Up Facebook Child Safety Technopanic
• A Rarity: Newspaper Argues Against Techno-panic, Cites Constitution
• Google Street View/Wi-Fi Privacy Technopanic Continues
• Digital Sensors, Darknets, Hyper-Transparency & the Future of Privacy

You have to read all the way to the end to get exactly what the New York Times is getting at in its Sunday editorial, “Netizens Gain Some Privacy.”

Congress should require all advertising and tracking companies to offer consumers the choice of whether they want to be followed online to receive tailored ads, and make that option easily chosen on every browser.

That means Congress—or the federal agency it punts to—would tell authors of Internet browsing software how they are allowed to do their jobs. Companies producing browser software that didn’t conform to federal standards would be violating the law.

In addition, any Web site that tailored ads to their users’ interests, or the networks that now generally provide that service, would be subject to federal regulation and enforcement that would of necessity involve investigation of the data they collect and what they do with it.

Along with existing browser capabilities (Tools > Options > Privacy tab > cookie settings), forthcoming amendments to browsers will give users more control over the information they share with the sites they visit. That exercise of control is the ultimate do-not-track. It’s far preferable to the New York Times‘ idea, which has the Web user issuing a request not to be tracked and wondering whether government regulators can produce obedience.

[I got enough push-back to a recent post arguing the existence of market nimbleness in the browser area that I’m unsure of the thesis I expressed there. The better explanation of what’s going on may be that regulatory pressure is moving browser authors and others to meet the peculiar demands of the pro-regulatory community. The reason they have waited to act until now is because they do not perceive consumers’ interests to be met by protections against tailored advertising. The question of what meets consumers’ interests won’t be answered if regulation supplants markets, of course.]

Via @csoghoian (who can be wrathful if you don’t attribute), Adobe buries the lede in its blog post about privacy improvements to the Flash player. They’re working with the most popular browser vendors on integrating control of “local shared objects”—more commonly known as “Flash cookies”—into the interface. Users control of Flash cookies will soon be similar to control of ordinary cookies.

It doesn’t end there:

Still, we know the Flash Player Settings Manager could be easier to use, and we’re working on a redesign coming in a future release of Flash Player, which will bring together feedback from our users and external privacy advocates. Focused on usability, this redesign will make it simpler for users to understand and manage their Flash Player settings and privacy preferences. In addition, we’ll enable you to access the Flash Player Settings Manager directly from your computer’s Control Panels or System Preferences on Windows, Mac and Linux, so that they’re even easier to locate and use. We expect users will see these enhancements in the first half of the year and we look forward to getting feedback as we continue to improve the Flash Player Settings Manager.

Mysterious, sinister “Flash cookies” were Exhibit A in the argument for a Do Not Track regulation. There is no way that people can cope with the endless array of tracking technologies advertisers are willing to deploy, the argument went, so the government must step in, define what it means to be “tracked,” and require it to stop—without kneecapping the free Internet. (Good luck with that!)

But Flash cookies are now quickly taking their place as a feature that users can control from the browser (or OS), customizing their experience of the Web to meet their individual privacy preferences. This is not a panacea, of course: People must still be made aware of the importance of controlling Flash cookies, as well as regular cookies. New tracking technologies will emerge, and consumer-friendly information controls meeting those challenges will be required in response.

But if this is what the drawn-out “war” against tracking technologies looks like, color me pro-war!

In a few short months, Adobe has begun work on the controls needed to put Flash cookies under peoples’ control. The Federal Trade Commission—prospective imposer of peace through complex, top-down regulation—took more than a year to produce a report querying whether a Do Not Track regulation might be a good idea. This problem will essentially be solved (and we’ll be on to the next one) before the FTC would have gotten saddled up.

Yes, Adobe may have acted because of the threat of damaging government regulation. That seems always to be what gets these companies moving. Of course it does, when the primary modus operandi of privacy advocacy is to push for government regulation. Were the privacy community to work as assiduously on boycotts as acting through intermediary government regulators, change might come even faster.

We could do without the standing army of regulators. Having a government sector powerful enough to cow the business sector is costly, both in terms of freedom and tax dollars.

With the failure of Do Not Track, the vision of a free and open Internet—populated by aware, empowered individuals—lives on.

Recent revelations about Microsoft’s internal debate over Internet Explorer’s handling of tracking cookies, as chronicled by The Wall Street Journal earlier this month, have prompted harsh criticism from self-described privacy groups, who’ve called on Congress to investigate Microsoft’s actions. But as Jim Harper pointed out in an excellent WSJ essay, Web users stand to lose a great deal if online tracking is squelched by the hand of government. Data gathering on the Internet is largely harmless, and individually targeted advertising coexists with robust privacy safeguards.

Over on AOLNews.com, my colleague Carolyn Homer discusses these privacy tradeoffs, arguing that Microsoft and other Internet firms have a strong incentive to set privacy defaults that align with their users’ preferences. She points out that most consumers are, in practice, quite willing to live with allegedly “pervasive” tracking in exchange for the enormous benefits that targeted advertising makes possible. While many surveys and polls indicate consumers are very worried about their privacy, the actual decisions that consumers make every day tell a very different story (as documented extensively by Berin Szoka). From Carolyn’s piece:

A body of research reveals a sizable disparity between how much people say they value privacy and how willing they are to actually protect it. In a 2003 Duke Law Journal article, Michael Staten and Fred Cate found that fewer than 10 percent of users exercise their right to opt out and share less. Conversely, if given the opposite choice, fewer than 10 percent of users elect to opt in and share more. The vast middle is apparently indifferent. If consumers were required to affirmatively opt in before sharing data, the Internet’s prevailing advertising-based business model would be decimated. The effectiveness of online advertising in Europe, for example, fell 65 percent after the European Union in 2002 required a blanket opt-in system. For more than a decade, the Internet has thrived on the assumption that most people believe it is a fair trade to receive free content in exchange for viewing ads. Mere advertisements shouldn’t be equated with gross privacy violations.

She goes on to discuss how privacy settings are evolving as consumer preferences adapt to new technologies and firms experiment with new ways to use and collect data. You can read the rest over at the AOL News website.

I have a piece on Internet privacy in the Wall Street Journal today. It’s one side of a “debate” on Internet privacy and tracking. I say be careful what you give up if you thwart online tracking—personalization, free content, and other goodies may go by the wayside.

My “opponent” is Nicholas Carr, whose identity and arguments I didn’t know as I wrote, nor likely did he mine. His is a good piece that lays out the many legitimate concerns with online tracking. Must be nice to be the maximal-privacy “good guy”!

For the sake of making it interesting I’ll pick out one important point that highlights the nub of the issue.

Privacy tradeoffs have always been a part of life, Carr says, “But now, thanks to the Net, we’re losing our ability to understand and control those tradeoffs—to choose, consciously and with awareness of the consequences, what information about ourselves we disclose and what we don’t.”

This sentence brought back to me a memorable moment from law school. In a seminar course, the professor called upon a fellow student who rather dopily apologized, “Sorry, I didn’t have time to do the reading.”

“In fact you did have time to do the reading,” replied the teacher, “but you just didn’t take it. Isn’t that correct?”

It was funny, if embarrassing for my colleague, and a great illustration of precision with language.

Holding to that standard of precision, I’ll disagree with Carr’s statement: The Net is not affecting our ability to understand and control privacy tradeoffs. Its development has outstripped that capacity. Developing consumers’ understanding of information flows, information uses, and consequences will position them to restore privacy.

I don’t think Carr would disagree with that sentiment in the main. Later he says, agreeably to me, “We need to take personal responsibility for the information we share whenever we log on.”

And I do think that’s the heart of the problem: “Education is the hard way, and it is the only way, to get consumers’ privacy interests balanced with their other interests.”

Today’s Washington Post has a story entitled U.S. Web-Tracking Plan Stirs Privacy Fears. It’s about the reversal of an ill-conceived policy adopted nine years ago to limit the use of cookies on federal Web sites.

In case you don’t already know this, a cookie is a short string of text that a server sends a browser when the browser accesses a Web page. Cookies allow servers to recognize returning users so they can serve up customized, relevant content, including tailored ads. Think of a cookie as an eyeball – who do you want to be able to see that you visited a Web site?

Your browser lets you control what happens with the cookies offered by the sites you visit. You can issue a blanket refusal of all cookies, you can accept all cookies, and you can decide which cookies to accept based on who is offering them. Here’s how:

• Internet Explorer: Tools > Internet Options > “Privacy” tab > “Advanced” button: Select “Override automatic cookie handling” and choose among the options, then hit “OK,” and next “Apply.”

I recommend accepting first-party cookies – offered by the sites you visit – and blocking third-party cookies – offered by the content embedded in those sites, like ad networks. (I suspect Berin disagrees!) Or ask to be prompted about third-party cookies just to see how many there are on the sites you visit. If you want to block or allow specific sites, select the “Sites” button to do so. If you selected “Prompt” in cookie handling, your choices will populate the “Sites” list.

• Firefox: Tools > Options > “Privacy” tab: In the “cookies” box, choose among the options, then hit “OK.”

I recommend checking “Accept cookies from sites” and leaving unchecked “Accept third party cookies.” Click the “Exceptions” button to give site-by-site instructions.

There are many other things you can do to protect your online privacy, of course. Because you can control cookies, a government regulation restricting cookies is needless nannying. It may marginally protect you from government tracking – they have plenty of other methods, both legitimate and illegitimate – but it won’t protect you from tracking by others, including entities who may share data with the government.

The answer to the cookie problem is personal responsibility. Did you skip over the instructions above? The nation’s cookie problem is your fault.

If society lacks awareness of cookies, Microsoft (Internet Explorer), the Mozilla Foundation (Firefox), and producers of other browsers (Apple/Safari, Google/Chrome) might consider building cookie education into new browser downloads and updates. Perhaps they should set privacy-protective defaults. That’s all up to the community of Internet users, publishers, and programmers to decide, using their influence in the marketplace. (I suspect Berin is against it!)

Artificially restricting cookies on federal Web sites needlessly hamstrings federal Web sites. When the policy was instituted it threatened to set a precedent for broader regulation of cookie use on the Web. Hopefully, the debate about whether to regulate cookies is over, but further ‘Net nannying is a constant offering of the federal government (and other elitists).

By moving away from the stultifying limitation on federal cookies, the federal government acknowledges that American grown-ups can and should look out for their own privacy.

Chris Soghoian has responded to my recent post lauding his Targeted Advertising Cookie Opt-Out (or “TACO” – documented and downloadable here). We’re agreed in the main on user empowerment. The interesting stuff is on the margin: He disagrees with me that blocking third party cookies as I do (and he does too) is a satisfactory approach to suppressing tracking by advertisers.

There are a couple of points worth making about the discussion.

The first has to do with our slightly differing objectives. Chris is deeply focused on advertisers and his dislike of being tracked by advertisers. Though it is not absolute, I have a preference against tracking by anyone other than sites that I know, like, and trust. I’m no more worried about advertisers than any entity that would track my surfing – and there are many.

