I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)

This is the second of two complimentary law review articles I am releasing this year dealing with privacy policy. The first, “The Pursuit of Privacy in a World Where Information Control is Failing,” was published in Vol. 36 of the Harvard Journal of Law & Public Policy this Spring. (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals.

However, precisely because those benefits and costs remain so remarkably subjective and contentious, I argue that we should look to employ less-restrictive solutions — education and awareness efforts, empowerment tools, alternative enforcement mechanisms, etc. — before resorting to potentially costly and cumbersome legal and regulatory regimes that could disrupt the digital economy and the efficient provision of services that consumers desire. This model has worked fairly effectively in the online safety context and can be applied to digital privacy concerns as well.

The article is organized as follows. Part I examines the use of BCA by federal agencies to assess the utility of government regulations. Part II considers how BCA can be applied to online privacy regulation and the challenges federal officials face when determining the potential benefits of regulation. Part III then elaborates on the cost considerations and other trade-offs that regulators face when evaluating the impact of privacy-related regulations. Part IV discusses alternative measures that can be taken by government regulators when attempting to address online safety and privacy concerns. This article concludes that policymakers must consider BCA when proposing new rules but also recognize the utility of alternative remedies such as education and awareness campaigns, to address consumer concerns about online safety and privacy.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and my Mercatus author page.

A Framework for Benefit-Cost Analysis in Digital Privacy Debates by Adam Thierer

I’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complimentary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

The new Harvard Journal article is divided into three major sections. Part I focuses on some of normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.

If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. A so-called “3-E” solution that combines consumer education, user empowerment, and selective enforcement of existing targeted laws and other legal standards (torts, anti-fraud laws, contract law, and so on), has helped society achieve a reasonable balance in terms of addressing online safety while also safeguarding other important values, especially freedom of expression.  That does not mean perfect online safety exists, not only because the term means very different things to different people, but because it would be impossible to achieve in the first instance as a result of information control complications. But the “3-E” approach has the advantage of enhancing online safety without sweeping regulations being imposed that could undermine the many benefits information networks and online services offer individuals and society.  This same framework can guide online privacy decisions—both at the individual household level and the public policy level.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and it should be available on the HJLPP website shortly. [Update 4/16: It is now live on the site.] In coming weeks, I hope to do some blogging that builds on the themes and arguments I develop in this article.

The Pursuit of Privacy in a World Where Information Control is Failing

Advocates of regulation will credit regulators for the fact that major browser providers Microsoft and Mozilla are going after online “tracking.” In forthcoming versions of their browsers, they will provide controls that protect against unwanted monitoring even better than the controls that now exist.

When consumer advocates cluster in Washington, D.C., asking federal agencies to solve consumer issues, of course, any progress on the issues will be credited to the threat of coercion. But experiments like these have no controls.

Decisions about the qualities of goods and services are made out at the leading edge of consumer demand, where producers work to anticipate developing public interests. Meeting demand after it has been realized is a recipe for business failure because competitors getting there before the others win market share and profits. Laggards are losers.

You can tell when regulators push for something that does not match up with consumer demand as perceived in the business sector. The regulators get nowhere. That would be the FTC’s call a decade ago for a suite of regulations requiring “notice, choice, access, and security.” The current push for “tracking” controls does appear to meet up with consumer demand, and, again, the browser providers are working on it years ahead of what any regulation would have required.

I’ve put “tracking” in scare quotes because the open question is just what anyone means by the word. The report linked above notes a comment from Google, provider of the Chrome browser:

“The idea of ‘Do Not Track’ is interesting, but there doesn’t seem to be consensus on what ‘tracking’ really means, nor how new proposals could be implemented in a way that respects people’s current privacy controls,” said the company…

Maybe Google will be the laggard and loser for not moving on “tracking” as fast as its competitors. That’s one approach, while Microsoft and Mozilla will each take a different tack to the problem. The result will be an experiment that does have controls. The browser provider that meets up with consumer interests, in the consumer-friendliest way, wins. Such would not be the case if a federal regulation—yes, one-size-fits-all—determined what “tracking” was and how browsers or others would provide protection against it.

Marketplace competition will do better than any other known method for determining what “tracking” means to consumers and what to do about it. There is no privacy advocate, there is no technologist, no advocacy group, nor academic who knows what to do here.

The one thing I recommend is that do-not-track efforts should control the content of the header and the domains the browser communicates with. Simply putting a “do-not-track” signal in the header would punt the problem back to regulators and the cadre that surrounds them. This group would come up with something that satisfies itself, the regulatory community, but that does not digest and reconcile actual consumers’ competing interests in privacy, convenience, access to content, and so on.

NY venture capitalist Fred Wilson notes eight advantages of using the iPhone’s Safari browser over iPhone apps to access content. Fred’s arguments seem pretty sound to me and help to illustrate the point I was trying to make a few months ago in a heated exchange over Adam’s post on Apple’s App Store, Porn & “Censorship”: Although Apple restricts pornographic apps, it does not restrict what iPhone (or iPad or iTouch) users can access on their  browsers. (And it’s not censorship, anyway, because that’s what governments do!)

As I noted in that exchange, the main practical advantage of apps right now over the browser seems to be the ability to play videos from websites that require Flash—which is especially useful for porn! Apple has rejected using Flash on the iPhone on technical grounds, in favor of HTML5, which will allow websites to display video without Flash—including on mobile devices. But once HTML5 is implemented (large scale adoption expected in 2012), this primary advantage of apps over mobile Safari will disappear: Users will be able to view porn on their browsers without needing to rely on apps—and Apple’s control over apps based on their content will no longer matter so much, if at all.

Of course, it may take several more years for HTML5 to really become the standard, but what matters is that all Apple products, including mobile Safari, already support HTML5. So it’s just a question of when porn sites move from Flash to HTML5. That seems already to be happening, with major porn publishers already starting the transition. The main stumbling block seems to be HTML5 support from the other browser makers. But Internet Explorer 9 supports HTML5, and is expected out early in 2011 with a beta version due out this August. Mozilla’s Firefox 4.0 (formerly 3.7) also promises HTML5 support and is due out this November. Since porn publishers have always been on the cutting edge of implementing new web technologies, I’d bet we’ll start seeing many porn sites move to HTML5 by this Christmas. And by Christmas 2011, as we all sit around the fire with Grandma sipping eggnog and enjoying our favorite adult websites on our overpriced-but-elegant Apple products loading in HTML5 in the Safari browser, we’ll all look back and wonder why anyone made such a big deal about Apple restricting porn apps.

Oh, and if you get tired of waiting, get an Android phone! Anyway, here are my comments on Adam’s February post:

I do understand why, as a practical matter, it’s a real inconvenience for a porn-lover not to be able to get a porn app on the iPhone. I think we can have a legitimate debate about what Apple needs to do to make this limitation transparent to its customers. But, as I noted above, users now have lots of choices for other platforms that either allow apps stores with porn (e.g., Google’s Android) or simply those that support Mobile Flash. Again, the practical importance of the apps store from a user interface perspective will diminish significantly when mobile Flash comes out this year for the various mobile OSes (except Apple, sadly) because users will be able to watch porn video through their mobile browser without needing a porn-specific app. (Of course, it’s still possible that an app might handle scrolling through photos better.)

And:

Now, as a practical matter, it’s not easy to view porn on mobile browsers, especially since they don’t currently support Flash, so video playing is limited to videos you either (i) download or (ii) stream from the web in a special app, such as for YouTube. Since Flash is used by the vast majority of video streaming sites, including for porn, this means that the abundance of online porn isn’t particularly accessible on a mobile phone. Scrolling through images, pornographic or otherwise, isn’t terribly easy either, especially since even fast data networks suffer from much greater latency than fixed broadband services. But Adobe recently announced that Flash 10.1 would be coming to Android, Blackberry, Windows Mobile 7, Nokia S60/Symbian and Palm WebOS. While it appears that Microsoft won’t be rolling out Flash for Windows Mobile 7 anytime soon, it does appear to be planning to do so at some point in the near future, and Google is already hard at work on rolling out Flash for Android sometime soon. Once these platforms roll out Flash, the Apps stores will no longer have any meaningful “gatekeeper” control over easily accessing video content, since users will be able to view or stream whatever they like in the browser. But today, the historical moment when restrictions on Apple’s app store had anything like the censorious effect claimed by Apple’s critics has passed (even assuming one believed “private censorhip” isn’t a contradiction in terms). Specifically, I’d say it passed sometime in the last year, when Android became a more viable option and, even more specifically, on this issue of mobile access to porn, on November 30, 2009, when MiKandi launched. Sure, it’s true, that Android users can’t access  all their favorite porn sites, and MiKandi app offerings are limited, but more are coming—so to speak! And when Android phone gets Flash this year, this important distinction between mobile Internet browsing and desktop Internet browsing will largely disappear. (I only hope the wireless data networks are prepares for the upsurge in video streaming on their networks that will, to be sure, be driven largely by mobile-browsing porn sites.) So… who really cares what Apple does with their app store? Yes, I understand some app users with long-term contracts may be itching for porn right now, and don’t to pay an early termination fee to jump to Android but, well, too damn bad! You may have a right to access porn if you want to, but that certainly doesn’t give you a right to force Apple to offer it to you in the most convenient way possible. Finally, it’s worth noting here that Apple has  not removed sexually-oriented social networking apps, such asGrindr, a mobile gay-cruising app from the iPhone store. I’d be a little more concerned about Apple removing such apps, whose functionality is harder to replicate from the browser, than simply removing apps for viewing pornography.

Thoughts?

Third on the headlines today on TechMeme (perhaps the leading tech news aggregator) is this headline: “An Apology To Our Readers,” a heart-felt piece from TechCrunch editor Michael Arrington disclosing that a TechCrunch intern had, on at least two occasions, demanded computers from start-ups as compensation for writing favorable blog posts about them on the highly influential site. The intern was immediately suspended and, when the allegation was confirmed, terminated. Arrington made no excuses for Daniel Brusilovsky on account of his age (he’s under 18). You can read Daniel’s response here.

If this incident demonstrates anything, it’s just how essential it is for a site like TechCrunch to, as Arrington promised his readers in closing, “maintain complete transparency with you on how we operate, even when it isn’t such an easy thing to do.” Arrington went so far as to have “deleted all content created by this person on our blogs”—indeed, “every word written by this person on the TechCrunch network,” which presumably includes comments.

One might take from this the lesson that the press, as it evolves from the newspaper model towards something blog-ier but still hard to pin down precisely, can police itself pretty darn well. Alas, the FTC has taken a much dimmer view of the ability of reputational incentives to discipline the influence that might be exerted by “blogola” payments (cash or in-kind) on editorial discretion and journalistic creation. Last October, the FTC updated its “Guides Concerning the Use of Endorsements and Testimonials in Advertising” to provide that bloggers should disclose any direct financial interest in subjects they write about if they wish to avoid being subject to an FTC enforcement action—even though no such endorsement is required of traditional journalists, as Adam noted. The best response to this was probably this splendid open letter from Randall Rothenberg, President and Chief Executive Officer of the Interactive Advertising Bureau (IAB) to FTC Chairman Jon Leibowitz, as Adam noted here.

TechCrunch goes out of their way to avoid even the appearance of bias—just as traditional publications do, if not more so! So why should they be subject to special FTC scrutiny? Of course, if a site sets forth a policy about endorsements, it would clearly be held to that promise by the FTC and any violation for breaking that promise could be considered an “unfair” or “deceptive” trade practice under the FTC’s existing statutory authority.

If the FTC really wanted to encourage other sites to follow the lead of TechCrunch, they could encourage (but not bully) others into developing some kind of a seal program like that developed by TrustE that would lay out core principles for how sites handle blogola and product endorsements. If a site wanted to advertise its commitment to these principles, it could display the seal on its site—and be held to that commitment by the FTC (with a self-regulatory group perhaps providing additional enforcement or auditing). If a site chose not to do so, users would be able to see that, too.

A very robust version of this idea could take the next step and use a machine-readable tag so that any site choosing to participate in a “trust seal” program wouldn’t have to rely on just putting this icon on its page, but could instead simply include, in the packets sent to users who visit the page, the tag that corresponds to either (a) the URL for its own endorsement policy or (b) the URL for the for that “trust seal” seal program the site participates in. That tag could then be “read” by a plug-in or a tool built directly into the browser that would either link to the disclosure page or display an appropriate “trust” icon for the site next to the address bar, just as HTTPS sites using SSL encryption get a special green block or safe-looking lock next to their URL. (This is precisely the kind of interface the Mozilla Foundation is thinking about implementing its Firefox browser for websites’ privacy policies.) When the user clicks on that icon, they could get more information about the site’s policies or how the trust seal program works.

The important thing about such a concept, however implemented, is that there could be multiple seal programs out there, each of which could do the hard work of figuring out what appropriate disclosure policies could be and how to make them work in an evolving medium. Given TechCrunch’s leadership in this area, I’d say the TechCrunch seal program could be a gold standard in the online news and commentary business.

This is the kind of innovation that could occur in this space (and others, like privacy) if users really care as much about blogola as the FTC thinks they do—and if the FTC encouraged innovation in disclosure and self-regulation instead of trying to write proscriptive rules to cover all possible situations. (In fairness to the FTC, what I’m proposing works well for “first party” content authored by a site’s employees but there’s a separate problem of how to deal with “third party” content like blog comments on someone else’s site. If a company sends its employees to post comments or reviews praising its products on another blog or, say, on Amazon’s product reviews, I don’t really have a problem with expecting that company to require that its employees disclose their affiliation when they post elsewhere because there probably isn’t a better way to deal with this issue.)

For now, I’m content that sites like TechCrunch are already actively guarding their reputation with prompt disciplinary action such as what Arrington described today. The more attention paid to responsible self-regulation like this, the more other sites will be prompted to follow TechCrunch’s lead—and keep innovating in how to build systems and interfaces that assure user trust.

The disabled have much to give thanks for this year—but contrary to common assumptions, it’s not for paternalistic government accessibility mandates, regulations or subsidies (see, for example, the FCC’s November 6 Broadband Accessibility workshop), but for the good ol’ fashioned private sector ingenuity that has made America great. Five broad categories of examples suggest how constantly-improving computing power and innovation can make life easier for many, if not all, disabled users—and how market forces empower the disabled along with everyone else.

Video transcription. Last week, Google announced “the preliminary roll-out of automatic captioning in YouTube, an innovation that takes advantage of our speech recognition technology to turn the spoken word into text captions.” Google uses the same speech recognition technology it refined with its free Goog-411 and Google Voice services to automatically transcribe video dialog (which can also be automatically translated using Google’s translation engine). Why? Not because of any government mandate, but because of some combination of three factors: (i) it’s an easy way for Google to invest in its “reputational capital,” (ii) the underlying technologies of transcribing videos make videos easier to use for all users, not just the hearing-impaired, and (iii) those technologies also make it possible to contextually target advertising to the verbal content of videos.

It’s worth noting that Hulu currently offers closed captioning for some of its television programming but notes that “closed-captioning data that’s used for broadcast TV isn’t easily translated for online use.” The online television clearinghouse promises to offer more closed-captioning soon. Perhaps they ought to license Google’s algorithmic transcription?

Voice recognition for direct consumer use—most notably, Dragon NaturallySpeaking 10, the latest version of the leading voice recognition software, which was released in summer 2008 but only recently seems to have really hit critical mass. By many accounts, and my own personal experience over the last few months (having lost the use of my left hand due to cartilege damage), Dragon 10 is the first speech recognition program that is really “ready for prime time”—good enough that I will very likely continue using it, at least sometimes, even after my wrist heals in the coming months. (I used it to write this post.) It offers non-disabled consumers functionality like dictation-on-the go and points to a day when everyone gets their own personal transcription secretary—think: 1950s office culture meets artificial intelligence.

While Dragon standard currently retails for $50.99 on Amazon (list Price: $99.99), Microsoft’s new Windows 7 includes voice-recognition functionality that is not terribly far behind Dragon in quality among its built-in accessibility features (although, when it comes to voice-recognition, small differences in quality are well worth the cost).

Jon Morrow (Associate Editor of Copyblogger), whose muscular dystrophy rendered him quadriplegic, provides a definitive guide to speech recognition for bloggers, focusing on Dragon:

Voice recognition for search. Google Voice Search, initially launched on the iPhone a year ago, and more recently made available on other mobile devices. By allowing users to search from their phones without typing, the program makes search just that much more accessible for users who have difficulty typing—something I was very grateful for as I recovered from my wrist surgery, with only my Droid to keep me (and my one good hand) company—and allow me to blog! While this is a small step, it foreshadows a day in which all mobile devices will have the kind of speech recognition capability Dragon makes possible on the desktop today.  Given the rapid and constant increase in computing power made possible by Moore’s Law, it’s just a matter of time before this dream comes true.

What these first three product categories have in common, besides speech-to-text functionality, is that they are not exclusively geared to the disabled. Instead, each also offers functionality to a broader market.

Text-to-speech functionality. This is one of the accessibility highlights of Windows 7. Adobe has also improved the screen reader functionality in its Acrobat Reader 9 software. While these features are primarily geared towards the disabled, the quality of text-to-speech automation has improved to the point that it is actually being used for a mass-market.

• Exhibit A: AudioDizer, a service that aims to “enable newspapers, magazines, and blogs to distribute their content in MP3 format for every single article published.” While AudioDizer won’t replace good human readers anytime soon, such software will increasingly remove the absolute necessity—and cost—of having someone read text material you want to podcast. This, in turn, will revolutionize podcasting by making it nearly costless and effortless to put text into audio form.  The quality is probably not acceptable for most people yet, but for many other hard-core “listenists” (people who consume audio content as voraciously as the most dedicated readers), it’s simply revolutionary to have access to a library of audio content potentially as large as the text-Internet itself.  For me, this means I can make better use of the time I spend puttering around the house—or, in my two-arm days, folding laundry, going to the gym  or riding my bike. (I am a particularly big fan of the MIT Technology Review podcast, which will give you an idea of the quality of AudioDizer.) But for the visually impaired, AudioDizer could be far more profoundly important.  In either case, the “killer app” for text-to-speech will be the level of quality finally achieved in speech-to-text by Dragon NaturallySpeaking 10.
• Exhibit B: the text-to-speech capability in Amazon’s Kindle 2 reader device. While the Kindle itself is difficult for the visually impaired or blind to use, the mainstreaming of such functionality will ultimately benefit such disabled users by increasing the incentive to improve text-to-speech functionality. Sadly, after receiving (debatable) copyright complaints from the Author’s Guild, Amazon decided to turn this functionality off  for all books, unless activated by the publisher (an opt-in). If the technology were actually good enough to be a substitute for an audiobook, the Authors Guild’s complaint would be more understandable. Unfortunately, such an opt-in will probably delay the popular acceptance of text-to-speech functionality by average users.

Open source & open platforms.  Their growing success in the marketplace (not because of government, mind you!) likely means that disabled consumers will have more choices.