Again, TLF readers, I ask you to try setting your browser to query you before setting cookies. It’s a real insight into the dozens of entities getting a look at you as you surf, including a bunch of social networks and news sites.

If “advertisers” are what you seek to harness, that seems like a group that can be captured through some kind of centralized control mechanism. (I don’t think it actually is.) But if your goal is privacy as against all comers, you don’t attempt to centrally plan or decide who is good and who is bad. Responsibility rests with the end user.

Let the goal be “advertisers,” though. And I ask: Those social networks and news aggregators – are they “advertisers”? If you’re going to require a subset of Web communicators to obey opt-out cookies, you have to be able to define that subset – a problem Chris doesn’t seem to have thought about yet.

Lots of different publishers, sites, and networks have data that is entirely fungible with the tracking data advertisers collect. What do you get if you push down on the “officially advertisers” part of the balloon? Workarounds.

But I’ve backed into the second point – the means to these ends. Chris soft-pedals how he would get at tracking, but as far as I can tell it’s a law that says “advertisers” have to obey opt-out cookies.

Unlike all of the previous anti-advertising technologies, the opt-out mechanism provides users with a way to positively affirm that they do not wish to be tracked and targeted. This opt-out cookie is something that advertisers cannot ignore.

Is it by magic that they “cannot ignore” opt-out cookies? No, it’s by law.

With the right law in place, Chris appears to believe, “[t]he Federal Trade Commission and Congress would likely take an interest” when advertisers tried to skirt opt-out cookies, using other technologies to glean information about Web surfers’ interests.

His hope is to end the “arms race” in which users have to constantly chase the shifting tactics advertisers use to track them. It’s a fair point: There is a constant, rolling change in how the Web is used by publishers, advertisers, and consumers to interact and trade the data each produces.

That is an “arms race” only if you’ve adopted the rigid, war-like stance that tracking by advertisers is inherently wrong. It’s not. Berin and Adam, who have done a lot more work than me on this lately, have done a good write-up of the subtleties. What Chris calls an “arms race” is better thought of as a constantly unfolding negotiation among all parties about the terms of the content-for-advertising bargain.

I believe, as a person who dislikes third-party cookies, that offering them to my computer in the hopes of gleaning some information is not wrong. Some people think it’s horribly wrong. Most people are indifferent.

Who’s right? Everyone and nobody. There doesn’t have to be one answer.

But should the terms of use for the Web be written by a vociferous minority (i.e. Chris) that can’t persuade the public to refuse tracking using the tools available to them? Perhaps the demand for control comes because the public won’t be persuaded.

Now that would be wrong – regulating cookies to force “protection” on a public that could seek it for itself, but won’t. That would deprive “advertisers” – we still don’t know who they are – of freedom and communications channels, it would deny publishers revenues, and it would deny consumers content they want and enjoy.

But let’s talk about arms races. Chris seeks exit from the so-called arms race on the technical and user side in favor of an arms race in the legislative and regulatory world. The law he imagines – so perfect as it resides there in his head – would have to be passed by Congress and implemented by a regulatory agency like the Federal Trade Commission.

Each of these regulatory bodies is under constant, well, “siege” by phalanxes of lobbyists, paid to advocate the views of their clients, including ” advertisers.” There is no realistic hope that Chris’ opt-out cookie law would make it through that in the form he wants. Defining what one means by “advertisers” is a gruesome task, with likely First Amendment problems. Instead of the clean bill Chris imagines, it would be perverted (from Chris’ perspective) by lobbying and special-interest influence. Remember when Congress passed a law alleging it would prevent spam?

Chris would transfer the arms race we’re in now – where consumers are in control, if apathetic – to a field where consumers are not in control and very apathetic, believing that they are protected by the government. This is the approach preferred by victims of the fatal conceit, who think that they can design society better than society can design itself. (Berin has done a terrific job of lambasting the Center for Democracy and Technology for its similarly conceited, blindly pro-regulatory armchair quarterbacking on the online advertising issue.)

Plenty of people dream about regulation that works, of course. The SEC’s failure to protect investors in the Madoff case provides one more example among many where law and regulation failed utterly to protect consumers – and by its existence encouraged their irresponsibility.

It is damaging folly to try protecting consumers from the tracking advertisers do when consumers can just as well protect themselves.

What a victory for privacy and personal responsibility is Chris Soghoian’s Targeted Advertising Cookie Opt-Out (or “TACO” – documented and downloadable here). It signals to the 27 ad networks with well-configured opt-out cookies that you don’t want them to track you.

It’s a technical solution that empowers (and places responsibility with) the user to exercise dominion over his or her personal information. No need for law and regulation. No need to go pleading to politicians and bureaucrats for help.

It’s also a little more efficient than my method of controlling tracking, which is to take a glance at cookies as Web sites ask to set them on my computer.

(The answer is usually “no,” but it’s very interesting to see who all wants to get a glance at me when I visit any site. It’s a lot more than just ad networks, btw. I have no idea why people think ad-network tracking is bad and tracking by others is a matter of indifference.)

Now, Chris and I always find something to disagree about, so for good measure I’ll note that I disagree with his goal of switching targeted advertising from opt-out to opt-in.

Cookies are the wrong mechanism for universal opt-out, he correctly notes, and an opt-out HTTP header, were one adopted, would be switched on by default, so the big players won’t go there. “The only way we will get an easy to use, built-into the browser solution,” he concludes, “will be if government regulators get involved. FTC staffers — are you listening?”

Actually, an easy to use, built-into-the-browser solution is right there. In Firefox, it’s Tools > Options > Privacy > uncheck “Accept cookies from sites” or “Accept third-party cookies” (or further define what you want done with cookies). In Internet Explorer, it’s Tools > Internet Options > Privacy > Advanced > select “Override automatic cookie handling” and define what you want done.

A lot of folks think it’s jaw-droppingly difficult to look at cookies as they’re offered. It’s not. It’s easy to give cookies a quick skim as they come in. (Sometimes exercising responsibility for yourself is difficult. Walk it off.)

Now, should everyone do as I do? No. Should everyone do a Chris wants (and be untracked unless they request it)? Also, no.

The default on the street and on the Internet is for information to be available to others. If you don’t like it, you cover up your nakedness with clothes, or you figure out how to block cookies offered by sites you don’t want a relationship with. Kudos to Chris for giving people a cloak to wear, even though he advocates that regulators should tut-tut Web site operators for using their eyes to see.

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online-and especially to defeat tracking for online behavioral advertising purposes. These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In the last installment, we covered the privacy features embedded in Microsoft’s Internet Explorer (IE) 8. This installment explores the privacy features in the Mozilla Foundation’s Firefox 3, both the current 3.0.7 version and the second beta for the next release, 3.5 (NOTE – The name for the next version of Firefox was just changed from 3.1 to 3.5 to reflect the large number of changes, but the beta is still named 3.1 Beta 2). We’ll make it clear which features are new to 3.1/3.5 and those which are shared with 3.0.7. Future installments will cover Google’s Chrome 1.0, Apple’s Safari 4, and some of the more useful privacy plug-ins for browsers . The availability and popularity of privacy plug-ins for Firefox such as AdBlock (which we discussed here), NoScript and Tor significantly augments the privacy management capabilities of Firefox beyond the capability currently baked into the browser.  In evaluating the Web browsers, we examine:

(1) cookie management; (2) private browsing; and (3) other privacy features

History of Firefox

Firefox descends from the very first graphical web browser, NCSA Mosaic. Mosaic was developed at the National Center for Supercomputing Applications in 1992. The co-author of Mosaic, Marc Andreessen, co-founded Netscape Communications and was the lead developer of Netscape Navigator, which was first released in 1994 and based in part on NCSA Mosaic code. In 1998, Netscape publicly released the source code for the latest version of its browser and created the Mozilla Organization to coordinate its development. AOL acquired Netscape Communications later that year, and when AOL scaled back its involvement with the Mozilla Organization in 2003, the Mozilla Foundation was launched to ensure the browser could survive without Netscape or AOL. The Mozilla Foundation released Firefox 1.0 on November 9, 2004. According to Net Applications, Firefox is currently the second-most popular Web browser after Internet Explorer, with 21.72% of the market in Q1 2009.

Cookie Management

To access Firefox’s basic cookie management and privacy settings, open the “Tools” menu, click “Options,” and then click on the “Privacy” tab to display the following options:

Instead of using a slider, as Internet Explorer does, Firefox gives more direct control over cookies. Users can choose to refuse all cookies, refuse all third-party cookies (see the previous post in this series for an explanation of the difference between first-party cookies and third-party cookies), and/or control when cookies expire. The “keep until” box gives three options:

(1) ” they expire” – Cookies determine their own expiration date.

(2) ” I close Firefox” – Cookies are deleted when you close the browser.

(3) ” ask me every time” – Every time a cookie is sent to the user’s computer, the user is asked if they want to “Allow” the cookie (accept it and let the cookie determine its own expiration date), “Allow for Session” (equivalent to the “I close Firefox” setting), or “Deny.” Firefox can also optionally save the user’s preference for all future cookies received from that website. The “Show Details” button allows true power users to view the contents of each cookie before making a decision, as seen here:

By clicking the “Show Cookies” button in the Privacy tab of the Options dialog box, users can view all of the cookies already saved on their computer and delete individual cookies or all cookies at once.

Finally, by clicking the “Exceptions” button in the Privacy tab of the Options dialog box, users can specify which websites are always or never allowed to set cookies.

In addition to having the option of deleting all cookies whenever the browser is closed, users can clear other types of private data when the browser is closed. The following dialog box is displayed when a user clicks on the “Settings” button in the Privacy tab of the Options dialog box.

Private Browsing

Similar to Internet Explorer 8’s “InPrivate Browsing” feature (see the previous post in this series for more information) and Chrome’s Incognito, Firefox 3.5 will include a new “Private Browsing Mode” that protects so-called “over the shoulder” privacy. To enable Private Browsing Mode, select “Private Browsing” from the Tools menu. To disable Private Browsing Mode and reload all tabs that appeared when you enabled Private Browsing Mode, just uncheck the same “Private Browsing” menu item in the Tools menu. There is a hidden way to make Firefox 3.1 Beta 2 always start in Private Browsing Mode and a plan to possibly provide an easier way to do this in the final 3.5 release, but the only obvious use for this would be on public computers (e.g., at a library or coffee shop) where it can’t be guaranteed that each user will close the browser before leaving.

Other Privacy Features

• Master Password – As more and more can be done online and more and more sites require user accounts (and passwords), having all those passwords stored in your web browser can be a security problem unto itself. Firefox allows you to view saved passwords, but it also allows you to protect all of your site-specific saved passwords with a single master password. Your saved passwords cannot be used to automatically log into websites and other individuals with access to your computer cannot view your saved passwords unless the master password is entered. Firefox also has a password quality meter to show you how secure your master password is from cracking attempts.