• Software: There are a slew of accessibility-oriented add-ons for the Firefox browser, and Mozilla makes it easy to find such tools by allowing users to group related add-ons into “Collections” such as this one. In particular, the Firefox Accessibility Extension has been downloaded nearly 150,000 times.
• Hardware: The success of open operating systems such as Google’s Android should make it easier for device manufacturers to build devices with specialty features, say, for the visually-impaired. Certainly, it would be easier to do so than to build such functionality into all iPhones. At the very least, a diversity of form factors will create more real options for the sometimes very specific needs of the disabled.  For example, I simply could not have typed effectively with one hand on my old HTC XV6800, but my new Motorola Droid, with its superior on-screen keyboard and different form factor allows me to type fairly effectively with just one hand (as does my partners iPhone).

Tying It All Together

That’s really the key lesson here: While many advocates for the disabled may complain that the iPhone isn’t as accessible as they might like, mandating accessibility features for all devices comes at a real costs for users: There’s only so much you can fit into a single device. If government mandates additional features, something has to give, because we live in a world of trade-offs: price, bulk, weight, etc. But a world with many devices and competing operating systems is a world in which niche markets are increasingly being served—primarily because Moore’s Law increasingly makes it cost-effective to do so.

The “disabled” are not a monolith but represent a wide spectrum of interface needs along the long tail of human ability-diversity. Rather than trying to stunt the functionality of all devices in the name of “fairness,” we ought to be focusing on the ways in which falling prices, increasing processing power and the increasing efficiency of small-scale consumer electronic device manufacturing make possible an increased degree, and diversity, of functionality previously inconceivable. We also ought to look for ways to make sure that government doesn’t inadvertently get away this ongoing process, such as through cumbersome device testing requirements or by restricting the exclusive handset arrangements that make it possible for wireless carriers to subsidize the cost of expensive devices. The latter is especially important for achieving the kind of scale in adoption of a device that could help make it worthwhile to develop and bring to market specialty devices—say, for the visually-impaired.

The offerings for the disabled will probably always lag behind those for average consumers, but complaining about that is a lot like complaining about the fact that the rich tend to be the only ones who can initially afford new inventions—from air travel to air conditioning to refrigerators to personal computing.  Just as the wealthy tends to fund the investments in these technologies, to the benefit of “average” consumers, so, too, will the mass market for functionalities like speech-to-text and text-to-speech drive the perfection of these technologies, which are particularly important for disabled users.

Of course, there are are indeed some accessibility functionalities necessitated by certain disabilities that may not have such ready dual-use among a mass audience. But I suspect that accessibility functionalities will become increasingly indistinguishable from tools developed for average users.  The main distinction will lie in the fact that for the disabled, these tools may be a life-changing “necessity,” while for most users, they may merely be “cool” or simply “useful.”  Case in point: the volume level on my new Droid’s speakerphone is so loud that it will likely make the phone “accessible” for many heart-of-hearing users who simply couldn’t hear previous smartphones. For me, it’s a nifty feature (and sometimes even annoyance), while for them it may be a fantastic relief.

More generally, it’s important to recognize the diversity of incentives that makes possible this diversity of functionalities for a diversely-capable citizenry: For some companies, like Nuance (maker of Dragon NaturallySpeaking) the disabled are a key market. And anticapitalist critic might claim that “they’re just in it for the money.”  But as Adam Smith said, “It is not from the benevolence of the butcher, the brewer, or the baker that we expect our dinner, but from their regard to their own interest.” In other words, it’s a good thing that there are companies out there who try to meet the needs of the disabled. (The Internet has made it easier than ever before for disabled consumers to find products that meet their needs.  Just Google the keywords “disabled products” and you’ll get over 57 million hits.) For some companies, the motive to  invest in accessibility innovation may be “philanthropic”—i.e., a down payment on consumer goodwill. And for other companies, the motive may be more mixed: Google clearly gains additional advertising audience by reaching the disabled, and also uses its accessibility technologies to serve ads better and making it easier for all users to conduct searches.

As for the broader subject of “neuro-diversity” (the broad spectrum of human cognitive abilities and not necessarily a “disability”), I highly recommend Tyler Cohen’s new book Create Your Own Economy (reviewed by Adam here), which celebrates the Internet as a great emancipating force for the neuro-diverse.

Really, what would we do without European antitrust regulators protecting us from the evils of browser innovation? If Microsoft was allowed to actually bundle its Internet Explorer browser alongside its operating system we might actually do something really crazy… like perhaps try it! After all, the latest browser stats make it pretty clear most of us have a choice and that fewer and fewer of us rely on IE. As Erick Schonfeld noted on Tech Crunch today:

The new browser wars on on. More than a decade after Microsoft killed off Netscape with Internet Explorer, competition in the browser market has never been stronger. Just last week, Mozilla released Firefox 3.5, which has now been downloaded nearly 14 million times. Earlier in June, Apple released Safari 4. In March, Microsoft introduced Internet Explorer 8, and Google came out with a speedier beta of its Chrome browser. Some early data is coming in showing relative market share and how fast people are upgrading. If you look at the chart above from Statcounter, it indicates that since March Internet Explorer has lost 11.4 percent market share to other browsers. [..] Where did that go? It went to Firefox, Safari, and Chrome. Nearly 5 percent of that, or about half, went to Firefox 3.0, which currently has 27.6 percent market share. That doesn’t count last week’s upgrade.

Alas, as I pointed out in my essay a few weeks ago (“European Regulators Think Consumers Too Stupid to Know How to Download a Different Browser“), some Euro-crats still seem to believe that changing browsers requires great detective skills to unearth alternatives.  It’s just pure poppycock and yet another sad example of how antitrust law is usually hopelessly behind the times and has absolutely nothing to do with protecting consumers or fostering innovation.

Now, please excuse me while I get back to surfing the Net via Firefox and Chrome (and Opera on my mobile phone). My God, how did I ever find these browser alternatives!

In episode #44 of “Tech Policy Weekly,” Berin Szoka and Adam Thierer engage in a debate with Internet security expert Chris Soghoian, who is a student fellow at the Berkman Center for Internet & Society at Harvard University. He is also a Ph.D. candidate at Indiana University’s School of Informatics.

Chris is an up-and-coming star in the field of cyberlaw and technology policy as he has quickly made a name for himself in debates over privacy policy, data security, and government surveillance.  He straddles the line between academic and activist, and the role he often plays in many tech policy debates is somewhat akin to what Ralph Nader has done in many other fields through the years. Except, in this case, instead of “Unsafe at Any Speed” it’s more like “Unsafe at Any Setting,” since Chris is often raising a stink about what he regards as unjust or unreasonable privacy or security settings that various online websites or service providers use.

On the show, Chris talks about two of his recent crusades to get certain online providers to change their default settings to improve user security or privacy: (1) His effort this week to get major email providers—and Google in particular—to change their default security settings on their email offerings; and (2) his earlier crusade to create permanent opt-out cookies to stop behavioral advertising by advertising networks.

There are several ways to listen to today’s TLF Podcast. You can press play on the player below to listen right now, or download the MP3 file. You can also subscribe to the podcast by clicking on the button for your preferred service. (And do us a favor, Digg this podcast!)

[display_podcast]

Finally, here’s some relevant links that were mentioned during today’s show:

• Chris Soghoian’s webpage + his Harvard Berkman Center page
• Chris’s blog (“Slight Paranoia”)
• Chris’s “TACO” (Targeted Advertising Cookie Opt-Out) plug-in for Firefox (and description of it on his home page)
• Chris’s “Caught in the Cloud” paper (+ a video of him presenting it at Harvard)
• The letter from 38 cybersecurity researchers that Chris sent to Google
• Berin Szoka’s response to Chris’s “Caught in the Cloud” paper
• Berin’s discussion of the issue of preserving user choice through permanent opt-out cookies

According to Ina Fried of CNet News, Microsoft plans to remove its Internet Explorer web browser from the new versions of Windows 7 when it ships it in Europe later this year. [Additional coverage at ZDNet.]  MS is apparently doing so to assuage the concerns of EU antitrust officials, who have been obsessed with the company for the past decade. [Update: Here is MS official announcement.]

Apparently, European officials think their citizens are too stupid to find an alternative browser.  I mean, seriously, how hard is it?  Does the competition lack name recognition such that consumers can’t find them?  Hmmm… Google and Apple seem to be pretty well known brands, and their browsers (Chrome & Safari) are pretty easy to find.  And then there’s Mozilla’s Firefox browser (my PC favorite) and Opera (my mobile phone favorite), which are outstanding browsers. [Incidentally, Firefox already has 31% share of the European market.]

OK, OK, the regulators might say, but these competitors are just too expensive!  Uh, no, wait… every one of them is free. So, strike that theory.

Well, the regulators need another theory then. How about illegal tying of products and services! You know, there’s only certain sites or services you can use with IE, right?   Nope, that theory doesn’t work either.  And does anyone believe that MS could really tie OS functionality to the use of IE? How long would the world tolerate Outlook e-mails or Word documents that only allowed linking to URLs via IE??  Come on.

OK, any other theories left? Not that I can think of. Which brings us back to the only theory the Euro-crats have left: people are sheep. They’ll take whatever MS bundles into the OS free, you see, and they will use it more than they use competing products.  Thus, we regulators have to save them from their own stupidity! The masses just don’t know what’s good for them!  These free, integrated services are harming them! And, therefore, the only remaining solution is to kill innovation by crippling functionality and removing the free offering. That’s pro-consumer! … or so say the European antitrust bureaucrats.

Meanwhile, back in the real world, a whole lotta innovation continues to take place. But shhhh.. don’t tell the Euro-crats. They need a company to pick on. Welcome to the Theater of the Techno-Absurd.

Ted Dziuba has penned a humorous and sharp-tongued piece for The Register about last week’s Adblock vs. NoScript fiasco.  For those of you who aren’t Firefox junkies, a nasty public spat broke out between the makers of these two very popular Firefox Browser extensions (they are the #1 and #3 most popular downloads respectively).  To make a long and complicated story much shorter, basically, NoScript didn’t like Adblock placing them on their list of blacklisted sites and so they fought back by tinkering with the NoScript code to evade the prohibition.  Adblock responded by further tinkering with their code to circumvent the circumvention!  And then, as they say, words were exchanged.

Thus, a war of words and code took place.  In the end, however, it had a (generally) happy ending with NoScript backing down and apologizing. Regardless, Mr. Dzuiba doesn’t like the way things played out:

The real cause of this dispute is something I like to call Nerd Law.  Nerd Law is some policy that can only be enforced by a piece of code, a public standard, or terms of service. For example, under no circumstances will a police officer throw you to the ground and introduce you to his friend the Tazer if you crawl a website and disrespect the robots.txt file. The only way to adjudicate Nerd Law is to write about a transgression on your blog and hope that it gets to the front page of Digg. Nerd Law is the result of the pathological introversion software engineers carry around with them, being too afraid of confrontation after that one time in high school when you stood up to a jock and ended up getting your ass kicked.

Dziuba goes on to suggest that “If you actually talk to people, network, and make agreements, you’ll find that most are reasonable” and, therefore, this confrontation and resulting public fight could have been avoided. They “could have come to a mutually-agreeable solution,” he says.

But no. Sadly, software engineers will do what they were raised to do. And while it may be a really big hullabaloo to a very small subset of people who Twitter and blog their every thought as if anybody cared, to the rest of us, it just reaffirms our knowledge that it’s easy to exploit your average introvert.  After all, what’s he gonna do? Blog about it?

OK, so maybe the developers could have come to some sort of an agreement if they had opened direct channels of communications or, better yet, if someone at the Mozilla Foundation could have intervened early on and mediated the dispute.  At the end of the day, however, that did not happen and a public “Nerd War”  ensued.  But I’d like to say a word in defense of Nerd Law and public fights about “a piece of code, a public standard, or terms of service.”

What we had here was a code war that, despite some nastiness, was resolved reasonably well and on a reasonably timely basis.  Now, imagine if this sort of dispute had gone legal, or worse yet, been subjected to a federal regulatory proceeding.  Can you imagine the Federal Communications Commission being asked to adjudicate such a thing!  Next time you hear of a major dispute coming before the commission, start your stopwatch and pray that it doesn’t die before the FCC finally gets around to rendering its judgment on the matter at hand. Worse yet, sit back and watch as entire forests will fall from the resulting paperwork war as both sides hire teams of lawyers, economists, and consultants to file an endless stream of indecipherable documents with the Commission.

What got me thinking about all this is that recently I’ve been critiquing Lessig’s “code-is-law” thesis and pointing out that code really doesn’t have the same force as law, and thank God it doesn’t!  Precisely because it does not have the coercive capacity of actual law or regulation it means that code developers must use other means to persuade competitors or the public to side with them in disputes.  It means that code developers must find ways to innovate around problems, sometimes even creating messy code wars in the process.  And yes, it sometimes means that, when that process goes badly, a war of words may take place online.  But still, isn’t that better than the legal alternative or a regulatory approach?

And, so, when Mr. Dziuba suggests that “The only way to adjudicate Nerd Law is to write about a transgression on your blog and hope that it gets to the front page of Digg,” I guess I just don’t see as much of a downside to that approach as he does.  I share his belief that it would be nice to get both sides to a table to talk and hopefully to hammer out an agreement, but sometimes that doesn’t always happen in cyberspace or in realspace for that matter. What’s going on here is the same game that companies and unions have been playing for years:  Push the envelope in public by any means necessary to drive a better bargaining position when you eventually must come to the table and reach an agreement.  Athletes and sports clubs do the same thing.

Thus, I am rather fond of “Nerd Law,” or “Code Wars” or whatever you want to call it. (Perhaps “hard-nosed public negotiations” is the better umbrella term).  Let coders have their fights and air their dirty laundry in public because, at the end of the day, that process will likely reach a better conclusion than if they took a highly legalistic or regulatory approach to things.  I do not mean to suggest that law or regulation never has a place in resolving disputes. Rather, I am suggesting that the sheer cost of the legal / regulatory route — in terms of time, money, lost innovation opportunities, etc — makes is generally sub-optimal when compared to relying on non-legal means of dispute resolution.

So, let the coders have their Nerd Wars, I say.  And let the best code win.

What a victory for privacy and personal responsibility is Chris Soghoian’s Targeted Advertising Cookie Opt-Out (or “TACO” – documented and downloadable here). It signals to the 27 ad networks with well-configured opt-out cookies that you don’t want them to track you.

It’s a technical solution that empowers (and places responsibility with) the user to exercise dominion over his or her personal information. No need for law and regulation. No need to go pleading to politicians and bureaucrats for help.

It’s also a little more efficient than my method of controlling tracking, which is to take a glance at cookies as Web sites ask to set them on my computer.

(The answer is usually “no,” but it’s very interesting to see who all wants to get a glance at me when I visit any site. It’s a lot more than just ad networks, btw. I have no idea why people think ad-network tracking is bad and tracking by others is a matter of indifference.)

Now, Chris and I always find something to disagree about, so for good measure I’ll note that I disagree with his goal of switching targeted advertising from opt-out to opt-in.

Cookies are the wrong mechanism for universal opt-out, he correctly notes, and an opt-out HTTP header, were one adopted, would be switched on by default, so the big players won’t go there. “The only way we will get an easy to use, built-into the browser solution,” he concludes, “will be if government regulators get involved. FTC staffers — are you listening?”

Actually, an easy to use, built-into-the-browser solution is right there. In Firefox, it’s Tools > Options > Privacy > uncheck “Accept cookies from sites” or “Accept third-party cookies” (or further define what you want done with cookies). In Internet Explorer, it’s Tools > Internet Options > Privacy > Advanced > select “Override automatic cookie handling” and define what you want done.

A lot of folks think it’s jaw-droppingly difficult to look at cookies as they’re offered. It’s not. It’s easy to give cookies a quick skim as they come in. (Sometimes exercising responsibility for yourself is difficult. Walk it off.)

Now, should everyone do as I do? No. Should everyone do a Chris wants (and be untracked unless they request it)? Also, no.

The default on the street and on the Internet is for information to be available to others. If you don’t like it, you cover up your nakedness with clothes, or you figure out how to block cookies offered by sites you don’t want a relationship with. Kudos to Chris for giving people a cloak to wear, even though he advocates that regulators should tut-tut Web site operators for using their eyes to see.

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online-and especially to defeat tracking for online behavioral advertising purposes. These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In the last installment, we covered the privacy features embedded in Microsoft’s Internet Explorer (IE) 8. This installment explores the privacy features in the Mozilla Foundation’s Firefox 3, both the current 3.0.7 version and the second beta for the next release, 3.5 (NOTE – The name for the next version of Firefox was just changed from 3.1 to 3.5 to reflect the large number of changes, but the beta is still named 3.1 Beta 2). We’ll make it clear which features are new to 3.1/3.5 and those which are shared with 3.0.7. Future installments will cover Google’s Chrome 1.0, Apple’s Safari 4, and some of the more useful privacy plug-ins for browsers . The availability and popularity of privacy plug-ins for Firefox such as AdBlock (which we discussed here), NoScript and Tor significantly augments the privacy management capabilities of Firefox beyond the capability currently baked into the browser.  In evaluating the Web browsers, we examine:

(1) cookie management; (2) private browsing; and (3) other privacy features

History of Firefox

Firefox descends from the very first graphical web browser, NCSA Mosaic. Mosaic was developed at the National Center for Supercomputing Applications in 1992. The co-author of Mosaic, Marc Andreessen, co-founded Netscape Communications and was the lead developer of Netscape Navigator, which was first released in 1994 and based in part on NCSA Mosaic code. In 1998, Netscape publicly released the source code for the latest version of its browser and created the Mozilla Organization to coordinate its development. AOL acquired Netscape Communications later that year, and when AOL scaled back its involvement with the Mozilla Organization in 2003, the Mozilla Foundation was launched to ensure the browser could survive without Netscape or AOL. The Mozilla Foundation released Firefox 1.0 on November 9, 2004. According to Net Applications, Firefox is currently the second-most popular Web browser after Internet Explorer, with 21.72% of the market in Q1 2009.

Cookie Management

To access Firefox’s basic cookie management and privacy settings, open the “Tools” menu, click “Options,” and then click on the “Privacy” tab to display the following options:

Instead of using a slider, as Internet Explorer does, Firefox gives more direct control over cookies. Users can choose to refuse all cookies, refuse all third-party cookies (see the previous post in this series for an explanation of the difference between first-party cookies and third-party cookies), and/or control when cookies expire. The “keep until” box gives three options:

(1) ” they expire” – Cookies determine their own expiration date.

(2) ” I close Firefox” – Cookies are deleted when you close the browser.

(3) ” ask me every time” – Every time a cookie is sent to the user’s computer, the user is asked if they want to “Allow” the cookie (accept it and let the cookie determine its own expiration date), “Allow for Session” (equivalent to the “I close Firefox” setting), or “Deny.” Firefox can also optionally save the user’s preference for all future cookies received from that website. The “Show Details” button allows true power users to view the contents of each cookie before making a decision, as seen here:

By clicking the “Show Cookies” button in the Privacy tab of the Options dialog box, users can view all of the cookies already saved on their computer and delete individual cookies or all cookies at once.

Finally, by clicking the “Exceptions” button in the Privacy tab of the Options dialog box, users can specify which websites are always or never allowed to set cookies.

In addition to having the option of deleting all cookies whenever the browser is closed, users can clear other types of private data when the browser is closed. The following dialog box is displayed when a user clicks on the “Settings” button in the Privacy tab of the Options dialog box.