• Instant Web Site ID – For all websites with an Extended Validation SSL Certificate, this feature displays the website owner’s name to the left of the URL in the address bar. Clicking on the “favicon” on the left side of the address bar displays additional information about the certificate (whether an Extended Validation Certificate or regular SSL certificate) and whether the connection is SSL-encrypted. A second click displays the Page Info dialog box which reports whether you’ve previously visited the website and how many times, whether the website is storing cookies on your computer (which you can view with another click), and if there are saved passwords for the website on your computer (which you can also view with another click). From the Page Info dialog box you can also view all of the media embedded in the webpage, all of the meta tags in the HTML source code for the page, any RSS feeds on the page, and the permissions in effect for the page.

• Optional automatic phishing and malware protection – Two options in the “Security” tab of the Options dialog box, “Tell me if the site I’m visiting is a suspected attack site” and “Tell me if the site I’m visiting is a suspected forgery,” allow Firefox to automatically protect users from malware (attack sites) and phishing scams (forgery sites). When either of these options is enabled, Firefox automatically checks the URL of the page you’re visiting against a list of reported phishing and/or malware sites that it downloads in the background every 30 minutes. If you navigate to a page on one of these lists, Firefox will double-check that the URL is on the list by sending a cookie to google.com, who maintains the lists of identified malware and phishing sites used by Firefox. The anti-phishing site aspect of this feature is equivalent to Internet Explorer’s SmartScreen Filter.

Conclusion

In terms of privacy, what makes Firefox unique compared to the other popular browsers is the extensive number of add-ons (also called “plug-ins” or “extensions”) designed to protect users’ privacy. Google’s Chrome browser does not currently support third-party add-ons but plans to do so in an upcoming release. Microsoft’s Internet Explorer does support extensions, and Microsoft has a website devoted to cataloging those extensions, but offers nothing like the variety and complexity of the add-ons available for Firefox. The two most popular Firefox add-ons (in terms of total downloads; currently second and fourth most popular in terms of weekly downloads) are specifically related to privacy. Adblock Plus (ABP) uses dynamically-updated “subscriptions” to maintain a list of unwanted third-party content and automatically  block that content from being displayed or run by Firefox. ABP can block Flash code, images, external scripts, stylesheets, frames, tracking cookies, webbugs, html elements, text ads, backgrounds, and any class, id, and any other HTML or CSS tag. By default, ABP allows all such elements unless they are blocked by a filter.  NoScript, by contrast, blocks all Java, JavaScript, Flash, and other plugins unless you explicitly allow them on a particular website  either (i) temporarily for your current session (until you close the browser); (ii) or permanently for all future sessions. Thus, with these two add-ons, Firefox offers security-conscious users a much more secure (and thus private) browsing environment than currently available in other browsers. We already covered Adblock Plus in a previous installment of our Privacy Solutions Series. We plan to cover NoScript and other popular Firefox add-ons such as TorButton and FoxyProxy in future installments.

Additional Reading / Links

• Download Firefox 3.1 Beta 2
• New features in Firefox 3.1 Beta 2
• Privacy & Security add-ons for Firefox
• Wikipedia entry on Firefox

Google’s new “Interest Based Advertising” (IBA) program represents the company’s first foray into what is generally called “Online Behavioral Advertising” (OBA):  In order to deliver more relevant advertising, Google will begin tailoring ads delivered through AdSense on the Google Content Network (GCN) and YouTube.com (but not Google.com).  This tailoring will be based on a profile of each user’s interests created by tracking their browsing activity across sites that use AdSense-but not search queries or other user information.  Until now, (i) AdSense has delivered essentially “contextual” advertising by choosing which ad to display on a page based on an algorithmic analysis of keywords on that page; and (ii) Google has tracked users’ browsing only for analytics purposes-to limit the number of times a user sees a particular ad (to prevent overexposure) and to allow sequencing of ads in campaigns where one ad must follow another. 

Google is sure to be attacked for crossing a “line in the sand” drawn by some privacy advocates between contextual and behavioral advertising-even though Google’s closest competitor, Yahoo!, already offers a similar program, and the concept in general is hardly new.  Google’s position as the leading search engine and third party ad-delivery network will no doubt cause paroxysms of privacy hysteria among those who consider targeted advertising inherently invasive, unfair or manipulative.

But those whose first priority is advancing consumer privacy, not advancing a political or regulatory agenda, should applaud Google for excluding sensitive categories and for putting the new Ad Preference Manager at the core of the company’s new IBA program.  The Ad Preference Manager sets a new “gold standard” for implementing the principles of Notice and Choice, which have formed the core of both OBA industry self-regulation and the various regulatory proposals made in recent years.  Indeed, Google has done precisely what Adam Thierer and I have called for:  giving consumers more granular control over their own privacy preferences by developing better tools.

How Google’s Ad Preference Manager Works

For years, debates about how OBA should be regulated (whether by industry or by government) have revolved around two key questions: 

• Notice: How should consumers best be informed about the data that’s being collected about them, how it’s being used, by whom, and so on?
• Choice: How should consumers be given the ability to opt-out of tracking for OBA purposes?

While there are significant philosophical disagreements about some aspects of these debates-such as whether the default should be opt-in or opt-out-much of the debate has come down to questions of implementation that may seem trivial or easily-solved to lay people:  Where should notice be provided?  If notice is provided in ads themselves, what should the link say and how big should it be?  By what technological means should users be able to opt-out of tracking?  Google has provided an elegantly simple solution to these questions. 

Google provides “notice” to users in two ways:

• In the ads.  In the bottom left corner of each AdSense ad on sites in the GCN, users will see the URL for the advertiser’s website.  This is already the case for all text ads, but not for display ads.  In the bottom right corner of both display and text ads, users will see an “Ads by Google” link.  Thus, the ad itself provides the user notice of (i) who’s paying for the ad and (ii) who’s serving it. 
• In the Ad Preference Manager.  If the user clicks the “Ads by Google” link, they will see which of the ~20 categories and ~600 subcategories have been associated with the tracking cookie in their browser.  Thus, Google provides notice to the user of what’s in their so-called “digital dossier.”

Google provides “choice” to the user in two ways:

• Editing categories.  The Ad Preference manager not only shows the profile that has been algorithmically assembled of their likely interests, but it lets them decide for themselves which categories they’re really interested in.  If a user finds that they have been placed in the “Automotive > Motorcycles” category but actually owns a SUV, they could select “Automotive > Trucks & SUVs”-or no Automotive category at all.  
• A persistent opt-out.  Users can decide to opt-out completely from having their data collected for IBA purposes.  That choice will be respected in the future, and will therefore be “persistent.”

The Persistent Opt-Out Plug-in

For roughly a decade, the OBA industry has operated under a self-regulatory scheme developed by the Network Advertising Initiative (NAI).  NAI lets users opt-out of receiving ads based on OBA targeting.  But privacy advocates have objected on three grounds:

First, privacy advocates argue that it’s currently too hard for users to find the NAI opt-out tool since users don’t know which ad network is serving which ads and there’s no obvious way to get from an ad to the opt-out option.  Google moots this argument by making its opt-out easily accessible to anyone who clicks on the “Ads by Google” link that appears beneath every IBA-targeted ad.

Second and most importantly, privacy advocates decry NAI’s opt-out because it isn’t “persistent”- i.e., it requires the placement of a special “opt-out cookie” on the user’s computer, which may be inadvertently deleted when users delete all their cookies.  Indeed, many users do precisely that on a regular basis through either their browser or antivirus software-thus erasing their own opt-out choice.  Google moots this argument too:  While Google’s opt-out also relies on a special opt-out cookie, Google has created an easily installed plug-in for the two most common Web browsers, Internet Explorer and Firefox, that ensures that the opt-out cookie is automatically recreated even if a user deletes their cookies.  For the Chrome and Safari Web browsers (which do not support plug-ins), Google has outlined a simple procedure whereby users can achieve the same result.

Third, many critics worry that any cookie-based opt-out mechanism still involves sending data to ad networks that the ad networks could use to track users-despite promises in their privacy policies not to do so.  Even though the FTC can enforce such policies, it may be difficult for users to determine what the ad networks are doing with the data they receive from users that have opted out of tracking.  Although Google’s system seems to be no different in this regard from how other NAI member companies handle opt outs, truly privacy-sensitive users could easily address this concern by configuring their Web browser to not send any data to these networks and/or not allow any persistent cookies, as we’ve discussed in our Privacy Solutions Series.   

A Superior Solution to a “Do-Not-Track” Registry

The privacy advocates who lambaste the inadequacies of the NAI opt-out system have demanded the creation of a government-run “Do-Not-Track” registry loosely modeled on-but very different in practice from-the FTC’s Do-Not-Call registry, by which over 170 million Americans have opted out of receiving telemarketing calls.  Google’s Ad Preference Manager provides a better system.

First, it proves that the “persistency” problem can be solved.  In fact, since Google’s plug-in is open source, these privacy advocates may be able to use it to create a browser plug-in that works for opt-out cookies from other NAI member companies.  Indeed, given how simple Google’s plug-in is, one wonders why they didn’t do this when NAI’s Opt-Out Tool was first made available.  Perhaps the technologists at these organizations have spent a little too much time developing elaborate regulatory solutions and too little time focusing on empowering users.  Or perhaps these organizations simply decided that creating such a tool would undercut their argument that only government intervention could protect users’ privacy.  Ironically, some of the organizations pushing Do-Not-Track have joined us in emphasizing the effectiveness of user empowerment tools in other contexts-such as online child protection, where parental control software offers a more effective alternative to government regulation of Internet content that also does less to restrict constitutionally protected speech.  Even more ironically, their Do-Not-Track proposal specifically calls for the development of browser-based tools to implement the government-maintained Do-Not-Track database.  In an era when anyone can write a browser plug-in that can achieve wild popularity (such as the roughly 43 million downloads of the Firefox plug-ins AdBlock Plus and NoScript), these advocacy organizations have little excuse for not practicing what they preach. 

Second, Google has set a new standard in both Notice-by including a link to the opt-out in every ad-and Choice-by respecting user’s opt-out preferences.  Other ad networks now face intense pressure to catch up with, or outpace, Google by implementing the same kind of Notice and Choice.  Indeed, NAI will now be expected to improve its own opt-out system with a browser plug-in capable of preserving opt-out preferences for all of its members’ ad networks.  To the extent that this plug-in might work better with cooperation from the ad networks, that cooperation should now be more forthcoming than ever. 

Third, if these privacy advocates’ real objection to any cookie-based opt-out system-whether the NAI opt-out tool or Google’s plug-in-is uncertainty as to whether opt-out preferences would really be respected by ad networks that continue to collect tracking data (as discussed above), who better than Google to lead the market in setting higher standards for privacy protection?  Ultimately, these standards will be, and should be, enforced by the FTC under its existing authority to punish unfair and deceptive trade practices.