Private Browsing

Similar to Internet Explorer 8’s “InPrivate Browsing” feature (see the previous post in this series for more information) and Chrome’s Incognito, Firefox 3.5 will include a new “Private Browsing Mode” that protects so-called “over the shoulder” privacy. To enable Private Browsing Mode, select “Private Browsing” from the Tools menu. To disable Private Browsing Mode and reload all tabs that appeared when you enabled Private Browsing Mode, just uncheck the same “Private Browsing” menu item in the Tools menu. There is a hidden way to make Firefox 3.1 Beta 2 always start in Private Browsing Mode and a plan to possibly provide an easier way to do this in the final 3.5 release, but the only obvious use for this would be on public computers (e.g., at a library or coffee shop) where it can’t be guaranteed that each user will close the browser before leaving.

Other Privacy Features

• Master Password – As more and more can be done online and more and more sites require user accounts (and passwords), having all those passwords stored in your web browser can be a security problem unto itself. Firefox allows you to view saved passwords, but it also allows you to protect all of your site-specific saved passwords with a single master password. Your saved passwords cannot be used to automatically log into websites and other individuals with access to your computer cannot view your saved passwords unless the master password is entered. Firefox also has a password quality meter to show you how secure your master password is from cracking attempts.

• Instant Web Site ID – For all websites with an Extended Validation SSL Certificate, this feature displays the website owner’s name to the left of the URL in the address bar. Clicking on the “favicon” on the left side of the address bar displays additional information about the certificate (whether an Extended Validation Certificate or regular SSL certificate) and whether the connection is SSL-encrypted. A second click displays the Page Info dialog box which reports whether you’ve previously visited the website and how many times, whether the website is storing cookies on your computer (which you can view with another click), and if there are saved passwords for the website on your computer (which you can also view with another click). From the Page Info dialog box you can also view all of the media embedded in the webpage, all of the meta tags in the HTML source code for the page, any RSS feeds on the page, and the permissions in effect for the page.

• Optional automatic phishing and malware protection – Two options in the “Security” tab of the Options dialog box, “Tell me if the site I’m visiting is a suspected attack site” and “Tell me if the site I’m visiting is a suspected forgery,” allow Firefox to automatically protect users from malware (attack sites) and phishing scams (forgery sites). When either of these options is enabled, Firefox automatically checks the URL of the page you’re visiting against a list of reported phishing and/or malware sites that it downloads in the background every 30 minutes. If you navigate to a page on one of these lists, Firefox will double-check that the URL is on the list by sending a cookie to google.com, who maintains the lists of identified malware and phishing sites used by Firefox. The anti-phishing site aspect of this feature is equivalent to Internet Explorer’s SmartScreen Filter.

Conclusion

In terms of privacy, what makes Firefox unique compared to the other popular browsers is the extensive number of add-ons (also called “plug-ins” or “extensions”) designed to protect users’ privacy. Google’s Chrome browser does not currently support third-party add-ons but plans to do so in an upcoming release. Microsoft’s Internet Explorer does support extensions, and Microsoft has a website devoted to cataloging those extensions, but offers nothing like the variety and complexity of the add-ons available for Firefox. The two most popular Firefox add-ons (in terms of total downloads; currently second and fourth most popular in terms of weekly downloads) are specifically related to privacy. Adblock Plus (ABP) uses dynamically-updated “subscriptions” to maintain a list of unwanted third-party content and automatically  block that content from being displayed or run by Firefox. ABP can block Flash code, images, external scripts, stylesheets, frames, tracking cookies, webbugs, html elements, text ads, backgrounds, and any class, id, and any other HTML or CSS tag. By default, ABP allows all such elements unless they are blocked by a filter.  NoScript, by contrast, blocks all Java, JavaScript, Flash, and other plugins unless you explicitly allow them on a particular website  either (i) temporarily for your current session (until you close the browser); (ii) or permanently for all future sessions. Thus, with these two add-ons, Firefox offers security-conscious users a much more secure (and thus private) browsing environment than currently available in other browsers. We already covered Adblock Plus in a previous installment of our Privacy Solutions Series. We plan to cover NoScript and other popular Firefox add-ons such as TorButton and FoxyProxy in future installments.

Additional Reading / Links

• Download Firefox 3.1 Beta 2
• New features in Firefox 3.1 Beta 2
• Privacy & Security add-ons for Firefox
• Wikipedia entry on Firefox

I’ve already laid out my own reactions to Google’s roll-out of an “interest based advertising” (IBA) program here.  In a nutshell, I applauded Google setting a new “gold standard” in user empowerment by providing:

• Notice in their IBA-targeted ads of who’s paying for the ad and the fact that Google is serving it; and 
• A link to a powerful “Ad Preference Manager” that allows users to:
  • See and modify the “digital dossier” (to use the fearmonger’s term) of interests associated with the cookie on their computer; and 
  • Opt-out of tracking for IBA purposes.    

But as I predicted, despite these pro-privacy features (and despite the fact that other major companies such as Yahoo! and Microsoft already have IBA programs), a number of privacy advocacy organizations are attacking Google for daring to enter the IBA (or “online behavioral advertising”) business at all.   I’ll have much more to say about the criticism of Google’s new Ad Preference Manager soon, especially coming from Marc Rotenberg of EPIC (a “disaster“) and Jeff Chester of CDD—precisely the sort of the “paroxysms of privacy hysteria” I predicted.  

But first, the criticism from Ari Schwartz of the Center for Democracy & Technology requires a response today.  At its best, CDT plays a vital role in calling corporations to continually raise the bar on privacy.  My own think tank, the Progress & Freedom Foundation, works closely with CDT on many issues, such as advocating user empowerment through technological means as a constitutionally “less restrictive” way of protecting children than government censorship.

 Here’s what Ari had to say:

[T]he opt-out is based on a failed premise. The truth of the matter is that the industry needs to work together to move beyond the discredited cookie opt-out model….  Google claims to have improved upon the old model by creating a plug-in for users to keep their opt-out cookie while deleting the rest of their cookies. While as a technical matter that may be true, without an industry-wide solution these plug-in options just serve to confuse users about what they need to do to protect themselves. If this plug-in approach catches on, will users need to download a plug-in from every network advertiser and every analytics company to stop the tracking? That model just isn’t sustainable.

Ari is setting up a straw man when he suggests that users are going to have to download a separate plug-in for every ad network.  The obvious solution, as Ari points out, is an industry-wide plug-in. But if it’s so obvious, why can’t CDT just write it themselves?  Indeed, why didn’t they write it years ago?

These aren’t rhetorical questions.  I  really  want to know what would be required to create a plug-in that does what Google’s plug-in does for every other ad network’s opt-out cookie in the Opt-out tool developed by the Network Advertising Initiative (NAI):  Maintain “persistent” user choice by checking to see whether a user has deleted whatever their opt-out cookies and, if so, restoring those cookies.  

CDT will probably insist that, if it’s really so easy to create such an industry-wide plug-in, NAI should have done so years ago.  Maybe so.  Perhaps if the industry had moved faster to innovate in privacy protection, they would be in a stronger position right now politically.  Of course, if the industry moves slowly in this regard, maybe that’s because they’ve got their hands full trying to keep advertising, the economic engine that funds the Internet’s “free” content and services, working-a reality Ari ignores.  Or perhaps it wouldn’t matter:  It seems that no matter what industry might do, it’s just not good enough for Ari.  Under the banner of “Keeping the Internet Open, Innovative and Free,” Ari is in fact leading CDT in a full-on attack on the Internet, pushing for regulation that will make the Internet:

• Less “Open” to competition among service providers and the diversity of voices and choices produced by online content creators who depend on advertising;
• Less “Innovative” in terms of new content, new services, new online personalization technologies, and new advertising business models that could broaden the base of economic support for the entire Internet; and
• Less “Free” both in political terms—“free” from government regulation and controls—and in financial terms—“free” to users because advertisers foot the bill.

CDT ignores these very real costs to crippling online advertising, which will ultimately be borne by the very consumers whom CDT claims to be protecting.  This is precisely why Adam Thierer and I have argued so strongly for a layered approach (and here at page 7) to privacy concerns about online advertising that combines self-regulation and tough FTC enforcement of privacy policies with a recognition that only by empowering individual users to make their own choices can we balance inherently subjective concerns about privacy with the need to fund the Internet’s future:

We stand at an important crossroads in the debate over the online marketplace and the future of a “free and open” Internet.  Many of those who celebrate that goal focus on concepts like “net neutrality” at the distribution layer, but what really keeps the Internet so “free and open” is the economic engine of online advertising at the applications and content layers.  If misguided government regulation chokes off the Internet’s growth or evolution, we would be killing the goose that laid the golden eggs. 

Back to the plug-in…  CDT argues that the opt-out cookie system is flawed in respects other than ensuring the persistence of user opt-outs.  We can debate that question.  But I’d just like to get a clear answer once and for all about why CDT hasn’t already developed this plug-in themselves.

Here‘s the NAI opt-out, Ari, and here‘s the code for Google’s plug-in—it’s open source! How much easier could Google have made this for you?  Quit yapping and start coding! 

Since CDT doesn’t seem up to the task, we’ve already modified the Google plug-in to preserve another ad network’s opt-out cookie (download our beta plug-in here) and are currently working to expand the plug-in to work for multiple cookies—which is simply a matter of coding.  We’d welcome help from anyone with experience in writing Firefox plug-ins. 

NAI could (and probably should) do this, themselves.  But if CDT wants to start being philosophically consistent about empowering consumers across in the board —on privacy issues as well as child protection issues—writing this plug-in themselves is a great way to shame the rest of the advertising industry into picking up where Google left off.   I suspect CDT’s failure to do so thus far reflects a crass political calculation that anything they does to empower users to manage their own privacy through technical solutions simply undermines their arguments that only government can protect users—thus weakening their push for regulation.  So much for CDT’s declared mission of “seek[ing] practical solutions to enhance privacy!”