What This Episode Says About Google

Some privacy advocates will argue that Google is just too big-and therefore too “scary”-to be allowed to engage in OBA, and may try to paint Google’s entry in the OBA marketplace as a net loss to privacy, notwithstanding the extremely pro-privacy way in which Google has implemented its “IBA” service.  But if this incident demonstrates anything about Google, it’s the following:

First, it’s no accident that Google is now leading the pack of third party ad networks by developing innovative solutions that respect consumer privacy.  Unlike most third party ad networks, Google is directly focused on the demands of consumers:  In addition to the ad network they acquired from DoubleClick, of course, Google offers consumers a wide array of other online services (search, email, maps, etc.).  Because these services (and their competitors) are all free, Google has to compete in what economists call “non-price terms”-such as privacy.  So, Google has a lot to lose by alienating its users and a lot to gain by being seen as a leader in privacy protection.  Would an independent DoubleClick have taken so much care to address privacy concerns?  As the developer of a competing search engine once said about the Internet search industry, ”you earn your right to be in business every day, page view after page view, click after click.”  

Second, it’s no accident that Google was a late-comer to the OBA market, lagging behind Yahoo! in particular.  The most likely reason Google has taken its time in rolling out an OBA product is that Google is subject to a unique level of scrutiny by privacy advocates by virtue of its size.  Being the “big kid on the block,” Google has to be especially careful not to appear to be “Big Brother.”  This reputational check on Google should allay some concerns about Google’s size.

Third, this episode also demonstrates the advantages of having a player like Google large enough to be able to singlehandedly set a new paradigm in privacy protection.  Google risks alienating some advertisers and publishers with its bold empowerment of users, but was willing to take those risks because of its incentives as a consumer-facing company and able to do so because of its leadership in the marketplace.  Uncomfortable as this reality may be for those who fret about antitrust issues and indeed for Google itself, the simple reality is that sometimes it takes “big dogs” to make self-regulatory systems truly effective.  For example, the video game industry’s highly effective content rating system has worked because the titans in that field were big enough to push through a tough system and keep it working.  Similarly, Microsoft has led the way for years in empowering users by offering in Internet Explorer the most sophisticated cookie management tools available in any browser, as we’ve discussed.  In a nutshell, privacy leadership requires scale. 

Conclusion

Google’s Ad Preference Manager, with its persistent opt-out plug-in, offers precisely the kind of robust opt-out that privacy advocates have always demanded.  Google deserves a rousing “Amen!” from privacy advocates.  But those who respond to this program by insisting that “more needs to be done on how to educate people and tell them how to opt out,” are right in two senses.  First, Google has shown other ad networks how to do more to empower users.  I am confident that they will rise to that challenge by continuing to refine self-regulation through technological innovation.  Second, this is by no means the last word in privacy protection from Google, which operates in the midst of continually-evolving privacy standards.  I expect Google and competing ad networks will continue to innovate in developing technologies that empower users to manage their own privacy-and that this competitive “race to the top” will improve online privacy protection in a broader sense beyond just advertising by putting pressure on other online service providers to improve their privacy practices and policies.

But I fear that too many privacy advocates will instead see this as just another reason for the government to intervene-perhaps because of fear of Google engaging in OBA or  because they think the government, not Google, should be developing privacy solutions.  Or perhaps they think Google’s system shows that a system of government-mandated solutions really could work.  To the contrary, Google’s approach is precisely the kind of innovation that would be discouraged by pre-emptive government regulation.  Worse, those who would freeze privacy protection in place would also freeze in place much of the Internet itself, precluding development of new business models that would compete with Google, allaying concerns about competition and benefiting consumers.  Why preclude broadband providers, for example, from figuring out how to deploy ad-targeting technologies in a manner that does as much to empower users with better privacy controls as Google has-especially when this could create a new source of funding for “free” content and services and even discounts on broadband? 

I hope instead that the effectiveness of Google’s approach will shift the policy debate about protecting user privacy back to an emphasis on the layered approach Adam Thierer and I have outlined, supplementing consumer education, industry self-regulation, existing state privacy tort laws, and  FTC enforcement of corporate privacy policies with increasingly powerful technological “self-help” tools that allow privacy-wary consumers to take privacy into their own hands.

By Adam Thierer, Berin Szoka, & Adam Marcus

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online-and especially to defeat tracking for online behavioral advertising purposes.  These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In some of the upcoming installments we will be exploring the privacy controls embedded in the major web browsers consumers use today: Microsoft’s Internet Explorer (IE) 8, the Mozilla Foundation’s Firefox 3, Google’s Chrome 1.0, and Apple’s Safari 4. In evaluating these browsers, we will examine three types of privacy features:

(1) cookie management controls; (2) private browsing; and (3) other privacy features

We will first be focusing on the default features and functions embedded in the browsers. We plan to do subsequent installments on the various downloadable “add-ons” available for browsers, as we already did for AdBlock Plus in the second installment of this series.

In this installment, we’ll be taking a look at the privacy-related features in the most popular browser in use today, Microsoft’s Internet Explorer. Specifically, we’ll be examining the most recent version of the browser, IE 8, Release Candidate 1. We’ll make it clear which features are new to IE 8 and those which are shared with IE 7.

Basic Background

Microsoft’s Internet Explorer browser was launched in 1995 and quickly became America’s most popular web browser, displacing Netscape’s Navigator browser. In recent years, IE has faced new challenges from the Mozilla Foundation’s “Firefox” browser, Apple’s “Safari”, the open source “Opera” browser, and others. (For an excellent history / timeline of web browsers, click here.) Despite these new challenges, IE still commands over 70% of the browser market. Like most other web browsers, Internet Explorer is free. So too are the features we are describing here.

Before we get further in the discussion of privacy controls, it’s important for readers to understand the difference between “first-party” and “third-party” content on webpages. Many webpages today contain a combination of content from many different websites, which enables powerful “Web 2.0” functionality like an interactive Google map displayed along with an address or a “Digg This” link in a blog post. Third-party content can also be used to track users across websites and to serve up advertising. All content loaded from the same domain as is displayed in the Address bar is first-party content. All content loaded from other domains is third-party content. Internet Explorer has a “Privacy Report” function that can show you the source for all the different content elements in the current webpage. To access it, select Webpage Privacy Policy from IE7’s Page menu or IE8’s View menu.

Basic Cookie Management Controls

To access Internet Explorer’s basic cookie management and privacy settings, open the “Tools” menu, click “Internet Options,” and then click on the “Privacy” tab to display the following options:

Users can configure the slider on the upper left-hand side of the window to establish their preferred level of cookie privacy. There are 6 options on the sliding scale from which to choose. Starting from the top of the slider bar:

(1)   ” Block all cookies” — Blocks IE from receiving any new cookies and blocks websites from reading any existing cookies on your computer. (Of course, that would greatly inconvenience users that regularly access websites that require information from the user, such as a Web-based email site that requires users to log in every time they access the website.)

(2)   ” High” — Blocks all cookies from websites that do not have a P3P compact privacy policy or that have a compact privacy policy which specifies that personally-identifiable information is used without your explicit consent. Cookies already on your computer can only be read by the site that created them.

(3)   ” Medium High” — “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without explicit consent,” and “Blocks first-party cookies that save information that can be used to contact you without your implicit consent.”

(4)   ” Medium” — This setting “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without your explicit consent,” and “Restricts first-party cookies that save information that can be used to contact you without your implicit consent.”

(5)   ” Low” — This setting “Blocks third-party cookies that do not have a compact privacy policy” and “Restricts third-party cookies that save information that can be used to contact you without implicit consent.”

(6)   ” Allow all cookies” — This setting allows all cookies from any website.

A P3P compact privacy policy is a machine-readable summary of the full P3P specification, which is a standardized method for explaining a website’s privacy policy. So when IE states that it will “block[] third-party cookies that save information that can be used to contact you without your explicit consent,” it means that the cookie will be blocked unless the site has a P3P compact privacy policy that either indicates that only non-identifiable (NOI) information is collected, or that for every data collection PURPOSE and every type of RECIPIENT that the website shares collected data with, the site’s policy is that the user must opt in (“explicitly consent”) to the practice.

When the slider bar is set anywhere other than the “High” and “Low” levels, users can also click the “Sites” button and then specify different cookie security levels for individual websites. The advantage of this approach is that it lets users create their own personal “white lists” and “black lists” of sites for which they either never want cookies blocked, or for which they always want cookies blocked. This increases the privacy-configurability of the browsing experience. For example, the following screen shows two sites that have been whitelisted and two hypothetical sites that have been blacklisted.

In addition, if the user wishes to manually delete their cookies, web browsing history, form data, personal passwords, or other stored information, they can do so on the “General” tab under the “Browsing History” section. Or, in the new IE 8, they can do so under the new “Safety” drop-down menu (in the Command toolbar) under the first option, “Delete Browser History.” They can also configure IE 8 so that all of this data is deleted each time the browser is closed (essentially converting “persistent cookies” into “session cookies,” concepts Adam Marcus has explained previously). The following screen shows how this user is choosing to delete just their temporary Internet files, cookies, and browsing history. Favorite websites are websites the user has bookmarked.

Using these controls, a particularly privacy-sensitive user who only trusted two or three sites-say, their bank and their employer’s website-could allow cookies for only those sites and block cookies for all other websites. Again, this assumes that they do not mind the potential hassles associated with logging-in to many other sites each time they visit or losing custom preferences that would otherwise be stored in a cookie.

Advanced Cookie Management – “InPrivate Filtering”

Microsoft explains its InPrivate Filtering feature as follows:

Today websites increasingly pull content in from multiple sources, providing tremendous value to consumer and sites alike. Users are often not aware that some content, images, ads and analytics are being provided from third party websites or that these websites have the ability to potentially track their behavior across multiple websites. InPrivate Filtering provides users an added level of control and choice about the information that third party websites can potentially use to track browsing activity.

InPrivate Filtering is off by default and must be enabled on a per-session basis. To use this feature, select InPrivate Filtering from the Safety menu.

In “Automatically Block” mode, InPrivate Filtering will automatically block a site if IE finds that site’s content embedded in more than a user-specified number of other sites (the default is 10) visited by the user.  You can also manually control which sites are blocked, and import and export your list of white/blacklisted sites to share that list with others.

The beta version of IE8 included a subscriptions feature that would have allowed users to automatically receive updated white or blacklists from others-much like the subscription feature in AdBlock Plus that we discussed previously. However, this functionality was removed in the “Release Candidate 1” version of IE8 (released Jan. 26, 2009) for unspecified reasons.  While we recognize that not every beta feature makes it into final releases because of challenges in implementation, we very much hope Microsoft will ultimately add the subscription feature to Internet Explorer 8.  InPrivate Filtering goes a long way in empowering truly privacy-sensitive users to take more granular control over their own privacy, but a subscription feature would allow less sophisticated users to rely on groups or other individuals they trust to help them avoid specific sites according to their concerns about privacy or security.  Indeed, we hope that other browser manufacturers consider incorporating such tools into their browsers.  Perhaps the privacy advocates who currently focus on inventing one-size-fits-all regulatory or legislative solutions could channel their enthusiasm about user privacy into actually developing whitelists and blacklists.

Private Browsing

Another new privacy-related feature in Internet Explorer 8 is called InPrivate Browsing mode (akin to “Incognito” mode in Chrome), which protects so-called “over the shoulder” privacy, although that’s a somewhat misleading term. By not saving any record of your web browsing while InPrivate Browsing mode is turned on, this feature ensures that others with access to your computer will not know what websites you have accessed. Some people like being able to refer to their browser history and don’t want to delete all of their cookies, but want to hide all traces of some of their browsing activities-such as shopping online for a surprise gift, searching for information about a medical condition you don’t want to disclose and, most obviously, enjoying pornography).

When the InPrivate Browsing mode is enabled, none of the varieties of “browsing history” data is saved-but none of your previous history is deleted, either. This comes in handy because, if someone with direct access to your computer is monitoring your browser history to see what you’ve been up to, deleting all of your browsing history would suggest that you’ve been doing something you wanted to hide. But InPrivate Browsing mode allows you to surf anonymously when desired-without making it obvious that you’re doing so. Parents who are concerned about their kids using the InPrivate Browsing mode can use the parental controls in Windows Vista to disable it. But there does not appear to be a way to disable InPrivate Browsing on Windows XP.

Below is a screenshot of the InPrivate Browsing mode-which, again, can be enabled by clicking on the new “Safety” drop-down menu in IE 8 and selecting “InPrivate Browsing.”

While InPrivate Browsing is active, the following takes place:

• New cookies are not stored:
  • All new cookies become “session” cookies
  • Existing cookies can still be read
  • The new DOM storage feature behaves the same way
  • New entries will not be saved to the browsing history
• New temporary Internet files will be deleted when the Private Browsing window is closed
• The following data will not be stored:
  • Form data
  • Passwords
  • Addresses typed into the address bar
  • Queries entered into the search box
  • Visited links

Other Privacy Features

• SmartScreen Filter – Called “Phishing filter” in IE 7, this feature monitors and blocks links to malicious downloads. In IE 8, it also monitors links distributed via email and instant messaging (assuming IE is the default Web browser).
• Cross Site Scripting (XSS) filter – Cross-site scripting attacks allow hackers to “inject” malicious scripts into trusted websites, which can then steal the account credentials of users who access these websites. XSS attacks are dangerous because everything looks fine to users and the attackers can gain almost complete access to users’ computers. The XSS filter in IE constantly scans the data received from websites to determine if there is a likely XSS attack and re-writes the data to neutralize the attack.
• ActiveX Opt-In – By default, ActiveX Opt-In disables most ActiveX controls. When a Web page tries to run an ActiveX control, the following text is displayed in an Information Bar: “This website wants to run the following add-on ‘ABC Control’ from ‘XYZ Publisher.’ If you trust the website and the add-on and want to allow it to run, click here …” The user can then choose whether or not to run the ActiveX control.
• Per-Site ActiveX – If a website tries to access an installed ActiveX control that is not permitted to run on the website, this new feature in IE 8 gives the user the option of blocking the attempt, allowing the ActiveX control for the current site, or to allow all websites to access the ActiveX control.
• Domain Highlighting – The domain name of the site you’re viewing is highlighted in the address bar. By making it clearer to the user which website they’re accessing, this feature serves to protect users against phishing attacks from domain names that look like trusted domain names (e.g., www.paypal.com.hax0r.net, which is not PayPal’s actual website).

Additional Reading / Links

• Download Internet Explorer 8
• IEBlog: IE8 and Privacy
• IEBlog: Privacy Beyond Blocking Cookies: Bringing Awareness to Third-Party Cookies
• Jesse Ruderman’s blog post on new security features in IE 8 – Has links to the first five IEBlog posts about new security features in IE 8.
• Wikipedia entry on Internet Explorer

As a means of introducing myself to TLF readers, this is an article that I wrote for the PFF blog in September that has not been previously mentioned on the TLF. Most of my other PFF blog posts have been cross-posted by Adam Thierer or Berin Szoka, but I’ve taken ownership of those posts so they appear on my TLF author page.

This is the first in a series of articles that will focus directly on technology instead of technology policy. With an average age of 57, most members of Congress were at least 30 when the IBM PC was introduced in 1981. So it is not surprising that lawmakers have difficulty with cutting-edge technology. The goal of this series is to provide a solid technical foundation for the policy debates that new technologies often trigger. No prior knowledge of the technologies involved is assumed, but no insult to the reader’s intelligence is intended.

This article focuses on cookies–not the cookies you eat, but the cookies associated with browsing the World Wide Web. There has been public concern over the privacy implications of cookies since they were first developed. But to understand them , you must know a bit of history.

According to Tim Berners Lee, the creator of the World Wide Web, “[g]etting people to put data on the Web often was a question of getting them to change perspective, from thinking of the user’s access to it not as interaction with, say, an online library system, but as navigation th[r]ough a set of virtual pages in some abstract space. In this concept, users could bookmark any place and return to it, and could make links into any place from another document. This would give a feeling of persistence, of an ongoing existence, to each page.”[1. Tim Berners-Lee, Weaving The Web: The Original Design and Ultimate Destiny of the World Wide Web. p. 37. Harper Business (2000).] The Web has changed quite a bit since the early 1990s.

Today, websites are much more dynamic and interactive, with every page being customized for each user. Such customization could include automatically selecting the appropriate language for the user based on where they’re located, displaying only content that has been added since the last time the user visited the site, remembering a user who wants to stay logged into a site from a particular computer, or keeping track of items in a virtual shopping cart. These features are simply not possible without the ability for a website to distinguish one user from another and to remember a user as they navigate from one page to another. Today, in the Web 2.0 era, instead of Web pages having persistence (as Berners-Lee described), we have dynamic pages and “user-persistence.”

This paper describes the various methods websites can use to enable user-persistence and how this affects user privacy. But the first thing the reader must realize is that the Web was not initially designed to be interactive; indeed, as the quote above shows, the goal was the exact opposite. Yet interactivity is critical to many of the things we all take for granted about web content and services today.

Stateful Sessions

On the original World Wide Web designed by Berners-Lee (Web 1.0), Web servers responded to each client request without relating that request to previous requests. There was no need to remember what other pages the user had requested because the requests were for static pages. But if you’ve used a Web-based email system like Gmail, Hotmail, Yahoo! Mail, etc., you know that once you log in, the service remembers who you are as you click from message to message. When a website can keep track of a user as they move from page to page within a site it is called a “stateful session.” The website doesn’t necessarily need to know anything about the user, it just needs to be able to distinguish that particular user from all other users. For example, if you go to an online store and place a few items in your virtual shopping cart, the site still does not know your name, email address, or billing information. But it does know what you’ve placed in your cart–or more precisely, it knows what someone using your browser has placed placed in a particular cart. If you leave the site before buying anything and then go back an hour later, it’s possible that the site will have completely forgotten about you. In that case, the unique identifier persists during your “session” on the site, but it doesn’t persist between sessions.

URLs and HTTP Requests

Web 1.0 sites achieve Web page persistence by having a unique address or Uniform Resource Locator (URL) for each Web page, which is displayed in the address bar at the top of your browser as you browse the web. For example, http://www.pff.org/about/ is a simple URL pointing to a specific Web page. Every user that visits the PFF site at www.pff.org and clicks on the “About” link will be taken to the exact same page.

URLs can also store information about the user. For example, if you search for “test” on Google, the URL of the resulting page may look like the following: http://www.google.com/search?q=test&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a.[2. http://googlesystem.blogspot.com/2006/07/meaning-of-parameters-in-google-query.html] The URL contains a number of different pieces of data, separated by ampersands. There is the search query (“q=test”), the character encoding of the input (“ie=utf-8”), the character encoding of the output (“oe=utf-8”), the type and language of the client (“rls=org.mozilla:en-US:official”), and the Web browser used (“client=firefox-a”). None of this information can be used to uniquely identify the user, but this basic example illustrates how URLs can be used to specify more than simply static Web pages–and how some information can be remembered as a user navigates a website even without using cookies. Knowing how this works, you can create your own advanced searches or change the way the results are formatted (e.g., changing the language).

So how did Google know I speak English and use Firefox? That information is included in the HTTP request that my Web browser sends to the Google Web server when it requests a page. HTTP requests specify (among a few other more technical things) the desired language and a “User-Agent” field that includes the name of the browser and sometimes your operating system. This information allows websites to customize their content for different Web browsers (e.g., to ensure that it displays properly). HTTP requests also include your IP address so the Web server knows where to send its response, and geotagging allows Web servers to associate an IP address with a geographic area (though the area is rarely more accurate than the country or state). HTTP requests can also contain HTTP cookies.

HTTP Cookies

URLs can be used to uniquely identify individual users and allow stateful sessions, but unless a user bookmarks the URL containing their unique identifier, there is no way for the site to associate the same unique identifier with the same user on subsequent visits. Another option is to have users create an account and then log in each time they access the site. The website could then include the user’s unique ID in the URL on subsequent pages, so that the user only needs to log in once per session. Having to bookmark or create an account on every site you want to remember you would quickly become unmanageable. It would be nice if mapping and weather websites, for example, just remembered your location. It would be nice if the blogs you follow remembered what post you last read and displayed only unread posts when you next visit their site. What was needed at this point in the Web’s evolution was a way for websites to automatically store a unique identifier on the user’s computer and send it back to the website automatically[3. A site could also try to uniquely identify users by the IP address of their computer, but this is unreliable as there can be many computers behind a firewall sharing a single IP address.]—which is precisely what a cookie does.

To quote Wikipedia,

“HTTP cookies, or more commonly referred to as Web cookies, tracking cookies or just cookies, are parcels of text sent by a server to a Web client (usually a browser) and then sent back unchanged by the client each time it accesses that server. HTTP cookies are used for authenticating, session tracking (state maintenance), and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts.”

A cookie can contain one or more pieces of data, a description and/or URL for an online description of the cookie, how long the Web browser should store the cookie, and the domain, path, and port that the cookie should be limited to. Cookies can be set to expire after a specified interval, or can be “session cookies” that will expire when the Web browser is closed. When a cookie expires, it is deleted by the Web browser. Unexpired cookies are automatically sent back to the originating Web server when the Web browser makes any subsequent requests to the same server (the same domain, path, and port).

Neither Web servers nor Web browsers are required to support cookies, but a server may refuse to work with a Web browser that does not return the cookie(s) it sends. Cookies do not contain any executable code and are extremely small in size. They only contain data sent by the website and the data is not changed by the client computer, so there generally should be no privacy concerns about sending a cookie back to the website that created it (“First-party cookies”).