By Adam Thierer, Berin Szoka, & Adam Marcus

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online-and especially to defeat tracking for online behavioral advertising purposes.  These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In some of the upcoming installments we will be exploring the privacy controls embedded in the major web browsers consumers use today: Microsoft’s Internet Explorer (IE) 8, the Mozilla Foundation’s Firefox 3, Google’s Chrome 1.0, and Apple’s Safari 4. In evaluating these browsers, we will examine three types of privacy features:

(1) cookie management controls; (2) private browsing; and (3) other privacy features

We will first be focusing on the default features and functions embedded in the browsers. We plan to do subsequent installments on the various downloadable “add-ons” available for browsers, as we already did for AdBlock Plus in the second installment of this series.

In this installment, we’ll be taking a look at the privacy-related features in the most popular browser in use today, Microsoft’s Internet Explorer. Specifically, we’ll be examining the most recent version of the browser, IE 8, Release Candidate 1. We’ll make it clear which features are new to IE 8 and those which are shared with IE 7.

Basic Background

Microsoft’s Internet Explorer browser was launched in 1995 and quickly became America’s most popular web browser, displacing Netscape’s Navigator browser. In recent years, IE has faced new challenges from the Mozilla Foundation’s “Firefox” browser, Apple’s “Safari”, the open source “Opera” browser, and others. (For an excellent history / timeline of web browsers, click here.) Despite these new challenges, IE still commands over 70% of the browser market. Like most other web browsers, Internet Explorer is free. So too are the features we are describing here.

Before we get further in the discussion of privacy controls, it’s important for readers to understand the difference between “first-party” and “third-party” content on webpages. Many webpages today contain a combination of content from many different websites, which enables powerful “Web 2.0” functionality like an interactive Google map displayed along with an address or a “Digg This” link in a blog post. Third-party content can also be used to track users across websites and to serve up advertising. All content loaded from the same domain as is displayed in the Address bar is first-party content. All content loaded from other domains is third-party content. Internet Explorer has a “Privacy Report” function that can show you the source for all the different content elements in the current webpage. To access it, select Webpage Privacy Policy from IE7’s Page menu or IE8’s View menu.

Basic Cookie Management Controls

To access Internet Explorer’s basic cookie management and privacy settings, open the “Tools” menu, click “Internet Options,” and then click on the “Privacy” tab to display the following options:

Users can configure the slider on the upper left-hand side of the window to establish their preferred level of cookie privacy. There are 6 options on the sliding scale from which to choose. Starting from the top of the slider bar:

(1)   ” Block all cookies” — Blocks IE from receiving any new cookies and blocks websites from reading any existing cookies on your computer. (Of course, that would greatly inconvenience users that regularly access websites that require information from the user, such as a Web-based email site that requires users to log in every time they access the website.)

(2)   ” High” — Blocks all cookies from websites that do not have a P3P compact privacy policy or that have a compact privacy policy which specifies that personally-identifiable information is used without your explicit consent. Cookies already on your computer can only be read by the site that created them.

(3)   ” Medium High” — “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without explicit consent,” and “Blocks first-party cookies that save information that can be used to contact you without your implicit consent.”

(4)   ” Medium” — This setting “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without your explicit consent,” and “Restricts first-party cookies that save information that can be used to contact you without your implicit consent.”

(5)   ” Low” — This setting “Blocks third-party cookies that do not have a compact privacy policy” and “Restricts third-party cookies that save information that can be used to contact you without implicit consent.”

(6)   ” Allow all cookies” — This setting allows all cookies from any website.

A P3P compact privacy policy is a machine-readable summary of the full P3P specification, which is a standardized method for explaining a website’s privacy policy. So when IE states that it will “block[] third-party cookies that save information that can be used to contact you without your explicit consent,” it means that the cookie will be blocked unless the site has a P3P compact privacy policy that either indicates that only non-identifiable (NOI) information is collected, or that for every data collection PURPOSE and every type of RECIPIENT that the website shares collected data with, the site’s policy is that the user must opt in (“explicitly consent”) to the practice.

When the slider bar is set anywhere other than the “High” and “Low” levels, users can also click the “Sites” button and then specify different cookie security levels for individual websites. The advantage of this approach is that it lets users create their own personal “white lists” and “black lists” of sites for which they either never want cookies blocked, or for which they always want cookies blocked. This increases the privacy-configurability of the browsing experience. For example, the following screen shows two sites that have been whitelisted and two hypothetical sites that have been blacklisted.

In addition, if the user wishes to manually delete their cookies, web browsing history, form data, personal passwords, or other stored information, they can do so on the “General” tab under the “Browsing History” section. Or, in the new IE 8, they can do so under the new “Safety” drop-down menu (in the Command toolbar) under the first option, “Delete Browser History.” They can also configure IE 8 so that all of this data is deleted each time the browser is closed (essentially converting “persistent cookies” into “session cookies,” concepts Adam Marcus has explained previously). The following screen shows how this user is choosing to delete just their temporary Internet files, cookies, and browsing history. Favorite websites are websites the user has bookmarked.

Using these controls, a particularly privacy-sensitive user who only trusted two or three sites-say, their bank and their employer’s website-could allow cookies for only those sites and block cookies for all other websites. Again, this assumes that they do not mind the potential hassles associated with logging-in to many other sites each time they visit or losing custom preferences that would otherwise be stored in a cookie.

Advanced Cookie Management – “InPrivate Filtering”

Microsoft explains its InPrivate Filtering feature as follows:

Today websites increasingly pull content in from multiple sources, providing tremendous value to consumer and sites alike. Users are often not aware that some content, images, ads and analytics are being provided from third party websites or that these websites have the ability to potentially track their behavior across multiple websites. InPrivate Filtering provides users an added level of control and choice about the information that third party websites can potentially use to track browsing activity.

InPrivate Filtering is off by default and must be enabled on a per-session basis. To use this feature, select InPrivate Filtering from the Safety menu.

In “Automatically Block” mode, InPrivate Filtering will automatically block a site if IE finds that site’s content embedded in more than a user-specified number of other sites (the default is 10) visited by the user.  You can also manually control which sites are blocked, and import and export your list of white/blacklisted sites to share that list with others.

The beta version of IE8 included a subscriptions feature that would have allowed users to automatically receive updated white or blacklists from others-much like the subscription feature in AdBlock Plus that we discussed previously. However, this functionality was removed in the “Release Candidate 1” version of IE8 (released Jan. 26, 2009) for unspecified reasons.  While we recognize that not every beta feature makes it into final releases because of challenges in implementation, we very much hope Microsoft will ultimately add the subscription feature to Internet Explorer 8.  InPrivate Filtering goes a long way in empowering truly privacy-sensitive users to take more granular control over their own privacy, but a subscription feature would allow less sophisticated users to rely on groups or other individuals they trust to help them avoid specific sites according to their concerns about privacy or security.  Indeed, we hope that other browser manufacturers consider incorporating such tools into their browsers.  Perhaps the privacy advocates who currently focus on inventing one-size-fits-all regulatory or legislative solutions could channel their enthusiasm about user privacy into actually developing whitelists and blacklists.

Private Browsing

Another new privacy-related feature in Internet Explorer 8 is called InPrivate Browsing mode (akin to “Incognito” mode in Chrome), which protects so-called “over the shoulder” privacy, although that’s a somewhat misleading term. By not saving any record of your web browsing while InPrivate Browsing mode is turned on, this feature ensures that others with access to your computer will not know what websites you have accessed. Some people like being able to refer to their browser history and don’t want to delete all of their cookies, but want to hide all traces of some of their browsing activities-such as shopping online for a surprise gift, searching for information about a medical condition you don’t want to disclose and, most obviously, enjoying pornography).

When the InPrivate Browsing mode is enabled, none of the varieties of “browsing history” data is saved-but none of your previous history is deleted, either. This comes in handy because, if someone with direct access to your computer is monitoring your browser history to see what you’ve been up to, deleting all of your browsing history would suggest that you’ve been doing something you wanted to hide. But InPrivate Browsing mode allows you to surf anonymously when desired-without making it obvious that you’re doing so. Parents who are concerned about their kids using the InPrivate Browsing mode can use the parental controls in Windows Vista to disable it. But there does not appear to be a way to disable InPrivate Browsing on Windows XP.

Below is a screenshot of the InPrivate Browsing mode-which, again, can be enabled by clicking on the new “Safety” drop-down menu in IE 8 and selecting “InPrivate Browsing.”

While InPrivate Browsing is active, the following takes place:

• New cookies are not stored:
  • All new cookies become “session” cookies
  • Existing cookies can still be read
  • The new DOM storage feature behaves the same way
  • New entries will not be saved to the browsing history
• New temporary Internet files will be deleted when the Private Browsing window is closed
• The following data will not be stored:
  • Form data
  • Passwords
  • Addresses typed into the address bar
  • Queries entered into the search box
  • Visited links

Other Privacy Features

• SmartScreen Filter – Called “Phishing filter” in IE 7, this feature monitors and blocks links to malicious downloads. In IE 8, it also monitors links distributed via email and instant messaging (assuming IE is the default Web browser).
• Cross Site Scripting (XSS) filter – Cross-site scripting attacks allow hackers to “inject” malicious scripts into trusted websites, which can then steal the account credentials of users who access these websites. XSS attacks are dangerous because everything looks fine to users and the attackers can gain almost complete access to users’ computers. The XSS filter in IE constantly scans the data received from websites to determine if there is a likely XSS attack and re-writes the data to neutralize the attack.
• ActiveX Opt-In – By default, ActiveX Opt-In disables most ActiveX controls. When a Web page tries to run an ActiveX control, the following text is displayed in an Information Bar: “This website wants to run the following add-on ‘ABC Control’ from ‘XYZ Publisher.’ If you trust the website and the add-on and want to allow it to run, click here …” The user can then choose whether or not to run the ActiveX control.
• Per-Site ActiveX – If a website tries to access an installed ActiveX control that is not permitted to run on the website, this new feature in IE 8 gives the user the option of blocking the attempt, allowing the ActiveX control for the current site, or to allow all websites to access the ActiveX control.
• Domain Highlighting – The domain name of the site you’re viewing is highlighted in the address bar. By making it clearer to the user which website they’re accessing, this feature serves to protect users against phishing attacks from domain names that look like trusted domain names (e.g., www.paypal.com.hax0r.net, which is not PayPal’s actual website).