First-Party and Third-Party Cookies

Cookies are normally only sent to the server setting them or a server in the same domain ( e.g., a cookie set by mail.google.com could be shared with calendar.google.com). These are called first-party cookies because they’re set by the site displayed in the address bar of the Web browser. These cookies are typically used to tailor the website for the user. Third-party cookies, on the other hand, are typically used by advertising networks to track users across multiple Web sites where the networks have placed advertising–which allows the advertising network to target subsequent advertisements to the user’s presumed interests and also to limit the number of times a user is shown a particular ad. This targeting allows the delivery of “smarter” advertising that is less annoying and more informative to the user–and therefore more valuable to the advertiser, who will be willing to pay websites more for their ad space. However, this targeting also raises privacy concerns.

It is trivial for a Web page to contain images or other components stored on servers in other domains (“third-party elements”). In fact, it is often easier to link to an image already hosted online elsewhere than it is to host an image on your own Website.

Examples:

• Typical first-party embedded image:
• Typical third-party embedded image:

Whenever a Web browser loads a Web page or component of a Web page, it will include in its request for that component any cookies already stored on the user’s computer that are associated with the domain hosting the content. The Web server, in turn, can send a cookie or update a cookie already existing on the user’s computer.

Although your Web browser will not send a third-party cookie to the first-party Web server (and it won’t send a first-party cookie to the third-party Web server), the first-party Web server can send information to the third-party Web server by embedding it in the URL for the third-party content. The most common form of this communication between the sites you visit and the sites they rely on for content or ads is called a “web bug”–a small (usually 1 pixel by 1 pixel) graphic not meant to be noticed by the user. Its purpose is to cause the user’s Web browser to load the third-party embedded content from the external Web server, which will allow the third party (usually an advertising network) to track the user.

• Example third-party embedded web bug:

While this all may seem scary and invasive,the fact that a website or ad network can uniquely identify your browser does not mean that they have any clue who you are. Even if you provide your name, email address, or other personally-identifiable information to the first-party Web site, most sites’ privacy policies state that they will not share this information with their advertising partners. To use a real-world analogy, third-party advertising is equivalent to a marketer in a mall watching you come out of a music store and then offering you a flyer for a concert: The marketer may know that you’re interested in music (because you were shopping at the music store), but they have no idea who you are. And as my colleagues Adam Thierer and Berin Szoka explained in their post on Adblock Plus, websites (especially smaller independent websites) depend on advertising as a source of revenue and to cover their overhead costs.

Alternatives to Cookies

Cookies are not the only way websites can do stateful sessions. As has already been mentioned, Websites can put unique identifiers in URLs. But custom URLs don’t last between sessions. Websites that need to remember users ( e.g., websites that charge a fee for access) can require users to create an account and log into the site every time they use it.

But most websites do not require users to create an account and log in every time. And more and more users are configuring their Web browsers to delete all cookies when they close the browser. In response, Web site operators have found other methods to uniquely identify users by storing a unique identifier on users’ computers.

The cookie alternatives listed below are not any more or less invasive of privacy than cookies if the user is aware of them and manages them the same way they manage cookies. But most Web browsers don’t give users the same amount of control over cookie alternatives that they do over cookies, and few users know about these alternatives.

Per-session cookie alternatives – These cookie alternatives are not saved to disk and thus are not accessible after you close your Web browser.

• Hidden form fields – Web pages can contain hidden Web forms that submit data back to the Web server when an on-screen button is pressed. This method is quite limited because it requires the user to click a specific button, and there is no method for saving data after you’ve navigated away from the site. Beyond these limitations, the only way to detect hidden form fields is to inspect the HTML code for a page. There is also no easy way to block hidden form fields.
• window.name – JavaScript embedded in a Web page can set or read the this internal value that’s not really used for anything else. The value can be up to 32 megabytes in size and once set a value can be accessed by any Web site. Although the only way to detect this is to inspect the HTML code for a page, you can disable JavaScript.

Persistent cookie alternatives – These cookie alternatives are like cookies in that they are saved on your computer and can be accessed even after you’ve closed your Web browser.

• Flash Cookies – Also known as Local Shared Objects, Flash cookies require Adobe Flash to be installed on your computer. Whereas HTTP cookies are limited to 4 kilobytes, Flash cookies can contain up to 100 kilobytes by default and can contain an unlimited amount of data if the user desires. To view and delete the Flash cookies stored on your computer, go to this page (although accessed via a Web page, the Flash cookies shown are stored on your computer). You can also permanently disable Flash cookies on that page.
• DOM Storage – DOM storage was designed specifically to allow Web 2.0 applications to work offline, saving data locally when they are unable to access the host website and to save data that would otherwise be lost if a page is accidentally reloaded. DOM storage is currently only implemented in Firefox (and Internet Explorer 8 Beta). If cookies are disabled, DOM storage is also disabled. Users can also manually disable DOM storage even when cookies are enabled.
• userData behavior – The userData behavior does for Internet Explorer what DOM storage does for Firefox. Each “document” is limited to 128 kilobytes of storage, with a per-domain limit of 1024 kilobytes. The data is stored in Internet Explorer’s cache and are deleted when you delete cookies using the Delete Browsing History dialog box.

Conclusion

This article should give you a better sense of what cookies are used for and how they work. You should now see that per-session cookies and cookie alternatives are completely harmless. Persistent cookies (and cookie alternatives) can make your Web browsing a bit easier, but deleting them will not (in most cases) cause any problems. If you are concerned about your privacy, you will need to do a bit more than just delete cookies–you also need to delete or disable the above-mentioned cookie alternatives.

Chris Soghoian called out a problem and now takes credit for a fix to the way the Whitehouse.gov Web site delivered third-party cookies – specifically YouTube cookies.

The use of YouTube videos on the President’s site is a Web 2.0-ish improvement, which is welcome, but embedding videos meant that YouTube was placing cookies on the computers of visitors to Whitehouse.gov and – as a natural result – collecting records of people’s visits to that site.

Things got weird when the Whitehouse.gov privacy policy exempted YouTube cookies from the general ban on persistent cookies on federal Web sites.

For videos that are visible on WhiteHouse.gov, a ‘persistent cookie’ is set by third party providers when you click to play a video. . . . This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel’s office to allow for the use of this persistent cookie.

A government entity should not show preference for a particular service provider in a policy like this and the White House should either exempted third-party cookies generally, or not at all.

The federal government’s June, 1999 policy on cookies (formerly found here, but apparently moved) reflects June, 1999 thinking about cookies – as sinister and dastardly. It was a little silly back then, and is more so today.

And that’s the one small difference I have with the way Chris characterizes the problem. He says, “the decision to embed YouTube videos . . . also enabled the Google owned video sharing site to sneakily collect data on the millions of people who visit whitehouse.gov.”

Cookies aren’t sneaky. First- and third-party cookies are placed by more sites than not, and they exist in droves. They are used for tracking, recordkeeping, and customer service functions of various kinds. To someone who knows how the Internet and browsers work, they’re anything but sneaky. They’re integral.

I agree that Whitehouse.gov policy and practice were out of step with one another, and exempting YouTube from the policy was not a good fix. But Web sites using cookies to gather information online is about as sneaky as humans using eyeballs to gather information on the street. As with controlling what you reveal when you walk down the street, the onus should be on Internet users to be aware of cookies, their purpose and function, and how to control them.

I, for one, ask my browser to prompt me about first- and third-party cookies, refusing most of them. (It’s quite easy once you’re in the habit.) User education and personal responsibility are the solutions to the cookie “problem.” That’s not easy – it’ll take one generation – but the result will be much better than chasing Web site after Web site trying to insulate a supine user community from their own profligacy with information.

The Progress & Freedom Foundation has just launched the new Center for Internet Freedom.  CIF offers an alternative to the proliferation of advocacy groups calling for government intervention online by offering timely analyses and critiques of proposals that diminish the vital role of free markets, free speech and property rights.  We aim to drive the Internet policy debate in new directions by emphasizing a layered approach of technological innovation, user education, user self-help, industry self-regulation, and the enforcement of existing laws consistent with the First Amendment.  Such an approach is a less restrictive—and generally more effective—alternative to increased regulation.  

Here are some of the issues I’ll be working on as CIF’s Director in conjunction with my esteemed colleagues Adam Thierer, Adam Marcus, and adjunct fellows: 

• Defending online advertising as the lifeblood of online content & services, especially in the “Long Tail”;
• Emphasizing market solutions to problems of privacy protection, especially regarding the use of cookies and packet inspection data;
• Protecting online speech and expression both in the U.S. and abroad;
• Defending Section 230 immunity for Internet intermediaries;
• Opposing online taxation and legal barriers to e-commerce and digital payments, especially at the state and local levels; and
• Ensuring that Internet governance remains transparent and accountable without hampering the evolution of the Internet.

By Berin Szoka & Adam Thierer Progress Snapshot 4.19 (PDF)

Since the fall of 2008, a debate has raged in Washington over “targeted online advertising,” an ominous-sounding shorthand for the customization of Internet ads to match the interests of users.  Not only are these ads more relevant and therefore less annoying to Internet users than untargeted ads, they are more cost-effective to advertisers and more profitable to websites that sell ad space.  While such “smarter” online advertising scares some—prompting comparisons to a corporate “Big Brother” spying on Internet users—it is also expected to fuel the rapid growth of Internet advertising revenues from $21.7 billion in 2007 to $50.3 billion in 2011-an annual growth rate of more than 24%. Since this growing revenue stream ultimately funds the free content and services that Internet users increasingly take for granted, policymakers should think very carefully about what’s really best for consumers before rushing to regulate an industry that has thrived for over a decade under a layered approach that combines technological “self-help” by privacy-wary consumers, consumer education, industry self-regulation, existing state privacy tort laws, and Federal Trade Commission (FTC) enforcement of corporate privacy policies.

In an upcoming PFF Special Report, we will address the many technical, economic, and legal aspects of this complicated policy issue-especially the possibility that regulation may unintentionally thwart market responses to the growing phenomenon of users blocking online ads.

We will also issue a three-part challenge to those who call for regulation of online advertising practices:

1. Identify the harm or market failure that requires government intervention.
2. Prove that there is no less restrictive alternative to regulation.
3. Explain how the benefits of regulation outweigh its costs.

The Online Advertising Market

While there are other forms of targeted advertising based on who you are (“demographic”) or where you are (“locational”), the most important varieties are based on what you’re searching for, seeing or doing online at any particular moment (“contextual”) and the pattern of what you’re searching for, seeing or doing over time (“behavioral”). The bulk of Internet advertising falls into one or both of these last two categories, with behavioral advertising growing rapidly.

Search engines deliver contextual ads on search results pages based on the search keywords entered by a user, while third-party advertising networks (some of which also run search engines) deliver contextual ads on behalf of website operators who sell ad space to the network, with the ads displayed on each page chosen according to keywords on that page. Contextual advertising is far “smarter” than displaying the same “dumb” untargeted banner ads to every user, because the contextual ad uses keywords to “guess” what the user is interested in based on the context of each page. But the purely contextual ad network doesn’t “remember” what the user has looked at in the past, so its insights into what the user would find relevant are very limited, especially for some websites. Online behavioral advertising (OBA) solves this problem and increases the value of advertising space on all websites by targeting ads based on a “profile” of the user created by tracking websites the user has visited—as well as limiting the number of times a user is shown a particular ad.

The Perceived Harm Driving Calls for Regulation

For a decade, the basic technology behind OBA has changed little: When a user visits the typical webpage, they download not only the webpage contents but also a small piece of code that allows the website to distinguish that user’s browser from other browsers (a “cookie”)—without personally identifying the user. Some cookies are required to make sites work properly (“site cookies”) while others (“tracking cookies”) are used by the third party ad network in which that site participates to recognize that browser across multiple sites participating in the ad network, and thus create a “profile” of what the user might be interested in. Even though such profiles themselves are anonymous, many privacy advocates have pointed to four reasons why online profiling is becoming “too invasive:” (i) It is sometimes possible to infer the actual identity of the user; (ii) though all browsers allow users to opt-out of tracking by “cleaning out” their tracking cookies, a website may be able to restore deleted tracking cookies through the use of cookie alternatives such as “Flash cookies”; (iii) certain vulnerabilities in current browser design make it theoretically possible to “sniff” a user’s browsing history, cache or bookmarks; and (iv) the use of “packet inspection” by Internet Service Providers (ISPs) (instead of the use of cookies) to track online browsing amounts to illegal wiretapping.

The other concerns expressed by the advocates of regulation vary significantly. Some fear that browsing profiles could be captured by hackers, somehow associated with personally identifying information, and used for identity theft. These advocates demand limits on data retention as well as data security mandates. Others demand that users have access to their own profiles—a goal inherently in tension with data security. Most share a vague queasiness about “being tracked” and about advertising in general, while downplaying the effectiveness of self-regulation or user self-help.

Perhaps most legitimately, others fear that the real “Big Brother”—the government—will gain access to a “honeypot” of surveillance data that might be associated with individual users. A variety of other solutions have been proposed to what is, for the most part, a poorly defined problem, including a government-run “Do Not Track” registry to make it easier for users to block tracking cookies; mandating opt-in for some or all forms of profiling; and banning completely the collection of tracking data about sensitive subjects, cross-referencing of data sets, and use of packet inspection data for OBA.

The Less Restrictive Means: A Layered Approach

But how should policymakers decide which, if any, of these interventions are really necessary–or would even be effective? Ironically, those who demand immediate OBA regulation to protect user privacy are often the first to insist on less burdensome approaches whenever a policy “problem” involves purely non-commercial speech. For example, emphasizing personal and parental responsibility is often favored as the more sensible approach to dealing with free speech and child protection concerns. But, as Chapman University Law Professor Tom Bell has asked, why not apply the same standard across the board? Why not expect those especially privacy-sensitive users who object to OBA to do something about it? To the extent effective self-help privacy tools exist, they provide a means of solving policy problems that is not only “less restrictive” than government regulation but generally more effective and customizable as well. Why settle for one-size-fits-all solutions of incomplete effectiveness when users can quite easily and effectively manage their own privacy? Indeed, those who advocate personal responsibility and industry self-regulatory approaches to free speech and child protection issues should be advancing the same position with regards to privacy.

Fortunately, a wide variety of self-help tools and “technologies of evasion” are readily available to all users and can easily thwart traditional cookie-based tracking, as well as more sophisticated tracking technologies such as packet inspection. While cookie management tools that allow users to delete their cookies have been standard in browsers for some time, the latest generation of browsers incorporates far more advanced control over what kind of cookies browsers will accept from websites in the first place. Furthermore,  the extensible nature of modern browsers allows any freelance software developer who sees a way to improve a browser to do so by writing an add-on that “plugs in” to the browser using standard programming interfaces designed by each browser developer.  Many such add-ons are wildly popular, but even those users who never install a single one benefit from the acceleration of browser evolution made possible by add-ons.  We will be documenting examples of these tools in our upcoming Special Report and in an ongoing  series of blog essays.

The Benefits of Smarter Advertising

The “free” Internet economy is based on a simple value exchange: Users get access to an ever-expanding collection of content and services at no cost from websites that are able to generate revenue from “eyeballs” on their pages by selling space on their sites to advertisers, usually through ad networks. The smarter that advertising, the more free content and services it can support. This is the same value exchange that has supported free, over-the-air television and radio content for decades. The only difference is technological: Because websites can connect directly with the user, they need not rely on crude profiling tools such as Nielsen ratings.

There are larger economic benefits of smarter online advertising. First, it makes the overall economy more open and competitive by allowing small market entrants to reach consumers with messages about their products. Second, those who attack the use of packet inspection by ISPs for OBA fail to see that it is precisely the kind of “game-changer” that could disrupt Google’s currently dominant market position. Third, the involvement of ISPs in OBA could help defer broadband costs: Even if OBA revenue does not completely subsidize monthly service costs, smarter advertising could at least keep prices in check and potentially lower them significantly going forward.

But smarter advertising isn’t just about selling products or services. It is ultimately about making all kinds of speech more cost-effective. The ability to “target” listeners more narrowly also increases the ability of political and other not-for-profit speakers to communicate their messages. In short, smarter advertising means more voices, more choices, and more speech. The line between “advertising” and “content” is already blurring rapidly, as the technologies used to customize advertising are also used to customize webpages and ad networks themselves are used to deliver content.

The Larger Implications of Potential Regulation

As if reducing the advertising revenue generated by each web ad didn’t do enough to reduce the total amount of funding for free web content and services, government regulation of targeted online advertising could reduce advertising revenues even further by aggravating the problem of adblocking in two ways. First, the less relevant ads are, the more annoying users will find them, and the more likely users are to try to block them. Increased relevance is perhaps the most important remedy for adblocking and the best way to maintain the implicit value exchange that currently supports free Internet content and services

Second, regulation could short-circuit the eternal battle of technological one-upmanship between online advertisers and those users who rely on the technologies of evasion to “opt-out” of seeing ads or being tracked. Such privacy-conscious users are “free-riding” off of those users who don’t opt-out, since (at present) they generally don’t lose access to the free content and services supported by the targeted advertisements that other users do see. The user who blocks tracking, but not ads, is still free-riding off those users who don’t opt-out of tracking. On a large enough scale, such self-help has the potential to disrupt the value exchange of the Internet, just as automatic commercial-skipping has already disrupted the value exchange of television. As with all “Spy v. Spy” battles, this long-term trend is inevitable: As more sophisticated technologies of evasion are incorporated seamlessly into browsers and can be used without significantly degrading the browsing experience, their use will become increasingly mainstream. But ultimately, just as with television commercial-skipping, market forces can and will, if permitted, respond through technological means and the development of new business models. Today’s implicit quid pro quo may become, of necessity, explicit: Websites and ad networks will have to find increasingly creative ways to grant access to certain content and services for users who do not block ads or the tracking that makes ad space more valuable. Policymakers should take care not to ban such technologies or cripple such business models (e.g., through requiring opt-in), which may rely on more sophisticated forms of targeting such as the use of packet inspection data.

As users face an increasingly clear choice between (i) getting content and services for free supported by behavioral advertising and (ii) paying to receive those same services and content without tracking or even without ads altogether, policymakers will finally see whether users are really as bothered by profiling as the advocates of OBA regulation insist. Given the ongoing and widespread replacement of fee- or subscription-supported web business models with ad-supported models, it seems likely that the vast majority of consumers will continue to choose ad-supported models, including profiling.

Conclusion

The questions raised above—about the harm that supposedly requires intervention, the availability of less restrictive means, and the cost/benefit analysis of regulation—are vital considerations for the future of the Internet. Indeed, if smarter online advertising will not fund the Internet’s future, what will? As both the desire for “free” services and content and the need for bandwidth expand, OBA has the potential to offer important new revenue sources that can help support the entire ecosystem of online content creation and service innovation, while also providing a new source of funding for Internet infrastructure and making ads less annoying and more informative. That would certainly seem preferable to increased user fees or other “pay-per-view” pricing models for Internet content and services.

But looming legislative and regulatory action could stop all of that by replacing the current regime—in which the FTC merely enforces industry self-regulatory policies—with one in which the government preemptively dictates how data may be collected and used. The more enlightened approach is a “layered” approach to privacy protection that combines industry self-regulation, enforcement of industry-established privacy policies, consumer education, and user “self-help” solutions. These and other issues will be addressed in greater detail in our upcoming PFF Special Report.

By Adam Thierer & Berin Szoka

The goal of our “Privacy Solution Series,” as we noted in the first installment, is to detail the many “technologies of evasion” (i.e., user-empowerment or user “self-help” tools) that allow web surfers to better protect their privacy online—and especially to defeat tracking for online behavioral advertising purposes.  These tools and methods form an important part of a layered approach that, in our view, provides an effective alternative to government-mandated regulation of online privacy.

In this second installment in this series, we will highlight Adblock Plus (ABP), a free downloadable extension for the Firefox web browser (as well as for the Flock browser, though we focus on the Firefox version here).

Purpose: The primary purpose of Adblock Plus is to block online ads from being downloaded and displayed on a user’s screen as they browse the Web.  In a broad sense, this functionality might be considered a “privacy” tool by those who consider it an intrusion upon, or violation of, their “privacy” to be “subjected” to seeing advertisements as they browse the web.  But if one thinks of privacy in terms of what others know about you, Adblocking is not so much about “privacy” as about user annoyance (measured in terms of distracting images cluttering webpages or simply in terms of long download times for webpages).  In this sense, ABP may not qualify as a “technology of evasion,” strictly speaking.  But, as explained below the fold, ABP does allow its users to “evade” some forms of online tracking by blocking the receipt of some, but not all, tracking cookies.

Cost: Like almost all other Firefox add-ons, both the ABP extensions and the filter subscriptions on which it relies (as described below) are free.

Popularity / Adoption: While there are a wide variety of ad-blocking tools available, Adblock Plus is far and away the leader.  ABP has proven enormously popular since its release in November 2005 as the successor to Adblock, which was first developed in 2002 and reached over 10,000,000 downloads before being abandoned by its developer and even today garners nearly 40,000 downloads a week.  This history of Adblock provides further details.

ABP was named one the 100 best products of 2007 by PC World magazine and is now the #1 most downloaded add-on for Firefox with over 500,000 weekly downloads, up significantly for just a few months.  In a blog post last month, ABP creator Wladimir Palant estimated that “no more than 5% of Firefox users have Adblock Plus installed,” but that percentage is bound to grow larger as more people discover Adblock.  As one indicator of ABP’s popularity, the number of Google searches for “Adblock” has nearly eclipsed the number of searches for “identity theft,” which seems like a far more serious concern than having to look at web ads.