Additional Reading / Links

• Download Internet Explorer 8
• IEBlog: IE8 and Privacy
• IEBlog: Privacy Beyond Blocking Cookies: Bringing Awareness to Third-Party Cookies
• Jesse Ruderman’s blog post on new security features in IE 8 – Has links to the first five IEBlog posts about new security features in IE 8.
• Wikipedia entry on Internet Explorer

Over at Ars, Ryan Paul has an appropriately sharp-tongued response to the Mozilla Foundation’s troubling move to become a cheerleader for the European Commission’s ongoing antitrust efforts against Microsoft. Apparently Mozilla will assist the EC’s investigation “by offering expertise about the browser market.”

Paul focuses on what’s wrong with this in both a micro and macro sense. He rightly points out that the potential remedies here do not bode well for the future of this sector, since regulatory tinkering with high-tech product standards is bound to end badly and create a terrible precedent for future interventions. “It’s hard to find a rational argument in favor of mandatory standards enforcement,”  Paul says. “It would be punitive and unhelpful to the advancement of the web.” Moreover, Paul notes that things have never looked better on the browser front:

Claims that Microsoft’s monopoly status has eliminated competition in the browser market sound hollow in the face of the profoundly vibrant browser market that exists today. The record-setting launch of Firefox 3 added up to over 8 million downloads in the first 24 hours alone. Firefox’s global market share continues to climb every month and the browser has grabbed almost 30 percent of the European market.

And let’s not forget about those two little companies called Google and Apple who have competing products in the field! They’re making serious inroads in the browser wars. Moreover, Microsoft is struggling to hold on to whatever “dominance” they have left in their core market: OS. As Paul concludes:

To the observant tech enthusiast, all signs seem to indicate that Microsoft’s monopoly is on its way out. The Redmond giant is in no danger of annihilation, but it’s definitely not positioned to dictate terms to the rest of the industry anymore.

But what is perhaps most shocking about Mozilla’s call for intervention is the way that Mozilla Foundation chairperson Mitchell Baker minimizes the importance of not just Firefox, but the entire open source movement, when justifying EC intervention in this marketplace.

“The success of Mozilla and Firefox does not indicate a healthy marketplace for competitive products,” she wrote. “I am convinced that we could not have been, and will not be, successful except as a public benefit organization living outside the commercial motivations. And I certainly hope that neither the EU nor any other government expects to maintain a healthy Internet ecosystem based on nonprofits stepping in to correct market deficiencies.”

As Paul points out in his Ars story, “[Mozilla’s] position on this matter is highly questionable.” Indeed, I believe it’s more than just highly questionable, it’s a bit of insult to an entire community of developers. Paul is generally correct in his response that:

There are quite a few open source software enthusiasts who would argue that, for a broad range of software products, the emergence of a Mozilla-like model is actually desirable and highly advantageous for consumers. A point will eventually arrive for many kinds of software where there is simply no point in trying to derive value from shrink-wrapping it, and then efforts will converge around collaboratively-developed open source implementations that will displace and eliminate the need for proprietary commercial implementations. Why should that be viewed as unhealthy?

Indeed, but it actually goes beyond that. The message that Mozilla’s Baker seems to sending to the open source community is: You can’t change the world. Your voluntary, collaborative actions cannot correct market deficiencies or fulfill unmet needs.

Geez, isn’t that what the open source movement is all about?!  I’m hardly some sort of open source / free software fanatic — indeed, I envision a future full of plenty of open source AND proprietary types of software and service — but the beauty of the open source movement to me is the way it has so nicely filled unsatisfied niches of demand in the software universe.  And, here’s the really important point, as Paul points out in his Ars article:

The popularization of the open source development model arguably emerged as a response to Microsoft’s monopoly. Developers had to find innovative ways to compete with an entrenched product. If the government had intervened in the software industry at an early stage and those conditions hadn’t existed, the browser market could arguably be a lot less rich and competitive than it is today. If Internet Explorer had never gained the dominant marketshare to necessitate a change in the status quo, the only browser choices we would have today might be between an ad-encumbered Opera and a proprietary Netscape.

That is exactly right. I have been making the argument for many years that it is at a market’s supposedly darkest hour that we are likely seeing some of the most exciting innovation being spawned. People don’t innovate most when they are completely happy with the world around them. It’s when they are pissed-off that they get cracking!!  Mozilla’s Firefox is the perfect example of that. And so is just about everything that Google and Apple have developed in response to Microsoft over the past 10 years.

And yet, sadly, the folks at the Mozilla Foundation want to now become handmaidens to the state — and the European Commission, no less — in their pathetic effort to stick it to a competitor using the law instead of using more marketplace innovation and competition. SHAME ON YOU MOZILLA!  I would dump your browser today if I didn’t love it so much! And thank you to all the brilliant, dedicated people behind the scenes who do keep innovating and making Firefox even better. I sincerely hope that the Mozilla Foundation doesn’t speak for you on this matter.

When people ask me why I do what I do for a living — and, more specifically, why I focus all my attention on digital media and technology policy — I often respond by showing them the new gadgets or software I am playing with at any given time.  I just love digital technology.  I am swimming in a sea of digital gadgets, consumer electronics, online applications, computing software, video games, and all sorts of cyber-stuff.

Anyway, even though this is a technology policy blog, I sometimes highlight new digital toys or applications that have changed my life for the better. As the year winds down, therefore, I thought I would share with you five technologies that improved my life and productivity in 2008. I’d also love to hear from all of you about the technologies that you fell in love with this year in case I might have missed them. Here’s my list:

#1) Naturally Speaking 10:

Thanks to Nate Anderson’s outstanding review over at Ars Technica, I finally made the plunge and bought Dragon Naturally Speaking 10 earlier this month.  Wow, what a life-changer. I had played around with an earlier version of this market-leading speech recognition technology and found it somewhat clunky and unreliable. But Ver. 10, has ironed out almost all the old problems and become an incredibly sophisticated piece of software in the process. I love the way I can use simple voice commands to navigate menus in Microsoft Word and in Firefox. Perhaps best of all, I can dictate random rants into a pocket recording device and then upload them to Naturally Speaking (via a USB connection) and have them instantly transcribed. I’m even composing blog entries like this using it! Only problem is inserting HTML code; that’s still a hassle. Also, I find that switching from one input device to another definitely affects the quality of the transcription. Once you “train” Naturally Speaking using one device, it makes sense to stick with it. It’s not just the quality of the microphone; it’s also the proximity to your mouth that makes a difference. Regardless, this is one great product and, best of all, it’s should help save my rapidly-aging hands from becoming prematurely arthritic! All those years of video games and keyboards have taken their toll. #2) Scribd:

Like many other policy wonks and academics, I’ve long been housing my papers and studies on SSRN to give them more widespread visibility or share them with others. But SSRN’s format is clunky and its functionality is extremely limited. Worst of all, it didn’t provide any embeddable code such that documents could be hosted directly within a blog post. Scribd solves all those problems for me. It’s a slick document-hosting service that is also highly searchable. It also offers up relevant documents as you are viewing others (the same way YouTube does for video). Very cool feature. Better yet, Scribd let’s you create groups for your organization or interests to collect related documents in one place. (For example, check out the PFF group page here.) Why couldn’t SSRN be more like this?!

#3) Ubiquity for Firefox:

“CTRL-SPACE BAR.” Thanks to Ubiquity, that keyboard shortcut has forever changed the way I use the Firefox web browser. I know this won’t seem like a big deal to some people, but for an old geek like me, I still prefer navigating some applications with keyboard shortcuts instead of using my mouse and drop-down menus. Ubiquity lets me do so in a browser environment. Basically, anytime I see something in my browser that I’d like more info about, I just run my cursor over that term, hit CTRL/SPACE and up pops a command prompt box that lets me run an inquiry of my choice. Once that box pops up, I can run a quick search about the term by just typing Google, MSN, or Yahoo and then hitting enter. Or I can map it instantly by typing “map.” Or search for an image or video related to it by typing “Flickr” or “YouTube.” Or “eBay” it. Or “Wiki” it. Or “Digg” it. And so on, and so on. Here’s lists of the command prompts at your disposal (1, 2, 3).

#4) HTC Touch (Verizon Wireless XV6900):

Screw the iPhone. This is little beauty can do everything the iPhone can do and do it in more compact package. This thing sits in my front shirt pocket and I often forget its there. It also has a stylus. Don’t understand how you iPhone zombies get along without one. It also has none of the silly restrictions that encumber the iPhone. I’ve downloaded more mods and apps to this thing than I know what to do with. While you iPhoners are salivating over the slim pickings at the iPhone apps store, I’m sitting on 10,000 choices to decide from over at Handango (and that doesn’t even begin to scratch the market for homebrew hacks). HTC’s TouchFlo navigation is very cool and works effortlessly with the flick of your thumb. The touchscreen keyboard wasn’t so hot, but who cares when dozens of aftermarket ones are available (I went with Resco). Same goes for the IE mobile browser, which is the weak spot of any Windows Mobile equipped device. But I solved that problem with my next choice…

#5) Skyfire mobile web browser:

The mobile version of Internet Explorer has just never cut it, and Skyfire capitalized on that fact to produce a very slick touchscreen browser for Windows Mobile smartphones. The early beta version had some bugs, but they’ve been working those out and producing a great product in the process. Is the iPhone Safari mobile browser better? Yes, it still is. Even an Apple-hater like me will admit it.  But Skyfire is catching up quickly.