Of course, not every Firefox user would chose to use Adblock even if they were aware of it.  For example, one of us (Berin) finds it indispensable and leaves it on all the time.  The other (Adam) almost never turns it on, preferring to see what sort of ads are being served on each page he visits.  For those users primarily concerned with having their browsing tracked, there are other tools more effective than ABP for that purpose, as future entries in this series will describe.

This raises a point we make in our upcoming paper on online advertising and privacy:  Internet users all have different preferences and sensitivities when it comes to ads and online privacy.   Some of us find ads annoying, intrusive, and potentially privacy-violating.  Others of us just don’t care or even find some informational benefit in seeing them—especially when they are tailored to our particular interests.  Fortunately, tools like Adblock Plus let us each decide for ourselves what sort of browsing experience and privacy protections to use—rather than relying on the heavy, clumsy hand of Big Government to impose sweeping regulations that make a one-size-fits-all determination for everyone.

How Adblock Plus Works: Adblock Plus on its own offers nothing more than the capability to filter certain elements (images, external scrips, frames, Flash, etc.) sent to the user’s computer when they attempt to download the contents of a webpage.  Unbeknownst to many users, the HTML code of most webpages includes instructions to download images and other content (such as ads) stored on that website or on third party sites.  ABP does not recognize ad images as such, so it cannot automatically distinguish ads from non-ad content.  Instead, ABP relies on a blacklist of terms that the keeper of the list has determined correspond to parts of a URL used to load ads.  The following screenshot illustrates how ABP works:

The user here (Berin) subscribed to EasyList USA, the most commonly-used U.S. “filter” (blacklist + whitelist) when he first installed AdBlock.  (Additional filter subscriptions are available here.)  The “filter rules” are ranked by “Hits” or number of ads blocked since the filter was installed (in May 2008).  Shown here are only the top examples of effective filters, such as any URL that begins with “http://ad.” or contains “/ads/”.  Also shown here are three custom ad filters created by Berin.  This clip (click on “Show me how this is done”) illustrates how users can block images to create their own custom ad filter.  Last, the green text is just the most commonly-applied filter rule contained in EasyList’s white list of terms that should not be blocked, trumping black list filters.  For example, htttp://wikimedia.org/wikipedia/ads/… would normally be blocked because of the “/ads/” filter rule in the blacklist, but the green white list filter rule in our example trumps that rule to make sure that all URLs containing “htttp://*.wikimedia.org/wikipedia” (where * is a wild card operator) will not be blocked.

As mentioned above, ABP can block the downloading of some tracking cookies by preventing the user’s computer from attempting to download an element (usually an image) associated with that cookie—called “web bugs” or “web beacons.”  As Wikipedia explains:

Originally, a Web bug was a small (usually 1×1 pixel) transparent GIF or PNG image (or an image of the same colour of the background) that was embedded in an HTML page, usually a page on the Web or the content of an e-mail. Modern Web bugs also use the HTML IFrame, style, script, input link, embed, object, and other tags to track usage. Whenever the user opens the page with a graphical browser or e-mail reader, the image or other information is downloaded. This download requires the browser to request the image from the server storing it, allowing the server to take notice of the download. As a result, the organization running the server is informed when the HTML page has been viewed.

Larger Implications: As you can imagine, advertising networks and advertisers are less than thrilled about the idea of users blocking their ads, but it is website operators that have thus far objected most strongly to ad-blocking, because it threatens what is for many websites the only source of revenue.  Even amateur sites that do not have to pay for content production often rely on advertising revenue to cover other costs, such as hosting.  It’s not hard to imagine why many site operators might want to discourage or thwart ad-blocking to maintain the quid pro quo of the online economy:  Users get free content and services from websites in exchange for looking at advertising, which websites can sell through ad networks to advertisers.  This dilemma is not unique to the online world, of course.  In the offline context, television advertisers have responded to ad-skipping via DVRs through increasing reliance on product placement.

But because web-browsing is an essentially interactive experience between the user’s browser and the website, website operators may have greater leverage in the relationship with a user who wants to block ads.  In particular, the website may be able to detect the use of ABP, at least indirectly through the pattern of page element blocking caused by ABP’s use. (Prior to June 2008, websites could directly detect whether a browser was using ABP by noticing the presence of an API interface designed to allow ABP to work with other extensions, but this feature was removed in a recent update to ABP.)

Thus, once adblocking rises above a certain “acceptable loss” threshold, a website could respond in at least three distinct ways:

1. Moral exhortation – websites might display this kind of pop-up notice to ABP users:

   

2. “Blocking” adblocking – Because ABP’s relies on relatively crude keyword filters to distinguish ad elements of a page from content elements, websites can confuse these filters by making advertisements less easily distinguishable from content.  On the one hand, websites might attempt to “embed” advertisements a la television product placement.  On the other, we may see ad networks rely more on distributing ads through websites directly, rather than from ad network servers, so that adblocking filters cannot easily identify ads by the source referenced in their URL.
3. Tying website functionality to the acceptance of tracking cookies – As mentioned above, Adblock will block some “tracking cookies” by blocking the downloading from ad network servers of web beacons—which is often how such cookies are placed on the uer’s computer in the first place.   By requiring the downloading of those cookies to access the full functionality of the site, websites might be able to require users to accept tracking cookies in exchange for full access to the site.

As is so often the case, this will likely result in a war of “spy v. spy,” whereby the user community develops better evasive measures, and the websites community develops better countermeasures, and so on–as illustrated in this scene from the 1998 Marky Mark cult-classic film, The Big Hit: (Warning: Includes foul language).

Related Reading & Links

• Download Adblock Plus for Firefox (ver. 0.7.5.5)
• Adblock for Flock browser
• Adblock Plus main page (English language version)
• Adblock Plus blog
• How to disable Adblock Plus on your bookmarked pages (i.e., create a whitelist for accepted ads)
• Wikipedia entry
• Interview with Adblock creator Wladimir Palant
• New York Times article: Noam Cohen, “Whiting Out the Ads, but at What Cost?” New York Times, September 3, 2007.
• Nick Carr on Adblock: “What Would Jesus Do?” (and Wladimir Palant’s response to such criticisms)
• YouTube demo videos:
http://www.youtube.com/v/RAYtLA1ZKW0&hl=en&fs=1 http://www.youtube.com/v/vl4_NEiyVIk&hl=en&fs=1

By Adam Thierer & Berin Szoka

Whatever ordinary Americans actually think about online privacy, it remains a hot topic inside the Beltway. While much of that amorphous concern focuses on government surveillance and government access to information about web users, many in Washington have focused on targeted online advertising by private companies as a dire threat to Americans’ privacy — and called for prophylactic government regulation of an industry that is expected to more than double in size to $50.3 billion in 2011 from $21.7 billion last year.

In 1998, when targeted advertising was in its infancy, the FTC proposed four principles as the basis for self-regulation of online data collection: notice, choice, access & security. In 2000, the Commission declared that too few online advertisers adhered to these principles and therefore recommended that Congress mandate their application in legislation that would allow the FTC to issue binding regulations. Subsequent legislative proposals (indexed by CDT by Congress here along with other privacy bills) have languished in Congress ever since. During this time self-regulation of data collection (e.g., the National Advertising Initiative) has matured, the industry has flourished without any clear harm to users and the FTC has returned to its original support for self-regulation over legislation or regulatory mandates.

But over the last year, the advocates of regulation have succeeded in painting a nightmarish picture of all-invasive snooping by online advertisers using more sophisticated techniques of collecting data for targeted advertising. The Federal Trade Commission (FTC) has responded cautiously by proposing voluntary self-regulatory guidelines intended to address these concerns, because the agency recognizes that this growing revenue stream is funding the explosion of “free” (to the user) online content and services that so many Americans now take for granted, and that more sophisticated targeting produces ads that are more relevant to consumers (and therefore also more profitable to advertisers).

The Hill has responded by holding hearings, sending out angry letters to online advertisers, and demanding that ISPs cease experimenting with a new form of online behavioral advertising (OBA) based on packet inspection. Some in the think tank community have cheered this on, demanding draconian regulation. But before rushing to regulate — and potentially choking the economic engine fueling “free” online content and services — policymakers should be asking whether alternatives to command-and-control regulation can adequately address privacy concerns.

We are in the process of penning a major study on this debate, which will challenge those who are calling for regulation to:

(1) Show us the harm or market failure.

(2) Prove to us that no less restrictive alternative to regulation exists.

(3) Explain to us how the benefits of regulation outweigh the costs.

It is that second point that we would like to focus more on in a series of upcoming (and likely ongoing) blog entries.
Building on the excellent work of our TLF colleague Ryan Radia, we plan to detail the many “technologies of evasion” (i.e, empowerment or user “self-help” tools) that allow web surfers to better protect their privacy online — and especially to defeat tracking for OBA purposes. These tools and methods form an important part of a layered approach that, in our view, provides an effective alternative to government-mandated regulation. Such an approach would also include user education, self-regulatory schemes like the National Advertising Initiative, and FTC enforcement of privacy policies.

Before one can determine the true necessity for government intervention (and, indeed, its constitutionality), one must understand the availability, sophistication and convenience of the technologies of evasion we will describe. In an important 2001 Cato Institute paper, our TLF colleague Tom Bell argues that web surfers must bear some of the responsibility for protecting themselves online, just as they do with regards to potentially objectionable (i.e., “indecent”) online content:

Digital self-help makes unnecessary state action limiting speech that is indecent or harmful to minors. The same argument applies to state action that would limit speech by commercial entities about Internet users. Digital self-help offers more hope of protecting Internet users’ privacy than it does of effectively filtering out unwanted speech, and the availability of such self-help casts doubt on the constitutionality of legislation restricting speech by commercial entities about Internet users. From the more general point of view of policy, moreover, digital self-help offers a better approach to protecting Internet privacy than does state action.

What Bell means is that the digital “self-help” tools that consumers rely on to protect themselves or their children from objectionable content must always confront the subjective problems associated with defining what is indecent or obscene. Thus, even though Internet filtering tools and other parental controls can generally offer a very effective means of blocking access to objectionable content, at the margins there will always be definitional controversies. By contrast, the privacy self-help tools we will describe are much more likely to provide an effective shield because those consumers who are truly sensitive about their online privacy can make far more definitive choices about allowing or disallowing cookies or certain types of personal information from being collected/tracked for targeted advertising purposes.

Finally, Bell correctly notes that “digital self-help” is more likely to be effective than regulatory solutions for a variety of reasons–not least of which is the fact that truly “bad” actors on the Internet are rarely stopped or even discouraged by regulation from doing bad things online where we are talking about the pure exchange of bits (as opposed to purchases or shipments) because they can generally continue their activities from off-shore. In such cases, technical means are the only way of stopping such activities.

We invite you to share examples of technologies of evasion with us as we go along.
And we hope that our TLF colleagues might chime in with entries of their own as they find examples of privacy-enhancing technologies that privacy-conscious web surfers can employ to take privacy in their own hands.

– Adam Thierer & Berin Szoka