Honorable mentions…

LinkedIn: Yes, I know LinkedIn has been around a couple of years, but it really took off in 2008 and made impressive improvements to become more than just the “Facebook for Old Farts” I once thought it was. I am a huge fan of the new applications they have worked into the site, especially the WordPress blog app and the Amazon books app.

Google Chrome: Although it won’t be displacing Firefox in my heart any time soon, I have come to really appreciate Chrome’s speed compared to my Firefox experience, which is now bogged down with waaaaaay too many add-ons. (So much so that it takes me well over a minute to even get Firefox to boot up!) So, I pull up Chrome and run it alongside Firefox to surf script-heavy or graphically-intensive sites (like ESPN.com) or to just keep my eMail accounts and LinkedIn page active on another screen.

By Adam Thierer & Berin Szoka

The goal of our “Privacy Solution Series,” as we noted in the first installment, is to detail the many “technologies of evasion” (i.e., user-empowerment or user “self-help” tools) that allow web surfers to better protect their privacy online—and especially to defeat tracking for online behavioral advertising purposes.  These tools and methods form an important part of a layered approach that, in our view, provides an effective alternative to government-mandated regulation of online privacy.

In this second installment in this series, we will highlight Adblock Plus (ABP), a free downloadable extension for the Firefox web browser (as well as for the Flock browser, though we focus on the Firefox version here).

Purpose: The primary purpose of Adblock Plus is to block online ads from being downloaded and displayed on a user’s screen as they browse the Web.  In a broad sense, this functionality might be considered a “privacy” tool by those who consider it an intrusion upon, or violation of, their “privacy” to be “subjected” to seeing advertisements as they browse the web.  But if one thinks of privacy in terms of what others know about you, Adblocking is not so much about “privacy” as about user annoyance (measured in terms of distracting images cluttering webpages or simply in terms of long download times for webpages).  In this sense, ABP may not qualify as a “technology of evasion,” strictly speaking.  But, as explained below the fold, ABP does allow its users to “evade” some forms of online tracking by blocking the receipt of some, but not all, tracking cookies.

Cost: Like almost all other Firefox add-ons, both the ABP extensions and the filter subscriptions on which it relies (as described below) are free.

Popularity / Adoption: While there are a wide variety of ad-blocking tools available, Adblock Plus is far and away the leader.  ABP has proven enormously popular since its release in November 2005 as the successor to Adblock, which was first developed in 2002 and reached over 10,000,000 downloads before being abandoned by its developer and even today garners nearly 40,000 downloads a week.  This history of Adblock provides further details.

ABP was named one the 100 best products of 2007 by PC World magazine and is now the #1 most downloaded add-on for Firefox with over 500,000 weekly downloads, up significantly for just a few months.  In a blog post last month, ABP creator Wladimir Palant estimated that “no more than 5% of Firefox users have Adblock Plus installed,” but that percentage is bound to grow larger as more people discover Adblock.  As one indicator of ABP’s popularity, the number of Google searches for “Adblock” has nearly eclipsed the number of searches for “identity theft,” which seems like a far more serious concern than having to look at web ads.

Of course, not every Firefox user would chose to use Adblock even if they were aware of it.  For example, one of us (Berin) finds it indispensable and leaves it on all the time.  The other (Adam) almost never turns it on, preferring to see what sort of ads are being served on each page he visits.  For those users primarily concerned with having their browsing tracked, there are other tools more effective than ABP for that purpose, as future entries in this series will describe.

This raises a point we make in our upcoming paper on online advertising and privacy:  Internet users all have different preferences and sensitivities when it comes to ads and online privacy.   Some of us find ads annoying, intrusive, and potentially privacy-violating.  Others of us just don’t care or even find some informational benefit in seeing them—especially when they are tailored to our particular interests.  Fortunately, tools like Adblock Plus let us each decide for ourselves what sort of browsing experience and privacy protections to use—rather than relying on the heavy, clumsy hand of Big Government to impose sweeping regulations that make a one-size-fits-all determination for everyone.

How Adblock Plus Works: Adblock Plus on its own offers nothing more than the capability to filter certain elements (images, external scrips, frames, Flash, etc.) sent to the user’s computer when they attempt to download the contents of a webpage.  Unbeknownst to many users, the HTML code of most webpages includes instructions to download images and other content (such as ads) stored on that website or on third party sites.  ABP does not recognize ad images as such, so it cannot automatically distinguish ads from non-ad content.  Instead, ABP relies on a blacklist of terms that the keeper of the list has determined correspond to parts of a URL used to load ads.  The following screenshot illustrates how ABP works:

The user here (Berin) subscribed to EasyList USA, the most commonly-used U.S. “filter” (blacklist + whitelist) when he first installed AdBlock.  (Additional filter subscriptions are available here.)  The “filter rules” are ranked by “Hits” or number of ads blocked since the filter was installed (in May 2008).  Shown here are only the top examples of effective filters, such as any URL that begins with “http://ad.” or contains “/ads/”.  Also shown here are three custom ad filters created by Berin.  This clip (click on “Show me how this is done”) illustrates how users can block images to create their own custom ad filter.  Last, the green text is just the most commonly-applied filter rule contained in EasyList’s white list of terms that should not be blocked, trumping black list filters.  For example, htttp://wikimedia.org/wikipedia/ads/… would normally be blocked because of the “/ads/” filter rule in the blacklist, but the green white list filter rule in our example trumps that rule to make sure that all URLs containing “htttp://*.wikimedia.org/wikipedia” (where * is a wild card operator) will not be blocked.

As mentioned above, ABP can block the downloading of some tracking cookies by preventing the user’s computer from attempting to download an element (usually an image) associated with that cookie—called “web bugs” or “web beacons.”  As Wikipedia explains:

Originally, a Web bug was a small (usually 1×1 pixel) transparent GIF or PNG image (or an image of the same colour of the background) that was embedded in an HTML page, usually a page on the Web or the content of an e-mail. Modern Web bugs also use the HTML IFrame, style, script, input link, embed, object, and other tags to track usage. Whenever the user opens the page with a graphical browser or e-mail reader, the image or other information is downloaded. This download requires the browser to request the image from the server storing it, allowing the server to take notice of the download. As a result, the organization running the server is informed when the HTML page has been viewed.

Larger Implications: As you can imagine, advertising networks and advertisers are less than thrilled about the idea of users blocking their ads, but it is website operators that have thus far objected most strongly to ad-blocking, because it threatens what is for many websites the only source of revenue.  Even amateur sites that do not have to pay for content production often rely on advertising revenue to cover other costs, such as hosting.  It’s not hard to imagine why many site operators might want to discourage or thwart ad-blocking to maintain the quid pro quo of the online economy:  Users get free content and services from websites in exchange for looking at advertising, which websites can sell through ad networks to advertisers.  This dilemma is not unique to the online world, of course.  In the offline context, television advertisers have responded to ad-skipping via DVRs through increasing reliance on product placement.

But because web-browsing is an essentially interactive experience between the user’s browser and the website, website operators may have greater leverage in the relationship with a user who wants to block ads.  In particular, the website may be able to detect the use of ABP, at least indirectly through the pattern of page element blocking caused by ABP’s use. (Prior to June 2008, websites could directly detect whether a browser was using ABP by noticing the presence of an API interface designed to allow ABP to work with other extensions, but this feature was removed in a recent update to ABP.)

Thus, once adblocking rises above a certain “acceptable loss” threshold, a website could respond in at least three distinct ways:

1. Moral exhortation – websites might display this kind of pop-up notice to ABP users:

   

2. “Blocking” adblocking – Because ABP’s relies on relatively crude keyword filters to distinguish ad elements of a page from content elements, websites can confuse these filters by making advertisements less easily distinguishable from content.  On the one hand, websites might attempt to “embed” advertisements a la television product placement.  On the other, we may see ad networks rely more on distributing ads through websites directly, rather than from ad network servers, so that adblocking filters cannot easily identify ads by the source referenced in their URL.
3. Tying website functionality to the acceptance of tracking cookies – As mentioned above, Adblock will block some “tracking cookies” by blocking the downloading from ad network servers of web beacons—which is often how such cookies are placed on the uer’s computer in the first place.   By requiring the downloading of those cookies to access the full functionality of the site, websites might be able to require users to accept tracking cookies in exchange for full access to the site.

As is so often the case, this will likely result in a war of “spy v. spy,” whereby the user community develops better evasive measures, and the websites community develops better countermeasures, and so on–as illustrated in this scene from the 1998 Marky Mark cult-classic film, The Big Hit: (Warning: Includes foul language).

Related Reading & Links

• Download Adblock Plus for Firefox (ver. 0.7.5.5)
• Adblock for Flock browser
• Adblock Plus main page (English language version)
• Adblock Plus blog
• How to disable Adblock Plus on your bookmarked pages (i.e., create a whitelist for accepted ads)
• Wikipedia entry
• Interview with Adblock creator Wladimir Palant
• New York Times article: Noam Cohen, “Whiting Out the Ads, but at What Cost?” New York Times, September 3, 2007.
• Nick Carr on Adblock: “What Would Jesus Do?” (and Wladimir Palant’s response to such criticisms)
• YouTube demo videos:
http://www.youtube.com/v/RAYtLA1ZKW0&hl=en&fs=1 http://www.youtube.com/v/vl4_NEiyVIk&hl=en&fs=1